This is a really cool idea and an awesome new project to try out.
The BIG downside I see with this is that whoever can read the contents of the NFC chip has access to the LNURL-withdraw link and can thus drain the entire node's funds.
Am I seeing this correctly or am I missing something?
There's a maxWithdrawable value, so I'm guessing the card can be configured to be used X times and up to N sats per transaction.
I think. I pretty much only know LN in general, and am not very familiar with LNURL specifically. Maybe someone else who sees this and knows the answer can pipe in.
If so, this means that still anyone could pull X*N sats in total. Like this, the implementation doesn't seem to be usable in the real world yet. There would have to be some security mechanism in place to make a payment link non-reusable.
Even entering some sort of PIN doesn't seem to be a fitting solution as this PIN — once entered into a POS terminal — could then be used with the respective LNURL-withdraw link to pull funds as one pleases.
If someone more knowledgeable could clear up any mistakes I made in my reasoning, I'd really appreciate it.
Any ideas yet on how to overcome these issues?
Damn it boomers! Now you have no excuse to use LN!
capitulate to lnurl already. it's lightning magic.
The full thread, unrolled:
Thread by @thedavidcoen on Thread Reader App
https://threadreaderapp.com/thread/1524000406984142850.html
The How-To:
Send payments with a NFC tag and a BTCpay Server POS
https://github.com/theDavidCoen/LightningNFC/blob/main/README.md#send-payments-with-a-nfc-tag-and-a-btcpay-server-pos
The video from this Tweet is also available on Youtube:
Offline Lightning Network payment from a NFC card thanks to BTCpay's LNURL NFC Support plugin
https://www.youtube.com/watch?v=4m-FQoUAs50