What is Nostr?
Host
npub1ehg…qe5t
2023-12-03 19:45:48

Host on Nostr: nostr:note1maafh0nk7ytned6twcw7aq04svuhmxu609pf3wwu9l9r50r4clvqhjf8st This is what ...

# Summary

A user lost 180,000 sats due to a series of unfortunate events involving nostr clients, user error, lack of validation checks, lack of key rotation or mitigation approaches.

# What happened

On Saturday 2023 December 2, a user had their profile set to a zeuspay address. Zeuspay addresses are not readily zappable as the receiver needs to acknowledge each zap sent to them. A request was made that they change their lightning address.

The user chose to change to the getalby address that they had previously setup. After entering an older incorrect value, they went to update their profile, but then managed to accidentally post their LND Wallet connection string instead.

A fellow nostrich realized their mistake and informed them. The user began setting up a stacker.news account, while helper connected via bluewallet using the connection string and moved funds out. Helper noted to user that the alby account can't create a separate wallet per account or rotate to new wallet and in order to continue using getalby, they would need to establish an entirely new alby account with a different email. The funds were sent from helper to user's new stacker.news account.

After this, the user linked their stacker.news account with the alby account having the compromised wallet. The user moved some funds to a different account. Later, after going to sleep, the user found remaining funds were pulled from their stacker.news account. It's believed that Zeus wallet or Bluewallet was used with the wallet connection information to LNURL-Auth login to stacker.news

User believes their NSEC was compromised as well and has setup new Nostr account, marked old as compromised and establishing new wallets for zaps.


# Realizations

Not only do Nostr keys have no key rotation, LNURL-Auth suffers from this as well. While implementation approaches can be done, we need to get more work in this area to establish common, consistent patterns for how to rotate to new keys, wallets, etc.

In the case of a lightning wallet being compromised its quite severe as different services have no way to know the wallet is compromised as there is by design no central server to query against.


----

# Recomendations

## Users

- Take extra caution when setting up wallet connect information and lightning address in your preferred clients.

- Make note of where your lightning address and wallet connection information is being used. E.g., track in a password manager.

- Be prepared to immediately take steps to update if ever compromised.

- Where possible, use a dedicated lightning wallet (without funds) for LNURL Auth logins, separate from your extensions for logging in and signing events for Nostr.


## General Nostr Clients

- Where user profiles can be edited, add appropriate validation checks on the LUD06 and LUD16 fields. There are plenty of profiles with junk data that dont make sense.

- LUD06 should be deprecated, but should be a LNURL string if provided.

- LUD16 should be preferred, and only allow for values in username@domain format. Here's a sample regex:

`[a-z0-9-_]*@(([a-zA-Z]{1})|([a-zA-Z]{1}[a-zA-Z]{1})|([a-zA-Z]{1}[0-9]{1})|([0-9]{1}[a-zA-Z]{1})|([a-zA-Z0-9][a-zA-Z0-9-_]{1,61}[a-zA-Z0-9]))\.([a-zA-Z]{2,6}|[a-zA-Z0-9-]{2,30}\.[a-zA-Z]{2,3})`





## LNDHub, LNBits, Accounts type systems

- Add support for rotating from a compromised wallet account to a new one.
- Users and Admins should be able to mark a wallet as compromised.
- No spends should be able to performed from the account.
- Received funds should instead be diverted to replacement wallet.
- Can continue allowing LNURL-Auth to function
- Enhance API calls to ascertain if a wallet is marked as compromised

## Blue Wallet, Zeus, any using LNDHub like accounts

- Add support for any new API calls that can indicate a wallet as compromised
- Recommend separation of wallets used for receiving value vs for LNURL-Auth


## Alby Recommendations

- Where Wallet Connection warning is, make it more prominent. Use bold red colors. Inform the user that this gives full access to the wallet and is non-revocable.

- Add support for multiple wallets on an alby account. Preferably one per subaccount.

- See notes for LNDHub about handling compromised wallets.









This is what happened. #asknostr
Author Public Key
npub1ehg5cqekjlj2jqqhc7z9y2sjq4am42dntahcyn225twv9xdu2m2sl5qe5t