From 344d11f5679efea7ba512f0f562641b626bc3dc1 Mon Sep 17 00:00:00 2001 From: Ari Chivukula Date: Thu, 18 Jul 2024 07:51:14 -0400 Subject: [PATCH] Update README.md --- README.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/README.md b/README.md index 41c8868..62e0803 100644 --- a/README.md +++ b/README.md @@ -235,6 +235,11 @@ We have a number of mitigations against this attack: When the issuer detects a site is attacking its token supply, it can fail redemption (before the token is revealed) based on the referring origin, and prevent browsers from spending tokens there. +### Issuer Exhaustion + +Given a cap on the issuers usable per top-level origin, there might be a race between third-party scripts to call `hasPrivateToken(issuer)` to ensure their preferred issuer is available. +The top-level document can control this process by calling `hasPrivateToken(issuer)` for its preferred issuers before any other scripts are loaded. +This would ensure the availability of the desired issuers and prevent a race to determine availability. ### Double-Spend Prevention
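Review bot: In the new "Issuer Exhaustion" section, the sentence "The top-level document can control this process by calling `hasPrivateToken(issuer)` for its preferred issuers" relies on the call itself being what counts an issuer against the per-top-level-origin cap, but the section never says so, nor what a caller sees once the cap is reached. Suggest stating that explicitly and pointing to where the cap is defined, since "Given a cap on the issuers usable per top-level origin" assumes the reader already knows it. It is also worth saying that the mitigation only holds when the page makes these calls "before any other scripts are loaded"; a page that does not do so leaves the race between third-party scripts as described. Of the five inserted lines, the only blank one follows `### Issuer Exhaustion`, so the last sentence runs directly into `### Double-Spend Prevention`; add a blank line before that heading. The subject "Update README.md" could name the section being added.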