
Reported by Least Authority TFA GmbH in the whitenoise-rs Initial Audit Report (11 March 2026), covering Git revision bd74532.
Status: Not fixed. MIP-03 line 72 still specifies 12 bytes as the minimum. The correct minimum is 28 bytes: 12 for the nonce, 16 for the authentication tag.
Location
03.md#L72
Synopsis
MIP-03 requires rejecting event.content that decodes to fewer than 12 bytes. That number is wrong. A valid ChaCha20-Poly1305 payload always has a 12-byte nonce and a ciphertext that's at least 16 bytes (the authentication tag alone, for an empty message). The real floor is 28 bytes.
Impact
Low.
Payloads between 12 and 27 bytes pass the spec's check but are structurally invalid. In practice most crypto libraries will produce an authentication error on such inputs anyway, so the practical exposure is limited.
Feasibility
Low.
Severity
Low.
Technical Details
The content format per the spec:
event.content = base64(nonce || ciphertext)
Where:
nonce = 12 bytes
ciphertext = ChaCha20-Poly1305 output = plaintext + 16-byte authentication tag
Minimum valid decoded length:
12 (nonce) + 0 (empty plaintext) + 16 (auth tag) = 28 bytes
The current spec text:
If base64-decoded event.content is fewer than 12 bytes (nonce cannot be extracted), the event MUST be rejected.
Mitigation
Implementations should apply the 28-byte floor regardless of what the spec currently says.
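As an added illustration (not code from the audit report or from whitenoise-rs), the following Python parser applies the corrected 28-byte floor to event.content and, on constructed samples of chosen lengths, shows which inputs the spec's current 12-byte check lets through that the corrected check rejects. Function names such as split_payload and the sample table are assumptions for this example.

```python
import base64
import binascii

NONCE_LEN = 12                        # ChaCha20-Poly1305 (IETF) nonce
TAG_LEN = 16                          # Poly1305 authentication tag
MIN_DECODED_LEN = NONCE_LEN + TAG_LEN # 28: nonce + tag over an empty plaintext
SPEC_MIN_LEN = 12                     # the floor MIP-03 line 72 currently states


class InvalidContent(ValueError):
    """Raised when event.content cannot be a well-formed nonce || ciphertext."""


def decode_content(content: str) -> bytes:
    """Strict base64 decode; characters outside the alphabet are rejected."""
    try:
        return base64.b64decode(content, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise InvalidContent(f"content is not valid base64: {exc}") from exc


def split_payload(content: str, min_len: int = MIN_DECODED_LEN):
    """Return (nonce, ciphertext) or raise InvalidContent.

    ciphertext still carries the 16-byte tag, so with the 28-byte floor
    len(ciphertext) >= TAG_LEN always holds before any AEAD call is made.
    """
    decoded = decode_content(content)
    if len(decoded) < min_len:
        raise InvalidContent(f"decoded length {len(decoded)} < minimum {min_len}")
    return decoded[:NONCE_LEN], decoded[NONCE_LEN:]


def passes_check(content: str, min_len: int) -> bool:
    """True if content survives the length check with the given floor."""
    try:
        split_payload(content, min_len)
        return True
    except InvalidContent:
        return False


# Constructed samples (zero-filled, not real ciphertexts); lengths are chosen
# to sit below, between and above the two floors under comparison.
SAMPLES = {
    "too_short_11": base64.b64encode(b"\x00" * 11).decode(),
    "nonce_only_12": base64.b64encode(b"\x00" * 12).decode(),
    "gap_20": base64.b64encode(b"\x00" * 20).decode(),
    "empty_plaintext_28": base64.b64encode(b"\x00" * 28).decode(),
    "one_byte_plaintext_29": base64.b64encode(b"\x00" * 29).decode(),
    "not_base64": "!!not-base64!!",
}


def compare_floors():
    """Map sample name -> (passes spec's 12-byte check, passes 28-byte check)."""
    return {
        name: (passes_check(c, SPEC_MIN_LEN), passes_check(c, MIN_DECODED_LEN))
        for name, c in SAMPLES.items()
    }


if __name__ == "__main__":
    for name, (spec_ok, fixed_ok) in compare_floors().items():
        print(f"{name:24} spec(12): {str(spec_ok):5}  fixed(28): {fixed_ok}")
```

The 12- and 20-byte samples are the finding in miniature: both clear the spec's check yet leave fewer than 16 bytes of ciphertext, so no authentication tag can be present. Rejecting them at the length check keeps structurally impossible inputs from ever reaching the AEAD decrypt call.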
Remediation
Update MIP-03 line 72 to require a minimum of 28 bytes for decoded event.content.