
BIP LI01 output reordering may cause malformed SLP MINT transactions

Critical
jcramer published GHSA-cchm-grx2-g873 Apr 25, 2020

Package

electron-cash.py

Affected versions

<3.6.2

Patched versions

3.6.2

Description

Impact

All token creators who use the "Mint Tool" feature of the Electron Cash SLP Edition (< 3.6.2) are at risk of sending the minting authority baton to the wrong SLP address. A baton sent to the wrong address gives another party the ability to issue new tokens or to permanently destroy future minting capability.
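How output reordering can misdirect the baton, as an added illustration that is not Electron Cash code: it assumes the SLP Token Type 1 MINT layout (message at vout 0, new tokens to vout 1, baton to the index stored in `mint_baton_vout`) and models BIP-LI01 as an amount-then-script sort. The helper names, scripts and token id are constructed for the example; `check_mint` is the kind of positional check a wallet can run on the final output list before signing.

```python
import struct

OP_RETURN, DUST = 0x6A, 546

def push(data):  # direct push opcode, valid for 1..75 bytes of data
    return bytes([len(data)]) + data

def slp_mint_message(token_id, baton_vout, quantity):
    """Type-1 SLP MINT OP_RETURN script with the baton index baked in."""
    fields = (b"SLP\x00", b"\x01", b"MINT", token_id,
              bytes([baton_vout]), struct.pack(">Q", quantity))
    return bytes([OP_RETURN]) + b"".join(push(f) for f in fields)

def baton_vout_of(script):
    """Read mint_baton_vout (5th push); handles only the direct pushes built above."""
    fields, i = [], 1
    while i < len(script):
        n = script[i]
        fields.append(script[i + 1:i + 1 + n])
        i += 1 + n
    return fields[4][0]

def bip_li01_sort(outputs):
    """BIP-LI01 order: amount ascending, then scriptPubKey bytes."""
    return sorted(outputs)

def check_mint(outputs, receiver_script, baton_script):
    """Return problems found in the final output order (empty list = OK)."""
    if len(outputs) < 2 or outputs[0][1][:1] != bytes([OP_RETURN]):
        return ["vout 0 is not the SLP OP_RETURN message"]
    vout = baton_vout_of(outputs[0][1])
    problems = []
    if outputs[1][1] != receiver_script:
        problems.append("vout 1 does not pay the intended token receiver")
    if vout >= len(outputs) or outputs[vout][1] != baton_script:
        problems.append("mint_baton_vout %d does not pay the baton address" % vout)
    return problems

def p2pkh(hash160):
    return bytes.fromhex("76a914") + hash160 + bytes.fromhex("88ac")

# Constructed sample: both token outputs carry dust, so the script breaks the tie.
RECEIVER, BATON = p2pkh(b"\xbb" * 20), p2pkh(b"\x11" * 20)
INTENDED = [(0, slp_mint_message(b"\x00" * 32, 2, 1000)), (DUST, RECEIVER), (DUST, BATON)]
SORTED = bip_li01_sort(INTENDED)  # message stays at vout 0, the other two swap

if __name__ == "__main__":
    print("as built:", check_mint(INTENDED, RECEIVER, BATON))
    print("sorted:  ", check_mint(SORTED, RECEIVER, BATON))
```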

Patches

Run the latest source code or install version 3.6.2.

Workarounds

There are no workarounds.

References

  • GitHub Issue: Mint baton sent to token receiver address
  • BIP-LI01: Lexicographical Indexing of Transaction Inputs and Outputs

For more information

If you have any questions or comments about this advisory:

Severity

Critical

CVE ID

CVE-2020-11014

Weaknesses

No CWEs