Replying to nitesh

Zaps are broken. There is a vulnerability/bug (depending on how you see it) where you could show off on social media that you zapped someone but you could just pay yourself.

Here’s how to reproduce it:

When you click zap, an invoice is fetched from a URL that looks like this

- https://stacker.news/api/lnurlp/02fbae2cc5/pay?SOMECRAP

- Replace 02fbae2cc5 with your own user ID, fetch the invoice and pay it, so you pay yourself. Check the post you’re trying to zap; it will get updated saying you zapped them. LOL

https://snort.social/e/note1sxedhg4r6tyjamdtr7txzxda5e24tkfxh9amgxs5cpccw3e0v9vs36vfxq

This is an example post. Only one of my zaps is real; the 2 others I just paid myself.

#[0] found this out.

damus doesn't count zaps to yourself


Discussion

Unless you're referring to something else?

I wasn’t zapping myself there. I was zapping Odell.

Here’s the full URL. 02fbae2cc5 is my stacker news ID, but the pubkey in the JSON string is ODELL’s.

https://stacker.news/api/lnurlp/02fbae2cc5/pay?amount=500000&nostr={"id":"a719a1f21b49991ba832c02722e30cf271f9f8f7fa9fa3c0a459184de3ef497c","pubkey":"021d7ef7aafc034a8fefba4de07622d78fd369df1e5f9dd7d41dc2cffa74ae02","created_at":1676836080,"kind":9734,"tags":[["e","81b2dba2a3d2c92eedab1f966119bda65555d926b97bb41a14c07187472f6159"],["p","04c915daefee38317fa734444acee390a8269fe5810b2241e5e6dd343dfbecc9"],["relays","wss://relay.snort.social","wss://nostr.fmt.wiz.biz","wss://nostr.bitcoiner.social","wss://relay.damus.io","wss://nos.lol","wss://relay.nostr.bg","wss://relay.current.fyi","wss://nostr.oxtr.dev","wss://brb.io","wss://nostr.foundrydigital.com","wss://nostr.zebedee.cloud","wss://relay.nostr.info","wss://eden.nostr.land"]],"content":"","sig":"301ed4bda185bd59ce3ea0eadb2db4c12e4c4587f38793c8b00c4a0b6515be5d4615ba9301e6c60bc0440cb183b583d425d360437172ee198ff8cff0cfa94072"}

Are you saying zappers aren't verifying signatures? I think damus checks them, which is why it's not showing up in damus?

It’s not about signatures. It’s about zappers having no way to know if the pubkey in a zap note actually belongs to the lightning address zapped.

Damus doesn't show any zaps on this post?

Idk why, maybe relay issue? But I see it on other clients. There are also real zaps on it apart from 2 fake ones.

Haven’t seen any zaps on Damus posts yet. Not an option. When are they fully coming to the app?

Odell’s geyser.fund Lightning wallet doesn’t support NIP-57

The URL is stacker.news. Nothing to do with geyser.fund

I really don't understand what you're saying. Your zap request has all the info about who/what you are zapping and that can't be modified.

https://void.cat/d/DXmSmpSy7SmSgUG7Jt2ExG.webp

One of these is real.

Two of them are self-payments that still show up as actual zaps to Odell.

Right but where you’re getting the invoice from can be modified. It’s just an endpoint. The rest of the &Nostr= part remains the same.

How can that be modified? Clients fetch it from the user's lnurl over https.

It’s just a GET endpoint you get from browser devtools. Maybe I’m missing your point?

You're talking about replaying your own zap request notes to other endpoints?

I think he means that some providers cannot know if the p-Tag in a zap request is actually owned by the same person as the Lightning address / lnurl.

I could fetch an invoice from MY Lightning address and attach a zap note for YOUR note to it, no?
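The check the thread says clients lack, as an added example (not code from the thread or from any client named in it): assuming the recipient's lnurl-pay metadata carries NIP-57's `allowsNostr`/`nostrPubkey` fields, a client only counts a kind 9735 receipt if it was published under the key advertised by the recipient's own lnurl endpoint and its embedded kind 9734 request points at the profile being viewed. All keys, events and the metadata below are constructed placeholders.

```python
import json

# Constructed sample keys (placeholders, not real nostr pubkeys or the thread's IDs).
RECIPIENT_PUBKEY = "aa" * 32     # profile whose zaps a client is rendering
RECIPIENT_LNURL_KEY = "bb" * 32  # nostrPubkey advertised by the recipient's lnurl-pay endpoint
OTHER_LNURL_KEY = "cc" * 32      # nostrPubkey of a different lnurl-pay endpoint (e.g. the zapper's own)
ZAPPER_PUBKEY = "dd" * 32

# What resolving the recipient's lud16/lud06 address yields; NIP-57 adds allowsNostr/nostrPubkey.
RECIPIENT_LNURL_METADATA = {"allowsNostr": True, "nostrPubkey": RECIPIENT_LNURL_KEY}

def tag(event, name):  # first value of the named tag, or None
    return next((t[1] for t in event.get("tags", []) if t and t[0] == name), None)

def make_zap_request(sender, recipient, amount_msat):
    """Kind 9734 zap request as the zapper's client builds it (unsigned here)."""
    return {"kind": 9734, "pubkey": sender, "content": "",
            "tags": [["p", recipient], ["amount", str(amount_msat)], ["relays", "wss://relay.invalid"]]}

def make_zap_receipt(issuer_pubkey, zap_request):
    """Kind 9735 receipt: published by whichever lnurl server issued the invoice, under its own key."""
    return {"kind": 9735, "pubkey": issuer_pubkey, "content": "",
            "tags": [["p", tag(zap_request, "p")], ["bolt11", "lnbc-placeholder"],
                     ["description", json.dumps(zap_request)]]}

def zap_receipt_is_credible(receipt, recipient_pubkey, lnurl_metadata):
    """Return (ok, reason). Event signature verification is assumed to happen separately."""
    if receipt.get("kind") != 9735:
        return False, "not a zap receipt"
    if not lnurl_metadata.get("allowsNostr") or not lnurl_metadata.get("nostrPubkey"):
        return False, "recipient's lnurl endpoint does not support nostr zaps"
    # The check this thread is missing: the receipt must come from the key the *recipient's*
    # lnurl endpoint advertises, not from whichever endpoint the zapper chose to pay.
    if receipt.get("pubkey") != lnurl_metadata["nostrPubkey"]:
        return False, "receipt issuer is not the recipient's lnurl provider"
    try:
        zap_request = json.loads(tag(receipt, "description") or "")
    except json.JSONDecodeError:
        return False, "description is not a JSON zap request"
    if zap_request.get("kind") != 9734:
        return False, "description is not a kind 9734 zap request"
    if tag(zap_request, "p") != recipient_pubkey or tag(receipt, "p") != recipient_pubkey:
        return False, "p tag does not match the recipient being displayed"
    return True, "ok"

REQUEST = make_zap_request(ZAPPER_PUBKEY, RECIPIENT_PUBKEY, 500000)
GENUINE = make_zap_receipt(RECIPIENT_LNURL_KEY, REQUEST)  # invoice came from the recipient's endpoint
SELF_PAID = make_zap_receipt(OTHER_LNURL_KEY, REQUEST)    # same request, invoice from another endpoint
```

This only tells lnurl providers apart; when zapper and recipient use the same provider, the provider itself has to confirm that the p tag belongs to the account being paid before publishing a receipt.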

my apologies, I thought that’s what he was using on nostr

https://stacker.news/api/lnurlp/ODELL/pay

🤔

But they are still listed in the zaps list

ya