This Week in Custody is a newsletter covering technical and narrative developments in digital asset custody written for wallet engineers, digital asset operators, and security engineers.
News
OTP. There has been some coverage of 2FA shortcomings lately. Here is a blog post on how phishers have been attempting to steal OTP credentials.
Société Générale. The French bank is getting into custody.
Facebook. Facebook is launching its Novi product. Coinbase is handling the custody.
Bitcoin
Performance. Tweet thread on the various performance improvements made to Bitcoin Core software in the last few years.
Amount-less invoices. Something brought to my attention this week is the safety of amount-less invoices in the Lightning Network. These are invoices that do not encode the value in the BOLT#11 string. In the past, amount-less invoices were considered unsafe for these reasons. Several popular wallets have made it burdensome or impossible to send payments to invoices that do not explicitly request a value. However, the situation has since improved because the payment secret (payment address) is now included in the final onion hop. Worth pinging wallets to start supporting these invoices again. Link to tweet with further context.
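As an added example (not code from this newsletter or from any wallet project), here is the check a wallet could run before paying: a small BOLT11 decoder in Python that verifies the bech32 checksum, reads the amount from the human-readable part and the tagged fields from the data part, and allows an amount-less invoice only when it carries a payment secret ('s' tag). The encoder and its placeholder hash and secret are constructed for the sample and produce unsigned invoices; feature-bit handling is omitted.

```python
import re
CHARSET = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"  # bech32 alphabet; also names BOLT11 tag types

def bech32_polymod(values):
    gen = [0x3b6a57b2, 0x26508e6d, 0x1ea119fa, 0x3d4233dd, 0x2a1462b3]
    chk = 1
    for v in values:
        top = chk >> 25
        chk = ((chk & 0x1FFFFFF) << 5) ^ v
        for i in range(5):
            chk ^= gen[i] if (top >> i) & 1 else 0
    return chk
def hrp_expand(hrp):
    return [ord(c) >> 5 for c in hrp] + [0] + [ord(c) & 31 for c in hrp]
def create_checksum(hrp, words):
    polymod = bech32_polymod(hrp_expand(hrp) + words + [0] * 6) ^ 1
    return [(polymod >> 5 * (5 - i)) & 31 for i in range(6)]
def decode_invoice(invoice):
    """Return (amount string or '', {tag: [word lists]}); raises on a bad checksum."""
    hrp, data = invoice.lower().rsplit("1", 1)      # separator is the last '1'
    words = [CHARSET.index(c) for c in data]
    if bech32_polymod(hrp_expand(hrp) + words) != 1:
        raise ValueError("bad bech32 checksum")
    m = re.fullmatch(r"ln([a-z]+?)(\d+[munp]?)?", hrp)  # chain prefix, optional amount
    if not m:
        raise ValueError("not a BOLT11 human-readable part")
    body = words[:-6][:-104]     # drop the 6 checksum words, then the 520-bit signature
    pos, tags = 7, {}            # the first 7 words are the 35-bit timestamp
    while pos + 3 <= len(body):  # tagged field: type (5 bits), length (10 bits), data
        length = body[pos + 1] * 32 + body[pos + 2]
        tags.setdefault(CHARSET[body[pos]], []).append(body[pos + 3:pos + 3 + length])
        pos += 3 + length
    return m.group(2) or "", tags

def amountless_invoice_policy(invoice):
    """Pay only if an amount is encoded, or a 256-bit payment secret ('s' tag) is present."""
    amount, tags = decode_invoice(invoice)
    has_secret = any(len(w) == 52 for w in tags.get("s", []))  # 256 bits + 4 padding bits
    return bool(amount) or has_secret

def build_invoice(hrp, tags, timestamp=1_600_000_000):
    """Constructed sample encoder: the signature is replaced by 104 zero words."""
    words = [(timestamp >> 5 * (6 - i)) & 31 for i in range(7)]
    for t, data in tags:
        words += [CHARSET.index(t), len(data) >> 5, len(data) & 31] + data
    words += [0] * 104
    return hrp + "1" + "".join(CHARSET[w] for w in words + create_checksum(hrp, words))
# constructed placeholders, not a real payment hash or secret
PAYMENT_HASH, PAYMENT_SECRET = [i % 32 for i in range(52)], [(31 - i) % 32 for i in range(52)]
```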
Ledger. Ledger is working on Taproot support. Nice.
Rebalancing Channels. Paper discusses an approach to rebalancing LN channels with a focus on privacy.
LN Proxy. Cool implementation of a proxy server for a LN node.
P2P. Chaincode podcast on Bitcoin’s P2P protocol.
Ethereum
Trail of Bits. Trail of Bits has released two presentations for testing smart contracts and safely integrating ERC20 tokens.
Beacon Chain. An annotated guide to the Beacon chain.
EthClipper. Paper describes how a malicious actor with access to the clipboard can create a convincing fraudulent address that looks similar to the real address displayed in a hardware wallet. The paper does not discuss other encoding schemes like Bech32 used in Bitcoin.
Other Chains
Polkadot. Parachain auctions are coming to Polkadot.
Cosmos. Proposal to have different derivation paths for each chain in the Cosmos Hub. This is similar to SLIP44.
Security
Coinbase. Coinbase releases a blog post on their implementation of FROST (threshold Schnorr signature scheme).
Schnorr Security. Paper discusses the security of Schnorr signature schemes with a focus on MuSig2 and FROST.
Debian builds. The Qubes OS team tackles the reproducible build problem in the Debian ecosystem.
SiliFuzz. Google announces an effort to fuzz CPUs for defects.
Sodiumoxide. The Sodiumoxide cryptographic library for Rust is deprecated.
Have a great week!