@1440000bytes has been teasing a vulnerability he discovered in Cashu.
Well, here it is: there is a DOS attack on mints where a user can fill a mint's database with data.
19 October 2025: I reported the vulnerabillity to cashu-dev@pm.me
19 October 2025: Cashu dev team acknowledged it as a serious issue and opencash rewarded with 100k sats
21 October 2025: It was fixed in refactor: HTLC spending conditions (#803) · cashubtc/nutshell@f84028c · GitHub
28 October 2025: v0.18.0 was released with the fix
29-31 October 2025: I reached out to several mints and requested to update nutshell
2 November 2025: Public Disclosure
so serious it was worth 100k sats
The bounty is based on their limited budget and not the severity of the vulnerability.
Makes sense, thanks for replying
😂😂😂😂😂😂😂
My thought exactly
Here's floppy's more detailed write up of the vulnerability.
https://uncensoredtech.substack.com/p/denial-of-service-using-htlc-in-cashu
What a passionate mankind. Never rug the system you're gonna use. Fix it and make this world better.
Even Satoshi wrote about it: If a greedy attacker is able to
assemble more CPU power than all the honest nodes, he would have to choose between using it
to defraud people by stealing back his payments, or using it to generate new coins. He ought to
find it more profitable to play by the rules, such rules that favour him with more new coins than
everyone else combined, than to undermine the system and the validity of his own wealth.