This Week in Custody is a newsletter covering technical and narrative developments in digital asset custody, written for wallet engineers, digital asset operators, and security engineers.
News
Former SEC Chairman joins Fireblocks Advisory Board. Regulators join the industry.
2FA. Coinbase accidentally sends a message to 125K clients that their 2FA settings have changed.
Bitcoin
Bitcoin Core 22.0. There are new release candidates for Bitcoin Core 22.0, which means it is time to test. A testing guide is available. A release notes draft is available here. Guix is now used as part of the build system! Previously, Bitcoin relied on Gitian for deterministic builds. I gave the workflow a shot and it’s really simple. I tried running the guix flow on macOS a few months ago and it was much clunkier. This is a big win for trustless deterministic builds.
Output Script Descriptors. The series of BIPs related to the output descriptor language now have BIP numbers assigned (380-386). Descriptors are a language for describing and scoping outputs and wallets. Although they are human-readable, they are designed for wallets to easily import/export metadata.
Ethereum
Chain split. Last week we covered a newly tagged release that patches a vulnerability. This week, a chain split occurred for nodes that did not upgrade to v1.10.8. Contrast this public upgrade announcement with Bitcoin Core’s vulnerability disclosure process and you get a significantly different result.
OpenZeppelin TimeLocks. A vulnerability in the OpenZeppelin TimeLockController contract causes privilege escalation.
Aave Bridges. Aave open sources tooling for cross-chain bridge governance.
Token Delegation. A16Z shares thoughts on token delegation.
Self-healing contracts. Paper investigates “context-aware” patching for fixing vulnerabilities in smart contracts.
Bridge Season. Security analysis of bridges.
Other Chains
New Polkadot Release. A new release tagged v0.9.9-1.
Wallets. Updated matrix of supported Polkadot wallets.
Ceremony Design. Aleo shares its setup ceremony. The ceremony is public and allows community members to generate parameters in the MPC scheme.
Security
Supply Chains. There’s an upcoming event scheduled covering supply chain security. The talks will be online, and the topic is increasingly relevant for wallet engineers.
Reverse Engineering Crypto. Really cool post on reverse engineering crypto functions in the context of ransom malware.
Intro to Rust Crypto. Yet another introduction to cryptography in Rust.
Vulnerabilities from GitHub Copilot code contributions. Researchers found that 40% of code contributions from GitHub’s AI-based Copilot tool produced vulnerabilities. What does it say about the data set?