# One more LNbank Vulnerability

Yesterday I received a report about another critical vulnerability in LNbank. Especially with regard to the recent vulnerability, this is extremely sad and painful.

I will not go into detail about the vulnerability, but urge people to upgrade to LNbank v1.9.2! The new version fixes this particular vulnerability and also completely disables the sending functionality.

v1.9.2 will be the last version of LNbank, and everyone using the plugin should phase out its usage, especially if you are running it on an instance that offers public registration for everyone.

# Pulling the plug

I am discontinuing the development of LNbank because for now there is no way for me to guarantee the safety of its usage. I formed this decision a few days after the first report, but needed to ensure this isn’t because of emotions. So I wanted to wait and think about this until after Christmas — this unfortunate incident now being the final validation.

There seem to be more users of LNbank than I expected or heard of, quite a few running it in the open. I simply don’t want any further losses due to this plugin.

In response to the first vulnerability announcement there was this comment by Tony Giorgio, which encapsulates the essence of it:

> There’s millions of dollars sunk into securing custodial funds. While it is completely irresponsible to hook up your life savings into an LN node, let alone external plugins, this is perhaps something that should not exist in the first place.

# Sunsetting LNbank and its usage

v1.9.2 fixes the particular vulnerability and also completely disables the sending functionality. It is an additional security measure to prevent any further loss.

Unfortunately, it also means your users will not be able to pay out their funds themselves anymore. This has to be done via the Lightning node CLI or third-party tools like RTL or Thunderhub.

The instance admin can see an overview of the users, their wallets and aggregated balances in the LNbank admin section (`/plugins/lnbank/admin`). Admins can get to it via the settings symbol on the top right of the general LNbank page, which also contains the personal wallet overview.

If you have trouble upgrading to LNbank v1.9.2, please first uninstall the plugin and reinstall it afterwards. You will not lose the data during uninstall; only the plugin code is removed from the file system. The data is kept in the database and will be present on reinstall.

If you need further assistance, please contact me (d11n) on our Mattermost.

Sorry for the inconvenience!