Proof-of-Payment (PoP) Login on Lightning Network Apps
MicroBet is a bitcoin prediction and betting game that lives on top of the Lightning Network. It started as a proof of concept but with time people started to use it regularly and is working pretty well and stable.
Since MicroBet was launched months ago, I wanted it to be very simple to use but I also wanted to keep the user privacy that Lightning Network provide us. This is why it never asks the user any information, not even a username.
In order to give to the user a better experience, a cookie session is created when the user makes the first payment. With this session, if the user wants to participate in other predictions he/she can see them on the my bets section to keep track of the user activity. but the question is if the user needs to logout, how the system will know which person owns which account?
The easy answer to this is with the preimage. I experimented with this by allowing people to recover their session only with the payment preimage during a few months, I wanted to see if users finds this useful. During that time this option was allowed the site was receiving a small number of weekly transactions with the majority of them being 100 satoshis, for the sake of science I was willing to pay to the users if anything goes wrong.
The preimage is the secret number that the payee gives to the payer as a proof of payment. The problem is that this number is not so secret; the payer node creates a route of nodes to send the money to the payee, during which each node in the route exchanges the money for the same preimage which is then finally delivered to the payer, I’m not going to explain in detail the payment process because it is not the subject of this post and there’s a lot of useful resources explaining this out there. Google is your friend 😃
This is where the problem arrives; after the payment has been delivered, all the nodes in the route have knowledge of the same preimage. A node forwarding money only knows where the money came from and where it is going but nothing more. This means that is difficult for an attacker to know what to do with a preimage, but easily an attacker can open a channel directly with a final node like MicroBet node and save all the preimages that he forwarded, then make a bruteforce attack and try to get some funds from other user.
I’ve been thinking on how to keep this feature without puting in risk the users funds and finally I decided to use a very simple concept, one decoded bolt11 payment request look like this:
"description": "Lay bet: Liverpool FC - Everton FC → EVE 🏆 +1 [dKLwm]",
The payer doesn’t need more information than this to send a payment. We can see there’s a description field, this description field stays on the payer side. That gives us a place where we can add a small id, that I call sid and is a pseudo random five char string composed of letters (upper/lower case) and numbers. Currently this string is only 5 chars, yet if an attacker tries to bruteforce it he/she will need to make k-permutations of n or 62⁵ which is equal to 916,132,832 combinations per each preimage, and if we take in consideration that MicroBet site only allows 10 request by minute by IP address, the attacker will need 174 years to hack one preimage. Good luck with that.
Lightning Network is in a very interesting moment, when is our duty to experiment and apply ideas, it doesn’t matter if they are dumb ideas because they still lead us to more questions and then to more thinking and solutions, if you have something in your mind, just build on it and we’ll see what happen.
So this is it! If you have suggestions about this way of session-recovering or think I’m not considering other security risk just let me know in the comments, I always like to know more about security and how to improve it on my systems. If you want to know more about my work you can follow me on twitter (@negrunch).