Public Disclosure: Denial of Service using HTLC in Cashu

Nov 2 - Nov 2, 2025

  • A significant vulnerability was identified in versions of nutshell prior to 0.18.0, where the size of a preimage was not validated.

This flaw let an attacker fill the mint's database and disk with arbitrary data through the handling of HTLC (Hash Time Locked Contract) preimages. The core of the issue was that the software did not verify the supplied preimage against the expected hashlock, in particular when no locktime was defined or the locktime had not yet elapsed, as demonstrated by the Python snippet in the original post.

The vulnerability, tracked as NUT-14 (HTLC spending conditions), could be exploited to create cashu tokens using a preimage, while NUT-07 might reveal the preimage stored by the mint, compromising the integrity and availability of affected systems. A proof of concept showing how the flaw leads to a denial of service is available at uncensoredtech.substack.com.

The fix was promptly provided by lollerfirst, who submitted a GitHub pull request that was later merged into the project's main branch. The correction validates the preimage size so that arbitrary data can no longer be injected. The fix shipped in nutshell v0.18.0, released on 28 October 2025, after the initial report to the cashu development team on 19 October 2025 and a subsequent acknowledgment and reward from opencash for identifying the issue.

Even though the fix was merged swiftly, advisories were issued to both mints and users about the persistent risk posed by unupdated versions of nutshell. Mints were urged to back up their databases and upgrade to version 0.18.0 immediately, contacting the Cashu dev team for help with the update if needed. Users were advised to check their mint's version via a specified URL and to stop using any mint that supports NUT-14 but runs an outdated version of nutshell, since the ecosystem remains at risk until updates are confirmed everywhere.
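As an added illustration (not code from nutshell or from the original post), the following hashlock-path check has the shape the fix describes: the preimage length is validated before the preimage is hashed or persisted, so an oversized witness never reaches the database. The NUT-14 layout assumed here is a `["HTLC", {...}]` secret with a hex `"data"` hashlock and an optional `"locktime"` tag, plus a witness carrying a hex `"preimage"`.

```python
import hashlib
import json
from typing import Tuple

PREIMAGE_LEN = 32  # SHA-256 preimages are exactly 32 bytes (64 hex chars)


def verify_htlc_witness(secret_json: str, witness_json: str, now: int) -> Tuple[bool, str]:
    """Decide whether a witness unlocks an HTLC-locked proof via the hashlock path.

    Returns (accepted, reason). The size check runs before the preimage is
    decoded, hashed or stored, which is the mitigation the v0.18.0 fix added.
    Secret/witness layout follows NUT-14 as assumed in the lead-in.
    """
    try:
        kind, body = json.loads(secret_json)
        witness = json.loads(witness_json)
    except (ValueError, TypeError):
        return False, "malformed secret or witness"
    if kind != "HTLC" or not isinstance(body, dict):
        return False, "not an HTLC secret"

    # After the locktime the hashlock path is closed and the refund path
    # (key signatures) applies instead; that path is out of scope here.
    tags = {t[0]: t[1:] for t in body.get("tags", []) if t}
    locktime = tags.get("locktime")
    if locktime and now > int(locktime[0]):
        return False, "locktime elapsed; hashlock path closed"

    preimage_hex = witness.get("preimage") if isinstance(witness, dict) else None
    if not isinstance(preimage_hex, str):
        return False, "missing preimage"
    # Reject on the encoded length first: a multi-megabyte string is refused
    # before any decoding, hashing or database write can happen.
    if len(preimage_hex) != 2 * PREIMAGE_LEN:
        return False, f"preimage must be {2 * PREIMAGE_LEN} hex chars, got {len(preimage_hex)}"
    try:
        preimage = bytes.fromhex(preimage_hex)
    except ValueError:
        return False, "preimage is not hex"

    if hashlib.sha256(preimage).hexdigest() != body.get("data"):
        return False, "preimage does not match hashlock"
    return True, "ok"


# Constructed sample (not real mint data): a 32-byte preimage and the
# HTLC secret that locks to its SHA-256 hash, expiring at unix time 2000.
SAMPLE_PREIMAGE = bytes(range(32))
SAMPLE_SECRET = json.dumps(["HTLC", {"nonce": "n1",
                                     "data": hashlib.sha256(SAMPLE_PREIMAGE).hexdigest(),
                                     "tags": [["locktime", "2000"]]}])
```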
