Damus
Coinos
Recent notes
We've revoked some NWC connection secrets due to concerns of a security leak. This affects NWC connections that were created before Feb. 19 2025. If you're having trouble zapping from Coinos via NWC please visit https://coinos.io/settings/nostr to create a new NWC connection and then copy the new connection string into your Nostr app.
Hi folks we've been experiencing some disruptions over the past couple days as we've been working to mitigate against an attacker who found and exploited a vulnerability in our system that allowed them to get password reset codes for accounts that didn't belong to them. Using this exploit they were able to gain access to a number of accounts that they shouldn't have had access to and withdraw funds. We've patched the issue and believe we've revoked the attacker's access to the compromised accounts by invalidating their JWT authentication tokens and NWC secrets. We've instituted system-wide withdrawal limits as a precautionary measure while we work to fully restore and migrate the payment records of affected accounts. If you are seeing a blank screen when you visit the Coinos site, you may need to visit https://coinos.io/logout or clear your browser cache. If you have Coinos installed as a PWA you may need to uninstall it and re-add it to your homescreen. About 80 accounts had their passwords reset by the attacker but only a handful were actively stolen from. If your account was compromised you may be missing some recent transactions. We do have backups and will be writing scripts to find and restore those payment records over the coming days. If you were using Coinos via NWC your NWC connection string secret may have changed in which case you will need to re-connect Coinos to your Nostr apps. We'll be reverting unsolicited withdrawals and covering all losses ourselves to make all our users whole. Thankfully we caught the attack relatively quickly and managed to take corrective action before the attacker had time to fully drain our wallets. Coinos is essentially a volunteer effort and one-man show on the tech front so please be patient as it's going to take me a few days to restore everything back to normal. This incident has not shaken my resolve, only strengthened it. Sincerely, Adam Soltys
Public Disclosure: We just found and corrected an issue that was causing some zaps to get missed in cases where our server was unable to successfully broadcast the zap receipt notification to the recipient's relays. We've fixed the issue now and have gone back to retroactively credit all the zaps that were missed.