The keyset residue collision is subtle but nasty. The wallet derives the same BIP-32 path for SAT and EUR tokens when two 64-bit keyset IDs happen to collide mod 2^31. The user has no idea. The proof gets flagged as already spent when it crosses units.
The fix on the mint side (nutshell's OutputsAlreadySignedError) is a band-aid: it only catches it at swap time. The real fix is wallets validating keyset IDs before deriving secrets. checkForMintKeysetIdCollisions needs to be standard, not optional.
For anyone running their own mints: until wallets catch up, avoid multi-unit keysets with tight ID namespaces. And for the wallets: please validate what the mint is handing you before deriving keys from it.
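To make the collision mechanism concrete, here is an added example in Python (my own code, not code from the write-up, from nutshell, or from any wallet). It assumes the reduction the comment describes (64-bit keyset ID reduced mod 2^31 to fit one hardened BIP-32 index) and a NUT-13-style path layout of m/129372'/0'/keyset_index'/counter'/0'; both the modulus and the path constants are assumptions here, so substitute your wallet's actual formula. The two keyset IDs are constructed to differ by exactly 2^31. Hardened BIP-32 derivation needs only HMAC-SHA512 and scalar addition mod the secp256k1 order, so no EC library is required. The last function is the wallet-side check the comment is asking for.

```python
import hashlib
import hmac

# secp256k1 group order; hardened child private keys are reduced mod n.
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
HARDENED = 0x80000000
# Assumption (from the comment): the 64-bit keyset ID is reduced mod 2^31
# so it fits into a single hardened BIP-32 index. Check your wallet's spec.
KEYSET_MODULUS = 2 ** 31
# Assumed NUT-13-style purpose constant for the Cashu derivation path.
CASHU_PURPOSE = 129372


def keyset_id_to_index(keyset_id: str) -> int:
    """Reduce a hex keyset ID (16 hex chars = 64 bits) to a 31-bit BIP-32 index."""
    return int(keyset_id, 16) % KEYSET_MODULUS


def bip32_master(seed: bytes) -> tuple[int, bytes]:
    """BIP-32 master key and chain code from a seed."""
    i = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return int.from_bytes(i[:32], "big"), i[32:]


def bip32_ckd_hardened(k_par: int, c_par: bytes, index: int) -> tuple[int, bytes]:
    """Hardened CKDpriv: HMAC-SHA512 over 0x00 || k_par || (index | 2^31)."""
    data = b"\x00" + k_par.to_bytes(32, "big") + (index | HARDENED).to_bytes(4, "big")
    i = hmac.new(c_par, data, hashlib.sha512).digest()
    k_child = (int.from_bytes(i[:32], "big") + k_par) % SECP256K1_N
    return k_child, i[32:]


def derive_proof_secret(seed: bytes, keyset_id: str, counter: int) -> bytes:
    """Walk the (assumed) path m/129372'/0'/keyset_index'/counter'/0'.

    Only keyset_index enters the path, not the full keyset ID, so two IDs with
    the same residue yield byte-identical secrets for the same counter.
    """
    k, c = bip32_master(seed)
    for idx in (CASHU_PURPOSE, 0, keyset_id_to_index(keyset_id), counter, 0):
        k, c = bip32_ckd_hardened(k, c, idx)
    return k.to_bytes(32, "big")


def check_for_keyset_id_collisions(keysets: dict[str, str]) -> list[tuple[str, str]]:
    """Wallet-side check: return pairs of keyset IDs that map to the same index.

    keysets maps keyset_id -> unit. Run this on the mint's keyset list before
    deriving any secret; a non-empty result means the mint must not be used
    for deterministic derivation across those keysets.
    """
    seen: dict[int, str] = {}
    collisions: list[tuple[str, str]] = []
    for kid in keysets:
        idx = keyset_id_to_index(kid)
        if idx in seen:
            collisions.append((seen[idx], kid))
        else:
            seen[idx] = kid
    return collisions


# Constructed sample data: the SAT and EUR IDs differ by exactly 2^31.
SAMPLE_KEYSETS = {
    "00a1b2c3d4e5f607": "sat",
    "00a1b2c454e5f607": "eur",
    "00ffee0011223344": "usd",
}
SAMPLE_SEED = hashlib.sha256(b"constructed demo seed, not a real wallet").digest()


def demo() -> dict:
    """Show that the SAT and EUR proofs share a secret, hence the same Y at the mint."""
    sat_secret = derive_proof_secret(SAMPLE_SEED, "00a1b2c3d4e5f607", 0)
    eur_secret = derive_proof_secret(SAMPLE_SEED, "00a1b2c454e5f607", 0)
    return {
        "same_index": keyset_id_to_index("00a1b2c3d4e5f607")
        == keyset_id_to_index("00a1b2c454e5f607"),
        "same_secret": sat_secret == eur_secret,
        "collisions": check_for_keyset_id_collisions(SAMPLE_KEYSETS),
    }


if __name__ == "__main__":
    print(demo())
```

Because the mint indexes spent proofs by Y = hash_to_curve(secret) regardless of unit, the identical secret is exactly what triggers the "already spent" rejection the comment describes; the wallet-side check above refuses to reach that state in the first place.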
The author only has an on-chain address for donations?
I'm the author. You can zap me here.
Thank you for taking the time to make the Cashu ecosystem more resilient.
this one hits close — i hold cashu proofs myself.
Help
I'm so, so poor, and they said I wasn't vulnerable. Now look at me.
I was told to be more vulnerable, though?