This Week in Custody is a newsletter covering technical and narrative developments in digital asset custody, written for wallet engineers, digital asset operators, and security engineers.
Last Week’s Most Clicked
Rainbow Wallet adds support for NFTs.
BNP Paribas is working on custody.
Fuzzing BDK’s coin selection source code.
News
Galaxy Digital abandons its plan to acquire BitGo. The original deal was announced in May 2021 with a $1.2 billion price tag. BitGo plans to sue Galaxy Digital for its share of the breakup fee.
CopperConnect adds Solana.
Safeheron announces a raise to build MPC tools.
Private keys are increasingly being revealed in US courts as part of discovery or pre-trial motions. Worth reading!
Bitcoin
Coinbase covers LN growth metrics.
Lightning Labs’ recent newsletter also covers growth:
Wallet of Satoshi took 26+ months to do their first 1M Lightning payments, but only around six months to go from 2M to 3M payments, and about 4 months to hit 4M. Lightning adoption is accelerating!
Pikachu: Checkpointing PoS chains into Bitcoin’s chain using Taproot. Does this make Bitcoin a data availability (DA) layer for Ethereum?
An interactive demo to experiment with blind Schnorr signatures.
The Summer of Bitcoin is a program that helps students contribute to open-source Bitcoin projects. They have a blog.
Channel jamming is a big area of research in LN. Lab31 publishes technical content on the topic.
Ethereum and The Merge
The long-awaited “Merge” network event is right around the corner, so it is worthwhile to dedicate some time to cover it and provide resources on what to expect.
The Ethereum Foundation (EF) has released a few blog posts covering the announcement. The official announcement by EF provides an FAQ.
The Merge is a two-step process. First, the consensus layer (formerly known as the Beacon Chain) will fork to include rules that incorporate transaction execution. This fork is called Bellatrix. Second, the actual merge happens on the execution layer (e.g. Geth), which will hot-swap PoW for PoS. This fork is called Paris.
Following the Merge, the definition of a full node has changed in the Ethereum protocol. It is now a requirement to run both the consensus client and execution client if you want to operate under the same trust model as before. There is a documented interface secured by JWT that connects both nodes.
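The JWT-secured link between the two clients, sketched as an added example (not code from this newsletter or from any Ethereum client). It assumes the scheme in the Engine API authentication spec: a 32-byte hex shared secret, HS256, and an `iat` claim accepted only within 60 seconds of the verifier's clock; the function names and the sample secret are constructed for illustration.

```python
import base64, hashlib, hmac, json

MAX_SKEW = 60  # seconds of allowed clock drift (assumed from the Engine API auth spec)

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def load_secret(hex_text: str) -> bytes:
    """Parse the shared secret as stored in a jwt.hex-style file (64 hex chars, optional 0x)."""
    cleaned = hex_text.strip()
    if cleaned.startswith("0x"):
        cleaned = cleaned[2:]
    secret = bytes.fromhex(cleaned)
    if len(secret) != 32:
        raise ValueError("secret must be exactly 32 bytes")
    return secret

def mint_token(secret: bytes, now: int) -> str:
    """Consensus-client side: HS256 token whose only claim is iat (pass int(time.time()))."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    claims = b64url(json.dumps({"iat": now}, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{claims}".encode(), hashlib.sha256).digest()
    return f"{header}.{claims}.{b64url(sig)}"

def verify_token(secret: bytes, token: str, now: int) -> bool:
    """Execution-client side: check algorithm, signature, then iat freshness."""
    try:
        header_b64, claims_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        claims = json.loads(b64url_decode(claims_b64))
        sig = b64url_decode(sig_b64)
    except (ValueError, TypeError):
        return False
    if not isinstance(header, dict) or header.get("alg") != "HS256":  # rejects alg "none"
        return False
    expected = hmac.new(secret, f"{header_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return False
    iat = claims.get("iat") if isinstance(claims, dict) else None
    return type(iat) is int and abs(now - iat) <= MAX_SKEW
```

Both clients must read the same secret file; a mismatch or a clock drift beyond the window shows up as rejected Engine API calls rather than as a consensus error.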
Unfortunately, choosing which consensus client to run is not trivial. If you choose to stake, the client that you run will have financial consequences. The protocol includes a disincentive that significantly punishes node operators who run a popular implementation of Ethereum: your staked ETH will be slashed at higher rates if the popular client you run experiences a bug that causes downtime or satisfies one of the slashing conditions.
To see a complete list of changes in the Bellatrix fork, see the consensus-specs repository. To review the Paris fork, see the execution-specs repository.
Below is a list of important dates from the EF:
The following is the high level of dates and events expected to unfold:
[2022/08/18]
– TTD reassessed and finalized on All Core Devs call
[2022/08/18 to 2022/8/22]
– EL and CL teams cut Mainnet software releases
[2022/08/23]
– Client resources, EF blog, and other community and infrastructure announcements of final parameters and releases
[2022/09/06 11:34:47am UTC]
– Bellatrix Mainnet upgrade
All stakers must upgrade to EL+CL Merge-ready nodes before this time
All infrastructure providers, users, and community members should upgrade PoW nodes to EL+CL Merge-ready nodes before this time
[Estimated: 2022/9/15]
– Paris Mainnet Merge transition
All infrastructure providers, users, and community members must upgrade to EL+CL Merge-ready nodes before this time. Plan on configuring systems at least one week in advance and ideally before Bellatrix
Ethereum
dYdX has a vulnerability with gasless deposits. The issue was resolved through their responsible disclosure process.
OpenZeppelin contracts have an ECDSA signature malleability issue.
Curve Finance gets DNS spoof’d.
Certik has a write-up.
An Empirical Study on Ethereum Private Transactions and the Security Implications
BitMEX writes about OFAC enforcement in the context of PoS Ethereum.
Flashbots Relay is open sourced.
Other Chains
Jump Crypto is writing its own Solana client in C++.
Jump Crypto is building Silo, a threshold signature scheme that uses BFT consensus as part of its system.
Coinbase investigates the Nomad Bridge incident.
An example of a StarkNet transaction signed using iPhone’s enclave.
SlowMist provides additional analysis on the Slope Wallet incident.
Crypto
Zcon3 was earlier this month! There was a talk covering the latest research in FROST.
MuSig-L: Lattice-Based Multi-Signature With Single-Round Online Phase
Security
Auditing Crypto Wallets is an excellent primer that covers a lot of security details when it comes to developing non-custodial wallets. Highly recommend reading it!
An executive at Binance was allegedly impersonated using deepfake videos in order to facilitate an asset listing scam.
If I were COO of your crypto team... is a fun read for anyone working on wallet operations.
Releases
[Avalanche Go] v1.7.18 - Chapelco
[Cosmos SDK] v0.46.1
[Polkadot] Polkadot v0.9.28
[Go Ethereum] Sentry Omega (v1.10.23)
Thanks for reading!