This Week in Custody #40
This Week in Custody is a newsletter covering technical and narrative developments in digital asset custody written for wallet engineers, digital asset operators, and security engineers.
Last Week’s Most Clicked
Lightning Dev Kit (LDK) blog posts:
BitMEX Research writes about OP_Return.
BNP Paribas is working on custody.
US Treasury sanctions Ethereum addresses related to Tornado Cash.
Figment announces Slate - a universal staking API.
Dynamic raises seed round to build wallet-based authentication.
Barclays backs Copper.
Nomad bridge is hacked. The exploit drained ~$190M from the bridge. A recent upgrade introduce a bug that changed how messages on the bridge were checked.
Halborn explains the attack.
Slope, a popular wallet on Solana, has a widespread incident where its users funds were stolen. Their postmortem explains that the app sent *plaintext* secret key material to Sentry, a third-party service.
Near Protocol’s Web Wallet discloses that it sometimes sent *plaintext* secret key material to a third-party service. If a user interacted with the web wallet and chose email as their recovery method, their seed phrase was leaked to a third-party.
New draft BIP for specifying multiple BIP32 derivation paths in a single Descriptor. This is nice way of describing wallets that have derive internal and external addresses using the same parent keychain.
FediMint is building federated Chaumian e-cash mints. It’s been described as a scaling solution and is a really neat model for sharing UTXOs if one is comfortable with the trust model.
Fuzzing BDK’s coin selection source code. Nice story on how fuzzing always helps.
BitMEX covers the recent narrative for ETHPoW and ETH2. There has been a lot of conversation about the upcoming merge and the non-zero risk of a contentious hard-fork.
Rainbow Wallet adds support for NFTs.
Some more ETHCC videos:
Infura shares its history and future roadmap. Infura is busy adding new networks to its hosted node infrastructure including Near, Aurora, and StarkNet.
What are the best off-the-shelf fuzzers available for smart contract fuzzing? Fuzzing Labs gives an overview.
OpenZeppelin highlights latest developments in smart contract.
WalletConnect has a deep dive on its architecture.
What happens when you send 1 DAI? This blog post showcases the order of operations that happens in wallets and the EVM.
A proposed Uniswap Foundation asks for money from the community.
Trail of Bits publishes a blog post on its slither-read-storage tool which allows one to read storage slots of a smart contract using only source code.
Delphi Digital publishes a complete guide to rollups. As usual, the guide is very long-form and thorough.
Proposal for mev-boost to add a circuit-breaker pattern to its deployment.
Huff language announcement.
Account Abstraction has been a popular topic and is really important to understand if on-chain wallets continue to be popular. This is a good entrypoint.
ConnectKit looks like a powerful tool for wallet developers. It is a React component library for apps requiring wallet connections.
Osmosis increases minimum gas fee.
Moonbeam published a really good overview of how Axelar is helping create cross-chain applications.
ZSwap: non-interactive swaps.
Paradigm makes a PoC replacing Tendermint with Narwhal/Bullshark.
Juno experiences a chain-halt due to a fault in the cosmwasm implementation. Thread.
A paper that discusses how to bootstrap PoS chain to PoW (e.g. bitcoin) to derive its security by making succinct commitment to the trusted chain.
Writing Solana programs with Python using Seahorse.
Aleo announces another testnet.
Relayer v2 Announcement. Relayer forwards messages between IBC-enabled app chains. Among other things, the announcement signals that Relayer will start to support non-Cosmos SDK chains like Penumbra and Polkadot.
Excellent post on scaling state history indexing for Solana.
Google’s Project Paranoid checks for well-known vulnerabilities and implementation errors found in cryptography. Lattice attacks against weak ECDSA signatures gets a callout. Worth checking out.
DJB is suing USG (again).
Luca is malware that targets wallets. The source code was leaked and this drew a lot of fanfare because its written in Rust.
[Solana] Mainnet - v1.10.34
[Cosmos SDK] v0.45.7
[Polkadot] Polkadot v0.9.27
[Mina] Mainnet Stable Release 188.8.131.52
[Osmosis] Osmosis v11.0.0
[Cosmos Gaia] v7.0.3
Thanks for reading! Have a great week.
Thanks for reading This Week in Custody! Subscribe for free to receive new posts and support my work.