conduition
npub1l6u…zvtg
2024-09-06 20:32:31

I'm very happy to see these vulnerabilities fixed in a timely fashion, but Mercury went public releasing a patch and publishing my report without even asking me for a review first. The first I heard about this patch was Tom Trevethan's twitter post a few hours ago.

Mercury's bug bounty program offers only 800 GBP for a critical loss-of-funds vulnerability. Rather than chasing Mercury down again for another mediocre payout, after this experience I'm more inclined to just hold onto any new vulns I might find and exploit them later, if Mercury ever sees wider use.

Oh well, it's their code I suppose. To be fair, Tom made clear they treat Mercury Statechains as unsafe prototype software, and clearly tell people not to use it with mainnet funds. Vulns like these are why.

Remember kids, if a dev tells you not to use their own code with real money, you should listen!

References:

Mercury Layer v0.2.0: Fix for Malicious Backup Transactions Vulnerabilities

"This update fixes vulnerabilities related to malicious backup transactions bypassing receiver verification checks. We've revamped the way backup transaction checks are constructed to ensure robust security."

https://www.nobsbitcoin.com/mercury-layer-v0-2-0/

https://x.com/mercurylayer/status/1832062894428545114

https://conduition.io/code/mercury-disclosure/

https://github.com/commerceblock/mercurylayer/blob/07b2a4485187592ed24c642b7284b321aceaa8fe/disclosure.md
Author Public Key
npub1l6uy9chxyn943cmylrmukd3uqdq8h623nt2gxfh4rruhdv64zpvsx6zvtg