This Week in Custody #36
This Week in Custody is a newsletter covering technical and narrative developments in digital asset custody, written for wallet engineers, digital asset operators, and security engineers.
Last Week’s Most Clicked
GameStop releases a wallet.
PayPal announces send & receive support for some assets.
The Off the Chain Conference gathered wallet and security professionals in SF on June 7th. The livestream is available.
A LN node running on a cloud hosting provider gets compromised.
LN Summit 2022 Notes on the lightning-dev mailing list.
btc++ conference in Austin had some interesting talks including:
Rule 110 in Bitcoin.
Ledger’s Bitcoin wallet team proposes a language called “wallet policies” that sits above the existing output descriptor language, giving a compact representation of a descriptor together with its key metadata. The bitcoin-dev post is found here.
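As an added illustration (the editor's example, not Ledger's code or the reference implementation from the post), here is how a wallet policy, a descriptor template plus a vector of key information items, expands into the concrete receive and change descriptors a signer would use. The syntax assumed is the one from the proposal as read here: "@i" stands for the i-th key information item and "/**" is shorthand for "/0/*" (receive) and "/1/*" (change). The xpub strings are constructed placeholders, not real keys.

```python
import re

# Placeholder "@i/**": key index i followed by the receive/change derivation shorthand.
PLACEHOLDER = re.compile(r"@(\d+)/\*\*")
# A placeholder not followed by "/**" (after the full index, so "@10/**" is not split into "@1").
BARE_PLACEHOLDER = re.compile(r"@\d+(?!\d)(?!/\*\*)")

# Constructed sample policy: 2-of-2 P2WSH multisig (placeholder xpubs, not real keys).
POLICY_TEMPLATE = "wsh(sortedmulti(2,@0/**,@1/**))"
POLICY_KEYS = [
    "[aaaaaaaa/48h/0h/0h/2h]xpubEXAMPLEKEY0",
    "[bbbbbbbb/48h/0h/0h/2h]xpubEXAMPLEKEY1",
]


def policy_error(template: str, keys: list) -> str:
    """Return an error message if the policy is malformed, or '' if it is well-formed.

    Checks: every key in the vector is referenced, no reference points outside the
    vector, no key item is duplicated, and every placeholder carries the /** suffix.
    """
    refs = [int(i) for i in PLACEHOLDER.findall(template)]
    if not refs:
        return "template contains no key placeholders"
    if any(i >= len(keys) for i in refs):
        return "template references a key index outside the key vector"
    if set(refs) != set(range(len(keys))):
        return "every key information item must be referenced by the template"
    if len(set(keys)) != len(keys):
        return "duplicate key information items"
    bare = BARE_PLACEHOLDER.findall(template)
    if bare:
        return "placeholder without /** suffix: " + ", ".join(bare)
    return ""


def expand_policy(template: str, keys: list, change: int) -> str:
    """Expand a wallet policy into the descriptor for the receive (0) or change (1) chain."""
    if change not in (0, 1):
        raise ValueError("change must be 0 (receive) or 1 (change)")
    err = policy_error(template, keys)
    if err:
        raise ValueError(err)
    return PLACEHOLDER.sub(lambda m: "%s/%d/*" % (keys[int(m.group(1))], change), template)


if __name__ == "__main__":
    for chain in (0, 1):
        print(expand_policy(POLICY_TEMPLATE, POLICY_KEYS, chain))
```

The validation step is where the compactness pays off for a signing device: the device registers the short template plus key list once, and can later recognise its own change outputs by re-expanding with change=1 rather than storing a full descriptor per chain.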
MetaMask awards a bug bounty for a clickjacking vulnerability. No exploitation is known, but the bug could have allowed attackers to trick users into revealing private data or sending assets without realizing it.
20 million Optimism tokens were lost because of a wallet configuration mistake. Instead of sending the tokens to an L1 Ethereum multi-signature account, the funds were sent to that account's address on L2, where no contract had been deployed yet. Before this could be corrected, an attacker deployed a multisig at that L2 address and took control of the tokens.
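The mechanism behind this loss is worth seeing in code. Added example (not code from the page, Optimism, or the affected team): the address a contract receives from CREATE is keccak256(rlp([deployer, nonce]))[12:], which contains no chain identifier, so the same deployer repeating the same nonce on any EVM chain lands at the same address, and an address that holds a contract on L1 is merely unclaimed on L2 until someone reproduces that deployment there. keccak-256 is implemented inline (hashlib's sha3_256 uses different padding) so this runs with the standard library only; the deployer address is a widely published test vector, and the send-check helper at the end is the editor's own.

```python
# Keccak-f[1600] round constants and rotation offsets (standard tables).
RC = [
    0x0000000000000001, 0x0000000000008082, 0x800000000000808A, 0x8000000080008000,
    0x000000000000808B, 0x0000000080000001, 0x8000000080008081, 0x8000000000008009,
    0x000000000000008A, 0x0000000000000088, 0x0000000080008009, 0x000000008000000A,
    0x000000008000808B, 0x800000000000008B, 0x8000000000008089, 0x8000000000008003,
    0x8000000000008002, 0x8000000000000080, 0x000000000000800A, 0x800000008000000A,
    0x8000000080008081, 0x8000000000008080, 0x0000000080000001, 0x8000000080008008,
]
RHO = [[0, 36, 3, 41, 18], [1, 44, 10, 45, 2], [62, 6, 43, 15, 61],
       [28, 55, 25, 21, 56], [27, 20, 39, 8, 14]]
MASK = (1 << 64) - 1


def _rol(v: int, n: int) -> int:
    n %= 64
    return ((v << n) | (v >> (64 - n))) & MASK if n else v


def _keccak_f(lanes):
    """One application of the Keccak-f[1600] permutation; lanes[x][y] are 64-bit ints."""
    for rnd in range(24):
        c = [lanes[x][0] ^ lanes[x][1] ^ lanes[x][2] ^ lanes[x][3] ^ lanes[x][4] for x in range(5)]
        d = [c[(x - 1) % 5] ^ _rol(c[(x + 1) % 5], 1) for x in range(5)]
        a = [[lanes[x][y] ^ d[x] for y in range(5)] for x in range(5)]          # theta
        b = [[0] * 5 for _ in range(5)]
        for x in range(5):
            for y in range(5):
                b[y][(2 * x + 3 * y) % 5] = _rol(a[x][y], RHO[x][y])        # rho + pi
        lanes = [[b[x][y] ^ ((~b[(x + 1) % 5][y]) & b[(x + 2) % 5][y])
                  for y in range(5)] for x in range(5)]                      # chi
        lanes[0][0] ^= RC[rnd]                                               # iota
    return lanes


def keccak256(data: bytes) -> bytes:
    """Original Keccak-256 (Ethereum flavour): rate 136 bytes, pad10*1 with 0x01 ... 0x80."""
    rate = 136
    msg = bytearray(data)
    pad = rate - (len(msg) % rate)
    msg += b"\x81" if pad == 1 else b"\x01" + b"\x00" * (pad - 2) + b"\x80"
    lanes = [[0] * 5 for _ in range(5)]
    for off in range(0, len(msg), rate):
        block = msg[off:off + rate]
        for i in range(rate // 8):                     # lane i sits at (x, y) = (i % 5, i // 5)
            lanes[i % 5][i // 5] ^= int.from_bytes(block[8 * i:8 * i + 8], "little")
        lanes = _keccak_f(lanes)
    return b"".join(lanes[i % 5][i // 5].to_bytes(8, "little") for i in range(4))


def _rlp_bytes(b: bytes) -> bytes:
    """RLP for short byte strings (all that [address, nonce] needs)."""
    if len(b) == 1 and b[0] < 0x80:
        return b
    return bytes([0x80 + len(b)]) + b


def _rlp_list(items) -> bytes:
    payload = b"".join(items)
    return bytes([0xC0 + len(payload)]) + payload


def create_address(deployer: str, nonce: int) -> str:
    """Address assigned by CREATE: last 20 bytes of keccak256(rlp([deployer, nonce])).
    Note there is no chain id anywhere in this derivation."""
    sender = bytes.fromhex(deployer[2:] if deployer.startswith("0x") else deployer)
    nonce_bytes = nonce.to_bytes((nonce.bit_length() + 7) // 8, "big")   # 0 -> b"" -> 0x80
    return "0x" + keccak256(_rlp_list([_rlp_bytes(sender), _rlp_bytes(nonce_bytes)]))[12:].hex()


def cross_chain_send_check(code_on_target_chain: bytes, is_contract_on_source_chain: bool) -> str:
    """Editor's pre-send guard. code_on_target_chain is what eth_getCode returns for the
    destination on the chain the transfer will happen on (assumed fetched by the caller)."""
    if is_contract_on_source_chain and not code_on_target_chain:
        return "refuse: contract wallet has no code on the target chain; whoever reproduces its deployment there controls the address"
    return "ok"


if __name__ == "__main__":
    deployer = "0x6ac7ea33f8831ea9dcc53393aaa88b25a785dbf0"   # public test vector
    print(create_address(deployer, 0))
    print(cross_chain_send_check(b"", True))
```

The guard deliberately takes the target-chain code as an input rather than fetching it: the point is that the decision cannot be made offline from the address alone, because the address looks identical on every chain.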
Solidity scripting added to Foundry.
MPC wallets vs smart contract wallets Twitter thread.
Soulbound Token (SBT) draft described in EIP-5114.
PoW turned off for Ropsten.
Predicting Total Terminal Difficulty (TTD) on Ethereum.
Ethereum Cat Herders Podcast on Wallets. Really fascinating conversation on the difficulty of tracking account balances, minimizing spam for users, and improving the UX between (d)app developers and wallets.
Nervos gets a new address format.
Alchemy announces support for Solana.
An unofficial guide to Aleo’s Snarkvm internals.
Keplr Wallet, a popular Cosmos wallet, adds support for readable authz module messages.
Solana goes down again. This time, a runtime bug in the durable nonce feature caused a chain split. The network deployed a hotfix that disables durable nonces. Without this feature, offline signing becomes very difficult: a signer normally has to commit to a recent_blockhash, which means the transaction must be signed and broadcast within roughly a minute.
Cosmos Builders Foundation launches to help coordinate development of public goods in the ecosystem.
An attacker compromised two oracles operated by the Rocket Pool team. The entry point was remote code execution against a team member’s workstation. Two plaintext (unencrypted) SSH private keys then gave the attacker access to the two nodes and allowed them to steal funds.
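The check a practitioner wants after reading that is "which of our SSH private keys are sitting on disk without a passphrase?". Added example, not Rocket Pool's code or from their write-up: classify private key files by whether they are passphrase-protected, covering the modern openssh-key-v1 container (the ciphername/kdfname fields in its header are "none" for an unencrypted key), PKCS#8 ("BEGIN ENCRYPTED PRIVATE KEY"), and legacy PEM (Proc-Type/DEK-Info headers). The sample files are constructed in the code with dummy payload bytes; they are not real keys.

```python
import base64
import struct

AUTH_MAGIC = b"openssh-key-v1\x00"   # leading bytes of the decoded openssh-key-v1 container


def _ssh_string(data: bytes) -> bytes:
    """SSH wire 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def _read_string(buf: bytes, off: int):
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n


def key_protection(pem: str) -> str:
    """Return 'unencrypted', 'passphrase', or 'unknown' for one private key file's text."""
    lines = [ln.strip() for ln in pem.strip().splitlines() if ln.strip()]
    if not lines:
        return "unknown"
    header = lines[0]
    if header == "-----BEGIN OPENSSH PRIVATE KEY-----":
        try:
            raw = base64.b64decode("".join(lines[1:-1]))
            if not raw.startswith(AUTH_MAGIC):
                return "unknown"
            cipher, off = _read_string(raw, len(AUTH_MAGIC))
            kdf, _ = _read_string(raw, off)
        except (ValueError, struct.error):
            return "unknown"
        return "unencrypted" if cipher == b"none" or kdf == b"none" else "passphrase"
    if header == "-----BEGIN ENCRYPTED PRIVATE KEY-----":      # PKCS#8, always encrypted
        return "passphrase"
    if header.startswith("-----BEGIN ") and header.endswith(" PRIVATE KEY-----"):
        # Legacy PEM (RSA/DSA/EC): encryption is signalled by Proc-Type/DEK-Info headers.
        encrypted = any(ln.startswith("Proc-Type: 4,ENCRYPTED") for ln in lines[1:])
        return "passphrase" if encrypted else "unencrypted"
    return "unknown"


def find_unprotected(keys: dict) -> list:
    """Names of entries in {filename: contents} that hold a plaintext private key."""
    return sorted(name for name, text in keys.items() if key_protection(text) == "unencrypted")


def _openssh_container(cipher: bytes, kdf: bytes) -> str:
    """Constructed openssh-key-v1 file with dummy key material; only the header is meaningful."""
    kdfopts = b"" if kdf == b"none" else _ssh_string(b"\x00" * 16) + struct.pack(">I", 16)
    body = (AUTH_MAGIC + _ssh_string(cipher) + _ssh_string(kdf) + _ssh_string(kdfopts)
            + struct.pack(">I", 1) + _ssh_string(b"\x00" * 51) + _ssh_string(b"\x00" * 64))
    b64 = base64.b64encode(body).decode()
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n"
            + "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
            + "\n-----END OPENSSH PRIVATE KEY-----\n")


# Constructed sample "files" (dummy bodies, not real keys).
SAMPLE_KEYS = {
    "id_ed25519": _openssh_container(b"none", b"none"),
    "id_ed25519_protected": _openssh_container(b"aes256-ctr", b"bcrypt"),
    "legacy_rsa": "-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKCAQEA\n-----END RSA PRIVATE KEY-----\n",
    "legacy_rsa_protected": ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                             "DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF\n\n"
                             "MIIEowIBAAKCAQEA\n-----END RSA PRIVATE KEY-----\n"),
    "pkcs8_protected": "-----BEGIN ENCRYPTED PRIVATE KEY-----\nMIIE\n-----END ENCRYPTED PRIVATE KEY-----\n",
}

if __name__ == "__main__":
    print("plaintext keys:", find_unprotected(SAMPLE_KEYS))
```

To run it over a real workstation, feed it the contents of each file under ~/.ssh (or wherever deploy keys live); anything reported as unencrypted should be re-keyed with a passphrase (ssh-keygen -p) or, better, moved to a hardware token or an agent that never writes the private half to disk.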
Supply chain security reading list.
The BSidesSF keynote on building sustainable security programs.
Netflix publishes a follow up blog on scaling application security.
Thanks for reading! Have a great week.