Regretfully, just several hours ago an attacker took advantage of some still unknown exploit in the LSP liquidity leasing flow in publsp and liquiditystr. The tldr is that the attacker managed to get some LSPs, including myself, to lease liquidity with some initial balance on the attacker's side but without paying the full amount for that pushed balance.

Through some small miracle I picked up on it relatively early on. I managed to get in touch with the LSPs that had active ads to help mitigate the impact of the exploit but, despite my best efforts, other LSPs have also lost funds in this attack.

To be honest, I think that's the part that hurts more than the funds I lost. Others trusted the project enough to give it a try but ultimately got burned by something I built. I'm gutted over the fact that some node runners have lost some of their hard earned sats, and I'm truly very sorry this happened.

I'm still bullish on the vision of more decentralized marketplaces over nostr, including one for Lightning liquidity. However, for the moment I'm so shaken by the events that took place that I'm going to step back for a while and figure out how to be better.


Discussion

A post mortem on this exploit if you're curious. The attacker paid a hold invoice as expected, but force-closed the channel immediately on first confirmation of the funding transaction, which is very much not expected. That basically broke the signalling chain such that publsp expected an 'OPEN' status but it never got it since the default number of confirmations for the LN implementation to send the 'OPEN' is 3. So the preimage needed to settle the invoice was never released. That's the second problem. The preimage needs to be released in order to actually claim the attacker's payment, but persistence was in memory only, and after the dust settled on what happened, the preimage was effectively gone, thus dashing any hope of claiming the lost funds. The HTLC will have expired and the attacker will have walked away with the pushed funds.

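As an added example (not publsp's or liquiditystr's code), the sketch below models the two defensive changes the post mortem points at: persist the hold-invoice preimage to disk before anything is broadcast on-chain, and settle the invoice at the first funding confirmation (or on a close that arrives after funding confirmed) instead of waiting for the implementation's `OPEN` signal. The state names, the JSON file layout and the `simulate` driver are assumptions made for this illustration.

```python
import hashlib, json, os, secrets, tempfile

class PreimageStore:
    """Durable payment_hash -> preimage map (JSON file, assumed layout), written
    before anything goes on-chain so a restart or force-close cannot lose it."""
    def __init__(self, path): self.path = path
    def _load(self): return json.load(open(self.path)) if os.path.exists(self.path) else {}
    def put(self, payment_hash, preimage):
        data = self._load(); data[payment_hash] = preimage
        tmp = self.path + ".tmp"
        with open(tmp, "w") as f:
            json.dump(data, f); f.flush(); os.fsync(f.fileno())
        os.replace(tmp, self.path)  # atomic: no half-written file after a crash
    def get(self, payment_hash):
        return self._load().get(payment_hash)

class LeaseFlow:
    """LSP-side state machine for one lease paid via a hold invoice (state names assumed)."""
    def __init__(self, store):
        self.store, self.state, self.payment_hash, self.preimage = store, "NEW", None, None
    def create_hold_invoice(self):
        preimage = secrets.token_hex(32)
        self.payment_hash = hashlib.sha256(bytes.fromhex(preimage)).hexdigest()
        self.store.put(self.payment_hash, preimage)  # persisted before funding is broadcast
        self.state = "INVOICE_ISSUED"
        return self.payment_hash
    def on_payment_held(self):
        self.state = "PAYMENT_HELD"  # HTLC accepted, preimage still withheld
    def on_funding_confirmed(self, confirmations):
        # Settle at the first confirmation: the pushed balance is committed on-chain,
        # so waiting for the implementation's OPEN signal (3 confs) only widens the window.
        if self.state == "PAYMENT_HELD" and confirmations >= 1:
            self.preimage = self.store.get(self.payment_hash)  # release -> payment claimed
            self.state = "SETTLED"
    def on_channel_closed(self, funding_confirmed):
        # A force-close after funding confirmed must still settle; only an unfunded lease is cancelled.
        if self.state == "PAYMENT_HELD":
            if funding_confirmed: self.on_funding_confirmed(1)
            else: self.state = "CANCELLED"  # nothing was pushed, payer gets refunded

def simulate(funding_confirmed=True, path=None):
    """Pattern from the post mortem: hold invoice paid, channel force-closed at the first confirmation."""
    path = path or os.path.join(tempfile.gettempdir(), "lease_preimages_example.json")
    flow = LeaseFlow(PreimageStore(path))
    h = flow.create_hold_invoice()
    flow.on_payment_held()
    if funding_confirmed: flow.on_funding_confirmed(1)
    flow.on_channel_closed(funding_confirmed)
    restored = PreimageStore(path).get(h)  # what a fresh process after a crash would find
    ok = restored is not None and hashlib.sha256(bytes.fromhex(restored)).hexdigest() == h
    return {"state": flow.state, "preimage_released": flow.preimage is not None, "recoverable": ok}
```

With `funding_confirmed=False` the close arrives before any funding exists, so the invoice is cancelled and the payer is refunded while the stored preimage remains recoverable.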

Please consider posting a post mortem to share lessons learned

On top of everything else, I lost about 4.7M sats yesterday due to this exploit. 😭 A fairly significant sum for me.

I guess I’ll have to make it all back on shitcoins. 💩
