Olivia
Online
Harper
@hrpr
blockchain security/engineering @4d4m4n7 | @GoMaestroOrg @txpipe_tools @cr0wn @siginthq
UK
Joined March 2009
250 Following
231 Followers
109 Posts
ย Pinned Tweet
New post describing important security considerations for web-apps interacting with Cardano wallets, in particular projects utilising multi-sig transactions. Any feedback welcome!
New write-up: Multi-Sig Concerns, Mangled Addresses, and the Dangers of Using Stake Keys in Your Cardano Project (Atomic Swap & TradingTent Bug)
https://t.co/OtUuidzGb7
๐ Maestro is leveling up!
We're thrilled to announce our $3M seed round, co-led by Wave Digital Assets and Draper Associates. This funding fuels our mission to revolutionize Bitcoin DeFi and bridge the gap between traditional and decentralized finance.
๐ Why it matters
Empowering builders: Our state-of-the-art UTXO indexing and developer tools are designed to help onboard millions to Bitcoin.
Bridging finance worlds: We're breaking down barriers between traditional and decentralized finance with scalable, user-friendly solutions.
Ecosystem synergy: Our partnerships with innovators like Arch Network and Saturn are pushing the boundaries of what's possible on Bitcoin.
Trusted by industry leaders, Maestro is paving the way for a new era of innovation on Bitcoin. Join us as we unlock BTC's full potential.
Click the link below to find out more โฌ๏ธ
๐ Cardano Summit 2023 Awards
๐ Congratulations to the winners in the category Developer or Developer Tools
๐ @txpipe_tools
๐ @StricaHQ
#CardanoSummit2023 #CardanoCommunity
Maestro placed 1st in the Battle of the Builders #cardanosummit2023
The competition was fierce. There were so many brilliant, innovative projects, and we were simply happy to take part.
We are truly humbled by this experience and want to thank our fellow competitors.
@dzcodes @nullHashPixel The Solana thing is just catching a bug (or they made it at least plausible that it was a bug). If the wallet creators wanted to be malicious/was compromised they wouldn't do something so obvious
@dzcodes @nullHashPixel Backdoored key generation, replacing addresses in transactions/showing different information to the user in the UI to make them send all their funds to a different address, sending 1 bit of the private key per request hidden in normal calls to an API endpoint... etc
@dzcodes @nullHashPixel Seems reckless to say that monitoring your traffic is a way to minimise most risks of using a closed-source wallet when you are only minimising the specific situation that the wallet is transferring your key phrase (while u happen to be monitoring it) in a way that is detectable
@zygomeb @PhilippeVleLong So users trust auditors to point out security flaws, maybe we can also make it expected that the auditors will report any points of centralisation in the code (think auditors already do this in ETH) so users can choose to trust a reputable firms analysis of CS contract
@zygomeb @PhilippeVleLong Thanks! But I think if you are getting an audit and if you think the attestation idea could be good then maybe discuss with the auditor who will already be looking over and understanding the code. Then users can have more confidence in the contract until it is OS - what u think?
@zygomeb @PhilippeVleLong If it is to be closed-source contract to temporarily protect IP I think having documentation of how to build txs is a significant improvement while still protecting the source. Also a trusted auditor could attest to/describe any centralised points of the closed-source contract
@zygomeb @PhilippeVleLong At least with the former you can read the code and know exactly what you are signing up for, opting in to have centralised jpg enforce royalties. If itโs closed source, you donโt know everything the contract can do and have to reveng txs in order to build your own. Sounds worse
@zygomeb @PhilippeVleLong You just called jpgโs new smart contracts โmootโ because it requires jpg to build some txs. Will anyone other than OptimFi be able to build OptimFi transactions for the closed-source contracts? Or is Tx building too arcane?
@TheAvatarNick So the issue is the message is too general, and an attacker could have you sign this to use another dApp, without you realising its actually for Mercury Chat. Where as if it said "Please sign this to log into Mercury Chat:" it would be much more obvious
@TheAvatarNick To be extra safe I would add something to the msg which indicates that the data is for a particular site, to avoid attacker trying to log into your account, getting this message then asking you to sign it when using another dApp. Then you would realise this sig is for smth else
@amw7 @ADAOcommunity One note on this is that someone could make the tx cancel another signers MinSwap/MuesliSwap order and claim the funds, but the wallet wonโt detect these funds belong to the user so wonโt warn them of their funds being spent. The SC only checks the order owner has signed the tx.
@zygomeb Agree, current batching model used by SS and MS is not satisfactory
@zygomeb Or when the article describes SS and MS using batching it is just outlining the issues with batching, not that they should be using the pending utxos/chaining technique instead
@zygomeb So do you think the AMMs should let people spend the pool UTXOs but the frontend should constantly update with the newest pending pool UTXO? It sounds like it would work until the traffic is high, then the contention issue kicks in
Last Seen Users on Sotwe
๐๐๐ก๐ฑ๐๐๐๐ข&๐๐ ๐๐๐๐๐๐
Seen from Thailand
Aaa
Alp๐
Seen from Singapore
nOt VirGin
Seen from Pakistan
Trแบงn ฤแปฉc Vฦฐฦกng
Seen from Vietnam
Kencing Enak
Seen from Singapore
Firat
Seen from Turkey
Susu Manis Cap Nona
Seen from Indonesia
Familygiof_+
Seen from United States
ChiBromo
Seen from United States
Trends for you
Most Popular Users
Elon Musk 
@elonmusk
240.3M followers
Barack Obama
@barackobama
119.3M followers
Donald J. Trump
@realdonaldtrump
111.6M followers
Cristiano Ronaldo
@cristiano
109.5M followers
Narendra Modi
@narendramodi
107M followers
Rihanna
@rihanna
97.4M followers
NASA
@nasa
92.1M followers
Justin Bieber
@justinbieber
90.7M followers
KATY PERRY
@katyperry
87.1M followers
Taylor Swift
@taylorswift13
80.9M followers
Lady Gaga
@ladygaga
72.5M followers
Kim Kardashian
@kimkardashian
69.5M followers
Virat Kohli
@imvkohli
69M followers
YouTube
@youtube
68.6M followers
Bill Gates
@billgates
63.6M followers
The Ellen Show
@theellenshow
62.5M followers
CNN
@cnn
61.9M followers
Neymar Jr
@neymarjr
61.7M followers
X
@x
60.9M followers
Selena Gomez
@selenagomez
60.2M followers