story time. the recently disclosed nutshell cashu mint vulnerability is as ironic as it gets. it’s very similar to an inscription which is hilarious. as per the cashu spec, a HTLC must have a preimage witness size of 32 bytes.
unfortunately, the mint never checked the size before validating and storing it in its db. we simply overlooked it. since users never paid a fee that depends on the witness size (because we assumed it would be constant), this allowed the attacker to store jpgs of dickbutts in a mint’s database. for free!
fortunately there’s no messy consensus in cashu. every mint operator dictates their own rules. the fix is simple: now we reject all tokens with a witness that’s too large. those maliciously crafted tokens (of which we haven’t seen any in the wild) can’t be spent anymore.
i must admit, given my recent active engagement in the filter debate, this is probably the funniest exploit possible. i own this one and i’m giggling as i type this. it’s pure comedy.
however, this doesn’t mean the disclosure has gone well. the attacker has proven to be malicious and refused to coordinate with us. instead, he’s putting active mints at risk. this is not how responsible disclosure works. very unprofessional. if you run a mint or know someone who does, update to the latest version (0.18.1) where this issue is fixed. funds were never in danger.
it’s certainly worth a laugh. grill me. this one is simply too good. 😊
thanks to the entire cashu team for their amazing work and their swift reaction. you’ve handled it like pros.
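The size check described in the post above, as an added example that is not part of the original post and is not nutshell's code: the witness is bounded before it is parsed or stored, and the preimage must be exactly 32 bytes. The JSON witness layout with a hex `preimage` field, the 1024-character cap, and all function and constant names are assumptions made for this illustration.

```python
import hashlib
import hmac
import json

PREIMAGE_BYTES = 32        # preimage size the post says the spec requires
MAX_WITNESS_CHARS = 1024   # assumed cap on the whole witness string


class WitnessError(ValueError):
    """Raised when an HTLC witness must be rejected."""


def check_htlc_witness(witness: str, hash_lock_hex: str) -> bytes:
    """Return the 32-byte preimage if the witness is valid, else raise."""
    # 1. Bound the raw input before parsing or storing anything.
    if len(witness) > MAX_WITNESS_CHARS:
        raise WitnessError("witness too large")
    try:
        preimage = bytes.fromhex(json.loads(witness)["preimage"])
    except (ValueError, KeyError, TypeError) as exc:
        raise WitnessError("malformed witness") from exc
    # 2. Enforce the exact size on the decoded bytes, not on the hex text.
    if len(preimage) != PREIMAGE_BYTES:
        raise WitnessError("preimage must be exactly 32 bytes")
    # 3. Only now check the hash lock, with a constant-time comparison.
    digest = hashlib.sha256(preimage).hexdigest().encode()
    if not hmac.compare_digest(digest, hash_lock_hex.lower().encode()):
        raise WitnessError("preimage does not match hash lock")
    return preimage


def accepts(witness: str, hash_lock_hex: str) -> bool:
    """Convenience wrapper: True if the witness passes every check."""
    try:
        check_htlc_witness(witness, hash_lock_hex)
        return True
    except WitnessError:
        return False


# Constructed sample values (not taken from the page).
GOOD_PREIMAGE = bytes(range(32))
HASH_LOCK = hashlib.sha256(GOOD_PREIMAGE).hexdigest()
GOOD_WITNESS = json.dumps({"preimage": GOOD_PREIMAGE.hex(), "signatures": []})
OVERSIZED_WITNESS = json.dumps({"preimage": "00" * 100_000})
```
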
staying humble ✅
That is very ironic indeed.
Thank you for working anonymously in public
it wouldn't be #NutNovember without a few giggles.

This is klassik! Respect Kallie
“The attacker has proven to be malicious” bruh 🤣🤦‍♂️ this cashu thing is a joke.
I cannot believe I'm seeing so many clowns come out in support of DDoSing
Stfu, dumb bitch.
nothing to see here, just an OP_RETURN size limit
> i must admit, given my recent active engagement in the filter debate, this is probably the funniest exploit possible. i own this one and i’m giggling as i type this. it’s pure comedy.
Seems like it was a retaliation for your active engagement for lifting filters. Junk is junk, no matter where it is and some attackers have money to throw at it.
REEEEEE CENSORSHIP STORE MY DICKBUTT YOU FASCIST!

Thanks for the heads-up! I’ll update it!
pls do
Core v30 that came out of the compromised Core devs opened up Bitcoin for more abuse of spam than it was previously possible.
It was previously possible because compromised Core devs rejected to fix the inscriptions spam.
It is the same, and good that you admit it, that the vulnerability opened Cashu to more abuse of spam.
It was awful to see you support Core v30 and supporting the spammers case. I still wonder about your specific root cause to do it.
Floppy did do responsible disclosure and that is documented.
The grill.
Calle is a deeply irresponsible, immoral and sad person.
Calle's double standard is just disgusting.
Calle is a supporter of OP_RETURN spam and the change to 100 000 Bytes which allowed porn video on the Bitcoin blockchain.
He supports Core v30. Core v30 is essentially a malware to Bitcoin because it allows more spam.
But he now whines like a little girl that a weakness in nutshell can be exploited and the cashu nutshell servers can be filled with spam and JPEGS.
Also floppy made a responsible disclosure to affected parties.
https://delvingbitcoin.org/t/public-disclosure-denial-of-service-using-htlc-in-cashu/2090
https://uncensoredtech.substack.com/p/denial-of-service-using-htlc-in-cashu
> now we reject all tokens with a witness that’s too large
Censorship alert detected
Those dickbutts meet cashu consensus rules. What are you complaining about?
nope, see spec.
😉
Unfortunately, I ran into an error while upgrading from 0.16 to 0.18.1. I’ll pause the upgrade for now and check the issue first.
raise Exception(
Exception: Seed is set to default value 'supersecretprivatekey'. Please change it.
the error says what the issue is. DM me on telegram / matrix and I'll help
I honestly don’t know how to feel about this
Is there no solution without filters?
life does seem to optimize for irony
Irony lvl 100


Schadenfreude is on 11 for me.
I’m loving the people exposing Calle for who he is.
Couldn’t have happened to a douchier guy.
🤣😂🤣 (pic for reference and for people who are not familiar with the meme)


find god
basically summarized 99% of the “dunks”
The infighting continues? Why?

Your filters don’t work.
You were right all along.
Calle has chosen a path of arrogance and is reaping what he sowed.
learn the difference between centralized and decentralized systems.
Learn to tell the truth for once.
Didn't they tell you that filters don't work? Well see the current OP_RETURN filter limiting data to less than 83 Bytes.


Arrogance will be your downfall.
Leftist superiority complex is a disease, and it’s self-correcting.
