hodlbod on Nostr: NB: yesterday I discovered a flaw in pomade which allows a malicious client (with an ...
NB: yesterday I discovered a flaw in pomade which allows a malicious client (with an authenticated/trusted session) to exfiltrate private key material due to nonce re-use.
In practice, because clients are already trusted and frequently hold keys anyway, I don't think anyone is affected in practice (the only integration I'm aware of, Flotilla, doesn't execute this attack). However, if you run a pomade signer, please update ASAP.
A two-stage upgrade process is available if you are running in production and have active clients:
1. Upgrade your signers to 0.2.6, which are backwards compatible with the vulnerable signing method.
2. Upgrade your clients to 0.3.0, which swaps out the sign method to an RFC-compatible nonce exchange + psig exchange.
3. Upgrade your signers to 0.3.0, which removes the vulnerable signing method.
Published at
2026-06-05 19:58:26 UTC
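Why nonce re-use in a Schnorr-style signer exposes key material, and the single-use check a signer can enforce, as an added example that is not part of the original note and not pomade's code. It assumes a simplified response `s = k + c*x mod q` with one nonce per signature (the RFC scheme uses two nonces and a binding factor); the class, method and parameter names are hypothetical.

```python
# Added illustration: scalar arithmetic only, not pomade's implementation.
import secrets

# Order of the secp256k1 group (the curve Nostr keys use).
Q = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141


class OneTimeNonceSigner:
    """Hypothetical signer that issues nonce ids and consumes each at most once."""

    def __init__(self, secret_share):
        self._x = secret_share % Q
        self._nonces = {}  # nonce id -> secret nonce k, removed on first use

    def new_nonce(self):
        nonce_id = secrets.token_hex(16)
        self._nonces[nonce_id] = secrets.randbelow(Q - 1) + 1
        return nonce_id

    def partial_sign(self, nonce_id, challenge, enforce_single_use=True):
        # enforce_single_use=False models a signer that answers twice for one nonce.
        if enforce_single_use:
            k = self._nonces.pop(nonce_id, None)  # a second request finds nothing
        else:
            k = self._nonces.get(nonce_id)
        if k is None:
            raise ValueError("unknown or already-used nonce")
        return (k + challenge * self._x) % Q


def solve_for_secret(s1, c1, s2, c2):
    """Two responses sharing one k are two linear equations in (k, x):
    s1 - s2 = (c1 - c2) * x mod Q, so x follows by one modular inverse."""
    return ((s1 - s2) * pow(c1 - c2, -1, Q)) % Q


if __name__ == "__main__":
    share = 0x1234  # constructed sample secret
    signer = OneTimeNonceSigner(share)
    nid = signer.new_nonce()
    s1 = signer.partial_sign(nid, 11, enforce_single_use=False)
    s2 = signer.partial_sign(nid, 22, enforce_single_use=False)
    print("share determined by two responses:", solve_for_secret(s1, 11, s2, 22) == share)
    nid = signer.new_nonce()
    signer.partial_sign(nid, 11)
    try:
        signer.partial_sign(nid, 22)
    except ValueError as err:
        print("second request rejected:", err)
```

A signer that persists state across restarts also needs the "consumed" marker written durably before the response leaves the process, otherwise a crash and replay can bring the same nonce back.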