Privacy in Minibits
Key Rotation
The Minibits app provides an option to rotate nostr keys. However, persistent identifiers (walletId, seedHash, device) survive the rotation and make it useless: both the server and public observers can link the old and new keys. The three profile snapshots below are the same server record (id 8700) over time; the pubkey and the nip05 name change, but id, walletId and device stay constant.
{
  "id": 8700,
  "pubkey": "c0013ceda3ccd2f046ee923961a2a181f01964a89b9c44edaef229827a690d4b",
  "device": "cZqXBQHRReGL1sb1TIJ5hW:APA91bH3jP3gz9_5hLIyO3jnNCYsu78HqINT5c8nMmyOiPLvRH-xp1MupvUGkAI6Rvm5k6RMMyXAdnxdcgjA7rXJXg3q6mPaxpsQtk1T7T-lTUKMcfeXKSw",
  "avatar": "https://api.minibits.cash/profile/avatar/c0013ceda3ccd2f046ee923961a2a181f01964a89b9c44edaef229827a690d4b",
  "createdAt": "2026-02-16T11:39:19.028Z",
  "walletId": "lockedbutt943",
  "nip05": "benigndarky973@minibits.cash",
  "name": "benigndarky973",
  "lud16": "benigndarky973@minibits.cash",
  "donatedAt": null,
  "updatedAt": "2026-02-16T12:14:35.582Z"
}

{
  "id": 8700,
  "pubkey": "c0013ceda3ccd2f046ee923961a2a181f01964a89b9c44edaef229827a690d4b",
  "device": "cZqXBQHRReGL1sb1TIJ5hW:APA91bH3jP3gz9_5hLIyO3jnNCYsu78HqINT5c8nMmyOiPLvRH-xp1MupvUGkAI6Rvm5k6RMMyXAdnxdcgjA7rXJXg3q6mPaxpsQtk1T7T-lTUKMcfeXKSw",
  "avatar": "https://api.minibits.cash/profile/avatar/c0013ceda3ccd2f046ee923961a2a181f01964a89b9c44edaef229827a690d4b",
  "createdAt": "2026-02-16T11:39:19.028Z",
  "walletId": "lockedbutt943",
  "nip05": "dimbridge867@minibits.cash",
  "name": "dimbridge867",
  "lud16": "dimbridge867@minibits.cash",
  "donatedAt": null,
  "updatedAt": "2026-02-16T12:14:35.582Z"
}

{
  "id": 8700,
  "pubkey": "6681268ace4748d41a4cfcc1e64006fb935bbc359782b3d9611f64d51c6752d9",
  "device": "cZqXBQHRReGL1sb1TIJ5hW:APA91bH3jP3gz9_5hLIyO3jnNCYsu78HqINT5c8nMmyOiPLvRH-xp1MupvUGkAI6Rvm5k6RMMyXAdnxdcgjA7rXJXg3q6mPaxpsQtk1T7T-lTUKMcfeXKSw",
  "avatar": "https://delvingbitcoin.org/user_avatar/delvingbitcoin.org/1440000bytes/288/301_2.png",
  "createdAt": "2026-02-16T11:39:19.028Z",
  "walletId": "lockedbutt943",
  "nip05": "floppy@joinstr.xyz",
  "name": "/dev/fd0",
  "lud16": "floppy@rizful.com",
  "donatedAt": null,
  "updatedAt": "2026-02-17T13:15:11.691Z"
}

Unlike seedHash (which only the server sees), walletId is publicly visible: it is included in the user's profile metadata. The device token is the Firebase Cloud Messaging (FCM) registration token the server uses to push notifications to the user's device.
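To make the linkage concrete, here is an added example (not Minibits code, and not from the post) that runs the analysis an observer would run over a set of profile snapshots: it joins pubkeys that ever shared a persistent identifier and reports which rotations were undone. The snapshots are constructed placeholders shaped like the objects above; the split into server-visible and public-visible fields follows the post (walletId public, id and device server-side).

```javascript
// Added example, not Minibits code: link profile snapshots across a nostr key
// rotation using the identifiers that do not change. The snapshots below are
// constructed for this example; they mirror the shape of the profile objects
// shown above but use placeholder values.
const SNAPSHOTS = [
  { id: 8700, pubkey: 'aa'.repeat(32), device: 'fcm-token-X', walletId: 'wallet-X',
    name: 'alias1', updatedAt: '2026-02-16T12:00:00Z' },
  // same key, new nip05 name
  { id: 8700, pubkey: 'aa'.repeat(32), device: 'fcm-token-X', walletId: 'wallet-X',
    name: 'alias2', updatedAt: '2026-02-16T12:14:00Z' },
  // key rotated: pubkey changed, every persistent identifier did not
  { id: 8700, pubkey: 'bb'.repeat(32), device: 'fcm-token-X', walletId: 'wallet-X',
    name: 'alias3', updatedAt: '2026-02-17T13:15:00Z' },
  // an unrelated wallet that must not get linked to the one above
  { id: 9001, pubkey: 'cc'.repeat(32), device: 'fcm-token-Y', walletId: 'wallet-Y',
    name: 'other', updatedAt: '2026-02-17T09:00:00Z' },
];

// What each vantage point can read. Per the post, walletId appears in the
// public profile metadata, while id and device are only visible server-side.
const SERVER_VISIBLE = ['id', 'walletId', 'device'];
const PUBLIC_VISIBLE = ['walletId'];

// Union-find over pubkeys: two pubkeys are joined whenever a snapshot of one
// shares a (field, value) pair with a snapshot of the other.
function clusterPubkeys(snapshots, fields) {
  const parent = new Map();
  const find = (x) => {
    while (parent.get(x) !== x) {
      parent.set(x, parent.get(parent.get(x)));
      x = parent.get(x);
    }
    return x;
  };
  const firstSeen = new Map(); // "field=value" -> first pubkey seen with it
  for (const s of snapshots) {
    if (!parent.has(s.pubkey)) parent.set(s.pubkey, s.pubkey);
    for (const f of fields) {
      if (s[f] === undefined || s[f] === null) continue;
      const key = `${f}=${s[f]}`;
      if (firstSeen.has(key)) parent.set(find(s.pubkey), find(firstSeen.get(key)));
      else firstSeen.set(key, s.pubkey);
    }
  }
  const clusters = new Map();
  for (const p of parent.keys()) {
    const root = find(p);
    if (!clusters.has(root)) clusters.set(root, []);
    clusters.get(root).push(p);
  }
  return [...clusters.values()].map((c) => c.sort());
}

// Clusters holding more than one pubkey are rotations the observer has undone.
function linkedRotations(snapshots, fields) {
  return clusterPubkeys(snapshots, fields).filter((c) => c.length > 1);
}

// Stand-alone run: what the server and a public observer can each link.
console.log('server links:', linkedRotations(SNAPSHOTS, SERVER_VISIBLE));
console.log('public links:', linkedRotations(SNAPSHOTS, PUBLIC_VISIBLE));
```

Passing `['pubkey']` as the field list is the counterfactual: with no identifier carried across the rotation, every pubkey ends up in its own cluster and nothing is linked, which is the behaviour a rotation should have.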
I have created a webpage to view the profiles for some minibits.cash NIP-05 addresses used in the last few years: https://1440000bytes.github.io/minibits_explorer/
Censorship
By default the app uses the Minibits nostr relay (plus a few others), the Minibits ecash mint and the Minibits API server. Users can add other mints later in the wallet.
When someone pays you via your lightning address, the server mints ecash and stores it. The wallet claims it using your seedHash:

const claimedTokens = await MinibitsClient.createClaim(
    keys.SEED.seedHash,
    isBatchClaimOn ? 5 : undefined
)

As explained in this post, P2PK-locked tokens embed the recipient's public key in the proof secret. Minibits derives the P2PK locking key directly from the user's nostr pubkey, prefixing the 32-byte x-only key with 02 to form a compressed secp256k1 key:
const p2pk: { pubkey: string; locktime?: number; refundKeys?: Array<string> } = {}
if (lockedPubkey && lockedPubkey.length > 0) {
    if (lockedPubkey.startsWith('npub')) {
        // npub: bech32-decode to the 32-byte hex key, then add the 02 parity prefix
        p2pk.pubkey = '02' + NostrClient.getHexkey(lockedPubkey)
    } else {
        // hex: must already be the 64-char x-only key; any other length leaves p2pk.pubkey unset
        if (lockedPubkey.length === 64) {
            p2pk.pubkey = '02' + lockedPubkey
        }
    }
}

The mint can refuse to redeem tokens based on the nostr key or other profile metadata. The IP addresses of all requests are also known to the API server and the Cashu mint.
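The following is an added example, not Minibits code: it reimplements the npub/hex to P2PK conversion shown above with a self-contained bech32 decoder (so it runs offline, without the wallet's `NostrClient.getHexkey`), and adds the reverse step that makes the censorship point concrete: given the 33-byte lock key from a proof secret, the mint strips the parity byte and has the nostr pubkey, which it can then match against profile metadata. The function names and the strict input handling are this example's own choices.

```javascript
// Added example, not Minibits code. It reproduces what the wallet snippet above
// does ("02" + x-only nostr key) with a self-contained bech32 decoder so npubs
// can be handled offline, and shows the reverse step a mint can take: read the
// nostr pubkey back out of the P2PK lock key in a proof secret.
const CHARSET = 'qpzry9x8gf2tvdw0s3jn54khce6mua7l';
const GEN = [0x3b6a57b2, 0x26508e6d, 0x1ea119fa, 0x3d4233dd, 0x2a1462b3];

// BIP-173 checksum arithmetic over 5-bit groups.
function polymod(values) {
  let chk = 1;
  for (const v of values) {
    const top = chk >>> 25;
    chk = ((chk & 0x1ffffff) << 5) ^ v;
    for (let i = 0; i < 5; i++) if ((top >>> i) & 1) chk ^= GEN[i];
  }
  return chk;
}
function hrpExpand(hrp) {
  const chars = [...hrp];
  return chars.map((c) => c.charCodeAt(0) >>> 5).concat([0], chars.map((c) => c.charCodeAt(0) & 31));
}
// Regroup bits: 8->5 with zero padding when encoding, 5->8 strict when decoding.
function convertBits(data, from, to, pad) {
  const out = [], maxv = (1 << to) - 1, maxAcc = (1 << (from + to - 1)) - 1;
  let acc = 0, bits = 0;
  for (const v of data) {
    acc = ((acc << from) | v) & maxAcc;
    bits += from;
    while (bits >= to) { bits -= to; out.push((acc >>> bits) & maxv); }
  }
  if (pad) { if (bits > 0) out.push((acc << (to - bits)) & maxv); }
  else if (bits >= from || ((acc << (to - bits)) & maxv)) throw new Error('bech32: bad padding');
  return out;
}
function bech32Encode(hrp, bytes) {
  const data = convertBits(bytes, 8, 5, true);
  const mod = polymod(hrpExpand(hrp).concat(data, [0, 0, 0, 0, 0, 0])) ^ 1;
  const checksum = [0, 1, 2, 3, 4, 5].map((i) => (mod >>> (5 * (5 - i))) & 31);
  return hrp + '1' + data.concat(checksum).map((d) => CHARSET[d]).join('');
}
function bech32Decode(str) {
  if (str !== str.toLowerCase() && str !== str.toUpperCase()) throw new Error('bech32: mixed case');
  const s = str.toLowerCase();
  const pos = s.lastIndexOf('1');
  if (pos < 1 || pos + 7 > s.length) throw new Error('bech32: bad separator');
  const data = [...s.slice(pos + 1)].map((c) => CHARSET.indexOf(c));
  if (data.includes(-1)) throw new Error('bech32: bad character');
  const hrp = s.slice(0, pos);
  if (polymod(hrpExpand(hrp).concat(data)) !== 1) throw new Error('bech32: bad checksum');
  return { hrp, bytes: convertBits(data.slice(0, -6), 5, 8, false) };
}
const toHex = (bytes) => bytes.map((b) => b.toString(16).padStart(2, '0')).join('');
const fromHex = (hex) => hex.match(/../g).map((h) => parseInt(h, 16));

// Wallet side: npub or 64-char hex in, "02" + x-only key out. Unlike the snippet
// above, which leaves p2pk.pubkey unset for any other input, this rejects it.
function p2pkLockKeyFromNostr(input) {
  let hex;
  if (input.startsWith('npub')) {
    const { hrp, bytes } = bech32Decode(input);
    if (hrp !== 'npub' || bytes.length !== 32) throw new Error('not an npub');
    hex = toHex(bytes);
  } else if (/^[0-9a-f]{64}$/i.test(input)) {
    hex = input.toLowerCase();
  } else {
    throw new Error('expected npub or 64-char hex nostr pubkey');
  }
  return '02' + hex;
}

// Mint side: a 33-byte compressed secp256k1 key carries the x-only nostr key in
// its last 32 bytes, so dropping the parity byte (02 or 03, same x) recovers it.
function nostrPubkeyFromP2pkLock(lockKey) {
  if (!/^0[23][0-9a-f]{64}$/i.test(lockKey)) throw new Error('not a compressed secp256k1 key');
  const hex = lockKey.slice(2).toLowerCase();
  return { hex, npub: bech32Encode('npub', fromHex(hex)) };
}
```

The reverse function is the whole point: nothing in the lock key is hashed or blinded, so whoever receives the proof learns the nostr identity it is locked to and can look up that profile before deciding whether to honour the swap.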
NFC surveillance
The icon_url field from the mint's NUT-06 /v1/info endpoint is stored and rendered with no validation:

{mint?.mintInfo?.icon_url ? (
    <FastImage
        style={{ width: moderateScale(28), height: moderateScale(28), borderRadius: moderateScale(14) }}
        source={{ uri: mint.mintInfo.icon_url }}
        resizeMode={FastImage.resizeMode.contain}
    />

The risk is IP tracking during NFC payments: whoever serves icon_url (normally the mint operator, but the URL can point anywhere) learns your IP address and the exact time you opened the payment screen, and can correlate that with the mint/melt operations that follow.
Correction: the NFC screen shows the cached icon for the mint (unlike the mint info screen), so it cannot be used to track NFC payments.
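As an added example (not Minibits code, and not a description of how the wallet actually handles the field), here is the shape of a guard a wallet could place in front of an unvalidated icon_url, paired with a per-mint cache that gives the property the correction relies on: at most one request per icon, so reopening a payment screen never touches the network. The policy encoded (https only, no embedded credentials, bounded length, an optional same-host rule) is this example's assumption, as are the function names; `fetcher` is injected so the block runs offline.

```javascript
// Added example, not Minibits code: a validation gate for the NUT-06 icon_url
// plus a per-mint icon cache. The policy (https only, no embedded credentials,
// bounded length, optional same-host rule) is this example's assumption, not a
// rule the page or the project states.
function validateMintIconUrl(iconUrl, mintUrl, { requireSameHost = false, maxLength = 2048 } = {}) {
  if (typeof iconUrl !== 'string' || iconUrl.length === 0) return { ok: false, reason: 'missing' };
  if (iconUrl.length > maxLength) return { ok: false, reason: 'too long' };
  let icon, mint;
  try {
    icon = new URL(iconUrl);
    mint = new URL(mintUrl);
  } catch (e) {
    return { ok: false, reason: 'unparseable URL' };
  }
  // Refuses javascript:, data:, file:, http: and anything else that is not TLS.
  if (icon.protocol !== 'https:') return { ok: false, reason: `scheme ${icon.protocol} not allowed` };
  if (icon.username || icon.password) return { ok: false, reason: 'credentials embedded in URL' };
  // Optional: only let the mint itself serve its icon, so a third-party host
  // never sees the request at all.
  if (requireSameHost && icon.hostname !== mint.hostname) return { ok: false, reason: 'third-party host' };
  return { ok: true, url: icon.href };
}

// Icon cache keyed by validated URL. `fetcher` is injected so the example runs
// offline; a real wallet would pass its HTTP client. Because a lookup hits the
// network at most once per icon, reopening a payment screen reveals nothing to
// the icon host, which is the property the correction above relies on.
function createIconCache(fetcher, policy) {
  const cache = new Map();
  return {
    get(mintUrl, iconUrl) {
      const v = validateMintIconUrl(iconUrl, mintUrl, policy);
      if (!v.ok) return null; // caller renders a placeholder instead
      if (!cache.has(v.url)) cache.set(v.url, fetcher(v.url));
      return cache.get(v.url);
    },
    size() { return cache.size; },
  };
}

// Constructed demo: a counting fetcher shows one network hit for repeated opens.
let demoFetches = 0;
const demoIcons = createIconCache((url) => { demoFetches += 1; return `<bytes of ${url}>`; });
demoIcons.get('https://mint.example', 'https://mint.example/icon.png');
demoIcons.get('https://mint.example', 'https://mint.example/icon.png');
console.log(`fetches after two screen opens: ${demoFetches}`);
```

Rejected URLs return `null` without any fetch, so a hostile icon_url is never dereferenced, which is the cheaper half of the fix; the cache covers the timing side for URLs that do pass.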



Thank you for the post. Minibits wallet is open source software and thus open for fixes and improvements. It is my fault that I have not yet published a comprehensive process for reporting security or privacy related incidents in private and publishing them after they are addressed - I'll put it on my work stack.
Regarding the findings, here is my quick feedback:
1. Key rotation to own nostr keypair
- you are right, the device token should not be exposed in the profile data; this is now fixed
- the bug in the profile read endpoint is now fixed as well
- if you'd like to keep maximum ecash-related privacy with your own nostr keypair, import your keypair into a freshly installed wallet; walletId is fully opaque
- to be precise, Minibits allows rotating both nostr keys and the seed, using different processes
2. Censorship
I believe the finding starts from different assumptions about how claiming ecash works than is the case in the real implementation. There is no lock to pubkey involved in the process.
The censorship issue is of course real in general - and here we should separate the ecash protocol and its privacy guarantees from the specific, unrelated functionality of Minibits lightning addresses, which is basically a fully custodial lightning service bridging to ecash. Here the privacy towards the operator of such a service is very limited by design. That's why it should be - and is - used mostly for zaps, which are by nature public.
3. NFC surveillance
The mint icon is cached in the on-device wallet state, so correlating on this is not possible. However, there might be other cases where unwanted correlation is material. If so, please report privately and feel free to publish once I fix those.
Thank you for making Minibits better.
Minibits dev