BR055 - Sparrow, SATSLINK, Vulnerability Hell (RPI, ESP32, 26₿ gone) + MORE, Craig Raw, Odell, Rijndael
I’m joined by guests Craig Raw, Odell & Rijndael to go through the list.
Housekeeping
00:03:36 Subscribe now for Bitcoin Black Friday early DEALS access.
00:03:59 SATSLINK official announcement video from nostrasia
Vulnerability Disclosures
00:10:42 A phishing email is being sent out impersonating Blockstream [Blockstream]
“DO NOT click on any suspicious emails claiming to be from Blockstream. Blockstream will NEVER ask for personal information via email.”
“NEVER enter your seed phrase online or share it with anyone, even if they claim to be from the Blockstream support team.”
“You should only update your Jade firmware through the Blockstream Green wallet application or our dedicated firmware website.”
00:12:19 Fake Ledger Live app in Microsoft Store stole $768,000 in crypto [Bleeping Computer]
Microsoft has recently removed from its store a fraudulent Ledger Live app for cryptocurrency management after multiple users lost at least $768,000 worth of cryptocurrency assets.
00:12:52 The Apple AppStore for iOS has published a range of fraudulent bitcoin wallet apps including Electrum Wallet Management [Oscar P]
Similar apps all using the same scam:
“LUMI WALLET MANAGEMENT”
“SAMOURAIWALLET MANAGEMENT”
“JAXX LIBERTY TRADE”
“JAXX LIBERTY WALLET MANAGEMENT”
“FANTOM WALLET MANAGEMENT”
“AAVE PROTOCOL ASSETS TRADE”
00:17:01 No Fault injection but secure-boot bypass on ESP32 just by swapping CS line. [Arun Magesh]
00:19:33 Every single Raspberry Pi 5 is given a unique identification number, laser-etched on to the board
00:25:35 Rick Messitt 25 BTC hacked from self hosted password manager
30bit password used. Rick suspects device(s) compromised, keylogger or SIM swap.
Bitcoin
Software Releases & Project Updates
00:55:29 COLDCARD Edge 6.2.1X (2023-10-26)
New Feature: Enroll Miniscript wallet via USB (requires ckcc v1.4.0)
New Feature: Temporary Seed from COLDCARD encrypted backup
Enhancement: Add current temporary seed to Seed Vault from within Seed Vault menu. If current active temporary seed is not saved yet, Add current tmp menu item is present in Seed Vault menu.
Reorg: 12 Words menu option preferred on the top of the menu in all the seed menus
Enhancement: Mainnet/Testnet separation. Only show wallets for current active chain.
Contains all the changes from the newest stable 5.2.0-mk4 firmware
00:34:35 Sparrow 1.8.0 (2023-11-09)
Add a figure caption to the overview diagram on a transaction tab to describe the transaction
Enlarge the QR display dialog and increase the default QR code density
Add Search All Wallets functionality to the View menu to search across all open wallets
Add airgapped message signing via QR
Increase the gap limit where necessary to sign a PSBT where its global xpubs match an open wallet
Add fee rate selection slider to the Private Key Sweep dialog
Add a Scan button to QR display dialog to progress immediately to scanning
Support opening multiple wallet or transaction files at once
When searching, show transactions with a matching output address if a full address is provided
Add Satochip card support as an airgapped or connected hardware wallet (@Toporin)
Add Krux as an airgapped hardware wallet
Temporarily disconnect from Whirlpool if the wallet gap limit is increasing rapidly during mixing due to network issues
Add Whirlpool Postmix to the list of possible accounts that can be added to any Legacy or Segwit wallet
Add additional testnet public server qtornado.com
Freeze and unfreeze UTXOs in Sparrow Terminal by pressing f on the UTXOs table
Check and indicate in the title bar if a proxy is configured and working in Sparrow Terminal
Add keyboard shortcut cmd+alt+arrow on MacOS to switch tabs (ctrl+pageup/pagedown already works on all platforms)
Select all text in the message sign signature field on mouse click
Reload Cormorant wallet if unloaded when polling Bitcoin Core
Support hexadecimal Border Wallets grid PDFs
Improve fullscreen behaviour by setting dialog ownership to parent window
Add duplicate payment address warning to transaction diagram
Display an error message when attempting to mix from account 0 and it is not the master wallet
Remove block hash from transaction tab fields, add to context menu for block height and timestamp
Add Bisq segwit custom derivation to mnemonic wallet discovery
00:58:01 Liana v3.0: Terceira (2023-11-02)
Two new optional parameters were introduced to the listcoins command to be able to filter coins by status (confirmed, spent, etc.) and outpoints (to query specific coins).
Updated the “quick try” guide to make use of the managed bitcoind. Trying out Liana on Signet is now easier than ever!
GUI-specific:
You can now use the BitBox02 signing device. The minimum supported version of the firmware is v9.15.0.
It’s now possible to label coins and payments (that is, a transaction’s output). It’s also possible to label batches of payments (that is, a transaction itself) and addresses.
The number of steps in the installer was reduced by dropping the final confirmation screen.
All text inputs are now sanitized to remove whitespaces.
Various loading screens at startup were updated to include more information.
The transaction fee rate is now displayed in addition to the absolute fee in the details.
The managed bitcoind version was bumped to 25.1 for new installations.
00:58:49 Electrs 0.10.1 (Nov 01 2023)
Fix build failure on Raspberry Pi 4 (32bit) (#940)
Return first txid-matching transaction (#933)
Add txid collision scanner (#928)
Optimize indexing via bitcoin_slices (#927)
Optimize index querying via bitcoin_slices (#913)
Avoid precompiled ‘serde_derive’ >=1.0.172 (#924)
Allow exiting mempool sync on SIGINT (#917)
Allow skipping merkle proof downloads in history.py (#915)
Remove IndexResult and index into db::WriteBatch (#914)
Dockerfile: re-add curl for the second time, so it can be used for docker health checks (#912)
Reuse buffer in p2p handling (#910)
Preallocate serialized vector of HashPrefixRow (#909)
Less verbose logging when bitcoind is warming up (#908)
Drop Cirrus CI due to flakiness (#948)
1:01:07 Blockstream Green iOS [v1.4.18]
1:01:16 Nodeyez v23.10
New Panel: Geyser Fund panel spotlights a randomly selected project. The name, description, image, and tags are displayed along with a QR code that can be scanned to go to the projects page. Configuration allows for selecting the specific tags (categories) from which to select projects.
1:01:32 Padawan Wallet v0.12.0 (#note: A testnet-only bitcoin wallet for Android full of tutorials on how to use bitcoin wallets.)
This version comes with support for the app entirely in Spanish
Project spotlight
1:08:24 Bitescrow [Website/Github]: Core library for implementing the escrow protocol.
Features:
Method libraries for the proposal, contract, and settlement rounds of the protocol.
Multi-platform client with minimal dependencies.
Run-time schema validation (using zod).
Showcases the power of taproot and musig2.
E2E test suite with native Bitcoin Core integration.
Beta program is officially launched
bitescrow.app: Non-Custodial, No-KYC, Lightning-enabled Bitcoin Escrow
1:09:33 Bitcoindev.org: Bitcoin & Lightning Development Resources by Vortex
Grab the latest Libraries, SDKs, and APIs in your favorite programming languages.
1:09:40 bitcoin-scriptexec by @stevenroose3: A Rust library for executing Bitcoin Script.
1:11:14 Seedle39 by @Fichte42: A word puzzle game where you have 5 attempts to guess the chosen BIP 39 seed word.
1:11:40 Opcode Explained by thunderbiscuit: A small encyclopedia of opcodes
The goal of the website is to become a reference point that can be used to learn about opcodes of course, but also to be a resource you can always point to when writing formal documentation and referencing opcodes
Contribute on Github
1:12:06 Cubit from [nabi_technology](https://twitter.com/): A Powerful and Reliable x86 Microserver That Makes Running Your Own Node Hassle-Free
Powered by the Intel Celeron N5105 (4+ times faster than the Raspberry Pi 4)
16GB of DDR4 RAM, expandable up to 64GB
Dual port 2.5 Gb Ethernet for fast data transfers
4 USB ports
1 SSD NVMe drive for extreme speed
and 2 SATA ports to give you the peace of mind that comes with RAID
Compact and Minimalist Design
Features:
Secure your data at home by running your own Nextcloud server.
Become uncensorable by running your Nostr Relay, Matrix server and your Decentralized Web Node.
Protect your online privacy by configuring a secure VPN, block any ads, and self host everything
1:15:14 BitChimney Space Heater
20/240V, Plug & Play, Low Noise, WiFi Space Heater. Based on a single Antminer S19 hashboard, APW3++ PSU & Loki Kit, BitChimney is designed to plug into household power outlets & provides heat while earning Bitcoin rewards.
Runs on 110V-240V Input Voltage
Plug and Play
Wifi-Enabled
PSU included
Utilizes Loki Kit by Pivotal Pleb Tech
Bitchimney ships fully assembled & only needs WiFi & mining pool credentials for setup.
Lightning + L2+
Software Releases & Project Updates
1:15:37 Blixt v0.6.9
Highlights:
Simple Taproot Channels support
New robust Tor implementation for Android
Support for a bunch of new languages.
New Persistent Mode on Android - keep Blixt Wallet running all the time in the background
Common:
Updated to lnd 0.17.1 rc3
Speedloader has been improved with support for bsdiff patches (This means you won’t have to download the full channel database for each sync, resulting in speedier syncs)
Zero confirmation channels are now supported on Dunder LSP
Added support for Simple Taproot Channels for manual channel openings (Simple Taproot Channels will be enabled for Dunder LSP too in the near future)
Chain filter syncing should be substantially faster, as a part of Neutrino performance improvements in lnd 0.17.0
New languages: Czech, Danish, Finnish, Hindi, Korean, Norwegian, Persian, Romanian, Traditional Chinese, Simplified Chinese, Swahili and Kenyan Swahili.
Changed the camera lib to react-native-vision-camera - should be more performant and offers faster QR code scanning
Receiving onchain via Taproot is enabled by default
Long-press on the “Generate address” button to generate a SegWit address
Upgraded react-native to version 0.72.6. This has resulted in faster startup times
Added the ability to set a custom preimage for invoices. Enable this feature in settings
Added the ability to set outgoing channel when paying an invoice
Added the ability to change speedloader server
Added “Force close delay” information to Lightning channel info boxes
Increase recovery window to 500 addresses when recovering wallets.
Android:
New Tor implementation - More robust and reliable.
Persistent Mode:
In this mode, Blixt Wallet and lnd will run persistently in the background. (Can be useful for when you’re awaiting payments.)
Also lets you always keep in sync with the Bitcoin chain, making spontaneous payments really quick.
In the near future, we will allow Lightning Address support for any user running Persistent Mode, via the service Lightning Box. (Note: This may affect your battery life depending on the device.)
Explicit build only for arm64-v8a. This has resulted in slightly smaller APK sizes
1:15:52 Zeus
New branding
Korean language support
Embedded LND node
OLYMPUS by ZEUS 0-conf channel service
ZEUS PAY self-custodial lightning addresses, using Zaplocker
Simple Taproot Channels
Contact book
1:16:04 Phoenix
1:16:14 Mutiny Node
1:16:29 LN Wallet APIs/LSPs
Integrate Bitcoin and Lightning payments into projects.
Allows for onchain and Layer two Lightning payments in Bitcoin or USD.
Key Features:
Instant transactions – no waiting for funds to arrive
Final settlement – no more chargebacks
Low cost – save 2-5% compared to credit cards
Micropayments – no minimum payment amount
Interoperability – permissionless payment network
Zero fee for Blink-to-Blink transactions
Breez SDK Core
Publish python package
Introduce max_reverse_swap_amount to allow draining all channels when sending on-chain.
Extend payment type filter to include ClosedChannels.
Introduce prepare_sweep to estimate the sweep transaction fee.
Introduce prepare_refund to estimate the refund transaction fee.
Improve error handling and specifying error code in exceptions and errors.
Include SwapInfo in Payment.
Add payment hash to lnurl_pay.
Auto-discovery for default LSP.
Add Getinfo command
Support paging in list payments - Thank you @dleutenegger
Add optional claim_txid and lock_txid to ReverseSwapInfo
Add closing_txid to closed channels received in payments list
Use millisatoshi instead of satoshi for lightning amounts.
Improve sync and sending payments performance
Taproot Assets v0.3.1
Daemon Config Enhancements:
Users can now configure PostgreSQL database settings from the command line.
RPC Enhancements:
The txid of the batch is now returned with the MintingBatch for tapcli assets mint finalize.
Users can specify a custom proof courier on the CLI.
gRPC max message size increased.
Universe Sync Improvements
Default Universe sync algorithm now follows an “on demand” approach.
Added new caches to Universe-related RPC calls for improved performance.
Optimized the call to fetch all Universe roots.
Less Debug Logging
Reduced debug logging for the Universe sync process.
1:23:01 Torq v1.4.1
Possibility to copy a view
Add payment request to payments page
Closed channels sometimes reappeared as active when delayed gossip was processed
Pagination indicated too many pages when filtering
You can now choose refresh interval for each list view
Fix turnover layout and calculation
Channel filter “Active” is now true when both sides of the channel are active (used to be local side only)
Improvements on channel inspect page:
Show channel open and close dates on charts
Added basic channel info
Indicators if data is loading
1:23:05 BitBanana v0.6.8
Stealth mode (hide app on device)
Option to hide all balances
Support for custom (self-hosted) Block Explorers
Additionally we improved some other things:
Updated Block Explorer list
1:23:09 10101 v1.5.0
Allow to drain on-chain wallet by sending amount 0.
Load persisted rust-dlc ChainMonitor on restart.
Upgrade rust-lightning to version 0.0.116.
Charge channel opening fee through the lsp flow
Allow to configure tx fee rate when opening channels from the coordinator
1:23:13 Minibits 0.1.3-tor-beta.6
Minibits becomes full member of Lightning ecosystem:
Reacts to lightning, cashu, lnurlw and lnurlp deeplinks
Allows paying to static QR codes, links and lightning addresses, including NOSTR zaps (LNURL Pay)
Allows withdrawals into the wallet from services supporting LNURL Withdraw
Universal .APK of Minibits now has its own Tor daemon, which allows it to connect to mints with .onion addresses. Mints thus do not know the IP address of the interacting wallet. Another neat use case is to run your own mint without needing a public IP address and domain. You can expose it via a Tor service that the wallet can connect to without additional networking setup.
1:23:20 rust-lightning 0.0.118 - “Just the Twelve Sinks”
API Updates:
BOLT12 sending and receiving is now supported as an alpha feature. You may run into unexpected issues and will need to have a direct connection with the offer’s blinded path introduction points as messages are not yet routed.
ConfirmationTarget has been rewritten to provide information about the specific use LDK needs the feerate estimate for, rather than the generic low-, medium-, and high-priority estimates. This allows LDK users to more accurately target their feerate estimates.
lightning-invoice payment utilities now take a Deref to AChannelManager.
peel_onion is provided to statelessly decode an OnionMessage.
ToSocketAddrs + Display are now impl’d for SocketAddress.
Display is now implemented for OutPoint.
Features::from_be_bytes is now provided.
Node Compatibility:
LDK now sends a bogus channel_reestablish message to peers when they ask to resume an unknown channel. This should cause LND nodes to force-close and broadcast the latest channel state to the chain. In order to trigger this when we wish to force-close a channel, LDK now disconnects immediately after sending a channel-closing error message. This should result in cooperative peers also working to confirm the latest commitment transaction when we wish to force-close.
Security:
Expands mitigations against transaction cycling attacks to non-anchor channels, though note that no mitigations which exist today are considered robust to prevent the class of attacks.
In order to mitigate against transaction cycling attacks, non-anchor HTLC transactions are now properly re-signed before broadcasting.
1:23:49 Wallby v0.10.4
Now available on iOS
Features:
Bitcoin wallet;
Liquid Network wallet with token and NFT support;
Rootstock wallet with Sovryn integration for tokens and liquidity pools.
1:23:58 Alby + Zaprite
You can now link your Alby wallet to Zaprite to start accepting bitcoin payments over the lightning network
Nayuta Wallet is now open source
Stacker News introduces image uploading
Blockstream Green iOS v4.0.18
Lightning support LNURL withdraw
Lightning Shortcuts
Project spotlight
1:24:19 LNESIM
Instantly buy travel eSIM with Bitcoin Lightning Network
No KYC or email required
1:24:25 cipherchat.app by secondl1ght: Encrypted messaging over the bitcoin lightning network
Free and open source
Can be self-hosted
Only requires browser to run web app
Connect lightning node via LNC & pairing phrase from Lightning Terminal
Tech stack: SvelteKit, TypeScript, Tailwind, dexie.js, node.js
Writeup on [lightningnetwork.plus]
How it functions:
Users connect their Lightning node to the app through Lightning Node Connect (LNC), utilizing a pairing phrase from the Lightning Terminal. This process establishes an end-to-end encrypted connection between the user’s node and the web app, facilitated by an LNC Mailbox relay proxy server. Communication occurs through keysend payments, each carrying a message, ensuring a secure and private exchange of information.
Innovative Features for Enhanced Experience:
Spam protection: Leverages the inherent ‘proof-of-work’ of setting up a Lightning node and the costs associated with messages to deter spam. Users can start conversations easily with just another node’s pubkey and explore public nodes through platforms like LN+’s Explorer.
Compatibility:
Currently, the app is tailored for LND and is not compatible with Core Lightning, but it stands interoperable with other Lightning messaging apps that adhere to established standards.
1:24:48 Lifpay Bitcoin Lightning wallet [iOS / Android]
Customize your LN address with your name, i.e. your_name@lifpay.me
Single Balance: Make all Bitcoin and Lightning send from a single balance.
Account sync: Single account matches App and Web with auto-sync transaction data.
Notifications: Get notified of all you are sending or receiving.
Simple layout
1:24:53 getbit.money: Send money from the USA 🇺🇸 to India 🇮🇳 instantly with the magic of the lightning network
1:25:02 Plasma from Fonta1n3: Core Lightning Wallet powered by LNSocket
Features:
LNSocket/LNLink for connecting to your node.
Export LNLink for sharing your node (can be used with fine grained runes).
Bolt12 send/receive
Bolt11 send/receive
Taproot addresses for onchain deposits
Onchain send and receive
Payment history
Onchain UTXOs
Add channels
Rebalance channels
Nostr
Software Releases & Project Updates
1:25:45 rust-nostr v0.25.0
add extra nip11 fields
Negentropy Syncing
Custom time of reconnect options added
sdk: allow to change Keys
sdk: fix stop and start
sdk: fix pong not match if connect method called multiple times
sdk: add Limits
Filters
Impl Display and FromStr for Method
1:25:59 Damus
Add setting that allows users to optionally disable the new profile action sheet feature
Add follow button to profile action sheet
Added reaction counters to nostrdb
Record when profile is last fetched in nostrdb
Improve discoverability of profile zaps with zappability badges and profile action sheets
Add suggested hashtags to universe view
Suggest first post during onboarding
Add expiry date for images in cache to be auto-deleted after a preset time to save space on storage
Add QR scan nsec logins
1:26:04 Primal
1:26:20 Amethyst v0.80.7
Migrates external sharing service to njump.me
Adds support for Greek, Indonesian, Spanish & Arabic translations
Updates Kotlin compiler version
Removes a recomposition between the started state and the isOnline state that is already cached.
Migrates the check if stream is online to a single compose object.
Forces relay reconnection when a new WIFI service is available
Fixing translations of the that create the same message but with different character cases
Refines the layout of Author Pictures for performance
Refines layout of URL Previews for performance
Refines the padding of chat messages and reaction row
1:26:28 Nos.social
Added a confirmation before reposting a note.
Added the ability to delete your reposts by tapping the repost button again.
Show reposts in stories.
Added a content warning when a user you follow has reported the content
Changed copied links to notes and authors to open in njump.me.
Added the ability to initiate USBC transactions and check your balance if you have linked a Universal Name to your profile with an attached USBC wallet.
Add Stories view to the Home Feed
Redesigned the Universal Names registration flow
1:26:31 Highlighter 2.0
Data-vending-machine support: you can now very easily highlight podcasts and video content in a text-native way.
Patreon support: You can now create RECURRING subscriptions to support your favorite creators and shitposters. I will say a lot more about this and a follow up with a NIP to standardize and help other builders disrupt Patreon and bring creators of all kinds to Nostr easier and more compelling.
Zap-splits: Zapping a highlight creates a split on everybody involved in you seeing that content.
Curation: You can now create curations of articles and earn zap splits for your curation efforts.
NIP-32 Labels: categorize highlights and “margin notes” with any category
Full text support: Find what interests you across any topic in any type of event in nostr.
1:26:42 Mostro
1:26:48 Current iOS v0.1.4-Palo Verde
Chat with PlebAI - Plebs version of chatGPT. PlebAI exclusively connects to open-source, large language models.
1:27:02 0xchat v1.2.2-beta.2
Add support for NIP42
Add multilingual support for group chats
1:27:06 Lume
Redesign UI
Use Harmony color palette (source)
Use media-chrome for video player
Support Light and Dark Mode based on system
Support nsecBunker
Support outbox model
Migrate from custom secure storage (tauri-stronghold) to native secure storage (keyring-rs)
Improve native notification
New composer support write text, article (long-form content) note and file sharing (NIP-94)
Upgrade to Tauri v2
Add Nix dev environment
Added keyboard navigation to widget list, using Arrow Left and Right to navigate
Added new event cache system, powered by NDK and Tauri SQLite
Added infinite loading to all widgets
Improved performance and loading time
Project spotlight
1:27:15 Nostr Assets: LightningFi on Nostr
Send, Receive & Trade #Taproot Assets & #Bitcoin
1:33:03 Flockstr (#note: Submitted by Zach who listens to the show)
Uses the NIP-52 kinds to create a meetup.com/eventbrite-style experience on Nostr.
Users can create calendar events, share announcements, RSVP to events, and much more.
Soon to integrate lightning to handle paid events and ticketing.
Built as a progressive web app
Seeking feedback.
Bounty: 100K sats to integrate Flockstr’s events (Meetup Calendars) on Amethyst by Vitor
1:33:43 Nostter: Twitter clone built on Nostr
1:33:50 Nostr feature matrix
Compendium of nostr clients and known features.
1:34:34 [nostrudel](https://nostrudel.ninja/): Nostr web client
Privacy Software
Software Releases & Project Updates
1:34:39 StartOS v0.3.5
Moved from source available to fully open-source MIT license
Ditch Docker, replace with Podman
Remove locking behavior from PatchDB and optimize
Boost efficiency of service manager
Require HTTPS on LAN, and improve setup flow for trusting Root CA
Better default privacy settings for Firefox kiosk mode
Eliminate memory leak from Javascript runtime
1:35:54 Unleashed Chat
One button to deploy your own chat. Own your data. Private. Uncensored. Fast.
Boosts
1:42:13 Thanks to everyone who streamed sats, and shoutout to our top boosters:
[🏆 TOP BOOSTER] @hgw39 (20,000 sats) “yo nvk. just so you know there’s some resistance to all the totalitarian shit going on in New Zealand I wrote this especially for you. The Bitcoin scene in New Zealand in 2023.”
@apemithrandir (7,777 sats) “v4v”
@vake (4,000 sats) “bitcoin is boring and nothing happens”
@mrmr (1,209 sats) “” … Proof of fist.” sounds like a must listen.”
@dubravko (2,110 sats) ““Face to face. Proof of fist.” 😂🤣😂🤣😂🤣”
@heidisov (2,100 sats) “F$@& sleep meds…my husband told me I should just listen to a soothing podcast to deal with a recent bout of insomnia …I told him I have just the one…”
@sovereignindividual (2,100 sats) “Good”
Bitcoin Optech Newsletter
1:43:27 Highlights from recent Bitcoin Optech Newsletters
Replacement cycling vulnerability against HTLCs:
Since the replacement cycling vulnerability disclosure, implementations have been updated to include mitigations for the attack and we strongly recommend upgrading to the latest version of your preferred LN software. Only nodes being used to forward payments are affected; users who only use their channels to initiate and receive payments are not affected.
Deployed mitigations in LN nodes for replacement cycling
Frequent rebroadcasting
After a relay node’s mempool has Bob’s spend replaced by Mallory’s spend, and then has Mallory’s input removed by Mallory’s second replacement, that relay node will immediately be willing to accept Bob’s spend again. All Bob needs to do is re-broadcast his spend, which costs him nothing beyond the transaction fee he was already willing to pay.
Longer CLTV expiry deltas
When Bob accepts an HTLC from MalloryA, he agrees to allow her to claim an onchain refund after a certain number of blocks (let’s say 200 blocks). When Bob offers an equivalent HTLC to MalloryB, she allows him to claim a refund after a smaller number of blocks (let’s say, 100 blocks). Those expiry conditions are written using the OP_CHECKLOCKTIMEVERIFY (CLTV) opcode, so the delta between them is called the CLTV expiry delta.
Mempool scanning
To initiate a replacement cycle, Mallory still needs to briefly disclose her preimage to miner mempools in order to replace Bob’s spend. If Bob runs a relaying full node, Mallory’s preimage transaction may propagate across the network to Bob’s node. If Bob then detects the preimage before he’s due to give MalloryA a refund, the attack is defeated and Mallory loses any money she spent on attempting it.
Discussion of mitigation effectiveness
Riard’s initial announcement said, “I believe replacement cycling attacks are still practical for advanced attackers.” Matt Corallo wrote, “the deployed mitigations are not expected to fix this issue; its arguable if they provide anything more than a PR statement.” Olaoluwa Osuntokun argued, “[in my opinion], this is a rather fragile attack, which requires: per-node setup, extremely precise timing and execution, non-confirming superposition of all transactions, and instant propagation across the entire network”.
Proposed additional mitigations for replacement cycling:
Incrementing fees towards scorched earth
Antoine Riard’s paper about the attack and mailing list posts by Ziggie and Matt Morehouse suggest that, instead of having the defender (e.g. Bob) just rebroadcast his refund spend, he starts broadcasting conflicting alternative spends that pay ever-increasing feerates as the deadline approaches with the upstream attacker (e.g. MalloryA).
Automatic retrying of past transactions
Corallo suggested that, “the only fix for this issue will be when miners keep a history of transactions they’ve seen and try them again after an attack like this.”
Presigned fee bumps
Peter Todd argued that, “the correct way to do pre-signed transactions is to pre-sign enough different transactions to cover all reasonable needs for bumping fees. There is zero reason why the B->C transactions should be getting stuck.”
OP_EXPIRE
Peter Todd proposed several consensus changes to enable an OP_EXPIRE opcode that would make a transaction invalid for inclusion after a specified block height if the transaction’s script executes OP_EXPIRE
Bitcoin UTXO set summary hash replacement
Fabian Jahr posted to the Bitcoin-Dev mailing list to announce that a bug had been discovered in Bitcoin Core’s calculation of the hash of the current UTXO set.
Research into generic covenants with minimal Script language changes
Rusty Russell posted to the Bitcoin-Dev mailing list a link to some research he has performed about using a few simple new opcodes to allow a script being executed in a transaction to inspect the output scripts being paid in that same transaction, a powerful form of introspection
Proposed BIP for OP_CAT
Ethan Heilman posted to the Bitcoin-Dev mailing list a proposed BIP to add an OP_CAT opcode to tapscript. The opcode would take two elements at the top of the stack and concatenate them into a single element.
Mailing list hosting
Administrators for the Bitcoin-Dev mailing list announced that the organization hosting the list plans to cease hosting any mailing lists after the end of the year. The archives of previous emails are expected to continue being hosted at their current URLs for the foreseeable future.
HTLC aggregation with covenants
Johan Torås Halseth posted to the Lightning-Dev mailing list a suggestion for using a covenant to aggregate multiple HTLCs into a single output that could be spent all at once if a party knew all the preimages. If a party only knew some of the preimages, they could claim just those and then the remaining balance could be refunded to the other party. Halseth notes that this would be more efficient onchain and could make it more difficult to perform certain types of channel jamming attacks.
News & Noteworthy
Bitcoin
Durabit whitepaper dropped via inscription [Tweeted by Rijndael]
“A novel solution that leverages the power of Bitcoin to establish enduring incentive systems for continuous data distribution. This tooling combines time-locked Bitcoin bonds and timestamped torrent magnet links to motivate users to actively participate in the seeding of large files. Durabit not only addresses the initial data propagation challenge but also helps offset the long-term operational costs of seeding files. By marrying the immutability of Bitcoin’s blockchain with the efficiency of BitTorrent magnet links, Durabit ensures data availability and integrity while building a self-sustaining incentive system for content distribution.” [Durabit Github]
Bull Bitcoin Launches Self Custody Wallet [Bitcoin News]
With this development, Bull Bitcoin has integrated a non-custodial exchange and a non-custodial wallet within a single application.
Federal Reserve threatens to sue #Bitcoin Magazine in attempt to silence criticism of its FedNow service [Bitcoin Magazine]
BitStream: Decentralized File Hosting Incentivised via Bitcoin Payments paper released by Robin Linus
Lightning
Lightspark unveiled enterprise-grade end-to-end solution for Universal Money Addresses (UMA) [Announcement]
UMA combines human-readable Lightning Addresses with enhanced messaging and integration with the Lightning Network’s real-time, global payment rails to make sending money as easy as sending an email.
It is open-source and available for anyone to use.
It has generated controversy for extending lightning and LNURL to [support compliance] (“Through UMA, Lightspark’s solution supports a full range of compliance messaging for anti-money laundering, sanctions reviews, and travel rule purposes.”)
Relai partners with Breez to launch Lightning Beta [Announcement]
In collaboration with the Lightning startup Breez, as of now, you can sign up for the beta test for Relai’s Non-Custodial Lightning Wallet
With this integration, Relai now supports Lightning transactions while ensuring users maintain full control over their Bitcoins
Strike
Launched 0-value Lightning invoices
Enables our users to send any amount from their cash or Bitcoin balance to other wallets
Live for all users globally on iOS and Android (latest version)
Partnered with BitRefill to enable users globally to make real-world purchases via the Lightning Network within Strike
Now supports incoming wire transfers, allowing Strike customers to transfer unlimited funds and buy as much bitcoin as they’d like, all withdrawable immediately.
Brought back direct deposits. You can now get any portion of your paycheck paid in bitcoin with Strike.
Expanded supported payment methods, including debit cards and enhanced bank connectivity support.
Begun allowing some customers to use Strike with their linked payment method, no longer requiring a deposit first. Make Lightning payments with your debit card, send bitcoin to cold storage with your bank account, and more.
Removing channel reserve for mobile wallet users proposed by t-bast
Batch exchange withdrawal to lightning requires covenants according to t-bast
Kollider is shutting down [Announcement]
“We weren’t able to find a large enough audience that wanted to trade but also use Lightning. Operating an exchange is expensive so it’s hard to sustain with not much trading activity.”
Athena becomes the first Bitcoin ATM company to support Lightning Network withdrawals. [Asociación Bitcoin de El Salvador]
Nostr
Geyser migrates to Nostr [Announcement]
Every Geyser project now gets a unique Nostr identity (NPUB) - a big leap for the Open Creator Economy
Your Geyser project lives on Nostr, regardless of whether you’re logging in via Nostr or Twitter.
This means broader visibility and more engagement for your content on Nostr platforms
Scionic Merkle DAG Trees: Backwards-Compatible Integration with Nostr for Multimedia Hosting paper released by H.O.R.N.E.T. Storage
Funding
Opensats
Long-Term Support For Matt Morehouse
Matt is a security researcher & developer focused on the detection and prevention of various bugs and attack vectors that could threaten the stability of the Lightning Network.
He is dedicated to enhancing the security and robustness of Lightning implementations through extensive fuzz testing, meticulous auditing of BOLT specs and Lightning implementations, and responsible disclosure of discovered bugs and vulnerabilities. His efforts aim to motivate greater investment in the security of Lightning, ensuring its reliability and trustworthiness.
Furszy joined as a Core developer in June 2022 and has been actively involved in a wide spectrum of contributions ever since. Prior to his current role, he served as a software maintainer for a privacy-centric project. Consequently, privacy and performance are two of the areas Furszy focuses on.
Long-term support will allow Furszy to dedicate significant attention to the project’s shared goals and the stability of the main reference client. In addition to his own code contributions, he is actively reviewing and providing feedback on others’ pull requests, as well as engaging in daily discussions with other core developers to address potential issues and collaboratively explore avenues for enhancing the project.
Mining
Bitcoin Miner Marathon Tests BTC Mining With Methane Gas From Waste Landfill [Coindesk]
Bitcoin miner Marathon Digital (MARA) has started a pilot mining project in Utah that is using methane gas generated from landfill waste to make electricity to power mining operations.
The 280 Kilowatt (kW) pilot project in Utah is already operational.
Block completes the first prototype of the MDK’s hashboard
Key features:
Distributed controller architecture
Precision load control
Extended operating range
Business & Finance
NYAG files complaint against Gemini, Genesis, DCG, Michael Moro and Barry Silbert over Earn product and covering up $1 billion hole [The Block]
The NYAG has filed a complaint against multiple entities involved in the Gemini Earn saga, which involved lending money to Genesis — which was ultimately lost by Three Arrows Capital.
The NYAG claims that Genesis, Michael Moro and Barry Silbert conspired to fraudulently represent Genesis’ financial condition to hide the hole in its finances.
Gemini Sues Bankrupt Lender Genesis, Its Former Partner, Over $1.6B Worth of GBTC [Coindesk]
Gemini is seeking to gain control of the GBTC shares, which, Gemini said, “would completely secure and satisfy the claims of every single” Earn customer – whose money was locked up when Genesis froze withdrawals last year.
TBD and Circle Announce New Initiative Enabling Decentralized Identity, Credentials, and Open Payment Standards [TBD]
Foundation members will work together to contribute and promote open source standards, including technical specifications, open source software, and reference implementations focused on areas including:
Identity and Credential Standards to establish trust, including specifications, standards, and reference implementations for decentralized identity issuers, high assurance verifiable credentials for payment use cases, naming conventions to find and address counterparties via human-friendly names and URIs, and operational capabilities to grow and certify identity and credential issuers based on these standards.
Open source liquidity protocol, to be contributed by TBD, along with specifications, reference implementations, and tools that work together with stablecoins and identity to support mainstream payments and commerce use cases, promoting wallet and financial service interoperability for highly scalable, low-cost, and trusted exchanges of value.
Bitcoin custody platform @custodiabank founded by Bitcoin advocate @CaitlinLong_ launches custom-built custody platform [Bitcoin Launches]
Service targeting businesses like fiduciaries, investment advisers, fund managers & corporate treasurers
Products vary depending on state
Won approval from the Wyoming Division of Banking in October
Offers segregated (rather than omnibus) custody accounts
Onramp launches a global Bitcoin asset management platform built on multi-institution custody [Bitcoin Launches]
Privacy
Swan will no longer service clients who directly interact with mixing services (such as Wasabi, Samourai and similar services) due to the recent proposed ruling from FinCEN regarding Bitcoin mixing. [wim]
There have been recent incidents in Sweden involving armed robberies targeting Bitcoin and crypto holders in their homes. [Erica Wall]
Multiple cases, including prominent figures in the cryptocurrency sector, have been reported.
Victims had either discussed Bitcoin publicly or livestreamed Bitcoin-related content.
The issue arises from the ease of accessing residential addresses and tax records in Sweden.
This accessibility is due to the legal principle of “Public Access to Information.”
Some individuals have left Sweden due to these safety concerns and may not return until privacy laws change.
Government & Political
“FinCEN is proposing to apply section 311 of the Patriot Act against basically all types of crypto privacy, including on noncustodial methods.” [Lyn Alden]
“Notably, if successful (it is still in the proposal phase), it would be a big extension of their mandate to apply that section to a “class of transactions” rather than to any particular custodial entity.”
“Certain types of math/software would become illegal/sanctioned.”
EU urged to drop new law that could allow member states to intercept and decrypt global web traffic [The Record]
More than 300 of the world’s most respected cybersecurity experts as well as Linux Foundation, Cloudflare and Mozilla have written to European Union lawmakers to warn that the proposed regulations are a “dangerous intervention” and could undermine online security.
The letters were prompted by a proposed update to the bloc’s eIDAS (Electronic Identification, Authentication and Trust Services) regulations which would give EU member states the ability to issue so-called Qualified Website Authentication Certificates (QWACs) - cryptographic certificates that web browsers would have a legal obligation to accept as valid — paving the way for governments to intercept encrypted web traffic globally.
Kraken has notified its users of when it will comply with a requirement to provide the IRS with user records [Bitcoin Magazine]
“After losing a lengthy court case, they will need to turn over sensitive data to the Internal Revenue Service (IRS) after a legal battle that began in May 2021”.
SEC subpoenas PayPal over its USD-pegged stablecoin [TechCrunch]
“The payments giant said Thursday that it had received a subpoena from the Securities and Exchange Commission related to its U.S. dollar-pegged stablecoin, according to Reuters.”
Reads & Resources
1:52:22 Here’s a list of our top recently published reads and useful resources:
Lightning Report - October 2023 by River
Lightning Development with Swift: Make Your First Lightning App with LDK Node Swift [by Bitcoin Developers on YouTube] (20 minute tutorial!)
How does a lightning replacement cycling attack work? Thread by mononaut
Technical Case Study: How to enable Bitcoin payments for merchants at events using BTCPay Server by [BTCPay Server]
Scionic Merkle DAG Trees: Backwards-Compatible Integration with Nostr for Multimedia Hosting by H.O.R.N.E.T. Storage
BitStream: Decentralized File Hosting Incentivised via Bitcoin Payments by Robin Linus
Episode submission ideas
We’re looking for ideas for interesting panel conversations. To send Bitcoin related questions, just go to bitcoin.review and follow the contact links at the bottom of the page.
Get in touch with the pod
Nostr & LN ⚡nvk@nvk.org (not an email!)
Did I get anything wrong above? Help me correct it producer@coinkite.com