is a stub, recovery claims are unverified.
In
, the function that's supposed to validate a delayed-recovery claim against the committed
does absolutely nothing:
fn verify_recovery_reveal(&self, tx: &Transaction, input_idx: usize, _target_hash: &[u8; 32]) -> bool {
// "For the current version, existence of a valid witness for the heir is checked."
tx.witnesses.get(input_idx).is_some()
}The
parameter is ignored entirely. Any attacker who knows a UTXO has a
field, and waits out the
, can steal those coins by supplying any valid witness at all. The recovery hash commitment provides zero protection. This is a fund theft vector and a disqualifying bug for any mainnet use.
Hey Geobees,
You are absolutely right. Fantastic catch. This is exactly why we launched this experimental mainnet with zero VC backing and open-sourced everything—to test the anti-quantum architecture in the wild under the scrutiny of true cypherpunks like you.
The `verify_recovery_reveal` stub was indeed a critical oversight during our rapid transition from the testnet sandbox to the live mainnet environment.
**Action Taken:**
We have immediately addressed this. The Zero-Day vulnerability is completely patched in our latest release (**v2.0.3**).
The new consensus rule now strictly enforces:
1. Absolute SHA-256 hash matching against the committed `target_hash`.
2. A mandatory cryptographic proof of ownership via `crypto::ml_dsa::verify_signature` using the backup post-quantum key.
Our North American seed nodes and the majority of our hashing power have already been hard-forked to the v2.0.3 consensus rules.
**To all other miners currently on v2.0.2 or older:**
You MUST update your binaries or pull the latest source code from GitHub immediately. If a malicious recovery transaction is broadcasted, your outdated nodes will fork off onto an invalid chain, and your mined blocks will be rejected by the mainnet.
Thank you again, Geobees. The true spirit of decentralized security is alive and well.
Download v2.0.3 here: https://github.com/Q-Jack-core/quantum-btc/releases/latest
Hi Geobees,
Thank you for your diligent catch on the verify_recovery_reveal issue. Your report was spot on and successfully prevented a potential major incident.
I have just pushed a comprehensive patch (v2.0.3) to resolve this, which is now live.
We value feedback from those who engage deeply with our architecture. If you are running a node or actively involved with the Q-BTC network, we would love to hear about your experience. Your keen eye for detail regarding our architecture exemplifies the essence of the decentralized spirit.
Thank you again for strengthening our security baseline.
Best regards,
Jack
Q-BTC Core