https://youtu.be/GBgL5EE0wd4

That's brutal.

random_

bitdevs

BOUNTY: HACK ME! Steal sats from the Bitcoin Mastermind Quiz (If You Can 💀)

ealvar39

The [getBolt11](https://github.com/ealvar13/hd-quiz-bitcoin-rewards/blob/30817af5f53c4da9b7dce593f77e37762a0f5dbc/custom-functions.php#L55) function also has an exploitable flaw:

It asks the external (!) Bolt11 server for parameters related to the user-provided address, and honors **minSendable** in a funny way:

> $minAmount = $lnurlDetails->minSendable;
> $payAmount = ($amount * 1000 > $minAmount) ? $amount * 1000 : $minAmount;

An attacker can use an address that leads to an attacker-controlled Bolt11 resolver, which returns an absurdly high minimum. The logic above will then use that (instead of the amount due)!

