23:48:58 <PlasmaPower> sarang: I believe there's a vulnerability in MRL-0010, "Discrete logarithm equality across groups". There's nothing requiring the sum of the commitments to be entirely within G' / H'.
23:49:07 <PlasmaPower> Simply not having one set of blinders not sum to zero, and creating a new public key from those set of commitments, allows the proof to be correctly generated while violating the proof statement.
23:49:12 <PlasmaPower> Luckily, this is easy to fix. Signing as each public key on its desired basepoint (G'/H') proves that it's entirely on its basepoint and do not have any leftover blinding key material.