This Week in Custody #38
This Week in Custody is a newsletter covering technical and narrative developments in digital asset custody written for wallet engineers, digital asset operators, and security engineers.
Last Week’s Most Clicked
BitGo has a write-up on TSS.
Deprecating Kiln, Rinkeby and Ropsten testnets.
Informal Systems develops a multi-signature tool for Tendermint/cosmos-sdk-based chains.
News
Attention-grabbing headlines this week as the market downturn continues to make waves:
Matrixport’s Cactus Custody adds NFT custody.
Anchorage offers Eth2 staking to its clients.
Ledger held its bi-annual Ledger Op3n conference in New York two weeks ago. A couple of interesting announcements:
Clear Sign: Devices now display the entire message that is being signed. Lots of users lost NFTs in the past year due to blind signing requests from malicious websites.
Ledger Connect: A web browser extension that pairs nicely with the Ledger ecosystem. One of its features is Web3 Check:
“Ledger Connect” will also add a new security layer called “Web3 Check.” When a Web3 app will look suspicious, “Ledger Connect” will automatically warn you about potential security risks.
Ledger Enterprise Create: A way for creators and companies to mint NFTs or assets.
OpenSea’s customer emails are compromised due to a vendor incident.
Uniswap acquires Genie.
Bitcoin
Bitcoin-S has support for MuSig2.
And a long list of test vectors!
Three-party escrow on Lightning Network for Bisq.
Ethereum
A proposal for an off-chain mixer for account-based blockchains.
0xPARC writes about on-chain procedural generation.
Coinbase launches an NFT Dapp Start Kit for developers.
EIP-4804 attempts to create a standard URI that maps to an EVM message.
This narrative article is from October 2021, but I think it’s the best primer on NFT culture I’ve read. Highly recommend!
a16z launches a tool for checking metamorphic properties of deployed smart contracts.
Metamorphic smart contracts are mutable, meaning developers can change the code inside them. These smart contracts pose a serious risk to web3 users who put their trust in code that they expect to run with absolute consistency, especially as bad actors can exploit this shape-shifting ability.
A new tutorial on learning common smart contract vulnerabilities while using Foundry.
Other Chains
Coinbase writes an informative post on scaling node operations:
One of the most difficult aspects of node management is keeping up with the constant, and sometimes unpredictable, changes to the node software. Asset developers are consistently releasing new code versions
They developed an internal tool called Asset Release Manager (ARM) to monitor GitHub release activity and automatically deploy new nodes.
Writings from a recent ICP hackathon.
Aztec Connect launches on mainnet Ethereum.
How can smart contracts hold private keys? This blog post provides background on using MPC and ZKPs to allow for more programmatic contracts.
Aave announces GHO.
Crypto
Mysten Labs has an updated list of unsafe Ed25519 libraries. Lots of popular libraries make the list!
NIST announces the first four finalists from its quantum-resistant crypto algorithms competition.
Security
Trail of Bits publishes a report on operational risk assessment on deploying blockchains.
An in-depth look into the infrastructure supporting the “fake wallet” phishing industry.
Darknet Diaries has a podcast episode with Geoff White who covers some wild cryptocurrency hacks from the Lazarus Group.
Releases
[Filecoin] v1.16.0
[Go Ethereum] Vectra (v1.10.20)
[Polkadot] Polkadot v0.9.25
[Go Algorand] Algorand 3.8.0
Thanks for reading! Have a great week.