A detailed security disclosure report examining five validation vulnerabilities in the Mercury Layer Statechains protocol client libraries. Mercury is a Bitcoin off-chain transfer protocol using a semi-trusted blind server. The five vulnerabilities (VULN_1 through VULN_5) range from medium to high severity and stem from insufficient validation of backup transactions given by senders to receivers. The most critical bug (VULN_5) involves the use of max sequence numbers (0xFFFFFFFF) by default, which disables locktime enforcement on all Mercury backup transactions, allowing any previous statecoin holder to double-spend at any time. The report recommends immediate on-chain withdrawal of all statecoins and proposes a paradigm shift: receivers should reconstruct backup transactions from minimal data points rather than accepting fully serialized transactions from senders, eliminating entire classes of attacks.
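A receiver-side check for the VULN_5 condition, as an added example that is not code from the report or from the Mercury Layer client libraries: it reads nLockTime and every input's nSequence from a serialized transaction and rejects one whose timelock Bitcoin would not enforce. The function names and the sample transaction (dummy outpoint, scripts and a locktime of 850000) are constructed for illustration.

```python
import struct

SEQUENCE_FINAL = 0xFFFFFFFF  # when every input carries this value, nLockTime is ignored

def _varint(raw, i):
    """Decode a Bitcoin CompactSize integer at offset i; return (value, next offset)."""
    first = raw[i]
    if first < 0xFD:
        return first, i + 1
    size = {0xFD: 2, 0xFE: 4, 0xFF: 8}[first]
    return int.from_bytes(raw[i + 1:i + 1 + size], "little"), i + 1 + size

def locktime_fields(raw):
    """Return (nLockTime, [nSequence of each input]) from a serialized transaction."""
    i = 4                                   # skip nVersion
    if raw[4:6] == b"\x00\x01":             # segwit marker and flag
        i += 2
    n_inputs, i = _varint(raw, i)
    sequences = []
    for _ in range(n_inputs):
        i += 36                             # previous txid (32) + output index (4)
        script_len, i = _varint(raw, i)
        i += script_len                     # skip scriptSig
        if i + 8 > len(raw):                # need nSequence plus trailing nLockTime
            raise ValueError("truncated transaction")
        sequences.append(int.from_bytes(raw[i:i + 4], "little"))
        i += 4
    if not sequences:
        raise ValueError("transaction has no inputs")
    return int.from_bytes(raw[-4:], "little"), sequences  # nLockTime is the last 4 bytes

def timelock_is_enforced(raw):
    """True only if nLockTime is set and at least one input is non-final."""
    locktime, sequences = locktime_fields(raw)
    return locktime != 0 and any(s != SEQUENCE_FINAL for s in sequences)

def sample_tx(sequence, locktime, segwit=False):
    """Constructed one-input, one-output transaction with dummy outpoint and scripts."""
    tx = struct.pack("<I", 2) + (b"\x00\x01" if segwit else b"")
    tx += b"\x01" + bytes(32) + struct.pack("<I", 0) + b"\x00"   # input, empty scriptSig
    tx += struct.pack("<I", sequence)
    tx += b"\x01" + struct.pack("<Q", 1000) + b"\x01\x51"        # one output
    tx += (b"\x01\x01\x00" if segwit else b"") + struct.pack("<I", locktime)
    return tx

if __name__ == "__main__":
    for seq in (0xFFFFFFFF, 0xFFFFFFFE):
        print(hex(seq), timelock_is_enforced(sample_tx(seq, 850000)))
```

A receiver that rebuilds the backup transaction itself, as the report proposes, sets these fields directly and does not need to trust the sender's serialization for them.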