diff --git a/protocol/protocol.tex b/protocol/protocol.tex index 05052ab..57c4f22 100644 --- a/protocol/protocol.tex +++ b/protocol/protocol.tex @@ -1950,7 +1950,7 @@ for each $i \in \setofOld$, if $\vOld{i} \neq 0$ then $\EnforceMerklePath{i} = 1 $\changed{\vpubOld\; +} \vsum{i=1}{\NOld} \vOld{i} = \vpubNew + \vsum{i=1}{\NNew} \vNew{i} \in \range{0}{2^{64}-1}$. -\subparagraph{\Nullifier{} integrity} +\subparagraph{\Nullifier{} integrity} \label{nullifierintegrity} for each $i \in \setofOld$: $\nfOld{i} = \PRFnf{\AuthPrivateOld{i}}(\NoteAddressRandOld{i})$. @@ -3814,6 +3814,22 @@ that the derived $\NoteAddressRand$ values are unique, at least for any two \joinSplitDescriptions that get into a valid \blockchain. This is sufficient to prevent the Faerie Gold attack. +A variation on the attack attempts to cause the \nullifier of a sent +\note to be repeated, without repeating $\NoteAddressRand$. +However, since the \nullifier is computed as +$\PRFnf{\AuthPrivate}(\NoteAddressRand)$, this is only possible if +the adversary either finds a collision on $\PRFnf{}$, or knows the +\spendingKey $\AuthPrivate$. The former is assumed to be infeasible +(see \crossref{abstractprfs}), while the latter is not be a valid +attack because knowledge of $\AuthPrivate$ is intended to authorize +spending the \note. + +Importantly, ``\nullifier integrity'' (\crossref{nullifierintegrity}) +is enforced whether or not the $\EnforceMerklePath{i}$ flag is set +for an input \note. If this were not the case then an adversary could +perform the attack by creating a zero-valued \note with a repeated +\nullifier, since the \nullifier does not depend on the value. + \nsubsection{Internal hash collision attack and fix} \label{internalh} 
@@ -4089,7 +4105,8 @@ Filippo Valsorda, Zaki Manian, and no doubt others. \Zcash has benefited from security audits performed by NCC Group and Coinspect. -The Faerie Gold attack was found by Zooko Wilcox. +The Faerie Gold attack was found by Zooko Wilcox; subsequent analysis +of variations on the attack was performed by Daira Hopwood and Sean Bowe. The internal hash collision attack was found by Taylor Hornby. The error in the \Zerocash proof of Balance relating to collision-resistance of $\PRFaddr{}$ was found by Daira Hopwood. @@ -4103,6 +4120,7 @@ The errors in the proof of Ledger Indistinguishability mentioned in \subparagraph{2017.0-beta-2.4} \begin{itemize} + \item Explain a variation on the Faerie Gold attack and why it is prevented. \item Rename $\mathsf{enforce}_i$ to $\EnforceMerklePath{i}$. \end{itemize}
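Review bot: In the second hunk (the new paragraphs after "This is sufficient to prevent the Faerie Gold attack."), the clause "while the latter is not be a valid attack" has a stray "be"; suggest "while the latter is not a valid attack because knowledge of $\AuthPrivate$ is intended to authorize spending the \note." In the same paragraph, the collision case is stated as a collision "on $\PRFnf{}$", but an adversary who does not know $\AuthPrivate$ would be looking for a collision across two distinct keys, i.e. $\PRFnf{\AuthPrivate}(\NoteAddressRand) = \PRFnf{\AuthPrivate'}(\NoteAddressRand')$ with $\AuthPrivate \neq \AuthPrivate'$; it would help the reader to say that this cross-key collision-resistance is the property relied on and to confirm that \crossref{abstractprfs} states it in that form.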