Hi Insiders. This is Tuma, open-source reporter from the Insider Edition. I spent 10+ hours in open-source developer calls in the Bitcoin ecosystem last week. Here is what caught my eye:

• A vulnerability in the Cashu Protocol was responsibly disclosed by developer Conduition.

  • Developer Conduition posted to Stacker News, on Saturday 10th, an article explaining his findings on a vulnerability present in most Cashu mints and wallets. While Conduition’s findings dates back to July 2025, the possible exploit was first responsibly reported to the Cashu team, disclosing it to the general public only last week, after patches have been applied to the code.

  • The vulnerability lays in the NUT-13 specification, which describes a deterministic backup standard for Cashu wallets. To generate a secret for an ecash token, the wallet takes the Keyset ID (a unique identifier of a mint) and shrinks it down into a smaller number to fit into 32-bit integer, compliant with BIP32 format. Since the number space is small (about 2 billion possibilities), a malicious attacker could easily create a fake mint with a different name but a Keyset ID that results in the exact same derived ID as a popular, legitimate mint and trick a user into revealing its secret-s.

  • A short-term patch has already been applied to the most important wallets and mints to prevent exploiting the vulnerability. In the meantime, developers are working on modifying the NUT-13 specification, transitioning to a Keyset ID V2 based on HMAC-SHA256 derivation.

• A Marmot protocol update: Status of the audit and the latest developments

  • During the monthly call, on Tuesday 6th, Marmot developers provided an update on the status of the protocol, on feedbacks on the ongoing audit, and on the latest developments.

  • For what concerns the audit, the independent firm finished reviewing the specifications, providing some suggestions to improve media encryption. Changes have already been applied. Auditors have then moved to the MDK codebase, identifying around 45 vulnerabilities in the code, which are already been addressed by Marmot developers.

  • In the meantime, marmot-ts development is proceeding. Developers are implementing the TypeScript library feature-by-feature according to the specifications. Advancement can be checked on the example website.

• PR1459 in CDK is adding a feature to backup the wallet’s mint list on Nostr.

  • During the weekly call, on Wednesday 7th, CDK developers discussed PR1459, which brings a new feature that allows users to backup their wallet’s mint list on Nostr. The PR is based on the recently merged NUT-27.

  • According to the specifications, the mint list is encrypted using NIP-44 and published as a replaceable Nostr event on one or more user-defined relays. The backup keys are deterministically derived from the wallet’s mnemonic seed phrase.

  • What’s cool about the tech: This feature allows users to restore their mint configuration across different devices or wallet instances using their mnemonic seed phrase.

Looking for an opportunity to join up with some bitcoin devs in person? Join us in Florianopolis this February 26-28 to talk about exploiting Bitcoin.