Do modern Bitcoin wallet software keep a memory of all previously used h1s? The spec for lnurl-auth calls for randomly generated h1s, however, suppose a malicious website (or compromised website) wanted to derive the private key of lnurl-auth users to steal funds. Could going against the spec as written, allow for an attacker, to steal funds?

Related thread on finding ECDSA private key due to k reuse. https://bitcoin.stackexchange.com/questions/35848/recovering-private-key-when-someone-uses-the-same-k-twice-in-ecdsa-signatures