A security researcher discovered vulnerabilities in the Cashu Ecash protocol's NUT-13 deterministic wallet recovery standard. The flaw stems from wallets tracking counters by full keyset ID while deriving secrets from a reduced 31-bit integer representation, allowing a malicious mint to craft a keyset ID that collides with a legitimate mint's ID. This causes wallets to reuse the same secret preimages and blinding factors across both mints. An attacker can exploit this via a 'poisonous airdrop' attack: sending victims Ecash tokens from the malicious mint, then intercepting the swap process to steal blinded signatures from the target mint. Affected wallets include Minibits, Cashu.me, and Nutstash. Two fixes were agreed upon: a short-term backwards-compatible guard against colliding 31-bit keyset residues, and a long-term protocol fix replacing BIP32 derivation with HMAC-SHA512 scoped to full keyset IDs, tied to the upcoming keyset ID v2 upgrade. The researcher received a $500 bug bounty.
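To make the counter/derivation mismatch concrete, here is an added example (not code from the conduition.io post, nor from any of the wallets it names) that reduces a keyset ID to the 31-bit index NUT-13 feeds into the BIP32 path and shows two distinct keyset IDs landing on identical secret and blinding-factor paths. It then implements a wallet-side guard of the short-term kind the summary describes: refuse to register a keyset whose 31-bit residue collides with a keyset the wallet already knows. The residue formula (`int(keyset_id, 16) % (2**31 - 1)`) and the path `m/129372'/0'/keyset_id_int'/counter'/{0,1}` follow NUT-13; the `WalletKeysets` class, its policy, and the sample keyset IDs and mint URLs are constructed for this example and are not any project's actual fix.

```python
"""Added example: NUT-13 keyset-ID reduction and a wallet-side collision guard.

Assumed from NUT-13: keyset_id_int = int(keyset_id, 16) % (2**31 - 1), with the
secret derived at m/129372'/0'/keyset_id_int'/counter'/0 and the blinding factor
at .../1. The WalletKeysets class and its policy are hypothetical.
"""
from dataclasses import dataclass, field
from typing import Optional

KEYSET_ID_MODULUS = 2**31 - 1  # NUT-13 reduces the 64-bit keyset ID into this range


def keyset_id_int(keyset_id: str) -> int:
    """Reduce a 16-hex-char keyset ID to the 31-bit BIP32 child index NUT-13 uses."""
    return int.from_bytes(bytes.fromhex(keyset_id), "big") % KEYSET_ID_MODULUS


def derivation_paths(keyset_id: str, counter: int) -> tuple:
    """Return (secret_path, blinding_factor_path) for a keyset and counter.

    Only the reduced integer enters the path, so two keysets whose residues
    match yield byte-identical secrets and blinding factors for every counter.
    """
    idx = keyset_id_int(keyset_id)
    base = f"m/129372'/0'/{idx}'/{counter}'"
    return (f"{base}/0", f"{base}/1")


@dataclass
class WalletKeysets:
    """Tracks keysets by full ID (as wallets track counters) and refuses residue collisions."""
    known: dict = field(default_factory=dict)  # full keyset ID -> mint URL

    def colliding_keyset(self, keyset_id: str) -> Optional[str]:
        """Return a different known keyset ID with the same 31-bit residue, or None."""
        idx = keyset_id_int(keyset_id)
        for existing in self.known:
            if existing != keyset_id and keyset_id_int(existing) == idx:
                return existing
        return None

    def add_keyset(self, keyset_id: str, mint_url: str) -> None:
        """Register a keyset, refusing it if its residue collides with a known one.

        A collision would make the wallet reuse the same preimages and blinding
        factors across both keysets, which is the condition the poisonous
        airdrop relies on, so the keyset is rejected before any token is swapped.
        """
        other = self.colliding_keyset(keyset_id)
        if other is not None:
            raise ValueError(
                f"keyset {keyset_id} from {mint_url} collides with {other} "
                f"from {self.known[other]} on 31-bit residue {keyset_id_int(keyset_id)}"
            )
        self.known[keyset_id] = mint_url


# Constructed sample IDs (not real keysets): the second reduces to the same
# residue as the first because 2**31 == 1 (mod 2**31 - 1).
HONEST_KEYSET = "0000000000000001"
COLLIDING_KEYSET = "0000000080000000"
UNRELATED_KEYSET = "0000000000000002"


def demo() -> bool:
    """Register an honest and an unrelated keyset, then show the guard rejecting a collision."""
    wallet = WalletKeysets()
    wallet.add_keyset(HONEST_KEYSET, "https://honest.example")
    wallet.add_keyset(UNRELATED_KEYSET, "https://other.example")
    try:
        wallet.add_keyset(COLLIDING_KEYSET, "https://malicious.example")
    except ValueError:
        return True  # the guard fired
    return False


if __name__ == "__main__":
    print(derivation_paths(HONEST_KEYSET, 0))
    print(derivation_paths(COLLIDING_KEYSET, 0))
    print("guard blocked colliding keyset:", demo())
```

The guard is deliberately keyed on the residue rather than on the mint URL, because the wallet's counter bookkeeping is per full ID while its secrets depend only on the residue; checking the residue at keyset-registration time closes the gap before any blinded message is produced. The long-term fix the summary mentions (HMAC-SHA512 scoped to the full keyset ID) removes the reduction altogether, so `keyset_id_int` would no longer exist on that path.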

17 min read. From conduition.io.
Table of contents: Prerequisite Knowledge, Notation, Ecash, NUT-13, The Flaw, Method, Affected Software, Practicality, Visibility, Mitigations, Conclusion.
