Six months ago i discovered a severe vulnerability in Cashu affecting most major wallets, which would let a malicious mint steal money from users.
See the link to my blog for a full description, but the TL;DR is that the Cashu spec for deterministic wallets - NUT-13 - contained a small oversight which allowed a malicious mint to trick Cashu clients into revealing secrets meant for an unrelated target mint. Using some math and leveraging the authentic mint as an oracle, a malicious mint operator could steal a target mint's ecash proofs from users and claim the money for himself.
Thanks to the good work of cashu devs like @calle and lollerfirst it has since been patched, with stable long-term protocol-level fixes coming soon.
As far as I understand, if a mint wants to cheat, it is better off just rug pulling all its users by nuking the database and withdrawing the funds from the node. Stealing particular tokens is not worth the effort.
This isn't about a mint stealing funds from its own users. It's about a malicious mint stealing funds from users of another mint. E.g. you trust Alice's mint and have $1000 on there. You don't trust Bob's mint, but someone airdrops you $5 in ecash from Bob's mint. You try to transfer (melt) the ecash to Alice's mint (which you trust) but doing so allows Bob to steal the $1000 of valid ecash that you already had on Alice's mint.
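An added illustration (my own code, not from the original post, from any Cashu wallet, or from the NUT-13 spec) of the compartmentalization point behind the threat model above: if a deterministic wallet derives secrets from the keyset ID and counter alone, any mint that advertises the same keyset ID as another mint steers the wallet to identical secrets; mixing the mint's own identity into the derivation keeps secrets for different mints unrelated even when the keyset ID matches. The HMAC-based derivation, the domain-separation labels, the seed, the keyset ID and the mint URLs are all constructed for this demo; this is a generic design principle, not NUT-13's BIP-32 path scheme and not the fix the Cashu developers shipped.

```python
import hashlib
import hmac
from typing import Optional, Tuple

# Constructed demo seed; a real wallet would derive this from its mnemonic.
DEMO_SEED = hashlib.sha256(b"constructed demo seed, not a real wallet").digest()
# Constructed keyset ID, not any real mint's.
DEMO_KEYSET_ID = "00c0ffee0badf00d"


def derive_secret(seed: bytes, keyset_id: str, counter: int,
                  mint_url: Optional[str] = None) -> bytes:
    """Hypothetical deterministic secret derivation (HMAC-SHA256, assumed scheme).

    With mint_url=None the output depends only on keyset ID and counter, so any
    mint advertising the same keyset ID makes the wallet derive the same secret.
    With mint_url set, the mint's identity is mixed in, so the same keyset ID at
    a different mint yields an unrelated secret.
    """
    domain = b"demo/mint-bound" if mint_url is not None else b"demo/keyset-only"
    parts = [domain, keyset_id.encode(), counter.to_bytes(4, "big")]
    if mint_url is not None:
        parts.append(mint_url.encode())
    # Length-prefix every field so the concatenation cannot be ambiguous.
    info = b"".join(len(p).to_bytes(2, "big") + p for p in parts)
    return hmac.new(seed, info, hashlib.sha256).digest()


def collides_across_mints(seed: bytes, keyset_id: str, counter: int,
                          mint_a: str, mint_b: str, bind_to_mint: bool) -> bool:
    """True if mint_a and mint_b, both advertising keyset_id, obtain the same secret."""
    if bind_to_mint:
        sa = derive_secret(seed, keyset_id, counter, mint_a)
        sb = derive_secret(seed, keyset_id, counter, mint_b)
    else:
        # Keyset-only derivation ignores which mint asked: same inputs, same secret.
        sa = derive_secret(seed, keyset_id, counter)
        sb = derive_secret(seed, keyset_id, counter)
    return sa == sb


def demo() -> Tuple[bool, bool]:
    """Returns (collides with keyset-only derivation, collides with mint-bound derivation)."""
    trusted = "https://alice-mint.example"    # constructed
    untrusted = "https://bob-mint.example"    # constructed
    unbound = collides_across_mints(DEMO_SEED, DEMO_KEYSET_ID, 0, trusted, untrusted, False)
    bound = collides_across_mints(DEMO_SEED, DEMO_KEYSET_ID, 0, trusted, untrusted, True)
    return unbound, bound


if __name__ == "__main__":
    unbound, bound = demo()
    print("keyset-only derivation collides across mints:", unbound)
    print("mint-bound derivation collides across mints:", bound)
```

The takeaway for wallet design is that whatever identifies the counterparty (here a constructed mint URL; in practice whatever the wallet has verified about the mint) belongs in the derivation input, so one mint cannot make the wallet reproduce secrets that belong to a different mint's keyset.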
Oh, that would be really bad. Thanks. Reading your paper...
Even though most of the math is something I'd have to puzzle over (and perhaps take a refresher course to get), I enjoyed your blog post. I'm reminded once again that cryptography is really, really hard to do well. Hats off to people who build tools that use it in novel ways -- and to people like yourself who poke around to find vulnerabilities like this.
You're absolutely right.
Deterministic wallets are powerful but they must be designed with careful compartmentalization to prevent one actor in the system from influencing another. The community should continue to document these incidents in detail because each one adds to the collective knowledge base that helps prevent similar issues in the future.
Feels less like a “market shift” and more like the predictable outcome of policy piling up.
Thank you
what vulnerability did this guy find then?
Another one 🫣
view on x.com: https://twiiit.com/i/status/1979648693159842240
Where is @DarthCoin? Ecash technically isn't Bitcoin and qualifies as a shitcoin under the qualifications he uses. Did he downzap you like he does everyone else that posts about anything he considers a "shitcoin?" Ya know @k00b keeps downzaps having so much more weight to keep darth happy by being able to control what people see and don't see with his downzapping
STFU shitcoiner.
ecash is not bitcoin, they are just gift cards, fucking idiot. And this post has nothing to do with me.
Once again you prove your idiocy
Dude. That's what I said. I said it's not Bitcoin. You truly can't read can you?
Shut up Darth, you have no fucking idea what you're talking about, of course it's Bitcoin you dumbass, learn how to write English properly fucking moron, doesn't even know what's Bitcoin and what isn't.
If you can't unilaterally exit the system it is not Bitcoin. Go fuck yourself.
Shut up idiot, you're fucking retarded. If I can use it to get more Bitcoin into my cold storage what the fuck is the difference you moron. Not every single use case needs unilateral exit you clown. People use different services for different purposes and they don't all need to have the exact same trade-offs dumbass
Shitcoiner take. Have some integrity.
you can't unilaterally exit the base layer 🤔
Bitcoin is a fault tolerant network. You can join and leave at will. Hope you learned something today.
i agree with the spirit, but your argument is simplistic. ecash is paper bitcoin, but that's still bitcoin until it isn't. this is different from eth, which is never bitcoin but can be exchanged for it
#1408394
Bitcoin and lightning in self custody is bitcoin. But ecash is like custodial lightning without accounts. It is not bitcoin anymore. The giftcard comparison is correct.
If you start running or using a mint you may understand this.
The mint can always disappear with all the sat the users saved. Is this how bitcoin works? Is bitcoin designed for exit scams? I say no!
So you have to realize it is not the same.
If you still think it is the same, you can put all your sat into my mint.
It's ok not to use it because you disagree with the tradeoffs involved, and it's fine to criticize the model based on your preferences.
But it is still Bitcoin. It's just a way to use Bitcoin that you don't like. It's not like gift cards at all. The money in your gift card can't be withdrawn, isn't interoperable with your bank account, can't work in other stores even if they want to accept them, the analogy doesn't work.
I think you're doing the Lord's work by highlighting the pros and cons, but saying it's not Bitcoin is really not correct.
"A purely peer-to-peer version of electronic cash would allow online payments to be sent directly from one party to another without going through a financial institution."
What's a mint?
call it custodial/paper bitcoin then. yes, the inception of bitcoin didn't recognize custody. this makes sense from a philosophical point but not a realistic one.
as it stands, self-custodial bitcoin is not viable. if that bothers you, you can try to do something about it.
#992856
You are retarded.
Ecash is not bitcoin. It's an IOU from another shitcoiner. Nothing philosophical about it. It's really that simple.
This conversation has been had before. We're all just waiting for you to catch up.
Forward! Well done let’s keep building