BR090 - COLDCARD, BullBitcoin, Tangem & Proton Vulnerabilities, Signatures Explained + MORE ft. Rob
I’m joined by guest Rob Hamilton to go through the list.
Housekeeping
00:01:37 Verify-address over NFC using a Coldcard Q and BDK iOS example wallet [Demo by Matthew Ramsden]
Urgent Vulnerability Disclosures
00:18:57 New fake Ledger data breach emails try to steal crypto wallets [Bleeping Computer]
These emails falsely claim that a data breach has occurred, urging recipients to verify their recovery phrases through a provided link.
00:20:51 Cryptocurrency hardware wallet Tangem ‘fixes’ app bug that saved user seed phrases in application logs, exposing private keys during support interactions [Coin Telegraph]
“What was the issue? When creating a wallet with a seed phrase, the private key was mistakenly logged in the application’s logs. These logs could later be accessed during interactions with our support team.” [Tangem’s Reddit comment]
Redditor u/areklanga points out in a Reddit discussion on Tangem’s operations: “So, user private keys remain in both user email history, Tangem email history, and perhaps in some Tangem ticket tracking system and are available for Tangem employees. Which makes all Tangem users compromised.”
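The Tangem bug above is a logging failure: a secret reached the log pipeline and then travelled wherever logs travel (support tickets, email). As an added illustration, not Tangem’s code and not tied to any real wallet, here is a Python logging filter that scrubs key- and seed-shaped strings from every record before any handler writes it. The two regexes and the sample values are constructed for the example; the mnemonic pattern is deliberately loose because over-redacting prose is the cheaper mistake.

```python
import logging
import re

# Added example, not Tangem's code. Two shapes that must never reach a log:
# a 64-hex-char raw private key, and a run of 12 to 24 short lowercase words
# (the shape of a BIP39 seed phrase). Over-matching ordinary prose is the safer
# failure mode here, so the mnemonic pattern is intentionally loose.
HEX_KEY_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")
MNEMONIC_RE = re.compile(r"\b(?:[a-z]{3,8}\s+){11,23}[a-z]{3,8}\b")


def redact(text: str) -> str:
    """Return text with anything key- or seed-shaped replaced by a marker."""
    text = HEX_KEY_RE.sub("[REDACTED-HEX-KEY]", text)
    text = MNEMONIC_RE.sub("[REDACTED-MNEMONIC]", text)
    return text


class SecretRedactingFilter(logging.Filter):
    """Scrubs both the format string and its arguments before any handler sees them."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(str(record.msg))
        if isinstance(record.args, tuple):
            record.args = tuple(redact(str(a)) for a in record.args)
        return True


def make_logger(name: str = "wallet") -> logging.Logger:
    """Logger whose every record passes through the redacting filter."""
    logger = logging.getLogger(name)
    logger.addFilter(SecretRedactingFilter())
    return logger


if __name__ == "__main__":
    # Constructed sample values, not real keys.
    fake_key = "ab" * 32
    fake_seed = " ".join(["abandon"] * 11 + ["about"])
    logging.basicConfig(level=logging.INFO, format="%(message)s")
    log = make_logger()
    log.info("wallet created from seed: %s", fake_seed)   # prints the marker, not the words
    log.info("derived key %s", fake_key)                   # prints the marker, not the hex
```

Attaching the filter to the logger (rather than to one handler) means a support-export handler added later is covered too; the remaining risk is secrets formatted into the message before it reaches logging, which no filter can see.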
00:26:03 Irrevocable fees—stealing from LN using revoked commitment transactions [David Harding’s disclosure]
A critical vulnerability in all major Lightning Network implementations could allow miners to steal up to 98% of channel funds under certain conditions. Honest users performing normal operations also risk smaller fund losses due to similar flaws.
Eclair, LDK, and LND with default settings were vulnerable to an immediately exploitable version of the attack. Core Lightning users face risks with non-default configurations, especially when the --ignore-fee-limits setting is enabled. Mitigations for the most critical flaws are implemented through updates: Eclair v0.10.0 (Feb 2024), LDK v0.0.123 (May 2024), and LND v0.18.3-beta (Sept 2024). Future protocol changes are required to eliminate all variations of the vulnerability.
00:27:13 Security research company Zellic identified a vulnerability in Proton Wallet’s early preview version, affecting wallet and backup mnemonic security.
The issue stemmed from the use of Dart’s Random() class, which is not cryptographically secure. This weakness made it feasible for attackers to predict generated passwords, compromising user data.
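The Proton Wallet finding above is the classic non-cryptographic-PRNG mistake: Dart’s default Random() is seeded from a small, guessable state, while Random.secure() reads from the OS. As an added example (not Proton’s or Zellic’s code), the Python below does two things a reviewer would want: a regex lint that flags Random() constructions in Dart source while leaving Random.secure() alone, and a password generator that draws from the secrets module with its entropy accounted for. The Dart snippet is constructed for the test.

```python
import math
import re
import secrets
import string

# Added example, not Proton Wallet's code. The lint is a plain regex pass over
# source text: it flags dart:math Random() / Random(seed) constructions and
# ignores Random.secure(), which is the CSPRNG-backed constructor.
INSECURE_RANDOM_RE = re.compile(r"\bRandom\s*\(")


def find_insecure_random(dart_source: str) -> list:
    """Return (line_number, line) for every Random() construction not using .secure()."""
    hits = []
    for lineno, line in enumerate(dart_source.splitlines(), start=1):
        code = line.split("//", 1)[0]          # ignore trailing line comments
        if INSECURE_RANDOM_RE.search(code):
            hits.append((lineno, line.strip()))
    return hits


ALPHABET = string.ascii_letters + string.digits   # 62 symbols


def generate_password(length: int = 20) -> str:
    """Password drawn from the OS CSPRNG via the secrets module."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def password_entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly drawn password; only meaningful if the source is unpredictable."""
    return length * math.log2(alphabet_size)


# Constructed Dart snippet used to exercise the lint.
SAMPLE_DART = """\
import 'dart:math';
final rng = Random();          // flagged: default PRNG, predictable
final seeded = Random(42);     // flagged: fixed seed, fully reproducible
final safe = Random.secure();  // not flagged: OS-backed CSPRNG
"""

if __name__ == "__main__":
    for lineno, line in find_insecure_random(SAMPLE_DART):
        print(f"line {lineno}: {line}")
    print(generate_password(), round(password_entropy_bits(20), 1), "bits")
```

The entropy figure is the point of the second half: 20 characters from a 62-symbol alphabet is about 119 bits only when every draw is unpredictable; the same string produced by a seeded PRNG carries no more entropy than the seed.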
Bitcoin
Software Releases & Project Updates
00:28:29 Coldcard Edge v6.3.4
Shared Improvements - Both Mk4 and Q
Enhancement: Hide Secure Notes & Passwords in Deltamode. Wipe seed if notes menu accessed
Enhancement: Hide Seed Vault in Deltamode. Wipe seed if Seed Vault menu accessed
Bugfix: Do not allow to enable/disable Seed Vault feature when in temporary seed mode
Bugfix: Bless Firmware causes hanging progress bar
Bugfix: Prevent yikes in ownership search
Change: Do not allow to purge settings of current active tmp seed when deleting it from Seed Vault
Mk4 Specific Changes
All updates from 5.4.0
Enhancement: Export single sig descriptor with simple QR
Q Specific Changes
All updates from version 1.3.0Q
Bugfix: Properly re-draw status bar after Restore Master on COLDCARD without master seed
00:33:00 BLOCKCLOCK v1.2.3
MINI only:
Add some “mime fun” on display page. Mr. Yellow makes an appearance.
Press either of the two middle buttons (not top/bottom) and the next value in your list will be shown immediately. MICRO already had this feature with bottom right button.
External IP address reported into the log file to aid network debug.
MAC address (wifi) is now shown on network page. Might be used for DHCP management on your LAN.
Caret symbol (^) added to the font.
Some values will be able to show OVER/UNDER without the bar between.
Improve local API display of numeric values, when using /api/show/number endpoint.
00:33:36 BDK v1.0.0
Wallet::transactions should only return relevant transactions
Minor updates to fix new rustc 1.83.0 clippy warnings
00:33:50 Nunchuk
00:34:19 BullBitcoin Mobile v0.4.0 - Payjo+n
Basic Payjoin Implementation:
Bull Bitcoin integrates Payjoin V2 into its mobile wallet, enabling serverless, asynchronous Bitcoin transactions. [Announcement]
Payjoin transactions no longer require constant internet connectivity or a full node. The receiver’s device can stay offline, resuming the session when reconnected.
00:36:59 Bitcoin Keeper
Mobile v1.3.1
New Collaborative Wallet flow to make it easier to create a wallet with friends and family
Update the signing devices UI with a focus on easier collaboration and use
How to set up Bitcoin Keeper wallet with Tapsigners to create a mobile inheritance plan [Tutorial by BTC Sessions]
00:37:21 Electrs v0.10.8
Separate blocks reading & index writing into scoped threads
Set HTTP Content-Type header for Prometheus response
Use ctrlc in place of signal-hook on Windows
Don’t deserialize transactions if not needed
Run CI only on master branch and PRs
Update dependencies (bitcoin, bitcoin_slices, crossbeam-channel, tempfile)
00:39:20 BTCPayServer v2.0.5
Checkout: Add support link to footer
Pull Payment: Add “Copy Link” button to the action column
Greenfield: Remove authorization requirement for PoS data
Greenfield: Resolve store user’s image URL
00:39:36 rust-payjoin v0.22.0
Payjoin V2 Sender now serializes reply_key so that it may resume after being persisted
Propagate uri Fragment parameter errors to their caller
Have Sender persist reply key so resumption listens where a previous send session left off
00:39:45 Krux installer v0.0.20
First stable version of the entire code refactoring. Existing features:
Automatic check of latest official firmware
Optional selection of older firmware versions
Supported devices: M5stickV, Sipeed Amigo, Sipeed Bit, Sipeed Dock, Sipeed Cube, Yahboom, WonderMV
Flash official firmware with automatic integrity/authenticity verification
Flash beta firmware devices
Air-gap update devices with SDcard
Wipe devices
Support for Windows, MacOS Arm, MacOS Intel, Debian-like OS and Fedora
00:39:55 Frostsnap v0.0.0-alpha.1
Basic wallet recovery:
Allows you to delete keys from the key list
Allows you to recover them by plugging in devices
00:40:42 Bitcoin Safe 1.0.0rc1
New Features:
Full support for all major hardware signers Coldcard, Q, Bitbox02, Blockstream Jade, Trezor, Foundation Passport, Keystone, Ledger, Specter DIY
Full support for BBQr and UR
Balance Statement PDF Export
Improved Features:
Sync & Chat: Label Synchronization backup and Multi-party Multisig Collaboration can now be enabled in the last wallet setup wizard step
Transaction diagram navigation by clicking on inputs and outputs
00:42:03 Blockstream Satellite v2.5.0
Add graphical user interface (GUI) application (blocksat-gui)
Add option to disable Linux media build backport on TBS driver installation
Update Telstar 11N Africa and Europe downlink frequencies
00:42:28 Raspiblitz v1.11.4
AlbyHub feature release
Add AlbyHub to RaspiBlitz SSH menus
Improve mempool install script
00:42:39 Ashigaru v1.1.0
Overhaul of Settings menu user interface
Add wallet accounts recovery information
Ability to automatically update over Tor the app’s functionality URLs (with PGP verification) to ensure continuous PayNym directory and Soroban network availability.
Display Tor direct download .onion URLs. URLs automatically updated over Tor (with PGP verification).
Display Ashigaru Tor website URL. URL automatically updated over Tor (with PGP verification).
Ability to hide balance by tapping on available balance
Consolidation and Wallet Sweep transaction alerts
00:45:02 BoltzExchange
boltz-web-app v1.6.0
Add WalletConnect
Show error when QR scanning is not supported in browser
Help server claim Chain Swaps that receive on EVM
boltz-backend v3.9.0 - Swarm of Swaps
Add batch claim support for Chain Swaps
Add batch claiming on EVM based chains
BoltzExchange launched Boltz Pro, a non-custodial way to earn sats with swaps on Boltz [Announcement]
Boltz Pro offers dynamic fees that let users earn sats for swapping funds in specific directions when wallet imbalances arise.
00:45:04 Mempal v1.4.0
New app icon
Tap to refresh any individual dashboard card
Save multiple custom mempool servers in settings
New settings option to change notification intervals from minutes to seconds
Fee distribution data will now fallback to mempool.space when using a custom mempool server
Widget data now defaults to mempool.space when using Tor
00:45:11 Zaprite v2024-12-23
Orqestra: add new Orqestra.io integration to enable automated USD-to-BTC conversions
Merchant X: update Merchant X Checkouts to use an inline credit card form instead of a modal
Public API: update documentation to explain that Orders are not visible until paid
LNURL: enhance LNURL error reporting
00:45:13 ESP-Miner v2.4.2
Add uptime to home screen
Change naming of stratum url to host
Change Stratum Fallback URL as well
Adds solohash getQuickLink()
Change Mining URL to Stratum Host on screen
Project spotlight
00:45:18 Satoshi: A new wallet for Bitcoin, Lightning, and Liquid payments, that can be both custodial or self custodial [Announcement]
Satoshi Version 1.0 is now live in the App Store in 40 countries. 🎉
00:45:28 Joinstr: An experimental rust implementation of joinstr [Github]
A dedicated RSS feed is available.
00:45:33 miningpool-observer: The project compares block templates produced by a Bitcoin Core node to blocks produced by mining pools to provide insights [Github]
00:46:51 Dojo Bay: A directory of available Dojo nodes, allowing users to select nodes based on reputation and location, both for Mainnet and Testnet.
00:46:56 Nightly Bitcoin Core Tests: A tool to test and review development versions of Bitcoin Core [Github]
00:47:04 Nigiri: A delicious docker box for special Bitcoin cookings [Github]
Nigiri offers a command-line interface that utilizes preconfigured Docker Compose setups to create a ready-to-use Bitcoin regtest environment.
The preconfigured package includes a Bitcoin Core node running in regtest mode, a backend and frontend explorer (Electrum) and Chopsticks a JSON HTTP proxy. You can extend the setup with: Ark, Elements/Liquid sidechain, and Lightning Network nodes.
00:47:15 Run Litd: Notes and helper scripts for setting up and running a Litd node. [Github]
00:47:28 bllsh: A bullish shell for a bitcoin lisp language [Github]
“Basic Bitcoin Lisp language (bll) is a proposed scripting language that could be added to Bitcoin in a soft fork. Formerly called BTC Lisp and conceptually based on Chia Lisp, it’s part of a set of tools that includes symbll (a miniscript-like compiler of higher-level Lisp to lower-level bll) and bllsh (a REPL for trying and debugging symbll and bll).” [Bitcoin Optech definition]
AJ Towns recently presented his work on Basic Bitcoin Lisp Language to Brink engineers [Presentation]
00:48:05 Btceed: Bird’s-eye view of your bitcoin HD wallet [Github]
Btceed is a web application that provides a graphical overview of Bitcoin HD wallets using seed phrases.
00:48:12 Zero Fee Playground: A site for trying out zero fee bitcoin transactions
The Zero Fee Playground provides a step-by-step demonstration for creating and testing paired transactions using Bitcoin version 28’s updated rules.
00:49:17 P2PK Playground: A site for creating P2PK outputs in bitcoin i.e. paying someone’s raw public key
The guide includes step-by-step instructions for creating and spending P2PK outputs, highlighting tools for broadcasting transactions
00:50:51 Bitcoin Testnet4 Faucet: A faucet for Bitcoin testnet4 coins, written in C# using ASP.Net Razor Pages and NBitcoin. [Github]
The faucet uses OAuth to authenticate users and does not store any personal information.
00:50:58 Hashteroids: browser-based game combining elements of the classic Asteroid arcade gameplay with Bitcoin mining concepts
00:51:07 My First Bitcoin launches Community Hub to support independent bitcoin educators with resources and tools [Announcement]
The platform features Wikis, forums, and a structured system for new educators, helping them connect and share resources globally.
Vulnerability Disclosures
00:51:39 Oasis Security’s research team discovers a critical flaw in Microsoft’s Multi-Factor Authentication system, enabling attackers to bypass it and access user accounts, including Outlook, OneDrive, Teams, and Azure Cloud. [Public disclosure]
The vulnerability involves a lack of rate limiting for failed MFA attempts, permitting rapid session creation and code enumeration.
Attackers can exhaust all 1 million possible six-digit codes within approximately an hour, without user interaction or alerts.
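The Oasis finding above comes down to where the failure budget lives: counting wrong codes per session lets an attacker refill the budget by opening another session. As an added example (not Oasis Security’s or Microsoft’s code, and not any real service’s API), here is a verifier in Python that keeps the budget per account, refuses new sessions while an account is locked, invalidates every open session on lockout, and records an alert the user can be told about. The limits and sample codes are constructed assumptions; the clock is injectable so the lockout can be tested without waiting.

```python
import hmac
import time
from dataclasses import dataclass, field

MAX_FAILURES = 5            # wrong codes tolerated per account before lockout
LOCKOUT_SECONDS = 15 * 60   # lockout length; both values are illustrative assumptions


@dataclass
class AccountState:
    failures: int = 0
    locked_until: float = 0.0
    sessions: set = field(default_factory=set)


class MfaVerifier:
    """Per-account failure budget shared across every MFA session of that account.

    Counting failures per account (not per session) is what closes the loophole
    described above: a fresh session does not refill the budget, and a locked
    account cannot open new sessions at all.
    """

    def __init__(self, clock=time.time):
        self.clock = clock
        self.accounts = {}    # account -> AccountState
        self.sessions = {}    # session_id -> (account, expected_code)
        self.alerts = []      # (account, timestamp) lockouts to notify the user about

    def _state(self, account) -> AccountState:
        a = self.accounts.setdefault(account, AccountState())
        if a.locked_until and self.clock() >= a.locked_until:
            a.failures, a.locked_until = 0, 0.0   # lockout expired: reset the budget
        return a

    def start_session(self, account, session_id, expected_code) -> bool:
        a = self._state(account)
        if self.clock() < a.locked_until:
            return False                          # no new sessions while locked
        a.sessions.add(session_id)
        self.sessions[session_id] = (account, expected_code)
        return True

    def verify(self, session_id, submitted_code) -> str:
        entry = self.sessions.get(session_id)
        if entry is None:
            return "no_session"
        account, expected = entry
        a = self._state(account)
        now = self.clock()
        if now < a.locked_until:
            return "locked"
        if hmac.compare_digest(expected.encode(), submitted_code.encode()):
            self.sessions.pop(session_id, None)   # codes are single-use
            a.sessions.discard(session_id)
            a.failures = 0
            return "ok"
        a.failures += 1
        if a.failures >= MAX_FAILURES:
            a.locked_until = now + LOCKOUT_SECONDS
            for sid in a.sessions:                # kill every open session too
                self.sessions.pop(sid, None)
            a.sessions.clear()
            self.alerts.append((account, now))    # surface the lockout to the user
            return "locked"
        return "wrong"


if __name__ == "__main__":
    v = MfaVerifier()
    v.start_session("alice", "s1", "123456")      # constructed sample code
    print(v.verify("s1", "000000"), v.verify("s1", "123456"))
```

A budget of five guesses against a six-digit space gives an attacker a 5 in 1,000,000 chance per lockout window, which is the kind of number the page’s "all 1 million codes in about an hour" figure should be replaced by; the constant-time comparison is there so the wrong/right branch cannot be distinguished by timing.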
00:51:53 Five dollar wrench attacks: Fake uber driver steals over $223,000 in cryptocurrency from customers’ centralized exchange accounts [Fox10]
The driver allegedly deceived victims into handing over their phones by claiming his own device was malfunctioning or offering to assist with the Uber app.
Once in possession of the phones, he reportedly transferred funds from their Coinbase accounts.
00:52:40 Two men fall victim to phishing scams, in May 2024, involving fraudulent Google security prompts [Krebs On Security]
An individual fell victim to a phishing scam, losing nearly $500,000 in cryptocurrency. Scammers tricked him into clicking a fraudulent Google account recovery prompt, providing them access to his Google account. They then retrieved his secret seed phrase stored in Google Photos.
Another individual lost 45 bitcoin after receiving a fake Google security alert and a call from someone claiming his account was compromised. The victim clicked “yes” on the fraudulent prompt and later provided his seed phrase on a phishing site, leading to the instant drainage of his wallet.
00:55:28 Apache MINA’s CVE-2024-52046 flaw, rated CVSS 10.0, enables remote code execution through unsafe Java deserialization. [The Hacker News]
The vulnerability affects versions 2.0.X, 2.1.X, and 2.2.X, triggered by specific classes and unsafe data processing.
00:55:37 WPA3 vulnerability: risks of downgrade attacks and social engineering [CyberNews]
Researchers reveal WPA3 vulnerabilities through a rogue access point and a downgrade attack to WPA2. This allows hackers to capture partial handshake data and potentially recover WiFi passwords.
00:56:07 Hackers compromise 16 Chrome extensions, affecting over 600,000 users, by injecting malicious code to steal cookies and access tokens. [The Hacker News]
The attack begins with a breach of Cyberhaven’s extension on December 24, 2024, through a web-browser-based supply chain attack, exploiting an employee’s credentials to publish a malicious update. [Press release]
00:56:54 Symlink exploit: A vulnerability in Apple’s FileProvider component, identified as CVE-2024-44131, allows unauthorized access to sensitive data by bypassing the Transparency, Consent, and Control (TCC) framework. [The Hacker News]
Exploiting this flaw, a malicious app can intercept user file operations in the Files app, redirecting them to attacker-controlled locations without user awareness.
Audience Questions
00:57:22 Thanks to everyone who sent in questions. Remember to send yours to questions@bitcoin.review.
00:57:32 Can you explain (like I own ETH), how signatures work for spending Bitcoin? Perhaps you can give a useful analogy for how signing can be done offline using your private key, but which doesn’t reveal your private key to the network. In other words how do you PROVE to the network you can legitimately spend that bitcoin without revealing your private key? - anonymous
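The question above is answered on air, not in these notes; as an added illustration (not the hosts’ material, not any wallet’s code), here is a textbook Schnorr signature over secp256k1 in pure Python. It is not the exact BIP340 encoding taproot uses, and the key is a constructed demo value, but the mechanics are the real ones: sign() runs offline with the private key and emits only (R, s); verify() needs nothing but the public key and checks s*G == R + e*P, which holds only if whoever produced s knew d.

```python
import hashlib

# Added example, textbook Schnorr on secp256k1 (the curve Bitcoin uses). Not the
# exact BIP340 encoding, and the demo key below is constructed, not a real one.
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def point_add(a, b):
    """Affine group law; None stands for the point at infinity."""
    if a is None:
        return b
    if b is None:
        return a
    x1, y1 = a
    x2, y2 = b
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                                   # a + (-a)
    if a == b:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P    # tangent slope
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P     # chord slope
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def point_mul(k, pt):
    """Double-and-add scalar multiplication k*pt."""
    acc = None
    while k:
        if k & 1:
            acc = point_add(acc, pt)
        pt = point_add(pt, pt)
        k >>= 1
    return acc


def encode(pt):
    """33-byte compressed point: parity prefix (02/03) followed by x."""
    x, y = pt
    return bytes([2 + (y & 1)]) + x.to_bytes(32, "big")


def decode(b):
    x = int.from_bytes(b[1:], "big")
    y = pow((x**3 + 7) % P, (P + 1) // 4, P)          # sqrt, valid because P % 4 == 3
    if (y & 1) != (b[0] & 1):
        y = P - y
    return (x, y)


def h(*parts):
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")


def pubkey(d):
    """Public key P = d*G: cheap to compute from d, infeasible to reverse."""
    return point_mul(d, G)


def sign(d, msg):
    """Runs offline with the private key d; only R and s leave the signer."""
    k = h(d.to_bytes(32, "big"), msg) % N   # deterministic nonce; reusing k across messages would leak d
    R = point_mul(k, G)
    e = h(encode(R), encode(pubkey(d)), msg) % N
    s = (k + e * d) % N
    return encode(R) + s.to_bytes(32, "big")


def verify(pub, msg, sig):
    """Needs only the public key: s*G == R + e*P iff s was built from d."""
    if len(sig) != 65:
        return False
    R = decode(sig[:33])
    s = int.from_bytes(sig[33:], "big")
    if s >= N:
        return False
    e = h(sig[:33], encode(pub), msg) % N
    return point_mul(s, G) == point_add(R, point_mul(e, pub))


if __name__ == "__main__":
    d = h(b"demo private key (constructed)") % N
    msg = b"spend 1 BTC to bc1q... (constructed message)"
    sig = sign(d, msg)
    print(verify(pubkey(d), msg, sig), verify(pubkey(d), msg + b"!", sig))
```

The algebra is the whole answer to the question: s = k + e*d mixes the secret d with a fresh random k, so s reveals nothing about d on its own, yet s*G expands to k*G + e*d*G = R + e*P using only public values. Changing one byte of the message changes e and the equation fails.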
01:01:04 When people say “there’s not enough UTXOs for everyone to have one”. How do you quantify that? What’s the number of UTXOs and what factors affect that number? (Such as blocksize?) - anon
01:06:20 “I have a legacy address that starts with 1 with some BTC. Should I be worried about CC?” -@Johnylabb
01:07:16 “Don’t get it….why should anyone, except maybe millionaires, self custody? Even if u have a lot of BTC, if it’s from many small utxo then it’s worthless” -@Richard-ki4nkgm
01:10:20 “If BTC must essentially be held in custody, then why use BTC over gold? Distrust among large banks might encourage BTC over gold?” -@Richard-ki4nkgm
Privacy & Other Related Bitcoin Projects
Software Releases & Project Updates
Reticulum MeshChat
Add interface importing and exporting
Add dropdown menu on interfaces
Add button to export a single interface
Add docker image
Add the ability to select a custom profile icon similar to Sideband’s Icon Appearance
Add the ability to select different levels of image compression when adding an image to a message
Add new Ping tool under Tools -> Ping
Add RNode web flasher to new tools section
Add SNR and hops away to LXMF announces list
Add new drop down menu to conversation viewer
Add the ability to ping destination from conversation viewer dropdown
Add LXMF user icons to the announce list and conversation viewer
Add signal metrics to conversation viewer
Add dark mode
Add full micron format and field support thanks
Add setting to select Light Theme or Dark Theme
Add support for showing Sideband/LXMF user appearance icons in conversations list
SimpleX
Chat lists: organize and filter your chats
Open files in default app (Android)
Project spotlight
Superbacked: A secret management platform used to back up and pass on sensitive data from one generation to the next, is now free and source-available [Announcement]
“Superbacked distributed backups are encrypted using Shamir Secret Sharing … before being encrypted (again) using Blockcrypt.” [Github]
The Ludlow Institute: an independent research and media organization dedicated to defending privacy, freedom, and individual autonomy in the digital age. [Announcement]
The institute aims to advance privacy and surveillance research, support privacy tools through advocacy and grants, and provide educational resources such as workshops and meetups.
Lightning + L2+
Project spotlight
Self-custodial wallet Klever Wallet integrates the Lightning Network using the Breez SDK. [Blog post]
Klever targets underserved areas like Nigeria, Brazil, India, and the Philippines with this integration.
Doppler: A tool for building out and managing bitcoind/lightning clusters for regtest or signet environments [Github]
LN OPR: A fast, scalable protocol for resolving Lightning payments [Github]
The Off-chain Payment Resolution (OPR) protocol enables Lightning payments to be resolved off-chain, even in worst-case situations.
It ensures faster resolution, typically within seconds, and improves scalability by avoiding additional blockchain data. [Research paper]
Magma AI: Intelligent channel management for Lightning Network [Announcement]
“By analyzing network data to recommend optimal channel configurations, Magma AI helps node operators improve routing performance and manage liquidity more efficiently.”
Lightstack (Full Phoenixd Stack): Automagic selfcustodial cloud Lightning stack [Github]
A self-custodial Lightning node that can be run on a VPS using this stack, accessed via your domain name. It includes an LNBits instance on your node and a phoenixd endpoint secured with SSL.
A multistack feature now allows multiple stacks to operate on the same VPS, served concurrently.
ZapPlanner: Schedule automatic recurring lightning payments
ZapPlanner is a tool enabling automated transfers within customizable intervals, using Nostr Wallet Connect.
CLN Backup: A CLN plugin that uploads the latest SCB to remote locations. [Github]
Hashpool: An accountless mining pool that represents mining shares as ecash tokens [Github]
“This project is a fork of the Stratum V2 Reference Implementation (SRI) that replaces traditional share accounting with an ecash mint.”
nutjar-ui: A project that helps integrate Lightning tips on websites using nostr and Cashu [Github]
It provides a web component that simplifies the process of adding donation functionality, allowing users to configure attributes like donation receiver details and minting options.
Software Releases & Project Updates
Core Lightning v24.11.1 - The lightning-dev Mailing List II
xpay compatibility improved significantly for xpay-handle-pay: the JSON return should be identical, and it handles maxfeepercent and exemptfee parameters.
xpay results in listpays will include destination and amount_msat fields.
xpay doesn’t spam the logs at INFO level any more
xpay now works through unannounced channels
Zeus v0.9.4-rc1
Embedded Node: LND v0.18.4-beta
Speed up transaction UX improvements
CLNRest: fix display of destination addresses on TXs
Display keysend messages in Activity and Payment views
Open Channel view: UI tabs for Connect Peer
LND: optimize payment path calls after payments
CLNRest: add ability to paste connection strings
Channels: restore sort by Close Height
Networking improvements
Ark v0.4.1 - Support absolute locktime (CLTV)
Patch release that adds support for absolute locktimes encoded in the VTXO script with CLTV
Fedimint v0.5.0 - Christmas Edition
Highlights:
Add Tor support for client-federation connections
Stabilize v2 lightning module
Upgrade rust-bitcoin (and related ecosystem-crates) from 0.30 to 0.32
Improve CI to increase our agility while maintaining compatibility guarantees
Fedi App Update
Cashu Melting: Spend eCash between CashuBTC and Fedimint
Portable Nostr Keys: Fedi generates an nPub for you and you can take this nPub with you
Alby
Alby-go v1.8.1
Enhanced UI with popicons and new transaction icons
Verified ownership of Lightning addresses to avoid confusion
Support for nostr+walletconnect:// connection URLs
Show wallet name in payment confirmations and home screen
Simplified wallet renaming process
Alby-hub
v1.12.0 - Michael Froomkin
Pay 0-amount invoices
Migrate to VSS
Fire channel open and closure events in lnd
Improve Alby Account connection card
Add environment variable to customize LDK listening addresses
v1.11.2 - Suelette Dreyfus
Implement a large number of improvements to the privacy of app connections:
Relay connectivity
Backups
Open channel flows
Receive page
Isolated app connections
Transaction lists
BitBanana v0.8.8
Proper Android 14 support
Add Auto-Lock Timeout setting
Increase disconnect timeout after app moved to background to 5 min
Unlocking the app no longer restarts the connection
Migration Backup now includes app settings
Increase displayed lightning fee precision
Add explanation popup when enabling stealth mode
Add Tamil language
Loop v0.29.0-beta
Add support for persisting address loop in mode
Nostr
Project spotlight
PZP, a peer-to-peer protocol focused on enabling decentralized app development with lightweight storage requirements [Code repository]
Key features include public-key addressing, content deletion, multi-device identity support, and easy CRDT data structures like sets and dicts.
PZP differs from Nostr by using device-specific keys, sig-chains to track missing content, and being invite-only.
Narr: A self-hosted Nostr and RSS reader [Github]
“narr (not another rss reader) is a web-based RSS and Nostr long-form feed aggregator which can be used both as a desktop application and a personal self-hosted server.”
Noflux: A minimalist and opinionated feed reader based on Miniflux. [Github]
Noflux is a free and open-source Nostr and RSS feed reader optimized for readability, featuring fast navigation, no advertising or user tracking, and simple installation, while supporting Nostr NIP-23 feeds.
Keycast: Secure remote signing and permissions for teams using Nostr. [Github]
Keycast is an open-source platform designed for secure remote signing and key management for teams using Nostr. It enables collaborative management of keys, setting policies, and managing permissions.
Aegis Relay: A premium relay and blossom service that allows relay operators to earn income by providing relay services to the network. [Github]
Nostr Safebox: Your own private portable safebox on nostr [Github]
Nostr Safebox acts as a personal, portable safebox for securely storing private information like wallets and records while using the Nostr network.
It uses NIP-44 encrypted events to store its index and contents securely. Access is granted via a unique nsec key, which can be user-generated or provided by a custodial service.
nostr-nsec-seedphrase: A focused TypeScript library for Nostr key management and seedphrase functionality, with seamless integration with nostr-crypto-utils [Github]
This package is designed to convert between nsec keys and seed phrases, manage delegations, and support multiple key formats.
Noscrypt: A nostr specific cryptography library written in C [Github]
“A high-level C utility library built specifically for nostr cryptography operations such as those defined in NIP-01 and the new NIP-44 (NIP-04 coming soon).
Noscrypt simplifies key generation, note signing & verification, NIP-44 data encryption, NIP-44 private message encryption, and much more.”
Immortal: A nostr relay designed for scale [Github]
Immortal is a Nostr relay implementation written in Go, and designed for scalability and high performance. It is particularly suitable for large community or paid relays, rather than personal use.
LumiLumi: A lightweight web client for Nostr [Github]
LumiLumi is a web-based client for the Nostr protocol. It supports image and URL sharing, custom emojis, and various muting features.
To accommodate users with limited data, LumiLumi offers settings to disable images, icons, and Open Graph Protocol (OGP) data, reducing communication costs. It also includes features like NIP-05 verification, relay configuration, and reaction settings.
nostr-zap-view: View any nostr zaps from anywhere, supporting npub, nprofile, note, and nevent identifiers. [Github]
Spring boot starter: Write Nostr applications with the Spring boot kit [Github]
The project helps developers build Nostr applications, supports both custom relay software and client creation, and integrates with nostr-proto for core Nostr concepts.
Bouquet: A web tool to sync blobs between blossom servers. [Code repository]
CVS Importer: A Nostr Uploader. Publish events in bulk via CSV
Servus: A minimalist social media server [Github]
Servus is fully self-contained within one executable file: CMS, Personal Nostr relay, and Personal file server (Blossom & NIP-96).
Mostr: An immutable nested collaborative task manager, powered by nostr [Github]
Novia (NOstr VIdeo Archive): Manage video downloads on NOSTR [Github]
A service that connects video archive tools to NOSTR. It supports video downloading, metadata management, and publishing video events on NOSTR relays while enabling decentralized video management and sharing.
Meme Amigo: A companion app for Gifbuddy.lol, designed as a PWA for creating memes on the go. It allows users to easily add memes to notes on Nostr.
Meme templates stored on relays under NIP94, generate @nostr.build URLs for easy sharing, add emojis, paste images, and meme GIFs on the same page.
Awesome Nostr Bots: List of collected Bots on nostr [Github]
A curated list of bots on Nostr with their descriptions and functionalities. These bots bring automation, insights, and updates to the Nostr network.
Persian Nostr Book: A nostr book written in Persian [Github]
Software Releases & Project Updates
Rust Nostr v0.38.0
Add full NIP42 support for SDK and relay builder
Add negentropy support
Add read/write policy plugins for relay builder
Add NIP35 support
Improve logs, docs, and performance
Primal Android
Highlights in Reads
USD currency support in Wallet
Biometric prompt when accessing private key
Blossom support when rendering images in feeds
Rendering quoted articles, highlights and notes in note editor
Implemented:
Profile avatar and cover image viewer in profile details screen
Rendering highlights and generic events in feeds
Tap QR code to copy addresses on profile QR code viewer
Follow/unfollow approvals if contact list is not found
Onboarding follows customisation and zaps introductions
Premium badge on profile details screen
Support for primal legend avatars across the app
Primal premium check into profile editor
Damus Testflight v1.12
Render Gif and video files while composing posts
Add profile info text in stretchable banner with follow button
Paste Gif image similar to jpeg and png files
Improve UX around the label for searching words
Improve accessibility support on some elements
YakiHonne web Update
Resolve issues causing the article editor to appear malformed
Add support for both LTR and RTL languages in the article editor
Enhance the messaging box to support long text writing
Secure DMs (Nip44) can now be enabled globally via the messages and settings pages
Flotilla v0.2.0
Add NIP 29 compatibility
CDK v0.6.0
Changed:
cdk: Enforce quote_id to uuid type in mint
cdk: Refactor wallet mint connector
Added:
cdk: NUT19 Settings in NUT06 info
cdk: NUT17 Websocket support for wallet
cdk-axum: Redis cache backend
cdk-mints: Get mint settings from env vars
cdk-axum: HTTP compression support
Knox Update
Switch to NIP-44 encryption
Gossip v0.13.0
File Metadata support (NIP-92 / NIP-94)
Blossom support (BUD-01, BUD-02)
NIP-89 Support - Recommended Application Handlers
Search on relays (NIP-50): choose your search relays first
Followers and Followed: see who someone follows, and who follows them
Undo Send - for 10 seconds (or whatever you configure) you can undo sending
Thread replies now sorted by date, except author replies come first
Feeds no longer inject new events and scroll while you are trying to read.
Relays can now be tested to see whether they are fit for purpose
NIP-46 replies with NIP-44 encryption if the client used it
NIP-44 encryption now used for private contacts and private lists
Nostrudel v0.42.0
Add support for olas media posts and NIP-22 comments
Add tools menu under thread post
Add favorite DVM feeds
Add templates to event publisher
Update timelines to use applesauce
Add open and share button to stream view
Add “Proactively authenticate to relays” option to privacy settings, defaults to off
Support searching local relay
Add support for cashu v4 tokens
0xChat App Desktop v1.0.0
The first desktop beta version supports macOS, Linux, and Windows
Future plans:
Support NIP-46 login
Optimize the UI & UX for the desktop version
Improve the performance of the desktop version
nos.social v1.0.4
Add feed picker view (UI only)
Add feed source customizer drop-down view
Add empty state for lists/relays drop-down
Add support for decrypting private tags in kind 30000 lists
Add remembering which feed source is selected
Citrine v0.6.0
Show notifications when importing, exporting, downloading events
Change database functions to be suspending functions
Update dependencies
Honeypot v0.1.0
Improve onboarding flow
Nowser v0.0.3
Add built-in relay for remote signer
Bookmarks support add to app index
Bookmarks support quick action for mobile
Bookmarks support add to desktop for android
Reject private zap decrypt request from amethyst
Haven v1.0.3
Add support for count events
Remove dynamic relay handler
Feature/blossom http range requests
Pokey v0.1.3
Add notifications center
Views rearrangement
Amber v3.0.3
Better pin entry screen
Add a close application config in the ui
Separate the service notification in a group
Always return a hex key for the get_public_key method
Openvibe v1.5.0
Multiple profiles: add multiple accounts from the same network (e.g., Mastodon or Bluesky) and organize them into sets like personal or work.
Boosts
01:13:47 Thanks to everyone who streamed sats, and shoutout to our top boosters:
[🏆 TOP BOOSTER] @Ape Mithrandir (17,777 sats) “(Craig Raw)’s feature request for Broadcast Pool is much needed and we should get more eyes on it. [Feature request]”
@Ape Mithrandir (7,777 sats) “Epic rant at the end. Craig Raw always worth listening to.”
@shadowysuperbadger (1,000 sats) “Cool episode. Thanks for putting it together.”
@user40113771 (1,000 sats) “🙏”
@user40113771 (500 sats) “🔥🔥🙏🔥🔥”
@btconboard (300 sats) “SO MUCH WINNING 🫡🫡”
@Leurico8 (100 sats) “Fucking epic episode”
@Juan “May need to find a new sleep therapy solution as I made it thru this whole episode, on a night-flight. great rip guys, learned a lot. happy thanksgiving ;)”
Bitcoin Optech Newsletter
Highlights from recent Bitcoin Optech Newsletters
2024 Year-in-Review Special: The seventh annual Bitcoin Optech Year-in-Review special summarizes notable developments in Bitcoin during all of 2024
Vulnerability allowing theft from LN channels with miner assistance: David Harding announced to Delving Bitcoin a vulnerability he had responsibly disclosed earlier in the year.
Deanonymization vulnerability affecting Wasabi and related software: a developer of GingerWallet disclosed a method a coinjoin coordinator could use to prevent users from gaining any privacy during a coinjoin.
Insights into channel depletion: René Pickhardt posted to Delving Bitcoin and participated, along with Christian Decker, in an Optech Deep Dive about his research into the mathematical foundations of payment channel networks (namely LN).
Poll of opinions about covenant proposals: /dev/fd0 posted to the Bitcoin-Dev mailing list a link to a public poll of developer opinions about selected covenant proposals.
Incentive-based pseudo-covenants: Jeremy Rubin posted to the Bitcoin-Dev mailing list a link to a paper he authored about oracle-assisted covenants.
Bitcoin Core developer meeting summaries: many Bitcoin Core developers met in person in October, and several notes from the meeting have now been published.
News & Noteworthy
Bitcoin
pqcBitcoin: A Post-Quantum Cryptography (PQC)-enhanced fork of Bitcoin [Github]
pqcBitcoin is a fork of Bitcoin Core that integrates post-quantum cryptography (PQC) algorithms, such as Kyber, FrodoKEM, and NTRU, to address potential future threats from quantum computing. Note that the three named algorithms are key-encapsulation mechanisms; Bitcoin's quantum exposure is in its ECDSA and Schnorr signatures, which a KEM does not replace, so the signature side of the design is the part to check when reviewing. The developers have proposed this feature to the Bitcoin community for review and consensus.
Timechainindex is shutting down on January 10, 2025 after one year of operation. [Announcement]
Timechainindex is a platform that tracks Bitcoin holdings across exchanges, funds, ETFs, and companies, offering real-time data and insights into Bitcoin’s market distribution.
Lightning + L2+
Diamond Hands, a Japan-based Bitcoin community and organization, announces the closure of the DH Node, a Lightning node operational since June 2021, citing the difficulty of maintaining large-scale routing operations [Announcement]
Nostr
Orange Pill App integrates nostr login [Announcement]
Business & Finance
SeedHammer announces SeedHammer II: A smaller, lighter and more secure machine than the original off-the-shelf product, with an integrated controller. [Announcement]
Canadian broker Bull Bitcoin officially launches in Europe with a brand-new platform [Announcement]
Casa implements deepfake-resistant verification codes to enhance security for Premium, Enterprise, and Private clients [Blog post]
The system uses shared cryptographic keys to generate matching codes, protecting against impersonation during live support interactions.
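As an added example (not Casa's code; the blog post does not describe the construction, so the HMAC/time-step scheme, the 30-second step, the 6-digit length and the role labels below are all assumptions), here is how a shared key can produce matching, short-lived codes on both sides of a support call, and why a convincing deepfake of either party fails the check: it can imitate a voice or a face, but it does not hold the key.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional

# Assumed parameters: a 30-second code lifetime and 6-digit codes, in the
# style of RFC 6238 TOTP. Casa's real parameters are not published here.
STEP_SECONDS = 30
CODE_DIGITS = 6

# Each direction of the call gets its own label so a code the client reads
# out cannot be replayed back to the client as "proof" from support.
ROLE_SUPPORT_TO_CLIENT = b"casa-demo:support->client"
ROLE_CLIENT_TO_SUPPORT = b"casa-demo:client->support"


def current_step(now: Optional[float] = None) -> int:
    """Map wall-clock time onto a step counter shared by both parties."""
    return int((time.time() if now is None else now) // STEP_SECONDS)


def derive_code(shared_key: bytes, role: bytes, step: int) -> str:
    """HMAC-SHA256 over (role, step), truncated to CODE_DIGITS decimal digits.

    Truncation follows the RFC 4226 dynamic-offset method so the code depends
    on the whole digest rather than on a fixed prefix.
    """
    msg = role + struct.pack(">Q", step)
    digest = hmac.new(shared_key, msg, hashlib.sha256).digest()
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** CODE_DIGITS:0{CODE_DIGITS}d}"


def verify_code(shared_key: bytes, role: bytes, presented: str, step: int,
                tolerance: int = 1) -> bool:
    """Accept the code for the current step or one step either side (clock skew).

    Comparison is constant-time; a stranger has a 1-in-10^6 guess per step.
    """
    for delta in range(-tolerance, tolerance + 1):
        expected = derive_code(shared_key, role, step + delta)
        if hmac.compare_digest(expected.encode(), presented.encode()):
            return True
    return False


def support_call(client_key: bytes, agent_key: bytes, step: int) -> dict:
    """Simulate the mutual check during a live call.

    client_key is the key the client's app holds; agent_key is the key the
    caller claiming to be support holds. They match only for the genuine
    agent. Returns which direction(s) passed.
    """
    # The agent speaks a code; the client's app checks it.
    agent_code = derive_code(agent_key, ROLE_SUPPORT_TO_CLIENT, step)
    agent_ok = verify_code(client_key, ROLE_SUPPORT_TO_CLIENT, agent_code, step)
    # The client reads a code back; the agent's console checks it.
    client_code = derive_code(client_key, ROLE_CLIENT_TO_SUPPORT, step)
    client_ok = verify_code(agent_key, ROLE_CLIENT_TO_SUPPORT, client_code, step)
    return {"agent_verified": agent_ok, "client_verified": client_ok}


if __name__ == "__main__":
    # Constructed demo keys; a deployment would provision these at enrollment.
    real_key = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)
    fake_key = bytes.fromhex("ffeeddccbbaa99887766554433221100" * 2)
    step = current_step()
    print("genuine agent:", support_call(real_key, real_key, step))
    print("deepfake caller:", support_call(real_key, fake_key, step))
```

The check runs in both directions because the threat is impersonation of either side: a fake "agent" phoning a client, or a fake "client" phoning support to talk an agent into a recovery action. Binding the role into the HMAC input keeps a code spoken in one direction from being replayed in the other within the same time step.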
Unchained improves its Connections feature, allowing clients to collaborate on key security without revealing vault details, while keeping control over what information is shared. [Announcement]
Strike now enables USDT deposits and withdrawals for customers in 17+ countries. [Announcement]
Strike adopts Travel Rule regulation [Explainer]
The Travel Rule, established by the Financial Action Task Force (FATF), requires financial institutions to collect and share information about the originators and beneficiaries of financial transfers. In the EU, this is implemented through the Transfer of Funds Regulation (TFR).
For users in the EU or UK, sending or receiving Bitcoin via crypto-asset service providers will require sharing personal information such as name, address, and identification details.
Digital Currency Group divides Foundry’s mining business into two separate entities. Fortitude Mining will oversee Foundry’s former self-mining operations and physical infrastructure, while Foundry will retain its pool operations and other Bitcoin mining services [Blockspace]
Encryption
01:16:45 NIST proposes to standardize a wider variant of AES [Proposal]
NIST is considering standardizing Rijndael with a 256-bit block (AES fixed the block at 128 bits, one of the sizes Rijndael allows). The driver is the volume of data modern systems process under a single key: the security bounds of block-cipher modes degrade at the birthday bound of the block size, roughly 2^64 blocks for a 128-bit block, and a 256-bit block pushes that limit far out of practical reach.
Funding
01:17:40 OpenSats announces its Ninth Wave of Nostr Grants, supporting five innovative projects that advance and strengthen the nostr ecosystem:
AlgoRelay
Pokey
Nostr Safebox
Persian NIPs
LumiLumi
01:17:47 Spiral renews its grant to BTCPayServer [Announcement]
01:17:49 The Human Rights Foundation donates 7 bitcoin to fund Bitcoin development and projects: [Bitcoin Magazine]
Stratum V2 Reference Implementation (SRI), Public Pool, Naiyoma, Daniela Brozzoni, Michael Haase, No Bullshit Bitcoin, Tando, YakiHonne, SeedSigner Multi-language Support, Vexl, Tomatech, Krux, Iris, African UX Bitcoin Bootcamp, Bitcoin History, Cashu-ts, Unify, The Financial Freedom Policy Coalition, Jon Atack and Brink.
01:17:53 Btrust announces its Q4 2024 Btrust grant recipients: Abdullahi Yunus Ahmed, Enigbe Ochekliye, and Tobechi Chukwuleta
Chaincode Labs awards its inaugural Bitcoin Scholarship to 17-year-old Ishaana Misra, the youngest Bitcoin Core contributor. The scholarship covers one year of academic expenses and is renewable for her undergraduate education. [Bitcoin Magazine]
Relai secures $12 million in a Series A funding round led by Ego Death Capital, bringing its valuation to $72 million. [The Block]
Lava raises $10 million in a Series A funding round led by Khosla Ventures and Founders Fund. The Bitcoin lending platform plans to expand its offerings, including Bitcoin purchasing and payment services. [Forbes]
Mining
01:18:12 GreenpeaceUSA’s ‘Change the Code’ campaign, aiming to modify Bitcoin’s energy-intensive proof-of-work system, likely shut down [Batcoinz’ blog post]
The campaign has been inactive since January 2024 and its former campaign director has since departed GreenpeaceUSA to join another organization.
Cango Inc., a Chinese automotive services firm listed on the NYSE, purchases 32 EH/s of Antminer ASICs from Bitmain for $256 million, securing approximately 4% of Bitcoin’s network hashrate. [Blockspace]
An additional 18 EH/s acquisition is under contract with Golden TechGen Limited, owned by former Bitmain CFO Max Hua, elevating Cango’s total hashrate to 50 EH/s, comparable to leading miners like Marathon Digital Holdings.
Foundry USA refunds overpaid Bitcoin transaction fee [Twitter post]
Foundry USA Pool mined block 875475 on December 19, which included a transaction paying an 8.18 BTC fee, about 91,127 times higher than necessary.
MicroBT introduces WhatsMiner M6XS++ series with a hashrate of 218 TH/s and 15.5 J/TH efficiency, including air-cooled, hydro-cooled, and immersion-cooled models [The Miner Mag]
Russia enacts a six-year ban on both individual and pool bitcoin mining across multiple regions [CoinDesk]
Partial restrictions will also apply in three Siberian regions from November to March each year, when energy demand peaks.
e4pool, an open source mining pool, is closing due to new mining regulations in Russia. [Announcement]
The reasons cited are that mining pools must now register on a special list of mining operators and provide user data to the tax office.
Privacy
Byte Federal, a U.S.-based Bitcoin ATM operator, reports a data breach compromising personal information of approximately 58,000 customers [TechCrunch]
The breach, discovered on November 18, resulted from a vulnerability in third-party software, specifically a bug in the GitLab developer platform.
Exposed data includes names, birthdates, addresses, phone numbers, email addresses, government-issued IDs, social security numbers, transaction activity, and user photographs. [Notice of data breach]
DivestOS, a privacy- and security-focused open-source mobile operating system, announces the end of its updates in December after 10 years. [Announcement]
NSO Group found liable for spyware attacks on WhatsApp users [Infosecurity Magazine]
A U.S. court ruled NSO Group liable for using zero-day exploits to deploy its Pegasus spyware on at least 1400 WhatsApp devices. The attack targeted journalists, activists, and government officials, violating both state and federal laws.
NoviSpy: Serbian authorities deploy NoviSpy spyware and Cellebrite forensic tools to surveil journalists and activists [Security Lab’s report]
NoviSpy captures personal data and can remotely activate microphones or cameras on targeted devices
Cellebrite is used to unlock phones, facilitating the installation of NoviSpy during police interviews
01:18:29 Samourai Wallet pretrial hearing postponed to March 12, 2025, due to additional discovery batches, with the trial now set for November 3, 2025. [The Rage]
The U.S. government is reviewing data from 45 devices seized from developers, with over half of the total 17 TB of data already shared.
01:19:59 Russian government directs ISPs to identify users accessing blocked content via VPNs [CyberInsider]
ISPs must implement Technical Means of Countering Threats (TSPU) to monitor user traffic and report in real-time.
Security
Cryptocurrency thefts rise in 2024, according to a Chainalysis report
In 2024, theft from digital currency platforms reached $2.2 billion, a ~21% increase from 2023. Attacks increased in both frequency and size, signaling a growing threat.
A shift in targets was observed in 2024, with centralized services becoming more vulnerable, particularly to private key exploits.
FBI, DC3, and Japan’s NPA alert the public to TraderTraitor, a North Korean cyber group responsible for a $308M cryptocurrency theft in May 2024. The group targeted Japan-based Bitcoin.DMM.com using sophisticated social engineering tactics. [FBI’s Press release]
Protocol
Bitcoin Core #31096: Package validation: accept packages of size 1. This change relaxes the RPC checks and enables the AcceptPackage flow to accept packages consisting of a single transaction. [Merged]
Bitcoin Core #31112: Improve parallel script validation error debug logging [Merged]
Bitcoin Core #31175: rpc: Remove submitblock pre-checks [Merged]
BIPS #1535: BIP 348: OP_CHECKSIGFROMSTACK [Merged]
BTCPayServer #5743: Multisig/watchonly wallet transaction creation flow proof of concept [Merged]
LDK #3446: Support Trampoline flag in BOLT12 invoices [Merged]
BOLTs #1180: Include BIP 353 name info in invoice_requests. Update BOLT12 to allow optional inclusion of BIP353 human-readable Bitcoin payment instructions in invoice requests. [Merged]
NUT-20 – Signature on Mint Quote: an optional specification that locks a mint quote to a user-defined public key and requires a valid signature for minting. [Merged]
Government & Political
01:20:14 Craig Wright is handed a one-year suspended sentence in the UK for contempt of court after violating an earlier ruling. The judge confirmed Wright continued his legal action against Bitcoin developers, despite a ban on such claims. [Reuters]
The court also ordered Wright to drop his $1.15 trillion lawsuit against Square and Bitcoin developers.
El Salvador agrees to scale back Bitcoin policies to secure $1.4 billion IMF loan [Bloomberg] [IMF Press release]
The government will make Bitcoin acceptance voluntary for the private sector and limit public sector involvement in Bitcoin-related activities.
The Chivo wallet will be gradually phased out, and taxes will be payable exclusively in U.S. dollars.
Russian companies embrace bitcoin in international payments to bypass sanctions, following legislative changes aimed at countering Western sanctions. [Reuters]
Finance Minister Anton Siluanov confirmed that cryptocurrencies, including bitcoin, are being used in foreign trade and are expected to expand in 2025.
An EU-regulated exchange updates its policy on digital currency deposits and withdrawals exceeding €1,000 in value. [Stacker News post]
Starting December 30, 2024, deposits and withdrawals in select European countries require additional verification: users must now verify their private (self-custodial) wallets.
The European Securities and Markets Authority (ESMA) releases the final set of regulatory technical standards and guidelines, facilitating the full implementation of the Markets in Crypto Assets Regulation (MiCA). [Press release]
The regulation requires crypto service providers to obtain licenses, adhere to organizational standards, and implement robust governance measures to ensure consumer protection and market integrity.
Financial Accounting Standards Board (FASB) approves new standard requiring Bitcoin to be valued at fair value for fiscal years starting after December 15, 2024. [FASB Media Advisory]
This change aims to simplify accounting processes, reduce complexity, and provide more relevant information to investors about digital asset holdings, including Bitcoin. It mandates disclosures about significant holdings and changes during reporting periods.
The IRS finalizes two regulations affecting digital asset users and developers: a KYC dealer-broker rule for DeFi front-ends and IRS Safe Harbor Transitional Relief. [The Rage]
The KYC dealer-broker rule, effective by 2027, may require noncustodial services to implement KYC/AML measures.
Update: Industry groups, including the Blockchain Association and DeFi Education Fund, are suing the IRS over new KYC requirements for “DeFi front-end services”.
Early bitcoin investor receives a two-year prison sentence for underreporting capital gains on $3.7 million in bitcoin sales [Bitcoin Magazine]
He reportedly misled his accountant about purchase prices and concealed additional profits using mixers and cash exchanges. This case is noted as the first criminal tax evasion prosecution centered exclusively on cryptocurrency.
The Bank of Italy identifies platforms facilitating Bitcoin transactions without user identification as “crime-as-a-service,” citing the website kycnot.me, which lists P2P platforms operating without KYC checks. [Atlas21]
The institution highlights that money launderers exploit pseudonymity in cryptocurrency transactions to conceal illicit funds, using methods like mixers, tumblers, chain-hopping, and anonymous wallets to evade detection.
Events
Undermine Heatpunk Summit: The first Bitcoin Heat Reuse conference
February 21-22, 2025 in Denver, United States
bitcoin++ Florianopolis: bitcoin++ is hacking at the beach
February 19-22, 2025 in Florianopolis, Brazil
Reads
Here’s a list of our top recently published reads:
Choosing a hash function for 2030 and beyond: SHA2 vs SHA3 vs BLAKE3, by Sylvain Kerkour [Blog post]
OpenSats’ 2024 Year in Review [Blog post]
Stone Ridge 2024 Investor Letter, by Ross Stevens [NYDIG]
The DOJ’s Dangerous New Legal Theory: Implications for Samourai Wallet and Bitcoin Self-Custody, by Bitcoin Policy Institute [Policy brief]
Can Nostr fix app distribution? by @franzap [Blog post]
P2QRH/QuBit chain growth rate calculations: An evaluation of the number of P2QRH transactions that can fit in a block under various attestation discount scenarios. [Analysis]
Episode submission ideas
We’re looking for ideas for interesting panel conversations. To send Bitcoin related questions, just go to bitcoin.review and follow the contact links at the bottom of the page.
Get in touch with the pod
Nostr & LN ⚡nvk@nvk.org (not an email!)