I want to thank lontivero from the Wasabi team for responsibly disclosing this ...

2025-01-05 19:30:09

I want to thank lontivero (nprofile…t3rp) from the Wasabi team for responsibly disclosing this vulnerability in Cashu's cryptography around one year ago.

I also thank phyro (nprofile…ycww) , waxwing (nprofile…eruw) , Ruben Somson, and the Cashu devs, who were instrumental for finding a fix in a very short time. It was a couple of chaotic and exciting days (can live without it though!).

Here is a more in-depth analysis of the issue and how we ended up fixing it.

https://gist.github.com/callebtc/0bb0c1ce8ed030dd7c9330b70aec3b6d

quoting nevent1q…pmg8
Exactly a year ago, I discovered a vulnerability in Cashu: https://gist.github.com/lontivero/91b98dbb44b45140b9b7090229f2b8ca
It was fixed immediatelly in this commit: https://github.com/cashubtc/nutshell/commit/6db4604f998bc5499594cbc55f6c7c2dd9708710 and further improved in subsequent commits.

Author Public Key

npub12rv5lskctqxxs2c8rf2zlzc7xx3qpvzs3w4etgemauy9thegr43sf485vg

Show more details

Published at

2025-01-05 19:30:09

Kind type

1 Short Text Note

Event JSON

{ "id": "cdb0cc0bc3a3472eee3c5b886cf824910794dd821215a2acd2c05c5bb3b1cdec", "pubkey": "50d94fc2d8580c682b071a542f8b1e31a200b0508bab95a33bef0855df281d63", "created_at": 1736105409, "kind": 1, "tags": [ [ "p", "9e30e940238cd9ebebc6328176dd4d109812129442f2a6c38727fc66fa7ea90a", "wss://eden.nostr.land/", "mention" ], [ "p", "b0b00009763375d6800c7bc477431cfaaf032a065d301b22dac492728ea3df29", "", "mention" ], [ "p", "675b84fe75e216ab947c7438ee519ca7775376ddf05dadfba6278bd012e1d728", "wss://atlas.nostr.land/", "mention" ], [ "e", "998b7ef264f050b9bf6115e519731bd1ea42f2ea3fb3e900a2e4f6de1af2cc3a", "https://gist.github.com/lontivero/91b98dbb44b45140b9b7090229f2b8ca", "mention" ], [ "r", "wss://eden.nostr.land/" ], [ "r", "wss://hist.nostr.land/" ], [ "r", "wss://nos.lol/" ], [ "r", "wss://nostr-pub.wellorder.net/" ], [ "r", "wss://nostr.bitcoiner.social/" ], [ "r", "wss://nostr.mom/" ], [ "r", "wss://nostr.oxtr.dev/" ], [ "r", "wss://relay.0xchat.com/" ], [ "r", "wss://relay.damus.io/" ], [ "r", "wss://relay.nostr.band/" ], [ "r", "wss://relay.primal.net/", "read" ], [ "r", "wss://relay.siamstr.com/" ], [ "r", "wss://relay.snort.social/" ], [ "r", "wss://yabu.me/" ] ], "content": "I want to thank nostr:nprofile1qyt8wumn8ghj7etyv4hzumn0wd68ytnvv9hxgtcppemhxue69uhkummn9ekx7mp0qyg8wumn8ghj7mn0wd68ytnddakj7qg4waehxw309ahx7um5wghx77r5wghxgetk9uq3zamnwvaz7tmwdaehgu3wwa5kuef0qy2hwumn8ghj7un9d3shjtnyv9kh2uewd9hj7qpqnccwjspr3nv7h67xx2qhdh2dzzvpyy55gte2dsu8yl7xd7n74y9qcat3rp from the Wasabi team for responsibly disclosing this vulnerability in Cashu's cryptography around one year ago. \n\nI also thank nostr:nprofile1qqstpvqqp9mrxawksqx8h3rhgvw04tcr9gr96vqmytdvfynj363a72gzzycww , nostr:nprofile1qythwumn8ghj7ct5d3shxtnwdaehgu3wd3skuep0qythwumn8ghj7ct5d3shxtnwdaehgu3wd3skuep0qyt8wumn8ghj7etyv4hzumn0wd68ytnvv9hxgtcpzemhxue69uhk2er9dchxummnw3ezumrpdejz7qtxwaehxw309anxjmr5v4ezumn0wd68ytnhd9hx2tmwwp6kyvtkv9jxxenvdc682em5xf5rjun4waeh2am4x4m82dtpd568scttvymhqaekd5mkz7rexuukzutedpcrvaf4wyukkmn4w5mn7cnjdaskgcmpwd6r6arjw4jszenhwden5te0ve5kcar9wghxummnw3ezuamfdejj7mnsw43rzanpv33kvmrwx36kwapjdquhyathwd6hwaf4we6n2ctdx3uxz6mpxac8wdndxashs7fh89shz7tgwqm82dt3894kuat4xulkyun0v9jxxctnws7hgun4v5q36amnwvaz7tmwdaehgu3dxqcjucn0d36zummzwdjhyan9wghsz8thwden5te0dehhxarj95crztnzdak8gtn0vfek2unkv4ez7qg7waehxw309ahx7um5wgkhqatz9emk2mrvdaexgetj9ehx2ap0qy08wumn8ghj7mn0wd68yttsw43zuam9d3kx7unyv4ezumn9wshsz8thwden5te0dehhxarj94ex2mrp0yh8wmrkwvh8xurpvdjj7qgawaehxw309ahx7um5wgkhyetvv9ujuamvweejuumsv93k2tcpr4mhxue69uhkummnw3ezucnfw33k76twv4ezuum0vd5kzmp0qywhwumn8ghj7mn0wd68ytnzd96xxmmfdejhytnnda3kjctv9uq3qamnwvaz7tmwdaehgu3wwa5kuegpzpmhxue69uhkummnw3ezuamfdejsz8rhwden5te0dehhxarjxyh8gatwdejkcumpw3ejucm0d5hsz8rhwden5te0dehhxarjxyh8gatwdejkcumpw3ejucm0d5hsz9thwden5te0wfjkccte9ejxzmt4wvhxjme0qy2hwumn8ghj7un9d3shjtnyv9kh2uewd9hj7qgkwaehxw309aex2mrp0yhxummnw3ezucnpdejqz9mhwden5te0wfjkccte9ehx7um5wghxjmnxduhsz9mhwden5te0wfjkccte9ehx7um5wghxjmnxduhszxthwden5te0wfjkccte9eekummjwsh8xmmrd9skctcpr9mhxue69uhhyetvv9ujuumwdae8gtnnda3kjctv9uq35amnwvaz7tmjv4kxz7t9wghxv6tpw34xze3wvdhk6tcprfmhxue69uhhyetvv9uk2u3wve5kzar2v9nzucm0d5hsqgr8twz0ua0zz64eglr58rh9r898wafhdh0stkklhf3830gp9cwh9q4geruw , Ruben Somson, and the Cashu devs, who were instrumental for finding a fix in a very short time. It was a couple of chaotic and exciting days (can live without it though!). \n\nHere is a more in-depth analysis of the issue and how we ended up fixing it.\n\nhttps://gist.github.com/callebtc/0bb0c1ce8ed030dd7c9330b70aec3b6d\n\nnostr:nevent1qvzqqqqqqypzp83sa9qz8rxea04uvv5pwmw56yyczgffgshj5mpcwfluvma8a2g2q9pxsar5wpen5te0va5hxapwva5hg6r4vghxxmmd9akx7mn5d9mx2un09uunzc3e8pjxyc35x33rgdf3xscxywtzxucrjvpjxgukvvnz8p3kzq25dp68gurn8ghj7emfw3582c3wvdhk6tmrv9eksatzw33j7mn4w3eksetvdshkxmmdd45hgtekv33rgd3sx3nrjwfcvf3n2dpe8y6njdrrvf3n2dtxxe3nwcejv3jrjdes8qmnzvqqyzvcklhjvnc9pwdlvy272xtnr0g75shjaglm86gq5tj0dhs67txr5jwpmg8 ", "sig": "b053794730cdb42ce129d71ea72b42939ea61a23837b14add21210b62bf20429c81d8f50f2717009225f601487b991be9bad106b79b2f4739f083423aade3b7e" }

calle 👁️⚡👁️ on Nostr: I want to thank lontivero from the Wasabi team for responsibly disclosing this ...