Replying to calle

I learned something really cool the other day: There is an attack on signature schemes called the "blinding attack". It basically abuses what we cherish in ecash: blind signatures.

The gist is the following: You can make someone sign a "bad message" M (example: "I confirm that I'm stupid") if you can find a blinding factor r such that r*M looks like a "good message" (like "I'm very smart").

You get a signature on the blinded message r*M and can unblind the signature (very much like in Cashu) to get a signature on the unblinded bad message M – and now everyone thinks you're stupid!

sudocarlos 2y ago

I actually am stupid, so I didn't follow that too well. Are you saying you construct two messages (M1 and M2) such that r*M1 and r*M2 both = same thing?
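
The attack calle describes, worked through as an added example that is not part of either post: it assumes textbook RSA, where the blinded value is r^E * M mod N rather than a plain r*M, and contrasts a signer that signs the raw value with one that hashes before signing. The key, the `looks_good` policy and all function names are constructed for illustration.

```python
import hashlib

# Constructed toy key from two Mersenne primes; an assumption for illustration only.
P, Q, E = 2**107 - 1, 2**127 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))

BAD = int.from_bytes(b"I confirm that I'm stupid", "big")  # the post's bad message M

def looks_good(m):
    """Hypothetical signer policy: a value is 'good' if its low byte is 0x01."""
    return m % 256 == 0x01

def h(m):
    """Hash into Z_N before signing (full-domain-hash style)."""
    data = m.to_bytes((m.bit_length() + 7) // 8 or 1, "big")
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

def sign(m, hashed):
    """Signer: applies the policy, then signs either the raw value or its hash."""
    if not looks_good(m):
        raise ValueError("signer refuses this message")
    return pow(h(m) if hashed else m, D, N)

def verify(m, s, hashed):
    return pow(s, E, N) == (h(m) if hashed else m % N)

def find_blinding(bad, limit=100_000):
    """Search r so that r^E * bad mod N passes the policy (the post's r*M)."""
    for r in range(2, limit):
        blinded = pow(r, E, N) * bad % N
        if looks_good(blinded):
            return r, blinded
    raise RuntimeError("no blinding factor found within limit")

def unblind(s_blinded, r):
    """(r^E * M)^D = r * M^D mod N, so dividing by r leaves a signature on M."""
    return s_blinded * pow(r, -1, N) % N

def demo():
    r, blinded = find_blinding(BAD)
    raw_forgery = unblind(sign(blinded, hashed=False), r)
    hashed_attempt = unblind(sign(blinded, hashed=True), r)
    return verify(BAD, raw_forgery, hashed=False), verify(BAD, hashed_attempt, hashed=True)

if __name__ == "__main__":
    print(demo())  # (True, False)
```

The raw signer ends up vouching for M even though it only ever saw a value that passed its policy; with hashing, the multiplicative relation between the blinded and unblinded values no longer carries through to the signature.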
