Key Vulnerability Information

Vulnerability Type: Hashed Timelock Contracts (HTLCs)

Affected Component: HTLC spending condition

Description: HTLCs enable locking ecash tokens to the hash of a preimage or a timelock. The preimage data is crucial for spending locked tokens and is included in the witness data. If an application relies on the preimage being retrievable without knowledge of the spender’s private key, it must check if the mint supports this feature using the endpoint per NUT-07.

Potential Risks:
- If the mint does not support this spending condition, proofs may be treated as regular anyone-can-spend tokens.
- Applications should verify if the mint supports this feature via the endpoint to ensure secure spending.

Mitigation:
- Applications should always check the endpoint to confirm mint support for the HTLC spending condition.
- Ensure the application handles cases where the mint does not support this feature securely.
- Utilize NUT-07 for preimage retrieval functionality.
- Implement additional security measures, such as signature flags and multisig requirements, as described in NUT-11.

Related Specifications:
- NUT-10: Describes the well-known format
- NUT-07: Endpoint for preimage retrieval
- NUT-11: Signature scheme and additional security features
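
The support check and preimage check described above, as an added example that is not part of the original page or of any Cashu project's code. It assumes the mint's capability response is a JSON object with a `nuts` map that lists HTLC support under key "14", that the lock is the SHA-256 of the preimage, and that the witness carries a hex `preimage` field; function names and sample values are constructed for illustration.

```python
import hashlib
import json

HTLC_NUT = "14"  # assumption: key under which the mint advertises HTLC support


def mint_supports_htlc(info: dict) -> bool:
    """Fail closed: anything other than an explicit supported=True means no."""
    nuts = info.get("nuts")
    if not isinstance(nuts, dict):
        return False
    entry = nuts.get(HTLC_NUT)
    return isinstance(entry, dict) and entry.get("supported") is True


def parse_htlc_lock(secret: str) -> str:
    """Return the hash lock from a [kind, {nonce, data, tags}] secret."""
    kind, body = json.loads(secret)
    if kind != "HTLC":
        raise ValueError("secret is not of kind HTLC")
    return body["data"].lower()


def preimage_matches(secret: str, witness: str) -> bool:
    """True if the witness preimage hashes to the lock in the secret."""
    preimage = bytes.fromhex(json.loads(witness)["preimage"])
    return hashlib.sha256(preimage).hexdigest() == parse_htlc_lock(secret)


def can_rely_on_htlc(info: dict, secret: str) -> bool:
    """Treat a proof as hash-locked only when the mint enforces the condition.

    If the mint lacks support, the proof may be spendable by anyone who
    holds it, so the caller must not treat it as locked.
    """
    parse_htlc_lock(secret)  # raises on a malformed or non-HTLC secret
    return mint_supports_htlc(info)


# Constructed sample data (not taken from any real mint or token).
SAMPLE_PREIMAGE = "00" * 32
SAMPLE_LOCK = hashlib.sha256(bytes.fromhex(SAMPLE_PREIMAGE)).hexdigest()
SAMPLE_SECRET = json.dumps(
    ["HTLC", {"nonce": "constructed-nonce", "data": SAMPLE_LOCK, "tags": []}]
)
SAMPLE_WITNESS = json.dumps({"preimage": SAMPLE_PREIMAGE})
INFO_SUPPORTED = {"nuts": {"14": {"supported": True}}}
INFO_UNSUPPORTED = {"nuts": {"7": {"supported": True}}}
```
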