
Six months ago I discovered a severe vulnerability in Cashu affecting most major wallets, which would let a malicious mint steal money from users.

See the link to my blog for a full description, but the TLDR is that the Cashu spec for deterministic wallets - NUT-13 - contained a small oversight which allowed a malicious mint to trick Cashu clients into revealing secrets meant for an unrelated target mint. Using some math and leveraging the authentic mint as an oracle, a malicious mint operator could steal a target mint's ecash proofs from users, and claim the money for himself.

Thanks to the good work of cashu devs like @calle and lollerfirst it has since been patched, with stable long-term protocol-level fixes coming soon.

Even though most of the math is something I'd have to puzzle over (and perhaps take a refresher course to get), I enjoyed your blog post. I'm reminded once again that cryptography is really really hard to do well. Hats off to people who build tools that use it in novel ways -- and to people like yourself who poke around to find vulnerabilities like this.

reply

As far as I understand, if a mint wants to cheat, it is better off just rug pulling all its users by nuking the database and withdrawing the funds from the node. Stealing particular tokens is not worth the effort.

reply

This isn't about a mint stealing funds from its own users. It's about a malicious mint stealing funds from users of another mint. E.g. you trust Alice's mint and have $1000 on there. You don't trust Bob's mint, but someone airdrops you $5 in ecash from Bob's mint. You try to transfer (melt) the ecash to Alice's mint (which you trust) but doing so allows Bob to steal the $1000 of valid ecash that you already had on Alice's mint.

reply

Oh, that would be really bad. Thanks. Reading your paper...

reply

You are absolutely right.

reply

Feels less like a “market shift” and more like the predictable outcome of policy piling up.

reply

Thank you

reply
0 sats \ 1 reply \ @Taj 10 Jan

what vulnerability did this guy find then?

Another one 🫣

Forward! Well done let’s keep building

reply
0 sats \ 0 replies \ @035736735e 10 Jan -100 sats

Deterministic wallets are powerful but they must be designed with careful compartmentalization to prevent one actor in the system from influencing another. The community should continue to document these incidents in detail because each one adds to the collective knowledge base that helps prevent similar issues in the future.
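To make the compartmentalization point above concrete, here is an added illustration (written for this thread, not code from the Cashu project, the wallets, or the blog post) of why a deterministic wallet must bind its derived secrets to the mint they are meant for. The NUT-13 path component for the keyset ID (`keyset_id_int = int(keyset_id) % (2**31 - 1)`) is real; everything else is an assumption made for the demo: the HMAC-SHA512 chain stands in for hardened BIP32 child derivation, the mint URLs and keyset ID are constructed, and the mint-bound variant is a hypothetical hardening, not the actual fix the devs shipped. The point it shows is the general one from the OP's description: if derivation depends only on values another party can present, two different mints can make the wallet produce the same secrets.

```python
import hashlib
import hmac

# Constructed demo values; not real wallet material or real mints.
SEED = hashlib.sha256(b"constructed-demo-seed").digest()
TARGET_MINT = "https://mint-alice.example"      # the mint the user trusts
OTHER_MINT = "https://mint-bob.example"         # an unrelated mint
KEYSET_ID = "009a1f293253e41e"                  # constructed keyset ID (hex)


def keyset_id_to_int(keyset_id: str) -> int:
    """NUT-13 maps a keyset ID to a hardened-path component this way."""
    return int.from_bytes(bytes.fromhex(keyset_id), "big") % (2**31 - 1)


def derive(seed: bytes, path: list) -> bytes:
    """HMAC-SHA512 chain standing in for hardened BIP32 derivation (assumption:
    a simplification so the demo has no dependencies; the binding argument is
    the same for real BIP32 because each path component feeds the next key)."""
    key = seed
    for component in path:
        key = hmac.new(key, str(component).encode(), hashlib.sha512).digest()[:32]
    return key


def derive_secret_keyset_only(seed: bytes, keyset_id: str, counter: int) -> bytes:
    """Derivation keyed only on the keyset ID, mirroring the NUT-13 path
    m/129372'/0'/keyset_id_int'/counter'/0.  Nothing here says which mint the
    keyset belongs to, so any mint presenting the same keyset ID gets the same
    secret out of the wallet."""
    return derive(seed, [129372, 0, keyset_id_to_int(keyset_id), counter, 0])


def derive_secret_mint_bound(seed: bytes, mint_url: str, keyset_id: str, counter: int) -> bytes:
    """Hypothetical hardened variant (assumption, not the project's fix): mix the
    mint identity into the path so a keyset ID copied from another mint yields
    unrelated secrets."""
    mint_tag = hashlib.sha256(mint_url.lower().encode()).hexdigest()
    return derive(seed, [129372, 0, mint_tag, keyset_id_to_int(keyset_id), counter, 0])


def secrets_collide_across_mints(keyset_id: str, counter: int, bound: bool) -> bool:
    """True if the target mint and the other mint make the wallet derive the
    same secret for the same (keyset_id, counter)."""
    if bound:
        a = derive_secret_mint_bound(SEED, TARGET_MINT, keyset_id, counter)
        b = derive_secret_mint_bound(SEED, OTHER_MINT, keyset_id, counter)
    else:
        a = derive_secret_keyset_only(SEED, keyset_id, counter)
        b = derive_secret_keyset_only(SEED, keyset_id, counter)
    return hmac.compare_digest(a, b)


if __name__ == "__main__":
    print("keyset-only derivation collides across mints:",
          secrets_collide_across_mints(KEYSET_ID, 0, bound=False))   # True
    print("mint-bound derivation collides across mints:",
          secrets_collide_across_mints(KEYSET_ID, 0, bound=True))    # False
```

The check a wallet reviewer would want is the second one: for every input that a remote party can choose (keyset IDs, amounts, counters), the derived material must differ once the trusted context differs, and a unit test like `secrets_collide_across_mints` over a few counters catches a regression cheaply.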

11 sats \ 24 replies \ @AJ1992 10 Jan -121 sats

Where is @DarthCoin? Ecash technically isn't Bitcoin and qualifies as a shitcoin under the qualifications he uses. Did he downzap you like he does everyone else that posts about anything he considers a "shitcoin?" Ya know @k00b keeps downzaps having so much more weight to keep darth happy by being able to control what people see and don't see with his downzapping