@bitcoinplebdev
398,801 sats stacked
stacking since: #50813 \ longest cowboy streak: 11 \ verified stacker.news contributor
112 sats \ 1 reply \ @bitcoinplebdev 22 Jul \ on: Meme Monday- Best Bitcoin Meme gets 10k Sats bitcoin
When you still work your 9-5 even though you have your 6.15
I'm using Zeus wallet, but I'm not using their 'built in' lightning node; I'm connecting to my own lightning node hosted on https://voltage.cloud
This was after a day where I had a pretty popular post, but also these are auto withdrawals, so some of these include sats I received to my sn lightning address (through nostr, testing, or random tips from people elsewhere).
I also have the ~devs territory which gives me some extra revenue but not much.
I think it would be cool to have a full 'subscriptions' feature where a creator could enable subscriptions for a certain amount and make 'premium posts' that were only viewable by subscribers, or the creator could also opt to make these premium posts for sale individually.
This is why it's important to carefully vet what products/services/wallets you use in this space.
I could try to start a witch hunt for the hacker, but I don't think it's the right approach.
I'm the one who let down my users, the hack was my fault, the attacker was just exploiting my mistake, so I take full responsibility.
Thanks Jason!
What was important to me was discovering the exploit and being able to fix it (which I was able to do without communicating with the hacker).
I still might try to reach out to who I think the hacker is (esp. if they keep trying to attack), but I'm gonna give them the chance to come to me first.
In general though I take full responsibility for the attack, the hacker was just exploiting my mistake, so it falls on me.
True, I would have paid 200k in a second to get alerted of this bug, the real price for me though is the shame of letting down my users, and in general shaking the trust of everyone who follows me and uses any of my projects.
I should also mention:
There are a lot of details I have to leave out for privacy/security reasons.
But I'm 99% positive I know who hacked bitcoinlink, and it is a prominent developer in the space I'm sure everyone would recognize.
I'm not absolutely certain though, so I won't name them, but they could still definitely shoot me a dm ;)
Ahh yeah I could have been a little more clear with the wording, the sender sets the budget themselves by how many links they generate and the sats per link.
Yeah there was a budget on the nwc, it's what kept the wallet from getting completely drained, allows the user to cap their risk, but I should have only allowed smaller NWC budgets at first.
MISLEADING TITLE!
I was conflating the nostrPubkey field as being "pregenerated" for each user, but this is not true! In the nip57 spec the nostrPubkey field is used to verify where the zapReceipt is coming from. You notice every endpoint has the same npub; this is cashapp's one keypair they'll be using to sign zapReceipts.
So yeah, nothing crazy here, they're just set up for lnaddress and zaps.
~devs will be here till the end