This Week in Custody #10

PTLCs, Scaling Ethereum, and ATM security.

This Week in Custody is a newsletter covering technical and narrative developments in digital asset custody written for wallet engineers, digital asset operators, and security engineers.


  • U.S. Bank Custody. Traditional banks continue to offer custody for popular cryptocurrencies to their clients. This week, it's U.S. Bank. It looks like they are not building their own custody systems, but instead relying on sub-custodians like NYDIG.

  • Square. Square launches a newsletter covering their approach to self-custody.


  • The Blocksize War. This weekend I took some time reading Jonathan Bier’s The Blocksize War. Highly recommend! The scaling wars in Bitcoin were not too long ago, but it also feels like a distant memory.

  • PTLCs. Mailing list discussion on replacing HTLCs used in the Lightning Network with Point Time Locked Contracts (PTLCs). Suredbits has an excellent blog post series explaining PTLCs.

  • Bitcoin Problems. A list of open-ended research problems in the Bitcoin ecosystem.

  • Adaptor Signatures. Testing adaptor signatures in the context of PTLCs.

  • MPC HD Wallets. Excellent survey of using MPC in the HD wallet context.

  • Bitcoin in Python. From earlier this year, but a great tutorial on learning Bitcoin with Python.

  • MuSig2. Video explanation of MuSig2.

  • Dust HTLCs. A new CVE is disclosed that affects several LN implementations. A new LND release has been tagged. Lightning Labs also released a dust tool to survey affected channels.

  • State of LN. Arcane Research published a widely shared report on the Lightning Network.


  • Security. Secureum is running a bootcamp on smart contract security. For those that want to follow along, they are releasing videos.

  • Phishing. More phishing attempts targeted at MetaMask users.

  • Security Standards. Repo attempting to standardize the security standards of smart contracts.

  • Flashbots. The Flashbots Project announces a new API titled Flashbots Protect.

  • Scaling. Approachable beginner guide to scaling Ethereum.

  • Hardhat. Hardhat is working on a VS Code plugin.

  • Podcasts. The Zero Knowledge Podcast has an episode on WalletConnect. Stephan Livera has an episode with the CTO of Ledger.

Other Chains

  • Solana. A post for understanding Solana from an Ethereum developer’s POV.

  • Polkadot. Part 3 on XCM in Polkadot.


  • Twist Attacks. Excellent overview on Secp256k1 twist attacks.

  • ATMs. Kraken identified vulnerabilities in the popular General Bytes (GB) Bitcoin ATM. It appears that the ATMs shipped with a uniform default password. Akin to not changing the default password on a WiFi router, it is likely that Bitcoin ATM operators did not change their password. This means anyone with a QR code of the default password can interact with the software admin interface as well as modify hardware inside the machine. No tamper detection either! It appears that GB was notified in April. Let’s hope most operators got the memo! 🤞

  • AWS Ransomware. Whitepaper from AWS on ransomware risk management.

  • Supply Chain. A GCC dependency depended on an HTTP endpoint and it went offline for a couple of days. Tweet.

  • Cosmic Rays. In the list of edge cases possible during key generation ceremonies, it’s important to add cosmic rays causing bit flips. It happens in the wild.

  • ECDSA. New paper out by researchers at Dfinity on the security of ECDSA additive key derivation and presignatures.

  • Bug Bounties. Tweet thread on developer experiences with bug bounties in the cryptocurrency ecosystem.

ICYMI, Bitcoin contributors can apply to receive a free ticket to Bitcoin 2022.

Have a great week!