Monero and locked payments

2022-11-30

We use our own instance of BTCPay Server to process payments with Monero and Bitcoin.

On November 19, 2022, we received a message from Mochi101 informing us about an issue for recipients of Monero transactions that also affects BTCPay Server.

Using a purchase on our shop digitalgoods.proxysto.re as an example, they showed that a Monero payment was received (block 2,759,573) and confirmed (block 2,759,583), after which the digital goods were delivered, although the funds only became available to us at a later block (2,760,291). Senders could lock the payment for recipients for days, weeks, or even years by setting the unlock_time appropriately.
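The gap between "confirmed" and "spendable" described above, as an added example that is not BTCPay Server's code or its fix: a settlement check that looks at `unlock_time` as well as confirmations. The transfer records are constructed, the function names are hypothetical, and the lock value 2,760,291 is assumed from the block at which the funds became available.

```python
# Added illustration: merchant-side settlement check for an incoming Monero transfer.
# Monero reads unlock_time below this constant as a block height, otherwise as a UNIX timestamp.
MAX_BLOCK_NUMBER = 500_000_000

def naive_state(transfer, chain_height, required_confirmations=10):
    """Confirmation count only: the behaviour that allowed delivery against locked funds."""
    confirmations = chain_height - transfer["height"]
    return "settled" if confirmations >= required_confirmations else "pending"

def unlock_delay(transfer, chain_height, now):
    """Return (unit, remaining) while a sender-set lock is active, else None.

    Simplification (assumption): the lock counts as expired once the chain height or
    clock reaches unlock_time; the small tolerances wallets apply are ignored.
    """
    unlock_time = transfer.get("unlock_time", 0)
    if unlock_time == 0:
        return None  # no sender-set lock, only the standard confirmation wait
    if unlock_time < MAX_BLOCK_NUMBER:
        remaining = unlock_time - chain_height
        return ("blocks", remaining) if remaining > 0 else None
    remaining = unlock_time - now
    return ("seconds", remaining) if remaining > 0 else None

def payment_state(transfer, chain_height, now, required_confirmations=10):
    """Release goods only for 'settled': enough confirmations and no active lock."""
    if naive_state(transfer, chain_height, required_confirmations) == "pending":
        return "pending"
    if unlock_delay(transfer, chain_height, now) is not None:
        return "locked"
    return "settled"

# Constructed records using the field names of a wallet RPC transfer entry.
NORMAL = {"txid": "<placeholder-1>", "height": 2_759_573, "unlock_time": 0}
BLOCK_LOCKED = {"txid": "<placeholder-2>", "height": 2_759_573, "unlock_time": 2_760_291}
TIME_LOCKED = {"txid": "<placeholder-3>", "height": 2_759_573, "unlock_time": 1_700_000_000}

if __name__ == "__main__":
    now = 1_669_000_000  # constructed clock value, late November 2022
    for tx in (NORMAL, BLOCK_LOCKED, TIME_LOCKED):
        print(tx["txid"], naive_state(tx, 2_759_583),
              payment_state(tx, 2_759_583, now), unlock_delay(tx, 2_759_583, now))
```

At block 2,759,583 the confirmation-only check reports all three transfers as settled, while the stricter check holds the two locked ones back until their lock expires.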

Kukks fixed this bug on November 21, 2022 with a commit, which was deployed in BTCPay Server version 1.7.0.

Other services were also affected by the problem. One provider has already published a text about this on Reddit: [Warning] Incoming payments can be confirmed but locked on protocol level forever.

We have since discovered that this risk has been known for some time and that users also use this feature for their own purposes.

We would like to thank Mochi101 for the report and Kukks for the quick solution.

If you want to show your appreciation to Mochi101, you can use their following addresses: