reply on: Stay away from Voltz \ stacker news ~bitcoin

pull down to refresh

20 sats \ 2 replies \ @ek 10 Feb \ parent \ on: Stay away from Voltz bitcoin

I think they didn't purge it but they don't want to reactivate the keyset because of a vulnerability:

Hello, yes we are aware that some customers would have problems after we disabled this vulnerable Keyset. You can call me on Telegram t.me/EM_TLL to resolve it faster. I will help you provide me with your ecashs of your back-up only, from voltz mint.

With this, we will burn manually in our database and send you the funds returned by Lightning. All right for you? I say it, because we cannot reactivate Keyset due to its vulnerability.

Do you know what vulnerability this could be? Could it be that they accidentally minted too much ecash with this keyset?

221 sats \ 1 reply \ @gandlaf21 10 Feb

I have an Idea what it could be. I'm not sure if the vulnerability has been fully disclosed yet. But what they could do is use the seed to regenerate the messages, check on which of these signatures have been issued, unblind them, check which of them have been spent, and then refund the delta. Obviously this is a lot of manual effort, but I think it might make sense for mint operators to have some kind of a fallback restore tool that automates these kind of things. It needs to be built first though. I've started a discussion in the cashu R+D chat

0 sats \ 0 replies \ @Haiku7336 OP 10 Feb

Thank you for looking at this issue. I have another suggestion for the future: Would it be possible to implement a light protocol for mints to send notifications to their users? E.g. in this case if I had received a notification about the keyset disabling, I would have known what is going on and not reset my wallet.