Would love an ELI5 on this. I don't have a sense of what exactly this guy did wrong. My understanding was that BTCPay allows vendors to *receive* payments. How exactly was it able to swipe his funds? The extent of my current Lightning involvement is running an LND node with two open, outbound channels, both of which are controlled by Zeus. Am I vulnerable?
You should be fine as long as you are not running any additional plugins/software on top of your lnd node like btcpay/lnbank. Any additional software you introduce that has access to your RPC is just increasing your attack surface. This is why I prefer the lightning client app approach I was working on, such as http://lnlink.org . No additional software needed on the node side.
Thanks for the response. I thought long and hard about it, and the only two add-ons that have access to my LND REST address and admin cookie (aka macaroon?) are GetAlby and Zeus. With Zeus, presumably the cookie would be stored on my phone. No third party should be able to access it, correct? With GetAlby, I'm not really sure. It's a PC browser-based extension, so hopefully it's stored on my computer locally, as opposed to an Alby server? I never gave such issues a great deal of thought until reading this fellow's horror story. Just trying to tighten up my OpSec game a bit so as not to repeat his mistake.