Closed
Description
As of #167 we track HTLCs separately as required by BOLT 2 for privacy. However, we currently reject/accept all to-us HTLCs at once when the user gives us a preimage/no-such-preimage callback. This allows an attacker to (in a really race-y way) query us if we are the intended recipient of a payment that was routed through them by simply sending us a small value HTLC with the same hash as the one they saw. This will likely require an API change, and users may end up needing to do something like tracking the expected value of a payment and only fulfilling HTLCs that match the expected value (to the single-msat level).
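One way to implement the per-HTLC, exact-amount check the description calls for, shown here as an added Python illustration rather than code from the issue or from the project; the HTLC and invoice structures, function names and sample values are constructed for the example, and the fulfill-only-once rule goes slightly beyond what the description states:

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class InboundHtlc:
    htlc_id: int
    payment_hash: bytes
    amount_msat: int


@dataclass
class ExpectedPayment:
    preimage: bytes
    amount_msat: int
    claimed: bool = False


def naive_decisions(htlcs, known):
    """Behaviour the issue describes: one preimage callback settles every
    to-us HTLC carrying that hash, so an attacker's small probe HTLC with a
    copied hash is fulfilled too and reveals that we are the recipient."""
    return {h.htlc_id: ("fulfill" if h.payment_hash in known else "fail")
            for h in htlcs}


def strict_decisions(htlcs, known):
    """Per-HTLC decision: fulfill only an HTLC whose amount equals the
    invoice amount to the msat, and only once per invoice; everything else
    is failed exactly as if we held no preimage, so a probe learns nothing."""
    out = {}
    for h in htlcs:
        exp = known.get(h.payment_hash)
        if exp is not None and not exp.claimed and h.amount_msat == exp.amount_msat:
            exp.claimed = True
            out[h.htlc_id] = "fulfill"
        else:
            out[h.htlc_id] = "fail"
    return out


def sample_scenario():
    """Constructed sample: one genuine 100,000 msat payment, one tiny probe
    reusing its hash, and one duplicate at the right amount."""
    preimage = bytes(range(32))  # constructed preimage, not a real one
    payment_hash = hashlib.sha256(preimage).digest()  # BOLT: hash = SHA256(preimage)
    known = {payment_hash: ExpectedPayment(preimage, 100_000)}
    htlcs = [
        InboundHtlc(0, payment_hash, 100_000),  # genuine payment
        InboundHtlc(1, payment_hash, 1_000),    # probe: same hash, wrong amount
        InboundHtlc(2, payment_hash, 100_000),  # second copy at the right amount
    ]
    return htlcs, known
```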