Potential Vulnerability in Lightning Backends: BOLT-11 'Payment Hash' Does Not Commit to Payment
Someone is reportedly attempting to exploit a recently reported vulnerability that may still be present on various Lightning services.
- Mutiny's Ben Carman warned that someone is attempting to exploit the 'BOLT-11 payment hash' vulnerability that was reported to the Lightning dev mailing list on June 19, 2023.
There is someone going around attempting to exploit this on various services, be sure you are not vulnerable https://t.co/UV18vyaqe7
— Carman (@benthecarman) July 6, 2023
- "In short, the attacker was able to insert a bolt-11 payment hash of payment A into a different payment, creating a malicious invoice B that can trick the backend into believing that B == A."
- "The mitigation is quite simple. Backends should either use self-generated unique "checking id's" for looking up internal payments or use additional checks to make sure that the invoice details have not been messed around with (e.g., asserting amount(A) == amount(B))."
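The mitigation quoted above, sketched as an added example (not code from the mailing-list report or from any Lightning backend): a simplified in-memory ledger that contrasts lookup by payment hash with lookup by a backend-generated checking id plus an amount check. The `Ledger` and `Payment` classes, their method names and the sample hash are assumptions made for illustration.

```python
import secrets
from dataclasses import dataclass


@dataclass
class Payment:
    checking_id: str    # generated by the backend, never read from an invoice
    payment_hash: str   # copied from the BOLT-11 invoice, so not unique by itself
    amount_msat: int
    settled: bool = False


class Ledger:
    def __init__(self):
        self.payments = {}  # checking_id -> Payment

    def create(self, payment_hash, amount_msat):
        p = Payment(secrets.token_hex(16), payment_hash, amount_msat)
        self.payments[p.checking_id] = p
        return p

    def find_by_hash_weak(self, payment_hash):
        # Weak pattern: the first record with this hash wins, so two records
        # that share a hash cannot be told apart.
        return next((p for p in self.payments.values()
                     if p.payment_hash == payment_hash), None)

    def settle(self, checking_id, paid_hash, paid_amount_msat):
        # Hardened pattern: look up by our own id, then confirm the details.
        p = self.payments.get(checking_id)
        if p is None or p.settled:
            return False
        if p.payment_hash != paid_hash or p.amount_msat != paid_amount_msat:
            return False
        p.settled = True
        return True


def demo():
    ledger = Ledger()
    shared_hash = "ab" * 32                      # constructed sample value
    a = ledger.create(shared_hash, 100_000)      # payment A
    b = ledger.create(shared_hash, 1_000)        # record B reusing A's hash
    weak_hit = ledger.find_by_hash_weak(shared_hash)
    return {
        "weak_lookup_returns_a": weak_hit is a,
        "b_settles_as_b": ledger.settle(b.checking_id, shared_hash, 1_000),
        "a_rejected_on_amount": ledger.settle(a.checking_id, shared_hash, 1_000),
        "a_still_unsettled": not a.settled,
    }
```

With the hash-only lookup, a settlement of B resolves to A's record; with the checking id and amount assertion, B settles only as B and A stays unpaid.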