Mercury Layer v0.2.0: Fix for Malicious Backup Transactions Vulnerabilities

"This update fixes vulnerabilities related to malicious backup transactions bypassing receiver verification checks. We've revamped the way backup transaction checks are constructed to ensure robust security."

https://www.nobsbitcoin.com/mercury-layer-v0-2-0/ 
🤙

The vulnerabilities are described in detail on my blog here: https://conduition.io/code/mercury-disclosure/

I'm very happy to see these vulnerabilities fixed in a timely fashion, but Mercury went public releasing a patch and publishing my report without even asking me for a review first. The first I heard about this patch was Tom Trevethan's Twitter post a few hours ago.

Mercury's bug bounty program offers only 800 GBP for a critical loss-of-funds vulnerability. Rather than chasing Mercury down again for another mediocre payout, after this experience I'm more inclined to just hold onto any new vulns I might find and exploit them later, if Mercury ever sees wider use.

Oh well, it's their code I suppose. To be fair, Tom made clear they treat Mercury Statechains as unsafe prototype software, and clearly tell people not to use it with mainnet funds. Vulns like these are why.

Remember kids, if a dev tells you not to use their own code with real money, you should listen!

References:

nostr:note13jcuax3zmupdld2egn8ew9n0jru4p4fd0e82csz499ugnyrj8jvs4vhqmw

https://x.com/mercurylayer/status/1832062894428545114

https://conduition.io/code/mercury-disclosure/

https://github.com/commerceblock/mercurylayer/blob/07b2a4485187592ed24c642b7284b321aceaa8fe/disclosure.md 
Can you maybe post your blog here on Nostr instead? Would love to stick 'em here and not jump to a website.