This Week in Custody #40

This Week in Custody is a newsletter covering technical and narrative developments in digital asset custody written for wallet engineers, digital asset operators, and security engineers.

---

Last Week’s Most Clicked

• Lightning Dev Kit (LDK) blog posts:

  • An overview of LDK and the mission

  • An introduction to phantom node payments

• BitMEX Research writes about OP_Return.

• BNP Paribas is working on custody.

News

• US Treasury sanctions Ethereum addresses related to Tornado Cash.

  • GitHub removes the source code.

  • Circle freezes USDC assets.

  • Infura and Alchemy are no longer serving RPC requests to Tornado Cash.

• Figment announces Slate - a universal staking API.

• Dynamic raises seed round to build wallet-based authentication.

• Barclays backs Copper.

• Nomad bridge is hacked. The exploit drained ~$190M from the bridge. A recent upgrade introduce a bug that changed how messages on the bridge were checked.

  • Halborn explains the attack.

• Slope, a popular wallet on Solana, has a widespread incident where its users funds were stolen. Their postmortem explains that the app sent *plaintext* secret key material to Sentry, a third-party service.

  • SlowMist analysis.

  • OtterSec thread.

• Near Protocol’s Web Wallet discloses that it sometimes sent *plaintext* secret key material to a third-party service. If a user interacted with the web wallet and chose email as their recovery method, their seed phrase was leaked to a third-party.

Bitcoin

• New draft BIP for specifying multiple BIP32 derivation paths in a single Descriptor. This is nice way of describing wallets that have derive internal and external addresses using the same parent keychain.

• FediMint is building federated Chaumian e-cash mints. It’s been described as a scaling solution and is a really neat model for sharing UTXOs if one is comfortable with the trust model.

• Fuzzing BDK’s coin selection source code. Nice story on how fuzzing always helps.

Ethereum

• BitMEX covers the recent narrative for ETHPoW and ETH2. There has been a lot of conversation about the upcoming merge and the non-zero risk of a contentious hard-fork.

• Draft for a BLS transaction type.

• Rainbow Wallet adds support for NFTs.

• Some more ETHCC videos:

  • Infura shares its history and future roadmap. Infura is busy adding new networks to its hosted node infrastructure including Near, Aurora, and StarkNet.

  • What are the best off-the-shelf fuzzers available for smart contract fuzzing? Fuzzing Labs gives an overview.

  • OpenZeppelin highlights latest developments in smart contract.

  • WalletConnect has a deep dive on its architecture.

• What happens when you send 1 DAI? This blog post showcases the order of operations that happens in wallets and the EVM.

• There is a new implementation of EIP-5139. The proposal describes a format for lists of RPC providers for EVM-like chains. This is similar to Token Lists, but for RPC providers.

• Arbitrum One is preparing its Nitro upgrade for the end of August. Nitro is claimed to provide cheaper costs and faster execution for transactions. Here is a primer.

• A proposed Uniswap Foundation asks for money from the community.

• evm-translator by Metagame turns transactions into human readable JSON objects. Very interesting way to simulate transactions or attributing meaning to on-chain actions. Demo available here.

• Trail of Bits publishes a blog post on its slither-read-storage tool which allows one to read storage slots of a smart contract using only source code.

• Delphi Digital publishes a complete guide to rollups. As usual, the guide is very long-form and thorough.

• Proposal for mev-boost to add a circuit-breaker pattern to its deployment.

• Huff language announcement.

• Account Abstraction has been a popular topic and is really important to understand if on-chain wallets continue to be popular. This is a good entrypoint.

Other Chains

• ConnectKit looks like a powerful tool for wallet developers. It is a React component library for apps requiring wallet connections.

• Osmosis increases minimum gas fee.

• Moonbeam published a really good overview of how Axelar is helping create cross-chain applications.

• Payment Channels for Monero.

• ZSwap: non-interactive swaps.

• Paradigm makes a PoC replacing Tendermint with Narwhal/Bullshark.

• Analysis of Polkadot: Architecture, Internals, and Contradictions

• Juno experiences a chain-halt due to a fault in the cosmwasm implementation. Thread.

• A paper that discusses how to bootstrap PoS chain to PoW (e.g. bitcoin) to derive its security by making succinct commitment to the trusted chain.

• Writing Solana programs with Python using Seahorse.

• Aleo announces another testnet.

• Relayer v2 Announcement. Relayer forwards messages between IBC-enabled app chains. Among other things, the announcement signals that Relayer will start to support non-Cosmos SDK chains like Penumbra and Polkadot.

• Excellent post on scaling state history indexing for Solana.

Crypto

• Google’s Project Paranoid checks for well-known vulnerabilities and implementation errors found in cryptography. Lattice attacks against weak ECDSA signatures gets a callout. Worth checking out.

• DJB is suing USG (again).

• Cryptoeconomic Security for Data Availability Committees

Security

• Luca is malware that targets wallets. The source code was leaked and this drew a lot of fanfare because its written in Rust.

• UEFI Secure Boot the Right Way

Releases

• [Solana] Mainnet - v1.10.34

• [Cosmos SDK] v0.45.7

• [Filecoin] v1.17.0

• [Polkadot] Polkadot v0.9.27

• [Mina] Mainnet Stable Release 1.3.1.1

• [Osmosis] Osmosis v11.0.0

• [Filecoin] v1.17.0

• [Cosmos Gaia] v7.0.3

Thanks for reading! Have a great week.