diff --git a/57.md b/57.md index cbe47d30..2f6a9647 100644 --- a/57.md +++ b/57.md @@ -40,6 +40,8 @@ The `zap request` note: - SHOULD contain an `amount` tag, which is the milli-satoshi value of the zap which clients SHOULD verify being equal to the amount of the invoice. + - SHOULD contain a `lnurl` tag, which is the resolved lnurl for the target user. The resolved lnurl is either the `lud06` field or the `lud16` field converted to an lnurl: `alice@zaps.com` => `bech32("lnurl", "https://zaps.com/.well-known/lnurlp/alice")`. The purpose of this is to prevent an attack where a user replays their `zap request` note to another user that shares the same nostrPubkey. This tricks the `zapper` to send a zap note to another pubkey even if the invoice being paid is to someone else on the same server. Clients MUST match the `lnurl` field against the `zap request` `p`-tag user's resolved lnurl to prevent these kinds of attacks. + - Have a `content` that MAY be an additional comment from the user which can be displayed when listing zaps on posts and profiles. 5. Pay this invoice or pass it to an app that can pay the invoice. Once it's paid, a `zap note` will be created by the `zapper`.
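Review bot: the new `lnurl` bullet is internally inconsistent about normative strength and about who performs the check. The tag is only "SHOULD contain", yet the same bullet ends with "Clients MUST match the `lnurl` field against the `zap request` `p`-tag user's resolved lnurl"; a conforming `zap request` may omit the tag, and the MUST then has nothing to compare, so the replay defence is optional in practice. Either make the tag a MUST, or state explicitly that a `zap request` without an `lnurl` tag (or with one that does not match) MUST be rejected. Second, the bullet says the attack "tricks the `zapper` to send a zap note to another pubkey", but the mitigation is assigned to clients only; the `zapper` is the party that accepts the `zap request` alongside the invoice, so it should also be required to verify that the `lnurl` tag resolves to the user whose invoice is being paid before it emits the `zap note`. A small wording point: the conversion example `alice@zaps.com` => `bech32("lnurl", "https://zaps.com/.well-known/lnurlp/alice")` would be clearer if it named the `lud16` to LNURL mapping it relies on, since readers may otherwise assume a `lud06` value also needs re-encoding.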