14976
sudo rm -rf --no-preserve-root /
@pcaversaccio #14976
𝐖𝐨𝐫𝐤𝐢𝐧𝐠 𝐨𝐧 𝐰𝐡𝐚𝐭'𝐬 𝐧𝐞𝐱𝐭.
https://github.com/pcaversaccio
3618 Follower 154 Following
ffs, please don't ask ChatGPT or other LLMs if a file is safe. First, new malware is not part of past training data used for the LLMs (even tho certain, e.g. infostealer pattern, are recycled over time), second ChatGPT cannot execute files (needed to detect behaviours that only manifest during execution), and usually malware also uses advanced obfuscation, which cannot be analysed. Use your brain and upload it to eg VirusTotal (not fool proof!), don't fucking delegate your security to an over calibrated language model.
I have come to the conclusion that 95% of security products in our industry are nothing more than vaporware, offering the illusion of security rather than actual protection.
Every time I skim through the (updated) EOF specs, it's a reminder of how we've drowned in complexity for the sake of flexing. There is no reason this monstrosity should ever see the light of day. Sorry. Let’s get back to KISS.
Rust devs after their 101th rewrite-in-rust
a sweet story from "RIP Solidity" to "must have eventually" within 3 days
https://github.com/ethereum/solidity/issues/14208#issuecomment-2523104434
https://github.com/ethereum/solidity/issues/14208#issuecomment-2523104434
gents, amidst the whirlwind of SEAL 911 tickets, I somehow managed (don’t ask me how!) to add support for off-chain message hashes to my Safe transaction hashes Bash script over the past few days. The updated script now outputs the raw message, along with the domain, message, and Safe message hashes, making it easy for you to verify them against the values shown on your Ledger hardware wallet screen. This can be particularly useful for security councils using 1/1 multisigs to sign into governance tools or for logging into platforms like OpenSea with your multisig. Always remember: Don't trust, verify! https://github.com/pcaversaccio/safe-tx-hashes-util/pull/10
On a side note, I've been asked a few times over the last weeks how people can support my open-source work. Everything I create is for the community. If you feel like showing your appreciation, you can find my donation address here https://github.com/pcaversaccio/snekmate/blob/main/FUNDING.json#L4
On a side note, I've been asked a few times over the last weeks how people can support my open-source work. Everything I create is for the community. If you feel like showing your appreciation, you can find my donation address here https://github.com/pcaversaccio/snekmate/blob/main/FUNDING.json#L4
Sometimes (tbh multiple times a day), I wish we could rewind to the early crypto days—when everything felt like the wild west, principles-based, and full of endless possibilities.
Can people please stop fucking getting rekt by interacting with malicious websites?? Like seriously, since 5 days we get non-stop draining victim tickets in SEAL 911. Look I will be totally frank: all of your security products help shit to prevent people getting drained. It's almost 2025 and we're nowhere solving this.
So this morning I found a rather annoying bug in the Safe UI for older Safe versions `<=1.2.0`. TL;DR: the domain hash displayed is wrong.
https://x.com/pcaversaccio/status/1864643674304373121
https://x.com/pcaversaccio/status/1864643674304373121
This is such a retarded take. A VPN is your digital armour. People might use a public Wi-Fi or want to prevent government/ISP tracking when logging into Coinbase. I'm not sure if this a personal view or a Coinbase view, but if it's a company-wide opinion you're fucking anti-privacy clowns! First, you celebrate the legal win to overturn OFAC sanctions against Tornado Cash, and now using a VPN is uncool? A very, very moronic take. https://x.com/scottshapiro/status/1863691538661883925
Sooner or later, we'll come to a powerful realisation: the most pivotal move for L2s will be acknowledging that, in the long run, we may not need them at all. In hindsight, Layer 2 solutions will appear as temporary stopgaps. Not now, not in 6 months, but in 3-5 years' time. That's my bet.
It amazes me how L2s think that it's a great idea to modify the source code of one of the most successful smart contracts to date. If you ask me, this is just insane. What can go wrong? hint: insufficient approval to self. Can we fucking stop this fragmentation, it only hurts. Welcome to Blast's WETH version.
For those who want to exercise their privacy rights and want to use an uncompromised Tornado Cash interface, here are some secure IPFS hashes:
- bafybeicu2anhh7cxbeeakzqjfy3pisok2nakyiemm3jxd66ng35ib6y5ri
- bafybeia7cu2axyyxsarmaemvlpdpofa4q23lzpltbl4jbrnfixdn573h4y
- bafybeiduouhoquhndpzlqrhcfb7wt2jme7qdp4omldal3kulbx63dsrigq
- bafybeiguelxw5aanwnhvaea5vjhknmcdmwvujne36wgabnkmcbt3563toa
- bafybeiezldbnvyjgwevp4cdpu44xwsxxas56jz763jmicojsa6hm3l3rum
https://x.com/iampaulgrewal/status/1861549058797772874
- bafybeicu2anhh7cxbeeakzqjfy3pisok2nakyiemm3jxd66ng35ib6y5ri
- bafybeia7cu2axyyxsarmaemvlpdpofa4q23lzpltbl4jbrnfixdn573h4y
- bafybeiduouhoquhndpzlqrhcfb7wt2jme7qdp4omldal3kulbx63dsrigq
- bafybeiguelxw5aanwnhvaea5vjhknmcdmwvujne36wgabnkmcbt3563toa
- bafybeiezldbnvyjgwevp4cdpu44xwsxxas56jz763jmicojsa6hm3l3rum
https://x.com/iampaulgrewal/status/1861549058797772874
So we have an "official" (i.e. NIST-based) deadline now: ECDSA should be deprecated by 2030 (for 112 bits only) and completely disallowed by 2035. Thx for the crazy ride secp256k1 (and secp256r1). https://nvlpubs.nist.gov/nistpubs/ir/2024/NIST.IR.8547.ipd.pdf
Vitalik is back writing Vyper code - what a beautiful day https://github.com/ethereum/research/blob/master/sublinear_staking/code.vy
today I was looking again into BLAKE3 and I'm getting more and more convinced that we should add it to the EVM. Thoughts? Like, it's way more efficient than SHA-256 and - maybe this is just my paranoia - SHA-256 was designed by the NSA... interesting fact, the Beacon deposit contract uses SHA-256 12 times.
for reference: https://github.com/BLAKE3-team/BLAKE3
for reference: https://github.com/BLAKE3-team/BLAKE3
One thing that the Bitcoin ecosystem does better IMHO than the Ethereum ecosystem is that it doesn't trade principles for money. Too many such cases. Principles built Ethereum into what it is—don't let it sell out. It's not too late yet, but it could be soon.
Ethereum is fucking missing the plot. Looking at Devcon talks, everyone's obsessed with scaling the thing, but (almost) no one's talking about what really matters—financial privacy. It's like we've all collectively forgotten that financial privacy is the real fucking foundation of freedom. We're too busy trying to pump throughput, but here's the thing: if Ethereum truly wants to be the backbone of global financial freedom, it needs to go all in on privacy. If that means sacrificing some scalability for true privacy, so be it. Let's stop pretending we're building the global economic base layer without giving a damn about who's watching.
Today I deployed `CreateX` on the 100th EVM-based chain. I'm fucking proud of the traction and the ecosystem-wide utility the contract factory I built with @msolomon.eth has generated. On the other hand, I'm genuinely concerned about the insane number of chains out there. EVM fragmentation is fucking real, and I'm really questioning why we need this many chains in our ecosystem. I'm sorry guys, but that's not how we scale Ethereum IMHO. Either way, the contract factory is out there, free for anyone to use—even if you don't agree with me: https://github.com/pcaversaccio/createx
PS: We also have a nice website here: https://createx.rocks.
PS: We also have a nice website here: https://createx.rocks.
Ever wondered how to locally sign and encrypt an email with GPG? Maybe not—but if you're curious, I've got a quick guide for you. You might ask, *why bother?* Well, some people prefer to keep their PGP private key(s) on a super-minimal cold device. With this setup, you can sign and encrypt an email on that offline device, transfer the encrypted file however you like (QR code, USB stick, etc.), and send it from a more accessible, "hot" device. Or maybe you've got a basic Gmail account but still want to send signed and encrypted emails directly from the web client without installing any extensions. Now you can.
https://github.com/pcaversaccio/gpg-sign-and-encrypt
https://github.com/pcaversaccio/gpg-sign-and-encrypt
Give me a break. Vyper has been in talks with the EF for months about a grant, only for them to turn us down for a single year of funding while throwing support behind the Argot Collective for 5–10 years? EF, do whatever you fucking want with your money—but understand this: Vyper is building a real compiler that's powering _real_ projects in production like Curve, Lido, and Yearn. It's free, independent, and foundational to Ethereum's infrastructure. If you can't recognise that, then you're absolutely blind to what actually matters in this space. This is a fucking bad signal!
https://x.com/argotorg/status/1851947523910316105
https://x.com/argotorg/status/1851947523910316105
Look, over a year ago, we knew we fucked up. A vulnerability in older Vyper compiler versions hit several Curve Finance liquidity pools hard. Did we back down? Fucking no. We own that shit and are hell-bent on ensuring it never happens again. Since then, the compiler team has been relentlessly focused on security. We've pulled off 12 audits, locked in 2 security experts, launched 2 bug bounty programs, hosted a security contest, and set up a monitoring system—all while addressing over 100 findings. Vyper is dead—long live Vyper!
PS: We're still heavily underfunded as a compiler team, thus any support is highly appreciated!
https://x.com/vyperlang/status/1850919610280710316
PS: We're still heavily underfunded as a compiler team, thus any support is highly appreciated!
https://x.com/vyperlang/status/1850919610280710316
In light of the recent incident at Radiant and the clear challenges of verifying multisig transactions on a Ledger device, I've built a simple Bash script designed to simplify the process. This script generates the domain, message, and Safe transaction hashes, making it easier to cross-check them with the values displayed on your Ledger hardware wallet. All you need to provide are the network name, multisig address, and transaction nonce. It supports all Safe networks, and I hope it will serve as a useful tool to temporarily ease the burden of blind signing verification for multisig transactions. Eventually, make sure to check out the trust assumptions laid out in the README for this script. https://github.com/pcaversaccio/safe-tx-hashes-util
To be honest guys, the last few days hit hard—it's obvious we're nowhere near "solving" hacks in our industry. "Fixing" security? It feels like chasing a mirage. Anyone out there claiming they can prevent this or that? Nice try, but threat actors will always find other backdoors. Security is a holistic game, and right now, we're fucking failing to secure holistically our entire ecosystem. I know the truth hits hard, but it has to be said.