A post mortem on this exploit if you're curious. The attacker paid a hold invoice as expected, but force-closed the channel immediately on first confirmation of the funding transaction, which is very much not expected. That basically broke the signalling chain such that publsp expected an 'OPEN' status but it never got it since the default number of confirmations for the LN implementation to send the 'OPEN' is 3. So the preimage needed to settle the invoice was never released. That's the second problem. The preimage needs to be released in order to actually claim the attacker's payment, but persistence was in memory only, and after the dust settled on what happened, the preimage was effectively gone, thus dashing any hope of claiming the lost funds. The HTLC will have expired and the attacker will have walked away with the pushed funds.

Heartbreaking story, but also the beginning of a great new journey. All the best.

If only life were that simple

Peak LLM is already upon us?

The year 2017 called, they want their bad narrative back.

In lnd I'm not sure the OpenChannel endpoint has control over that. Just 1 conf seems risky to me for other reasons, like a reorg happening after the channel has been used to spend.

Regretfully, just several hours ago an attacker took advantage of some still unknown exploit in the LSP liquidity leasing flow in publsp and liquiditystr. The tldr is that the attacker managed to get some LSPs, including myself, to lease liquidity with some initial balance on the attacker's side but without paying the full amount for that pushed balance. Through some small miracle I picked up on it relatively early on. I managed to get in touch with the LSPs that had active ads to help mitigate the impact of the exploit but, despite my best efforts, other LSPs have also lost funds in this attack. To be honest, I think that's the part that hurts more than the funds I lost. Others trusted the project enough to give it a try but ultimately got burned by something I built. I'm gutted over the fact that some node runners have lost some of their hard earned sats, and I'm truly very sorry this happened. I'm still bullish on the vision of more decentralized marketplaces over nostr, including one for Lightning liquidity. However, for the moment I'm too shaken by the events that took place that I'm going to step back for a while and figure out how to be better.

https://github.com/djkazic/abacus 👀