🏡 Alchemist Internals
(#ChirpChirp) We've started a Twitter account for Alchemist! Be sure to follow us: https://twitter.com/TeamAlchemist79
(#WeLikeTheJam) Our friends from JustAddMeta improved their web3 experience... We look forward to receiving physical glasses of jam in exchange for our NFTs! 😎 https://justaddmeta.com
(#TheGoal) Alchemist79 internal strategy leaked: https://twitter.com/0xCharlota/status/1656402347751358471
🔥 Hot + Trending
(#NotFromMinecraft) RedStone had a successful funding round: https://redstone.finance/
RedStone positions themselves as an oracle newcomer and Chainlink alternative.
In addition to their on-demand pushing of off-chain data onto various chains, they mentioned a cool idea for creating KYC reputation oracles or “KYD: know your DeFi user”: https://blog.redstone.finance/2022/12/05/can-institutional-players-interact-safely-with-defi-yes-they-can-introducing-kyd-oracle/
Your on-chain activity, e.g. outgoing transactions from known KYC'ed exchanges, is used to derive your KYC status. Other services can use this status and it can even be used as a modifier in a smart contract.
(#LedgerAsAService) Ledger gets roasted for their surprising new feature that can store shards of your seedphrase with different providers: https://twitter.com/P3b7_/status/1661012196397305859
Their move seems to defeat the core idea of a secure hardware wallet. Sure, recovery mechanisms are great, but instead of increasing the attack surface, more people should use multi-signature wallets, e.g. Safe. Your Ledger could then be used as one of the signatures, removing this single point of failure.
Hardware usually stays a black box, as you need to trust the manufacturer and their supply chain. Trezor seems to be no safe alternative either: https://finance.yahoo.com/news/crypto-security-firm-unciphered-claims-153529306.html
Nevertheless, we really like Ledger’s move to open-source their software and offer a self-hosted shard backup provider. Giving users the freedom to decide their own “level of paranoia” is a good starting point. Especially business users might be interested in storing their secrets in on-premises software.
(#InsertCoinToStart) Coinbase starts Wallet-as-a-Service on Ethereum Mainnet: https://twitter.com/yugacohler/status/1661057313678016526
This sounds like a good onboarding strategy: start with a seamless user experience, use multi-party computation for security, and eventually let users export their private keys if they want to.
More details: https://www.coinbase.com/cloud/products/waas
(#BasedVitalik) Vitalik underlines the role of Ethereum as the basic and neutral consensus layer for other app-specific L2 chains: "Don't overload Ethereum's consensus" https://vitalik.ca/general/2023/05/21/dont_overload.html
(#APennyForYourEyeballs) ChatGPT founder Sam Altman collects $100M funding: https://coincodecap.com/chatgpt-founder-sam-altman-crypto-worldcoin-gets-100mn-funding
What? We thought the world agreed that Worldcoin is a dystopian nightmare...
Privacy concerns are addressed, but it still sounds wrong to have your iris scanned: https://worldcoin.org/privacy
We think a more nuanced approach such as Gitcoin Passport is a better solution: https://www.gitcoin.co/passport
For the specific task of checking whether a user is unique (sybil resistance), “Proof of Humanity” is another relevant project: https://proofofhumanity.id
🔍 Analytics + Security
(#TheLitmusTest) BASE audit starts on code4rena: https://code4rena.com/contests/2023-05-base
(#IAmTheBossNow) Tornado Cash exploit is a governance attack: https://twitter.com/samczsun/status/1660012956632104960
A secure system is only as strong as its weakest link: in this case it was again human error. People were signing a governance proposal that had a backdoor.
This again shows the need for good tooling that supports users during the signing process. Users need (1) to know what they are signing and (2) to have it presented at a level of abstraction that fits their crypto knowledge.
In the future it might be possible to have every governance proposal checked, just as smart contract audits are carried out. This way, only verified proposals, e.g. checked on code4rena, are executed.
🎓 Research + Academia
(#HiddenInPlainSight) Wallet UX viewpoint: “Wallets must be invisible” https://mirror.xyz/sylve.eth/A8VnNvBVbc0aXmW2FlG58ysI8oZUnH0HGwwjIsQGHUk
A common viewpoint is that blockchain technology should be hidden and the end-user should not realize that there is a blockchain involved.
Some people underline this argument and say that the term “wallet” needs to vanish completely as it conveys the wrong metaphor:
A different view is that the user should understand that there is a blockchain involved, but good UX helps them understand the special blockchain characteristics, such as the delay due to the consensus mechanism.
(#OpcodeGalore) EVM handbook: https://noxx3xxon.notion.site/noxx3xxon/The-EVM-Handbook-bb38e175cc404111a391907c4975426d
Understanding EVM internals helps a lot when you dissect smart contracts and try to comprehend their data structures and how everything comes together.
Several authors refer to opcodes when doing gas-cost optimization, but we are sure many of those optimizations (e.g. using inline assembly or changing prefix and postfix increment/decrement operators) will make their way into the Solidity compiler.
Bigger opportunities lie in optimizing your data structures or thinking about what really needs to be saved on-chain.
(#MakeOrBreak) Implications of removing the SELFDESTRUCT opcode: https://twitter.com/dedaub/status/1661858103518806021
Fundamental changes to EVM behaviour are always tricky. The core idea of smart contracts was “deploy and run forever”, but this seems to be one of the rare cases where a feature needs to be changed.
Many of the affected contracts can be updated, but I guess there are also other contracts that will break after this update. It makes sense to consider this scenario when deploying a smart contract, just as you would think about your patching strategy when a critical bug is found.
(#WhatsAaaaaab) Guess an ABI from bytecode: https://github.com/shazow/whatsabi
This seems to be really helpful, as there are still many popular contracts out there without published and verified source code.
Sometimes you cannot get around interacting with such a contract, or you need to analyze it for a security audit. Projects like this give you a first starting point in the form of a human-readable version.
💡 Concepts + Ideas
(#BringItTogether) a16zCrypto: “Business strategy, design, and decision making in web3” https://a16zcrypto.substack.com/p/on-business-strategy-design-and-decision
(#ShareACokeWithRobots) Impressive usage of machine learning tools (Midjourney!) for advertisement by Coca-Cola: https://twitter.com/StabilityAI_JP/status/1656859810682515456