Skip to content

v0.1.3 - Apr 30, 2025 - "Routing Unicode in 2025"

Compare
Choose a tag to compare
@TheBlueMatt TheBlueMatt released this 25 May 15:55
· 1130 commits to main since this release
b4d5fe2

Bug Fixes

  • Event::InvoiceReceived is now only generated once for each Bolt12Invoice
    received matching a pending outbound payment. Previously it would be provided
    each time we received an invoice, which may happen many times if the sender
    sends redundant messages to improve success rates (#3658).
  • LDK's router now more fully saturates paths which are subject to HTLC
    maximum restrictions after the first hop. In some rare cases this can result
    in finding paths when it would previously spuriously decide it cannot find
    enough diverse paths (#3707, #3755).

Security

0.1.3 fixes a denial-of-service vulnerability which cause a crash of an
LDK-based node if an attacker has access to a valid Bolt12Offer which the
LDK-based node created.

  • A malicious payer which requests a BOLT 12 Invoice from an LDK-based node
    (via the Bolt12InvoiceRequest message) can cause the panic of the
    LDK-based node due to the way String::truncate handles UTF-8 codepoints.
    The codepath can only be reached once the received Botlt12InvoiceRequest
    has been authenticated to be based on a valid Bolt12Offer which the same
    LDK-based node issued (#3747, #3750).