Avatar
calle 2mo ago

ultra brief post mortem on recent nutshell denial-of-service bug for those who have missed it.

what: cashu has htlcs. the spec says the preimage must be 32 bytes. nutshell, one of multiple mint implementations, didn't check the size of the htlc preimage before validation. it violated the spec.

why: the preimage is stored for some smart contracts where bob doesn't want to rely on alice to actually provide it. like how lightning channel fore-closes don't rely on alice being nice but on on-chain data.

we fixed it instantly in nutshell 0.18.0. unfortunately attacker disclosed irresponsibly without respecting industry standard time frames (2 weeks lol) or any other collaboration. cashu got better as a result.

Reply to this note

Please Login to reply.

Discussion

Avatar
calle 2mo ago

those who are celebrating the attack on mint operators, most of which are normal bitcoin plebs like you and me running infra for their communities, is behaving unethically and has clearly lost their way.

these people are providing the grassroots rails for bitcoin use all around the world. they do it as a service for the network and most of them do it for free. if you celebrate this, you should be ashamed. look in the mirror and ask yourself what you do to support bitcoin.

anyone grilling me for it as an individual, game on.

Avatar
Praveen Perera 2mo ago

no one attacked mints, everyone’s just pointing out your hypocrisy

is it shitty when people make your money worse by using exploits?

Avatar
OT 2mo ago

Floppy?

Avatar
u32Luke 2mo ago

Any reports of mint ddos?