The [getBolt11](https://github.com/ealvar13/hd-quiz-bitcoin-rewards/blob/30817af5f53c4da9b7dce593f77e37762a0f5dbc/custom-functions.php#L55) function also has an exploitable flaw:

It asks the external (!) Bolt11 server for parameters related to the user-provided address, and honors **minSendable** in a funny way:

> $minAmount = $lnurlDetails->minSendable;
> $payAmount = ($amount * 1000 > $minAmount) ? $amount * 1000 : $minAmount;

An attacker can use an address that leads to an attacker-controlled Bolt11 resolver, which returns an absurdly high minimum. The logic above will then use that (instead of the amount due)!



random_

bitdevs

BOUNTY: HACK ME! Steal sats from the Bitcoin Mastermind Quiz (If You Can 💀)

ealvar39

There is a check in [lightning_address.php line 280](https://github.com/ealvar13/hd-quiz-bitcoin-rewards/blob/30817af5f53c4da9b7dce593f77e37762a0f5dbc/bitcoin-mastermind-rewards/includes/lightning_address.php#L280).

Why is that not working at all?

Because it's checking the **totalSats** parameter provided by the client, not the value encoded in the invoice (provided in the first call as **amount=10**)!