This Week in Custody #8
This Week in Custody is a newsletter covering technical and narrative developments in digital asset custody written for wallet engineers, digital asset operators, and security engineers.
News
Twitter adds Bitcoin tipping. Twitter adds support for tipping using the Lightning Network. It partnered with Strike, allowing Twitter users to authorize invoice creation from their Strike account. This is pretty exciting. However, a user has to complete KYC with Strike in order to receive payments. Sounds like a walled garden. To receive payments on LN without requesting a BOLT11 invoice, one can use spontaneous payments or offers.
IRS funds hardware exploits. The IRS is funding attempts to crack hardware wallets. Yes, state actors should always be part of your threat model.
OFAC. OFAC updates its list of crypto addresses. To stay up to date on this list, b10c has a tool for this on GitHub.
Bitcoin
Strike API. Strike announces its API, with Twitter as its first customer.
LN Fee Siphoning. Someone has taken advantage of poor fee practices in some Lightning Network wallets to collect payments in the form of routing fees. This type of DoS vector has been known for some time. The attack works like this:
Create a node with a high fee policy.
Create an invoice that can only be paid over a route that passes through your node.
Pay the invoice from a wallet that subsidizes routing fees. The attacker's node collects the difference as profit.
The solution is to always charge users for their withdrawals. Estimating the routing fee up front and charging the user the final fee mitigates this attack.
Ethereum
Diligence Fuzzing. ConsenSys adds a new product, Diligence Fuzzing, to its suite. It’s a fuzzing service that runs your fuzz functions against your contracts to test for popular vulnerabilities in smart contract code.
Hardhat Ignition. Nomic Labs teases an extension to the Hardhat testing framework.
Account Abstraction. Vitalik writes about ERC 4437.
Solidity 0.8.8. Release notes for Solidity 0.8.8.
Other
What’s in Your Wallet? New paper enumerates the privacy issues in Web3 wallets.
Security
Linux Plumbers Conference. Videos are online from the Linux Plumbers Conference. Lots of good topics covered, but the most relevant might include system boot and security.
Vendor Security 2.0. Nice writeup on vendor security.
REvil Ransomware. Wait, the FBI has a decryption key? Always had it.
Firmware Security. A review of attack vectors in firmware.
Have a great rest of the week!