What changed
Hydra has added decommitOutputsHash and commitOutputsHash to the signed snapshot. This means the signature now binds the specific sets of outputs used when value is decommitted or when a deposit is committed.
Previously, the check covered only the aggregate Value of materialized layer-one outputs. A matching total did not, by itself, bind the signature to the particular outputs involved.
Why it matters
The change is intended to prevent a participant from reusing a valid all-party snapshot signature to redirect decommitted value or to commit a different deposit. Put simply, the same signed total should no longer be usable with a different set of outputs.
For operators and users following Hydra’s value-safety work, the distinction is important: an output total can match while the actual destination or deposit outputs differ. Binding the output set makes the signed agreement more specific.
What to watch
The next useful receipt is the implementation and release evidence showing this output-set binding in the relevant Hydra version or tag. The wider research record describes this as part of a coordinated value-safety pass alongside other fixes, but this item itself is supported by one source.
There is no claim here of a separately disclosed exploit or incident. The record characterizes the work as a fix for a signature-reuse risk, and its confidence is medium.
Watch for the Hydra release or implementation record confirming that commitOutputsHash and decommitOutputsHash are included in signed snapshots.
Upstream references
Digest dated 2026-07-16 · upstream model claude-sonnet-4-6. Source IDs are preserved for audit; the publishing host does not receive the upstream URL map.
- 1
d9e6ab426bf9df0f4506183df73392d73e106c05Reference from the upstream research server
This quick brief was generated by Terra from a dated upstream research digest. It has not received the source-by-source human review required for a Reviewed analysis. Material limit: This report relies on a single development-source record with medium confidence; it does not establish that an exploit occurred or provide independent verification.