So in LnBits I was able to create a Cashu ecash mint. Then as a user I sent myself Bitcoin over lightning and the mint credited me some ecash.

Then I was able to go into my LNbits wallet and drain the sats from it. The Cashu wallet still shows that it held the ecash and I could send it around. But when I tried to send sats out of the mint, burning the ecash it wouldn't send because there was no actual Bitcoin held by the mint. It was really easy to rugpull myself.

As a merchant, I see how someone could mint some ecash, drain the wallet, then try to buy something from me. I wouldn't know the ecash was worthless until I tried to claim the sats later. It's like writing a bad check.

So yeah, not great for stores to accept Cashu payments unless the ecash is on a mint they trust. The wallet does ask you if you trust a mint when receiving ecash so you do have a small "due diligence" step before accepting payment.

I would like to see a receiving Cashu wallet that automatically sweeps ecash onto a chosen mint or just to a lightning address immediately upon receipt to mitigate this attack.