This is my report on the technical details of the Mercury Layer vulnerabilities I responsibly disclosed to their developers. I disclosed this report to mercury 4 days ago. Earlier today, the mercury devs released a patch to address these vulnerabilities (without my review). I haven't reviewed their code yet to see if the fixes are effective, or if they've introduced any regressions.
I have more to say about the subjective experience of finding and disclosing these vulnerabilities but i'm out of energy today. I'll comment on this post once I have the time and energy to write.
P1 = O1 + S1
). If the statecoin is spent as a happy path, there shall be no mark in the blockchain logs.network = "bitcoin"
in the client'sSettings.toml
file, so it's not that hard to set up. In fact, to demonstrate the vulns to mercury I double-spent some mainnet coins after ostensibly "transferring" the statecoin UTXO to Tom. But it would take a conscious effort to do that, in spite of blatant warnings to the contrary.