🚩 First Stacker News CTF - NWC Debug Edition 🪲

When we released NWC support on Tuesday, some people reported that their wallet indicator was stuck on red, like here, here and here.
We believe it's related to our new Content Security Policy (CSP), which makes SN a lot more secure, especially against cross-site scripting attacks (XSS). A CSP basically tells the browser which fonts, images, assets etc., but most importantly which scripts, it is allowed to load. We tightened browser security so much that even image uploads were broken for a short period after the release (it was an easy fix).
Since I wasn't able to reproduce the bug with NWC, I present you with four sites on which you can test NWC if you want to earn some sats:
  1. https://sn1.ekzyis.com/
  2. https://sn2.ekzyis.com/
  3. https://sn3.ekzyis.com/
  4. https://sn4.ekzyis.com/
All four sites have a different CSP. Hopefully, at least in one of them NWC will work for you. If all four work, that's even better! Then I think you have no problems with NWC on SN. The most interesting reports will be the ones where some sites work and others don't. These are the data points we are looking for.
This is called a CTF (Capture The Flag) since you should see a flag at the end when you have followed all the steps mentioned on each site. Post the flag here so I can zap you 1k sats for a flag from each site. This means you can earn 4k sats in total if you test all four sites!
A report could look like this:
sn1.ekzyis | <insert flag here> | works
sn2.ekzyis | <insert flag here> | does not work
sn3.ekzyis | <insert flag here> | does not work
sn4.ekzyis | <insert flag here> | works
If you don't mind sharing, please include which browser (and possibly version) and OS you are running.
For login with lightning, an LNbits instance is provided at https://lnbits.ekzyis.com/.
We recommend that you use the test version of Mutiny Wallet to test NWC. If you bring your own NWC wallet, we recommend that you delete the connection in your wallet afterwards.
If you want to post something on a site for some reason (all sites share the same database) and thus need some toy sats, drop an invoice in the comments and I will pay it from my local signet node.
I'll try to keep these sites up for the whole weekend so everyone has a chance to test them out, but I am not sure how easy that will be. They are all running on the same machine. So first come, first served!

1,000 sats paid 8 times
I believe we found the bug! I forgot to put a comma somewhere.
Thanks to everyone who participated so far!
And special thanks to @sudocarlos and @BitByBit21. It's not an error in your setup, it's a bug in our wallet detection.
I'll keep the sites up for a while but I think that's it.
reply
Hmm, indicator light is now green, but when I zap stuff it's using my SN balance even though NWC is set as default payment method. Is this expected until I deplete my SN balance?
reply
42 sats \ 6 replies \ @ek OP 17 Feb
Ah, yes, the naming "default payment method" is confusing. It's to select which attached wallet you want to use for sending if you have multiple attached.
And yes, we first use your sats on SN since they can be spent with 0 fees.
Glad it's green now!
reply
Zaps stuck on "payment pending cancel"
Wow, good job!
reply
🥳 thanks!
reply
Instance | Flag | Status
sn1 | w45_tH15_Y0vR_f1r57_c7F_b69d7117 | works
sn2 | w45_tH15_Y0vR_f1r57_c7F_c645fec4 | works
sn3 | w45_tH15_Y0vR_f1r57_c7F_4a6c3ac2 | works
sn4 | w45_tH15_Y0vR_f1r57_c7F_13b4d53c | works
The other two instances are not usable at the moment. I will add another comment if I get a chance to test them when they're usable. Or I'll edit this comment, if it happens in the next 10 minutes :)
And yes, this was my first CTF :)
reply
0 sats \ 1 reply \ @ek OP 17 Feb
For some reason I thought asking for a nicely formatted table like yours is too much to ask, haha. Thanks!
First blood! That usually gives extra points in a CTF.
reply
I like markdown, naturally I made a nice table haha
reply
sorry to say
Instance | Flag | Status
sn1 | w45_tH15_Y0vR_f1r57_c7F_cd2df6ee | does not work
sn2 | w45_tH15_Y0vR_f1r57_c7F_73bd7dd6 | does not work
sn3 | w45_tH15_Y0vR_f1r57_c7F_1ee5683d | does not work
sn4 | w45_tH15_Y0vR_f1r57_c7F_bf59c193 | does not work
PopOS 22.04, Firefox 122.01
reply
My issue is related to third party cookies
Console displays this:
Cookie "" has been rejected as third-party. v1
Request to access cookie or storage on "<URL>" was blocked because we are blocking all third-party storage access requests and content blocking is enabled. 2
Request to access cookie or storage on "https://relay.getalby.com/v1" was blocked because we are blocking all third-party storage access requests and content blocking is enabled.
Request to access cookie or storage on "https://relay.getalby.com/v1" was blocked because we are blocking all third-party storage access requests and content blocking is enabled.
Cookie "" has been rejected as third-party. v1
And it shows a "Learn more" link.
reply
10 sats \ 1 reply \ @ek OP 17 Feb
Seems like another wallet specific issue. So unrelated to our CSP. Thanks! Also very useful information. Will make sure Alby NWC works with SN.
update: Reading this again, actually not sure if this has anything to do with Alby.
Can you test with Mutiny Wallet?
reply
10 sats \ 0 replies \ @ek OP 17 Feb
Just tried it out with Alby NWC and have a red wallet indicator with no error message, too!
This must be it, thanks! We were dumbfounded by our CSP.
reply
10 sats \ 1 reply \ @ek OP 17 Feb
No worries! It's still helpful information. One instance has no CSP, so it's not related to CSP—at least for you. Which wallet did you try? @BitByBit21 mentioned here that it works with the test Mutiny Wallet but not with NWC 0.4.2 on umbrelOS 0.5.4, for example.
reply
I tested with Mutiny Wallet and it worked.
My original results were using NWC 0.4.2 on StartOS 0.3.5~1. I use this for zaps in Damus and it's working.
reply
4764 sats \ 0 replies \ @go 17 Feb
All 4 are green
  1. w45_tH15_Y0vR_f1r57_c7F_afbc1c32
  2. w45_tH15_Y0vR_f1r57_c7F_e268652e
  3. w45_tH15_Y0vR_f1r57_c7F_8d9a6749
  4. w45_tH15_Y0vR_f1r57_c7F_dad51034
iOS Mutiny PWA 0.5.8, in-PWA Safari browser
reply
sn1.ekzyis | w45_tH15_Y0vR_f1r57_c7F_b2f1503d | works
sn2.ekzyis | w45_tH15_Y0vR_f1r57_c7F_900e27b8 | works
sn3.ekzyis | w45_tH15_Y0vR_f1r57_c7F_4d086a07 | works
sn4.ekzyis | w45_tH15_Y0vR_f1r57_c7F_ad3aca25 | works
  • macOS 14.2.1
  • Brave 1.62.165
Keep up the good work!
reply
10 sats \ 3 replies \ @ek OP 17 Feb
What. One of those runs the same CSP as SN 🤔
Can you try NWC on SN again? Does it still not work?
Also, with "works" you mean that the NWC indicator is green, right?
reply
Can you try NWC on SN again? Does it still not work?
I just tried again on SN and it works with the test Mutiny wallet but not with my own NWC app. So it seems that the issue is related to my setup.
I'm running NWC 0.4.2 on umbrelOS 0.5.4.
Also, with "works" you mean that the NWC indicator is green, right?
Yup, all four had a green light!
reply
21 sats \ 1 reply \ @ek OP 17 Feb
Huh, interesting. Very interesting. That helps a lot with troubleshooting, thanks!
Need to try out different NWC wallets it seems. Will try your setup. Thanks again!
reply
Happy to help, thanks for all the sats!
reply
sn1.ekzyis | w45_tH15_Y0vR_f1r57_c7F_6defbb80 | works
sn2.ekzyis | w45_tH15_Y0vR_f1r57_c7F_6ee76c03 | works
sn3.ekzyis | w45_tH15_Y0vR_f1r57_c7F_d00e8005 | works
sn4.ekzyis | w45_tH15_Y0vR_f1r57_c7F_42669811 | works
Mullvad Browser using Alpine Linux
reply
12 sats \ 1 reply \ @ek OP 17 Feb
Thanks!
Alpine Linux. Interesting. Didn't know one can run a browser on it lol. Thought it's only used for minimal docker images.
reply
Yep, I use it as a daily driver!
reply
Also, I see this in the console on sn1:
The source list for the Content Security Policy directive 'script-src' contains an invalid source: ''unsafe-wasm-eval''. It will be ignored. sn1.ekzyis.com/:1
reply
0 sats \ 1 reply \ @ek OP 17 Feb
lol, thanks, I must have copied a wrong directive from somewhere and for some reason, I thought I can ignore that error because it's a "too new" directive. Double-checked it on MDN now. It's called wasm-unsafe-eval. Thanks! Fixed.
reply
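The console warning quoted above ('unsafe-wasm-eval' being ignored) and the OP's description of what a CSP does both come down to how the browser parses each directive's source list: a quoted token that is not a known keyword, nonce or hash is silently dropped, so a typo quietly loosens or breaks the policy. As an added example, not code from Stacker News or from anyone in this thread, here is a small checker that parses a Content-Security-Policy header and reports such invalid sources, plus 'unsafe-inline' and 'unsafe-eval' in script-src, which weaken the XSS protection the OP mentions. The policies and hostnames in it are constructed samples.

```javascript
// Added example, not Stacker News code: check a Content-Security-Policy
// header for source expressions browsers will ignore or that weaken the
// script-src protection. Sample policies and hostnames are constructed.

// Keyword sources defined by CSP Level 3. A quoted token that is not one of
// these (and not a nonce/hash) is invalid and silently dropped by browsers,
// which is exactly what the 'unsafe-wasm-eval' console warning meant.
const KEYWORD_SOURCES = new Set([
  "'self'", "'none'", "'unsafe-inline'", "'unsafe-eval'",
  "'wasm-unsafe-eval'", "'strict-dynamic'", "'unsafe-hashes'", "'report-sample'",
]);
const NONCE_OR_HASH = /^'(nonce-|sha256-|sha384-|sha512-)[A-Za-z0-9+/_-]+=*'$/;
const SCHEME_SOURCE = /^[A-Za-z][A-Za-z0-9+.-]*:$/; // e.g. data:, blob:, https:
const HOST_SOURCE = // e.g. wss://*.example.com:443/path
  /^([A-Za-z][A-Za-z0-9+.-]*:\/\/)?(\*|(\*\.)?[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*)(:(\d+|\*))?(\/\S*)?$/;
const WEAK_SCRIPT_KEYWORDS = new Set(["'unsafe-inline'", "'unsafe-eval'"]);

// Split "name src src; name src" into a Map of directive name -> source tokens.
function parsePolicy(header) {
  const directives = new Map();
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

// true if a browser would accept this token as a source expression.
function isValidSource(src) {
  if (KEYWORD_SOURCES.has(src) || NONCE_OR_HASH.test(src)) return true;
  if (src.startsWith("'")) return false; // quoted but unknown keyword: the typo case
  return SCHEME_SOURCE.test(src) || HOST_SOURCE.test(src);
}

// Returns one finding per problem: { directive, source, problem }.
function checkPolicy(header) {
  const findings = [];
  for (const [directive, sources] of parsePolicy(header)) {
    for (const source of sources) {
      if (!isValidSource(source)) {
        findings.push({ directive, source, problem: "invalid source; browsers ignore it" });
      } else if (directive === "script-src" && WEAK_SCRIPT_KEYWORDS.has(source)) {
        findings.push({ directive, source, problem: "weakens XSS protection" });
      }
    }
  }
  return findings;
}

// Constructed before/after policies: the misspelled keyword vs. the real one.
const POLICY_WITH_TYPO =
  "default-src 'self'; script-src 'self' 'unsafe-wasm-eval' https://cdn.example.com; " +
  "img-src 'self' data: blob:; connect-src 'self' wss://relay.example.com";
const POLICY_FIXED = POLICY_WITH_TYPO.replace("'unsafe-wasm-eval'", "'wasm-unsafe-eval'");

for (const [label, policy] of [["with typo", POLICY_WITH_TYPO], ["fixed", POLICY_FIXED]]) {
  console.log(label, checkPolicy(policy));
}
```

Run it with Node; the "with typo" policy yields a single finding on script-src for 'unsafe-wasm-eval', and the fixed policy yields none. The same checker can be pointed at the header a deployment actually sends, which is a cheaper way to catch a misspelled directive than waiting for a console warning in one browser.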
This was super fun, please organize another!
reply
100 sats \ 2 replies \ @ek OP 17 Feb
We need more bugs that are hard to reproduce lol
But I planned to create some spin-offs from real CTF challenges in ~security as mentioned in #373534. That will be the (weekly?) highlights of ~security hopefully. Need to take my job as founder of ~security more seriously!
edit: Oh, I only mentioned write-ups in #373534. But I think some real live CTF challenges would also be cool. Just for learning mostly.
reply
We need more bugs that are hard to reproduce lol
Careful what you wish for lol
But I planned to create some spin-offs from real CTF challenges in ~security as mentioned in #373534. That will be the (weekly?) highlights of ~security hopefully. Need to take my job as founder of ~security more seriously!
edit: Oh, I only mentioned write-ups in #373534. But I think some real live CTF challenges would also be cool. Just for learning mostly.
I eagerly await this!
reply
I eagerly await this!
Just like you wait until I am done editing my comments haha
reply
I am seeing these errors on sn4 node, so I can't login. Similar to doofus' comment
reply
Thanks, fixed! I thought when one instance went up, I can create a new build in the same folder without an issue. Apparently, that's not the case. Every instance has its own folder now.
reply
This probably doesn't qualify yet, because the login button and login with lightning button didn't work with the 2, 3, and 4. I'm not sure where on the SN page to view the flag for the first one.
sn1.ekzyis | <insert flag here> | works
sn2.ekzyis | <insert flag here> | login button doesn't work
sn3.ekzyis | <insert flag here> | login button doesn't work
sn4.ekzyis | <insert flag here> | login button doesn't work
reply
I'm not sure where on the SN page to view the flag for the first one.
You should see it on /settings/wallets when NWC is configured.
reply
Oh no, I had this button issue before but I thought I fixed it even though I am not sure what caused it 🤔
Let me see, I probably have to rebuild. But should only take a few minutes.
update: Mhh, I think I found the issue. Restarted sn2 and now sn1 login button no longer works. Can't run all four apps from the same folder, I think. Will create separate folders for each one.
update: login buttons for sn1 and sn2 should work now. sn3 and sn4 coming up.
reply
Nice use of bounty and crowdfunded troubleshooting, great analysis work.
reply
In hindsight, the bug is obvious though haha. But I guess that's always easy to say in hindsight.
Thank you for the kind words! I also had some fun thinking about how to set this up.
reply
63 sats \ 5 replies \ @ek OP 17 Feb
cautiously mentioning @benthecarman, @justBrian, @sudocarlos and @BitByBit21 since they mentioned they are stuck with red indicators 👀
Do you mind trying this out for 4k sats? I would be very interested in the results.
reply
Done! :-)
reply
Will try tonight and report back
reply
I tested all 4 and got a red dot... I'm using NWC via Start9
reply
works now! 🙂
reply
Cool! 😎
reply