Thank you for practicing responsible disclosure.
Now the vulnerability is out in the open, could the code please be updated to contain the information here, but in the comments? Gavins commit merely mentions there is a DoS attack without discussing further what it involves, also, the vulnerability of the merkle hash function should ideally be noted inside it.