Zecwallet Lite Nonce Reuse Issue

Yesterday I pointed out to zecwallet that their latest release which added back wormhole connectivity had a major issue that would allow the wormhole to replay encrypted packets (effectively allowing a rogue wormhole to perform actions it should not).

This came on the heels of their electron upgrade which had issueszecwallet-electron-deanonymization/ (and still does).

Zecwallet attempted to silently fix the issue in their 0.94 update which made no reference to the nonce reuse issue.

A quick glance at the code revelaed that this did not fix the issue

On the one hand you could analyse this as a small mistake in the comparison function typeing `>` instead of `>=`.

On the other hand, this is the 3rd security related vulnerability in roughly a week, and doesn't reinforce trust in software which is indented to handle money.

• log sec-research privacy-research