Dennis's avatar
Dennis dennis@einundzwanzig.space 2 years ago
LNbank Vulnerability Recap: Last week, a critical vulnerability was identified in the LNbank plugin, which I developed as a plugin for @BTCPay Server. The following post aims to outline what transpired and steps I, as a maintainer of the plugin, and BTCPay Server team are taking to prevent similar occurrences in the future.
LNbank Vulnerability Recap Β· d11n πŸ―πŸ¦‘βš‘οΈπŸ•—πŸ”—
This post summarizes the critical vulnerability in the LNbank plugin, which got announced last week and how we intend to prevent something similar ...

Replies (13)

UNCLE ROCKSTAR's avatar
UNCLE ROCKSTAR rockstar@primal.net 2 years ago
I'm sorry for all the have lost Bitcoin, but am also sorry for what you went through with this vulnerability. I know how much of your heart and soul you have put into this plugin over the years with the best of intentions. Thank you for your contributions Dennis πŸ«‚
Derek Ross's avatar
Derek Ross derekross@grownostr.org 2 years ago
I was not affected, but I read stories of those that were. They'll appreciate it he apology and the gesture. Thanks for the post mortem.
ndeet's avatar
ndeet ndeet@btcpayserver.org 2 years ago
Thank you very much for hanging in with this and work tirelessly to identify the source of the bug and fix it asap. Thank you for developing this great plugin in the first place. It shows that we need to care more for the software we use and help reviewing code and doing more adverserial testing or help in any other way to improve it. You mention that people can donate sats to distribute to people affected, where can we do that? Zap on this post or any special lnaddress or something?
1 replies ↓
Jameson Lopp's avatar
Jameson Lopp lopp@lopp.net 2 years ago
Related, can you explain why BTCPay asks for an admin macaroon in order to connect a remote LND instance? Shouldn't a read-only macaroon with invoice permission suffice?
1 replies ↓
openoms's avatar
openoms openoms@diynodes.com 2 years ago
Thank you for the recap! Indeed these things can happen, but working and solving issues in the open teaches and benefits everyone. While also being sorry for the losses I am looking forward to what more you are building! πŸ’šπŸ’šπŸ’š
↑