👉 CVE-2020-26896: LND Invoice Preimage Extraction

Prior to v0.11.0-beta, an lnd node could be coerced into revealing an invoice preimage for a forwarded HTLC with a colliding payment hash. This can be exploited to a) weaken the victim’s receiver privacy by confirming the destination of an HTLC, and/or b) under certain circumstances, result in loss of funds to the victim by believing the invoice was paid when it only received routing fees. We have no evidence of either case being exploited in the wild.

Summary: Lightning-dev