Coinos Incident Report
On Tuesday, January 12, between 6:25pm and 8:20pm PST, an attacker exploited two flaws in coinos' application server code that allowed them to withdraw funds from the server's lightning node that they were not entitled to, totalling 0.24551673 BTC.
Both flaws were caused by improperly implemented database transaction locking, which resulted in simultaneous payment requests being handled incorrectly.
The first flaw allowed the attacker to send a payment to their own username and see their balance increase by whatever amount was sent. This happened because a self-payment generated two requests, one debiting the account and one crediting it by the same amount, but the crediting request read the account balance before the debiting request had completed, so the credit wrote back a stale balance and the debit was lost.
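The race described above, reproduced as an added example (not coinos' own code): a constructed SQLite ledger with integer satoshi balances (an assumed schema), a read-modify-write handler that can be interleaved step by step, and a fixed version that does the arithmetic inside one write-locked transaction.

```python
import sqlite3


def make_db(start_balance=100_000):
    # Constructed in-memory ledger; integer satoshi balances are an assumption,
    # not coinos' real schema. Autocommit mode so the explicit BEGIN below works.
    db = sqlite3.connect(":memory:", isolation_level=None)
    db.execute("CREATE TABLE accounts (username TEXT PRIMARY KEY, balance INTEGER NOT NULL)")
    db.execute("INSERT INTO accounts VALUES ('mallory', ?)", (start_balance,))
    return db


def balance(db, user):
    return db.execute("SELECT balance FROM accounts WHERE username = ?", (user,)).fetchone()[0]


def rmw_handler(db, user, delta):
    # Vulnerable pattern: read the balance in application code, then write back
    # seen + delta. The yield is the point where the other request can run.
    seen = balance(db, user)
    yield
    db.execute("UPDATE accounts SET balance = ? WHERE username = ?", (seen + delta, user))


def self_pay_vulnerable(db, user, amount, order):
    # Drives the debit and credit handlers in the given step order. The order
    # ["debit", "credit", "debit", "credit"] reproduces the report's race: the
    # credit reads the balance before the debit has written, so the debit is lost.
    steps = {"debit": rmw_handler(db, user, -amount), "credit": rmw_handler(db, user, +amount)}
    for name in order:
        next(steps[name], None)
    return balance(db, user)


def self_pay_fixed(db, user, amount):
    # Both legs in one transaction that takes the write lock up front, with the
    # arithmetic done by the database, so a stale balance can never be written back.
    db.execute("BEGIN IMMEDIATE")
    try:
        cur = db.execute(
            "UPDATE accounts SET balance = balance - ? WHERE username = ? AND balance >= ?",
            (amount, user, amount),
        )
        if cur.rowcount != 1:
            raise ValueError("insufficient funds")
        db.execute("UPDATE accounts SET balance = balance + ? WHERE username = ?", (amount, user))
        db.execute("COMMIT")
    except Exception:
        db.execute("ROLLBACK")
        raise
    return balance(db, user)
```

Running the vulnerable handler with the raced order leaves the account 5,000 sats richer after paying itself 5,000 sats, while the sequential order and the fixed version both leave the balance unchanged.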
I happened to notice in the server logs an account sending itself payments and doubling their value each time. An emergency patch was committed and deployed at 6:51p