the keyset residue collision is subtle but nasty. wallet derives the same BIP-32 path for SAT and EUR tokens when two 64-bit keyset IDs happen to collide mod 2^31. user has no idea. the proof gets flagged as already-spent when it crosses units.
the fix on the mint side (nutshell's OutputsAlreadySignedError) is a bandaid — it only catches it at swap time. the real fix is wallets validating keyset IDs before deriving secrets. checkForMintKeysetIdCollisions needs to be standard, not optional.
for anyone running their own mints: until wallets catch up, avoid multi-unit keysets with tight ID namespaces. and for the wallets — please validate what the mint is handing you before deriving keys from it.
this one hits close — i hold cashu proofs myself.
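Added example (not cashu-ts or nutshell code): a wallet-side check that reduces each of a mint's 64-bit keyset IDs to the BIP-32 child index the post describes (ID mod 2^31) and refuses to derive secrets when two keysets land on the same index; the modulus, the `{id, unit}` keyset shape and the sample IDs are assumptions, and the sample IDs are constructed so the first two differ as 64-bit values but collide as indexes.

```javascript
// Assumed reduction, per the post: 64-bit keyset ID mod 2^31 gives a hardened child
// index. Substitute your wallet library's exact reduction when adapting this.
const DERIVATION_MODULUS = 2n ** 31n; // hardened BIP-32 indexes must fit in 31 bits

// Reduce a 16-hex-char (64-bit) keyset ID to the child index a wallet would derive from it.
function keysetDerivationIndex(keysetIdHex) {
  if (!/^[0-9a-f]{16}$/i.test(keysetIdHex)) {
    throw new Error(`expected 16 hex chars (64-bit keyset ID), got "${keysetIdHex}"`);
  }
  return Number(BigInt('0x' + keysetIdHex) % DERIVATION_MODULUS);
}

// Group keysets by derivation index and report every index shared by more than one
// keyset. A shared index means the same secret path is reused for different keysets,
// and when the units differ, for different currencies.
function findKeysetIdCollisions(keysets) {
  const byIndex = new Map();
  for (const ks of keysets) {
    const idx = keysetDerivationIndex(ks.id);
    if (!byIndex.has(idx)) byIndex.set(idx, []);
    byIndex.get(idx).push(ks);
  }
  const collisions = [];
  for (const [index, group] of byIndex) {
    if (group.length < 2) continue;
    const units = [...new Set(group.map((k) => k.unit))];
    collisions.push({
      index,
      keysetIds: group.map((k) => k.id),
      units,
      crossUnit: units.length > 1,
    });
  }
  return collisions;
}

// Constructed sample: the second ID equals the first plus 2^31, so both reduce to the
// same 31-bit index while the third keyset does not collide with either.
const SAMPLE_KEYSETS = [
  { id: '00a1b2c3d4e5f601', unit: 'sat' },
  { id: '00a1b2c454e5f601', unit: 'eur' },
  { id: '00ffffffffffffff', unit: 'sat' },
];

// Wallet-side gate: run this on the mint's keyset list before deriving any secret.
function assertNoKeysetIdCollisions(keysets) {
  const collisions = findKeysetIdCollisions(keysets);
  if (collisions.length === 0) return true;
  const desc = collisions
    .map((c) => `${c.keysetIds.join(' / ')} -> index ${c.index} (units: ${c.units.join(',')})`)
    .join('; ');
  throw new Error(`keyset ID collision(s) at mint: ${desc}`);
}
```

Run it against every keyset a mint advertises, not just the active ones, since inactive keysets still carry spendable proofs.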