6031fe0847
This fixes a zap issue where someone could send a fake zap with a zapper that doesn't match the user's nostrPubkey zapper. This is possible because damus looks up the zapper via the ptag on note zaps. Fix this by first looking up the cached event's ptag instead. This prevents zappers from trying to trick Damus into picking the wrong zapper. Fixes: #1357 Changelog-Fixed: Fix issue where malicious zappers can send fake zaps to another user's posts Reported-by: benthecarman <benthecarman@live.com> Cc: Tony Giorgio <tonygiorgio@protonmail.com>
44 KiB
44 KiB