This Week in Custody is a newsletter covering technical and narrative developments in digital asset custody written for wallet engineers, digital asset operators, and security engineers.
News
Kraken CSO profile. Verdict writes about the security efforts at Kraken.
UI Fractionalization. Recently, a reader brought up an interesting find that Ledger Live’s UI and functionality varies based on jurisdiction. For example, some users cannot swap assets easily based on country location. Compliance to local laws is nothing new, but I wonder what sort of enforcement might creep its way into the firmware code.
CACEIS. CACEIS, a very large European bank, is building its own in-house custody unit.
Bitcoin
Bitcoin Core v22.0. Bitcoin Core v22.0 has been tagged. Notice that this is the first release without a leading zero! Great post on what’s new.
Scaling LN at River. I wrote a blog post discussing the approach River Financial took to integrating the Lightning Network. Engineers looking to integrate LN at their company might find the trade-offs we took interesting. The post includes some thoughts on some user stories as well as technical decisions.
Getting Started with LN. A thread on getting started with the Lightning Network by running a node.
LND: Remote Signing Over RPC: A new PR to LND makes it possible to do all private key signing outside of the node. Awesome!
Chivo App. The newly launched government-backed El Salvador bitcoin wallet has launched last week. The most immediate concern was displaying government names in invoices. This has supposedly been fixed since online criticism.
Ethereum
Clockwork Finance Framework. A new paper creates a framework for analyzing the economic security properties of smart contracts.
Dependency Graphs. A running issue in Web3 is the large dependency chain involved. For many users accessing Ethereum through their browser, the dependency chain includes the wallet (e.g. Metamask), web browser, host machine, hardware wallet vendor library, and finally the firmware on the device. Any breaking change in the chain cascades fairly quickly. A recent twitter thread highlights the challenges of a single change done in Google Chrome. Is there a framework for handling these dependencies?
dapptools-rs. New rust implementation of `dapp` and `seth` for dapp development tooling.
Security
Travis CI. It appears that environment variables of all public Travis CI repos were potentially leaked.
NSO. NSO’s zero-click exploit has been found in the wild. The impact of this vulnerability is staggering. Update your Apple devices.
Thanks for reading. Have a great week!