This Week in Custody #45
This Week in Custody is a newsletter covering technical and narrative developments in digital asset custody, written for wallet engineers, digital asset operators, and security engineers.
Last Week’s Most Clicked
Telegram launches a P2P exchange with its @wallet bot.
Flashbots has a new MEV-boost Dashboard.
Tweet thread on threat models against MPC & TSS.
News
BNY Mellon starts its crypto custody service.
Copper raises a $196M Series C.
Zerion raises a Series B for its wallet.
River announces its River Lightning Service.
Google Cloud partners with Coinbase.
Networks
A bug in LND nodes on the Lightning Network caused block syncing to fail past a certain block. A transaction spending a 998-of-999 tapscript multisig output caused wire parsing to fail in btcd, which is a dependency of lnd. An issue was raised, and fixes to both btcd and lnd were merged. A hotfix was released with the v0.15.2-beta tag.
“The issue here is that the old checks for the maximum witness size, circa segwit v0 were placed in the wire package as well as the tx engine. This check should only be in the engine, since it's properly gated by other related script validation flags.
The fix itself is simple: limit witnesses only based on the maximum block size in bytes, or ~4MB.”
A dashboard covering 18 months of IBC.
Avalanche’s Banff update adds support for creating Proof of Stake subnets. There are also considerable changes to some transaction types.
A large-scale exploit occurred on Binance Smart Chain’s bridge.
An IBC Security Advisory is communicated to Cosmos chains. A patch is circulating privately to chains while a public patch will be made available today with the release of the Cosmos-SDK v0.45.9 and v0.46.3.
“A chain is safe from the critical vulnerability as soon as ⅓ of its voting power has applied the patch. Chains should still seek to patch to ⅔ as quickly as possible once the official patch is released.”
Tweet thread on Account Abstraction. And blog post on the subject.
This past week had a lot of high-profile exploits. Highly recommend subscribing to rekt.news for analysis.
Bitcoin may get a new transaction version.
Private Payments is now BIP-351.
Bitcoin Inquisition is a Bitcoin client for testing soft-forks on signet.
Gauntlet launches Aera.
Coinbase is supporting EIP-4844 on Ethereum.
Guides
Insights from a large Lightning Network node.
Lightning Network liquidity 101.
Delphi Digital Labs publishes a paper titled SLAMM: A Unified Model for Cross-Chain Liquidity.
History of the Cosmos network by Interchain.
a16z crypto has a great primer on wallet security.
TryBitcoin is an interactive tutorial for beginners who want to learn more about the technical side of Bitcoin.
Tools & Software
Aztec releases Noir, a domain specific language for ZK-provable programs.
The anticipated StratumV2 reference implementation is released! Twitter thread.
Ethereum Transaction Viewer is a simple UI for tracing smart contract calls on Ethereum.
delegate.cash is an on-chain registry that lets users specify delegates for cold wallet vaults.
Blend: a p2p borrowing and lending protocol on LN.
Cryptography
Thread on STARK math resources.
To Fix or Not to Fix: A Critical Study of Crypto-misuses in the Wild
Security
Improving the Secure Boot landscape: sbctl & go-uefi (video).
“Beyond tweaking data, BPF programs can do things like filtering out spurious button clicks. It will also be possible for BPF programs to communicate directly with devices.”
I’m really interested to see how BPF can be applied to make retail hardware wallet usage less error-prone and more secure.
Guix for development.
Releases
Thanks for reading. Have a great weekend!