This Week in Custody is a newsletter covering technical and narrative developments in digital asset custody, written for wallet engineers, digital asset operators, and security engineers.
News
Coinbase acquires Unbound Security and BRD Wallet.
Block (formerly Square) provides an update on its hardware wallet project. NFC is highlighted as the primary protocol for payload transmission. They describe the decision in the post.
Block releases the tbDEX whitepaper describing a trust-minimized protocol for fiat onramps.
Fireblocks raises $400M.
KKR backs Anchorage.
Bitcoin
Overview of Ledger’s new Bitcoin 2.0 App.
A short tweet thread on the origins of BIP32.
BDK tutorial on building a taproot transaction.
The print copy of Mastering the Lightning Network is released. A free copy is available on GitHub.
A list of L2 protocols that are compatible with Bitcoin.
Slides on fee bumping techniques.
Awesome Taproot repo.
Ethereum
Secureum has been hosting smart contract security seminars. This new mindmap is a good entrypoint.
Vitalik writes about the trade-offs of big block chains.
An interactive playground for EVM opcodes.
BadgerDAO loses ~$120M from a vulnerability.
Other Networks
Monero has vulnerabilities in a multi-signature wallet. No details yet.
Solana Cookbook has tutorials for getting started with Solana.
Thread breaks down the different parts of a Solana transaction.
Security
Project Zero breaks down a recent vulnerability in Mozilla’s NSS cryptographic library. In hindsight, the bug is obviously trivial - but tests and basic fuzzing never discovered it. The discovery came after using fuzzing for stack coverage and browser isolation. I’m not familiar with how either relates to fuzzing, but their postmortem has a great explanation.
Monzo shares really cool insights into the efforts of designing safe key ceremonies. Their air-gapped OS of choice is the same used by ICANN during DNS KSK ceremonies. If you have 3 hours to kill, IANA publishes videos of their KSK ceremonies to the public.
Guide to verifying dice seed generation.
MyCrypto deep dives on the problems of trusting links.
Matthew Green has a tweet thread on the HSM market.
Designing backdoors for Rust.
Google releases a Threat Horizons report. They identify the increasing threat of compromised GCP instances being used for cryptocurrency mining.
Binary Transparency is highlighting issues in the software supply chain.
Deepfakes used in social media for account takeovers.
Have a great week! Did I miss anything? Let me know.