⚡️DailyZap: Just in case you missed it

"Payment Hash Does Not Commit To Payment"

The Lightning-dev mailing list got a quick heads-up from @npub12rv5lskctqxxs2c8rf2zlzc7xx3qpvzs3w4etgemauy9thegr43sf485vg reminding everyone that the "payment_hash" of a Lightning invoice doesn't actually commit to the payment itself. Rather, it sets the condition under which the payment can be claimed: revealing a preimage whose hash is equal to the payment_hash (i.e. hash(preimage) = payment_hash).

The LNBits team discovered an exploit in the LNBits codebase that could be used to create sats out of thin air and that stems directly from this misconception. A payment's "payment_hash" is not a unique identifier, and one should always perform additional checks (for example on amounts) when trying to correlate two payments.

https://nostrcheck.me/media/public/nostrcheck.me_6734699359468046851688749146.webp

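The kind of check the note recommends, as an added Python example that is not part of the original note and is not LNbits code: a hash-only match next to a settlement check that also verifies the preimage, the amount and the settled state. The `Invoice` and `Payment` records, the function names, the exact-amount policy and the sample values are assumptions made for illustration.

```python
import hashlib
from dataclasses import dataclass

@dataclass
class Invoice:                 # hypothetical ledger record for an issued invoice
    payment_hash: str          # hex SHA-256 of the preimage
    amount_msat: int
    settled: bool = False

@dataclass
class Payment:                 # hypothetical record of a payment to correlate
    payment_hash: str
    amount_msat: int
    preimage: bytes

def matches_by_hash_only(invoice: Invoice, payment: Payment) -> bool:
    """The misconception: treats payment_hash as a unique payment identifier."""
    return invoice.payment_hash == payment.payment_hash

def check_settlement(invoice: Invoice, payment: Payment) -> tuple[bool, str]:
    """Correlate a payment with an invoice on more than the hash."""
    if invoice.payment_hash != payment.payment_hash:
        return False, "payment_hash mismatch"
    # The hash only states the claim condition: hash(preimage) == payment_hash.
    if hashlib.sha256(payment.preimage).hexdigest() != invoice.payment_hash:
        return False, "preimage does not hash to payment_hash"
    # Assumed policy: the amounts of the two records must match exactly.
    if payment.amount_msat != invoice.amount_msat:
        return False, "amount mismatch"
    if invoice.settled:
        return False, "invoice already settled"
    return True, "ok"

def settle(invoice: Invoice, payment: Payment) -> tuple[bool, str]:
    """Mark the invoice settled only when every check passes."""
    ok, reason = check_settlement(invoice, payment)
    if ok:
        invoice.settled = True
    return ok, reason

# Constructed sample data: a 32-byte preimage and its SHA-256 payment hash.
PREIMAGE = bytes(32)
HASH = hashlib.sha256(PREIMAGE).hexdigest()

if __name__ == "__main__":
    invoice = Invoice(HASH, 100_000)
    same_hash_other_amount = Payment(HASH, 1_000, PREIMAGE)
    print(matches_by_hash_only(invoice, same_hash_other_amount))
    print(settle(invoice, same_hash_other_amount))
    print(settle(invoice, Payment(HASH, 100_000, PREIMAGE)))
```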