LNbank Vulnerability Recap: Last week, a critical vulnerability was identified in the LNbank plugin, which I developed as a plugin for @btcpayserver. The following post aims to outline what transpired and the steps I, as maintainer of the plugin, and the BTCPay Server team are taking to prevent similar occurrences in the future. https://d11n.net/lnbank-vulnerability-recap
I'm sorry for all who have lost Bitcoin, but I am also sorry for what you went through with this vulnerability. I know how much of your heart and soul you have put into this plugin over the years with the best of intentions.
Thank you for your contributions Dennis 🫂
I was not affected, but I read stories of those that were. They'll appreciate the apology and the gesture. Thanks for the post mortem.
Thank you @d11n. Appreciate all that you do for Bitcoin.
We appreciate everything you do for Bitcoin Dennis 💚
Thank you very much for hanging in with this and working tirelessly to identify the source of the bug and fix it asap. Thank you for developing this great plugin in the first place.
It shows that we need to care more for the software we use and help review code, do more adversarial testing, or help in any other way to improve it.
You mention that people can donate sats to distribute to people affected, where can we do that? Zap on this post or any special lnaddress or something?
You can donate to @Hugo Ramos via the Lightning Address hugo@wallets.fyoumoneypod.com or onchain to bc1qz8dxk6h8gha5qvsnw67rjzz3xn6t4k0wmafqz3.
Related, can you explain why BTCPay asks for an admin macaroon in order to connect a remote LND instance? Shouldn't a read-only macaroon with invoice permission suffice?
Thank you for the recap!
Indeed these things can happen, but working and solving issues in the open teaches and benefits everyone.
While also being sorry for the losses, I am looking forward to what more you are building! 💚💚💚
You’re the man, Dennis. Thanks for all your amazing work.