The plugin that lets BTCPay Server users accept Lightning payments without running their own node is being discontinued after two vulnerabilities were found in it within roughly two weeks of each other.
BTCPay Server, the open-source software enabling Bitcoin payments, allows the development and addition of advanced features through an external plugin system.
LNbank is an external plugin that lets the administrator of a BTCPay Server instance act as custodian of funds for that instance's users: users get a wallet backed by the administrator's Lightning node and can receive and send Lightning payments through it without running a node of their own.
Two bugs in two weeks
In just over two weeks, two severe vulnerabilities were found in LNbank, leading Dennis Reimann, the plugin's developer, to halt its development.
The first bug allowed liquidity to be drained from the Lightning node of the BTCPay Server instance administrator, the node that backs every LNbank wallet on that instance, and caused real losses for some instance administrators. One administrator reported losing 4 BTC.
On December 25th, the BTCPay Server team identified a second vulnerability in version 1.9.0 of the plugin.
To mitigate the issue, the BTCPay Server team urges everyone running the LNbank plugin to update immediately to the newly released version 1.9.2, which fixes the vulnerability and, as an additional safeguard, disables the transaction-sending functionality entirely.
Despite the update, Dennis Reimann has stated that version 1.9.2 will be the last release of LNbank, and advises all users of the plugin to phase out its use over time, especially on instances that allow open registration, where anyone who signs up obtains a wallet backed by the administrator's node.
Both vulnerabilities affect only instances with the LNbank plugin enabled. Users who have not installed or enabled it are unaffected and need not take any action.