8.1 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
6.7 Medium
AI Score
Confidence
High
0.0004 Low
EPSS
Percentile
9.1%
Paying invoices in Eclair that do not get settled within the internal timeout (about 30s) lead to a payment being considered failed, even though it may still be in flight.
Using blocking: true
on the API call will lead to a timeout error if a payment does not get settled in the 30s timeout with the error: Ask timed out on [Actor[akka://eclair-node/user/$l#134241942]] after [30000 ms]. Message of type [fr.acinq.eclair.payment.send.PaymentInitiator$SendPaymentToNode]. A typical reason for AskTimeoutException is that the recipient actor didn't send a reply.
https://github.com/lnbits/lnbits/blob/c04c13b2f8cfbb625571a07dfddeb65ea6df8dac/lnbits/wallets/eclair.py#L138
This is considered a payment failure by parts of the code, and assumes the payment is not going to be settled after:
https://github.com/lnbits/lnbits/blob/c04c13b2f8cfbb625571a07dfddeb65ea6df8dac/lnbits/wallets/eclair.py#L144
https://github.com/lnbits/lnbits/blob/c04c13b2f8cfbb625571a07dfddeb65ea6df8dac/lnbits/wallets/eclair.py#L141
https://github.com/lnbits/lnbits/blob/c04c13b2f8cfbb625571a07dfddeb65ea6df8dac/lnbits/wallets/eclair.py#L146
The best way to fix this is to check the payment status after an error, and when not sure, always consider a payment still in flight.
A very simple way to exploit this is:
This vulnerability can lead to a total loss of funds for the node backend.
8.1 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
6.7 Medium
AI Score
Confidence
High
0.0004 Low
EPSS
Percentile
9.1%