I'm very happy to see these vulnerabilities fixed in a timely fashion, but Mercury went public releasing a patch and publishing my report without even asking me for a review first. The first I heard about this patch was Tom Trevethan's Twitter post a few hours ago.
Mercury's bug bounty program offers only 800 GBP for a critical loss-of-funds vulnerability. Rather than chasing Mercury down again for another mediocre payout, after this experience I'm more inclined to just hold onto any new vulns I might find and exploit them later, if Mercury ever sees wider use.
Oh well, it's their code I suppose. To be fair, Tom made clear they treat Mercury Statechains as unsafe prototype software, and clearly tell people not to use it with mainnet funds. Vulns like these are why.
Remember kids, if a dev tells you not to use their own code with real money, you should listen!
References:
nostr:note13jcuax3zmupdld2egn8ew9n0jru4p4fd0e82csz499ugnyrj8jvs4vhqmw
https://x.com/mercurylayer/status/1832062894428545114
https://conduition.io/code/mercury-disclosure/
https://github.com/commerceblock/mercurylayer/blob/07b2a4485187592ed24c642b7284b321aceaa8fe/disclosure.md