10 sats \ 8 replies \ @Scroogey 31 Jan \ on: BOUNTY: HACK ME! Steal sats from the Bitcoin Mastermind Quiz (If You Can 💀) bitdevs
It seems I can repeatedly send two requests and get more than 3 times the payout:
Take the invoice from the response and put it into
Ad infinitum...
reply
There is a check in lightning_address.php line 280.
Why is that not working at all?
Because it's checking the totalSats parameter provided by the client, not the value encoded in the invoice (provided in the first call as amount=10)!
reply
The getBolt11 function also has an exploitable flaw:
It asks the external (!) Bolt11 server for parameters related to the user-provided address, and honors minSendable in a funny way:
$minAmount = $lnurlDetails->minSendable; // minimum taken from the LNURL response of whatever server the address points at
$payAmount = ($amount * 1000 > $minAmount) ? $amount * 1000 : $minAmount; // pays the larger of the two, so a high minimum wins
An attacker can use an address that leads to an attacker-controlled Bolt11 resolver, which returns an absurdly high minimum. The logic above will then use that (instead of the amount due)!
Interesting! It doesn't boot your request after 3 tries with the same lightning address?
reply
It seems to rely on the client sending a request to get itself counted:
The client can simply skip this call to get endless calls.
All the logic should be in the server: use a single call to submit the answers, and have the server count the address, generate and pay the invoice in one step. You can't rely on the client following any expected procedure. Hackers will do any call in any order with any parameter to exploit you.
reply
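As an added example (not code from the quiz or from anyone in this thread; the quiz's PHP is not on this page), here is a Python sketch of the single-step server flow the last reply argues for. It covers the three findings above: the claim is counted at submission rather than by a separate client call, the amount due is computed server-side and checked against what the BOLT11 invoice actually encodes (not a client-supplied total), and a `minSendable` above the amount due causes a refusal instead of raising the payout. The answer key, the 10-sats-per-answer rule, the 3-claim limit, the `resolve` callback standing in for the LNURL-pay round trip, and the invoice strings are all constructed assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

MSAT_PER_BTC = 100_000_000_000
# BOLT11 multipliers: the human-readable-part amount is in BTC divided by these.
DIVISORS = {"": 1, "m": 10**3, "u": 10**6, "n": 10**9, "p": 10**12}
HRP_RE = re.compile(r"^ln(bcrt|tbs|tb|bc)(\d+)?([munp])?$")

# Constructed policy values (assumptions, not the quiz's real rules).
MAX_CLAIMS_PER_ADDRESS = 3
SATS_PER_CORRECT_ANSWER = 10


def invoice_amount_msat(invoice: str) -> Optional[int]:
    """Amount encoded in a BOLT11 invoice's human-readable part, in msat.
    Returns None for an amountless invoice; raises ValueError if malformed.
    Only the HRP is parsed; signature and payment-hash checks are left to the
    paying node."""
    hrp = invoice.strip().lower().rsplit("1", 1)[0]  # bech32 separator is the last "1"
    m = HRP_RE.match(hrp)
    if not m:
        raise ValueError("not a BOLT11 invoice")
    digits, unit = m.group(2), m.group(3) or ""
    if digits is None:
        if unit:
            raise ValueError("multiplier without amount")
        return None
    if digits.startswith("0"):
        raise ValueError("amount must be a positive integer without leading zeros")
    total = int(digits) * MSAT_PER_BTC
    if total % DIVISORS[unit]:
        raise ValueError("amount is not a whole number of millisatoshi")
    return total // DIVISORS[unit]


def hrp_amount(msat: int) -> str:
    """Encode an msat amount the way a BOLT11 HRP does (smallest unit that fits)."""
    for unit, d in DIVISORS.items():
        if (msat * d) % MSAT_PER_BTC == 0:
            return f"{msat * d // MSAT_PER_BTC}{unit}"
    raise ValueError("unrepresentable amount")


# resolve(address, amount_msat) -> (min_sendable_msat, bolt11) stands in for the
# LNURL-pay round trip against the server behind the address, which the payer
# does not control and must treat as untrusted.
Resolver = Callable[[str, int], Tuple[int, str]]


@dataclass
class PayoutServer:
    answer_key: Dict[str, str]
    claims: Dict[str, int] = field(default_factory=dict)   # address -> claims used
    paid: List[Tuple[str, int]] = field(default_factory=list)

    def submit_and_pay(self, address: str, answers: Dict[str, str], resolve: Resolver) -> str:
        # 1. Count the claim here, so there is no separate "count me" call to skip.
        used = self.claims.get(address, 0)
        if used >= MAX_CLAIMS_PER_ADDRESS:
            return "refused: claim limit reached"
        self.claims[address] = used + 1
        # 2. The amount due comes from grading, never from a request parameter.
        correct = sum(1 for q, a in answers.items() if self.answer_key.get(q) == a)
        due_msat = correct * SATS_PER_CORRECT_ANSWER * 1000
        if due_msat == 0:
            return "refused: nothing due"
        # 3. minSendable may only stop the payout, never raise it.
        min_msat, bolt11 = resolve(address, due_msat)
        if min_msat > due_msat:
            return "refused: minSendable above amount due"
        # 4. Pay only an invoice that encodes exactly the amount we computed.
        try:
            encoded = invoice_amount_msat(bolt11)
        except ValueError as e:
            return f"refused: {e}"
        if encoded != due_msat:
            return "refused: invoice amount mismatch"
        self.paid.append((address, due_msat))
        return f"paid {due_msat} msat"


# Constructed resolvers: an honest one and one pointing at an attacker-run server.
def honest_resolver(address: str, amount_msat: int) -> Tuple[int, str]:
    return 1000, f"lnbc{hrp_amount(amount_msat)}1pfakedataqqq"


def greedy_resolver(address: str, amount_msat: int) -> Tuple[int, str]:
    return 10**9, "lnbc10m1pfakedataqqq"  # demands 0.01 BTC regardless of amount due


if __name__ == "__main__":
    server = PayoutServer({"q1": "a", "q2": "b", "q3": "c"})
    answers = {"q1": "a", "q2": "b", "q3": "x"}  # two correct -> 20 sat
    print(server.submit_and_pay("alice@example.invalid", answers, honest_resolver))
    print(server.submit_and_pay("mallory@example.invalid", answers, greedy_resolver))
```

The point of step 4 is that the check compares the server's own number against the invoice, so a client-supplied total never enters the decision; step 3 makes the untrusted `minSendable` a reason to refuse rather than an input to the amount.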