Nostr Web Client

nostr:npub1getal6ykt05fsz5nqu4uld09nfj3y3qxmv8crys4aeut53unfvlqr80nfm

here is my analysis (assumption)

And I think it won’t be too difficult for alby to fix it.

1. When the payee requested to receive a payment, he uses the Web UI to create an invoice and Alby call it’s LND, record this in DB and send to user

2. If the payee sends this invoice to the payer, which happens to be another Alby user, Alby only record this operation on DB and update both sides balances (i.e. deduct from payer and credit to payee).

3. However, that invoice is not revoked, even it’s actually used and Alby system is aware about this fact.

4.Then someone from an external wallet tried to pay this invoice. Since it’s not technically used, LND will accept this payment and Alby LND node still receive sats.

5. However, when Alby try to look up payee in internal db but found this invoice “has been used internally”. Some errors throw, and balances not updated nostr:note19jgtjprckcnxk4fphtnq826l37scvk68wn9hya8uw0fhaghkdnvsu0t2qu

Reply to this note

Please Login to reply.

Discussion

elsat 1y ago

nostr:npub1ejxswthae3nkljavznmv66p9ahp4wmj4adux525htmsrff4qym9sz2t3tv is this alby communicating with another app/wallet via nostr? If yes, could you add to https://github.com/nostrability/nostrability/issues 🙏

Sherry 1y ago

Not during my testing process. But if invoice is some open data on nostr, this subtle bug has chance to happen. I will add it later. Thank you for your suggestion!

arvin 1y ago

I was just going to suggest this might be what's happening when you were able to replicate with WoS as well. It's something we explicitly had to guard against in nostr:npub13ljnkd633c7maxatymv3y2fqq8vt3qk7j3tt0vytv90eztwgha9qmfcfhw

Sherry 1y ago

Oh cool!

arvin 1y ago

Adding a little context, here's where we guard against this for nostr:npub13ljnkd633c7maxatymv3y2fqq8vt3qk7j3tt0vytv90eztwgha9qmfcfhw

https://github.com/GaloyMoney/galoy/blob/af051a6/core%2Fapi%2Fsrc%2Fapp%2Fpayments%2Fsend-lightning.ts#L529

Sherry 1y ago

Thank you! I believe This will be super useful if alby starting fix it . I will add it to my lnd too lol

Sherry 1y ago

I think wallet of Satoshi guard it too. When invoice generated by wos duplicated payment is not allowed

NotBiebs and 69 others 1y ago

Hope you get a bounty for this. Pretty crazy if this bug has existed this whole time.

Sherry 1y ago

Well I feel weird since we had some crazy time pasting invoice everywhere on nostr 💜😂

NotBiebs and 69 others 1y ago

Alby probably stacked a bunch of sats when we were doing that because of this bug 😂

Sherry 1y ago

😂😂

bumi 1y ago

awesome! thanks for the detailed, great analysis which is mostly correct!

The invoice is not rejected on the lightning level which means another ln wallet can still pay it.

but what is your use cases there? why would you give the same invoice to multiple people? an invoice is always a 1-1 relationship.

can you send the details to support@getalby.com it will be taken care of there to make sure the second transaction shows up.

Sherry 1y ago

sure. Thanks for your feedback.💜💜💜💜🫡🫡🫡🫡

I use 1000 Sats to test so it’s fine. Not a big amount.

My user case is about posting invoice in a group. It is not intended designed to pay by two people but I cannot stop the second transaction, if someone else see there is an invoice and pay it out of curiosity 😂. Like before zap is invented, we pasted invoice everywhere on nostr. 😂