Closed gorrdy closed 2 years ago
Looking into this right now.
Fix for the expensive routing attack (#442) for LndRestWallet merged into master. Please update your lnbits with git pull. I recommend changing to LndRestWallet if you're using LndWallet.
Note: For LndRestWallet you need to enter the hex string of your macaroon in the .env file. You can get the hex string via xxd -ps -u -c 1000 /path/to/admin.macaroon
Closing as resolved
I'm not confident that it's entirely resolved. Sure #442 at least allows safe usage with a specific implementation: LND over REST. IMO these additional steps should be made:
However if you feel this should be a separate issue (or multiple) for organizational purposes I have nothing against separating it.
I've been attacked.
An attacker just used LNbits to sweep my channels' balance. He used a trick with a malicious routing node with an enormous routing fee that resulted in an LN payment with an amount of 891,000 sats and a fee of ~890,000 sats.
The attack vector is quite simple. From the attacker's perspective:
Hope it helps with resolving the issue. Currently, every LNbits site that is publicly accessible is in danger.
Transaction detail:
Transactions in Thunderhub:
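The defensive check the thread describes, as an added example that is not LNbits' own code nor the #442 patch: before asking the node to pay, the wallet reserves a fee cap and passes it along as the fee limit, so a route whose fee nearly equals the amount (the 891,000 / 890,000 sat case above) is refused and the wallet balance can never be drained by fees it did not account for. The wallet, policy constants and the simulated node are all assumptions.

```python
from dataclasses import dataclass

# Constructed policy (hypothetical): allow at most 1% of the amount as routing
# fee, with a small floor so tiny payments can still find a route.
FEE_RESERVE_PERCENT = 1.0
FEE_RESERVE_MIN_SAT = 10


class PaymentRejected(Exception):
    """Raised when a payment must not be handed to the node."""


@dataclass
class Wallet:
    balance_sat: int  # hypothetical LNbits-style user wallet balance


def fee_reserve_sat(amount_sat: int) -> int:
    """Maximum routing fee the wallet is willing to pay for this amount."""
    return max(FEE_RESERVE_MIN_SAT, int(amount_sat * FEE_RESERVE_PERCENT / 100))


def check_payment(wallet: Wallet, amount_sat: int) -> int:
    """Return the fee limit to send to the node, or raise if the wallet
    cannot cover amount plus that limit. The old bug was checking only the
    amount, so node-side fees were paid from channel balance the user did
    not own."""
    if amount_sat <= 0:
        raise PaymentRejected("amount must be positive")
    limit = fee_reserve_sat(amount_sat)
    if amount_sat + limit > wallet.balance_sat:
        raise PaymentRejected(
            f"insufficient balance: need {amount_sat + limit} sat "
            f"(amount + fee reserve), have {wallet.balance_sat} sat"
        )
    return limit


def pay_invoice(wallet: Wallet, amount_sat: int, route_fee_sat: int) -> dict:
    """Simulated payment. route_fee_sat stands in for the fee of the route the
    node found; a real node given a fee limit refuses routes above it, which
    is modelled here by raising. Only then is the wallet debited."""
    limit = check_payment(wallet, amount_sat)
    if route_fee_sat > limit:
        raise PaymentRejected(
            f"no route within fee limit of {limit} sat (route fee {route_fee_sat} sat)"
        )
    wallet.balance_sat -= amount_sat + route_fee_sat
    return {"amount": amount_sat, "fee": route_fee_sat, "fee_limit": limit}
```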