Lnbits · Lnbits · CVE-2024-34694
**Name of the Vulnerable Software and Affected Versions**
LNbits versions prior to 0.12.6
**Description**
Paying an invoice through the Eclair backend that is not settled within the internal timeout (about 30 seconds) can cause the payment to be marked as failed even though it may still be in flight. This can result in a total loss of funds for the node backend. The problem arises when the API call is made with `blocking: true`: if the payment is not settled within the 30-second timeout, the call returns a timeout error, which is then treated as a payment failure.
**Recommendations**
For versions prior to 0.12.6, update to version 0.12.6 to prevent loss of funds due to unsettled invoices. As a temporary workaround, consider checking the payment status after an error and always assume a payment is still in flight when unsure. Restricting the use of `blocking: true` on API calls until the issue is resolved can also help minimize the risk of exploitation.
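The following Python sketch is an added illustration of the failure mode described above and of the recommended workaround; it is not LNbits code. The backend call, its `BackendTimeout` exception, the status strings returned by `check_status`, and the wallet amounts are all constructed for the example.

```python
from enum import Enum
from typing import Callable


class PaymentStatus(Enum):
    SUCCESS = "success"
    FAILED = "failed"
    PENDING = "pending"  # outcome unknown: treat as still in flight


class BackendTimeout(Exception):
    """Hypothetical: raised when a blocking backend call exceeds its timeout."""


def pay_invoice_vulnerable(backend_pay: Callable[[], None]) -> PaymentStatus:
    # Vulnerable pattern: every error, a timeout included, is reported as FAILED,
    # so the caller releases the reserved balance while the payment may still settle.
    try:
        backend_pay()
        return PaymentStatus.SUCCESS
    except Exception:
        return PaymentStatus.FAILED


def pay_invoice_fixed(backend_pay: Callable[[], None],
                      check_status: Callable[[], str]) -> PaymentStatus:
    # Hardened pattern: a timeout is not a failure. Re-query the backend and, when
    # the outcome is still unknown, keep the payment PENDING so funds stay reserved.
    try:
        backend_pay()
        return PaymentStatus.SUCCESS
    except BackendTimeout:
        status = check_status()  # constructed: "settled" | "failed" | "pending"
        if status == "settled":
            return PaymentStatus.SUCCESS
        if status == "failed":
            return PaymentStatus.FAILED
        return PaymentStatus.PENDING


def spendable_balance(balance: int, amount: int, status: PaymentStatus) -> int:
    """Constructed wallet accounting: only a definite FAILED releases the reservation."""
    if status == PaymentStatus.FAILED:
        return balance
    return balance - amount  # SUCCESS or PENDING keeps the amount out of spendable funds


def timing_out_pay() -> None:
    raise BackendTimeout("no settlement within 30s")


def unknown_status() -> str:
    return "pending"
```

With the vulnerable pattern a timed-out payment of 400 sats leaves all 1000 sats spendable again; with the fixed pattern the 400 sats stay reserved until the backend reports a definite outcome.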