NUT-14 HTLC refund path incorrectly requires preimage (spec violation)

[Amperstrand]

Summary

NUT-14 HTLC refund path requires a preimage even after locktime has passed. The spec says only a signature is needed.

Bug Location

cashu/core/nuts/nut14.py lines 24-27:

if not proof.htlcpreimage:
    raise TransactionError("no HTLC preimage provided")  # Checked BEFORE locktime
now = time.time()
if not htlc_secret.locktime or htlc_secret.locktime > now:  # Locktime check comes AFTER

The preimage check is unconditional but should only apply before locktime.

Expected vs Actual

Test	Expected	Actual
Refund with signature only (per spec)	ACCEPT	REJECT
Refund with dummy preimage	N/A	ACCEPT

Proof of Concept

https://gist.github.com/Amperstrand/3cc9788f1bac4c1461e441bfa1ef47eb

Run: npx tsx nutshell_htlc_bug_e2e.ts

Fix

def verify_htlc_spending_conditions(proof: Proof) -> bool:
    # ...
    now = time.time()
    
    # Refund path: locktime passed, only signature needed
    if htlc_secret.locktime and htlc_secret.locktime < now:
        return True
    
    # Hashlock path: require preimage
    if not proof.htlcpreimage:
        raise TransactionError("no HTLC preimage provided")
    # ...

Note

Existing HTLC tests always include a preimage in refund scenarios, so this wasn't caught.

[Amperstrand]

======================================================================
NUTSHELL HTLC BUG - END-TO-END PROOF OF CONCEPT
======================================================================

Mint: https://testnut.cashu.space
Test amount: 9 sats

✓ Connected to mint
✓ Mint supports NUT-14 HTLC

======================================================================
STEP 1: Get Funding
======================================================================

Requested mint quote for 9 sats
Quote ID: CmWBMQOD0Givr_Ela3GhO1sfVrV-eaGsah-DIusY

⏳ Waiting for payment (testnut auto-pays)...
✓ Payment confirmed!


======================================================================
STEP 2: Mint Tokens
======================================================================
✓ Minted 2 proof(s) totaling 9 sats

======================================================================
STEP 3: Create HTLC-Locked Proofs (with expired locktime)
======================================================================

📋 HTLC Parameters:
   Hashlock:         4e7f39b2dd10e3791da949fea1b1d231...
   Real preimage:    6b19d1095d802b0c0f17d4a962d5d774...
   Locktime:         1765717687 (EXPIRED - 24 hours ago)
   Refund pubkey:    020683cf0b0bb9a610594635867a6c15...
   Recipient pubkey: 026d1413facc761d75f457af983c0544...

📋 HTLC Secret:
[
  "HTLC",
  {
    "nonce": "9edf542b5db45e21a862aa1d1b492065",
    "data": "4e7f39b2dd10e3791da949fea1b1d231b45144b50e4829cf84e479fa1fdf2feb",
    "tags": [
      [
        "locktime",
        "1765717687"
      ],
      [
        "refund",
        "020683cf0b0bb9a610594635867a6c15d3ab78f46167b997e4877a58f59a3df697"
      ],
      [
        "pubkeys",
        "026d1413facc761d75f457af983c0544935b0c2df9542036cdcedee607eb04dc84"
      ]
    ]
  }
]

💰 Input: 9 sats (2 proofs), Fee: 1 sats, Available: 8 sats
   Creating 8 sat HTLC proof

🔄 Swapping regular proof for HTLC-locked proof...
✓ Created HTLC-locked proof

======================================================================
STEP 4: Test HTLC Refund Bug
======================================================================

----------------------------------------------------------------------
TEST 1: Refund with ONLY signature (spec-compliant)
----------------------------------------------------------------------

Witness: {"signatures":["4f0e6740031ca782e195136c601757a88ef64dc79a4bb7933527ea4852a494d3e6d7a4f1090498de01734d8be0ffc40fb401ddfd0686d6fc35a380b9b3d8db72"]}

Per NUT-14 spec: Should be ACCEPTED (locktime passed + valid refund signature)

✗ REJECTED: no HTLC preimage provided

🐛 BUG CONFIRMED: Nutshell requires preimage even for refund!
   This violates NUT-14 spec which says refund only needs signature.

----------------------------------------------------------------------
TEST 2: Refund with signature + INVALID dummy preimage
----------------------------------------------------------------------

Dummy preimage:  041a20850ad949be8023cc1c62b5f887...
SHA256(dummy):   bfe8f1b946f7c5213fe201cfd3b22b27...
Expected hash:   4e7f39b2dd10e3791da949fea1b1d231...
Match:           NO - INVALID!

Witness: {"signatures":["4f0e6740031ca782e195136c601757a88ef64dc79a4bb7933527ea4852a494d3...

Per NUT-14 spec: Should be REJECTED (invalid preimage)
Nutshell behavior: Will be ACCEPTED (preimage not validated after locktime)

✓ ACCEPTED with invalid preimage!

🐛 BUG CONFIRMED: Nutshell accepts ANY preimage after locktime!
   The preimage is REQUIRED but NOT VALIDATED.

======================================================================
SUMMARY
======================================================================

Test Results:
─────────────────────────────────────────────────────────────────────

TEST 1: Refund with only signature (spec-compliant)
  Result: rejected_preimage_required
  Expected per NUT-14: Should be ACCEPTED
  
TEST 2: Refund with signature + INVALID preimage
  Result: accepted_invalid_preimage
  Expected per NUT-14: Should be REJECTED (invalid preimage)

─────────────────────────────────────────────────────────────────────

🐛 BUG CONFIRMED!

Test 1 proves the bug: Nutshell requires a preimage even for refund path.

Nutshell's nut14.py verify_htlc_spending_conditions() does this:

  if not proof.htlcpreimage:
      raise TransactionError("no HTLC preimage provided")  # <-- BUG!
  
  # This check happens BEFORE checking locktime!

This violates NUT-14 which clearly states:
  "if the current system time is later than Secret.tag.locktime,
   the Proof can be spent if Proof.witness includes a signature
   from the key in Secret.tags.refund"

The spec says ONLY a signature is needed for refund. No preimage.

FIX: Check locktime BEFORE requiring preimage:

  def verify_htlc_spending_conditions(proof: Proof) -> bool:
      ...
      now = time.time()
      
      # Refund path: locktime passed, only need signature  
      if htlc_secret.locktime and htlc_secret.locktime < now:
          return True  # Signature already verified in conditions.py
      
      # Hash lock path: validate preimage
      if not proof.htlcpreimage:
          raise TransactionError("no HTLC preimage provided")
      ...