Similarly to #3, concurrently generating a deposit address may reveal addresses to the user, only one of which is will be associated with the user in the database:
if (!(await u.getAddress())) await u.generateAddress();
which may race against each other.
Secondly, this approach presents a privacy concern. Since lndhub's channels are publicly known, and spends into them can be detected, and since users' deposit addresses are unique, users can be clustered around these addresses linking their antecessor TXOs and change outputs.
Similarly to #3, concurrently generating a deposit address may reveal addresses to the user, only one of which is will be associated with the user in the database:
https://github.com/BlueWallet/LndHub/blob/6a3de700f4f41c887eacdbaacdf3adab7bad4c13/class/User.js#L209
There are multiple instances of the following:
which may race against each other.
Secondly, this approach presents a privacy concern. Since lndhub's channels are publicly known, and spends into them can be detected, and since users' deposit addresses are unique, users can be clustered around these addresses linking their antecessor TXOs and change outputs.