13f98659a4
The fake note zap attack made me realize that there is a way to do fake profile zaps using a similar technique. Since damus only checks the first ptag if it is a profile zap, this means you could include multiple ptags, the first one being the fake profile with the fake zapper, and the second p tag as the real target.

This would allow a fake zapper to create a fake zap, while the zap notification would still appear for the second ptag because damus listens for zap events via #p, and that would match the second ptag.

To fix this, ensure that zaps only have at most 1 ptag and 0 or 1 etag. My CLN zapper checks this but if we don't check this here as well then we run into fake zap issues.

Changelog-Fixed: Fix potential fake profile zap attacks
Cc: Tony Giorgio <tonygiorgio@protonmail.com>
Cc: benthecarman <benthecarman@live.com>
Cc: Vitor Pamplona <vitor@vitorpamplona.com>
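
The tag-count rule from the commit message, as an added Python sketch that is not the Damus code: it contrasts the "first p tag only" check with a `#p` filter match and with the at-most-one-p, at-most-one-e rule. The function names, the two pubkeys and the tag lists are constructed for illustration; tags are assumed to be Nostr-style lists of strings.

```python
# Added illustration: event tags follow the Nostr convention of a list of
# string lists, e.g. ["p", "<hex pubkey>"]. All names here are hypothetical.

FAKE_PROFILE = "aa" * 32   # constructed pubkey: profile tied to the fake zapper
REAL_TARGET = "bb" * 32    # constructed pubkey: user who sees the notification

# Constructed tags of a crafted profile zap carrying two p tags.
CRAFTED_TAGS = [["p", FAKE_PROFILE], ["p", REAL_TARGET]]
HONEST_TAGS = [["p", REAL_TARGET]]


def tag_values(tags, name):
    """Return the values of every well-formed tag called `name`."""
    return [t[1] for t in tags
            if isinstance(t, list) and len(t) >= 2 and t[0] == name]


def first_ptag(tags):
    """Pre-fix behaviour from the commit message: trust only the first p tag."""
    values = tag_values(tags, "p")
    return values[0] if values else None


def matches_p_filter(tags, pubkey):
    """A '#p' subscription filter matches if any p tag carries the pubkey."""
    return pubkey in tag_values(tags, "p")


def validate_zap_tags(tags):
    """Post-fix rule: at most one p tag and zero or one e tag."""
    p_count = len(tag_values(tags, "p"))
    e_count = len(tag_values(tags, "e"))
    if p_count > 1:
        return False, "zap has %d p tags" % p_count
    if e_count > 1:
        return False, "zap has %d e tags" % e_count
    return True, "ok"


if __name__ == "__main__":
    for label, tags in (("crafted", CRAFTED_TAGS), ("honest", HONEST_TAGS)):
        print(label, "checked:", first_ptag(tags)[:8],
              "notifies real target:", matches_p_filter(tags, REAL_TARGET),
              "valid:", validate_zap_tags(tags))
```

On the crafted tags the first-p-tag check and the `#p` match disagree about who the zap is for, which is the mismatch the count rule removes by rejecting the event outright.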