nikos.sui

Most people hear “DeFi” and think it’s too complicated. That’s exactly why we’re doing this. Two beginner friendly sessions at SuiHub Athens for anyone who wants to understand blockchain, DeFi and Sui without needing a technical background. Day 1 is about foundations Wallets, blockchain basics, smart contracts, Sui ecosystem and first onboarding Day 2 is about practice dApps, DEXs, Cetus, Bluefin, DeepBook, Ember Vaults and first onchain interactions. Athens builders, students, Web2 users and curious minds, this is for you Day 1: https://t.co/IV0D4bLll1 Day 2: https://t.co/TG09BfCSk6

Interesting findings, appreciate your sharing these with our team ahead of the publication of this paper, and we are in agreement that web-based authentication ecosystems require security practices beyond what ZKPs alone can offer. 
 As the creators of zkLogin, and as our team shared during that conversation, we fundamentally disagree with a few points:  1. You argue that zkLogin’s security relies on several environmental assumptions that are not enforced at the protocol level. On Sui, there is an explicit allowlist of providers, rendering this scenario impossible. You can see for yourself on the Mysten Labs github: https://t.co/GVNsVqrhON. The issuer checks are not prover-local as you seem to have assumed. 2. You suggest that impersonating real users is possible. A malicious AWS Cognito issuer cannot produce JWTs with a different issuer string than the one they have been assigned. Therefore, impersonating real users on Sui is impossible even with an attacker-controlled issuer, and zkLogin remains secure. 3. You argue for enforcing strong, specification-compliant JWT parsing and that validation be enforced at the RP side. Presumably, your idea is to protect against a malicious OP (issuer). Since OPs are trusted in our setting, it is not clear what this protection is for. We did find these areas of the paper helpful and wanted to share how we’re using your findings:
 1. You note that zkLogin does “ad-hoc selective parsing,” a finding echoed by the original zkLogin paper itself as you note. Thank you for highlighting more such patterns. However, this class of attacks remain out of scope since zkLogin assumes a trusted standard-compliant issuer. 2. You suggest that proving and salt services adopt strict verification rules such as canonical JSON enforcement. Thank you for suggesting that, we plan to adopt it into our service. However, as noted before, our system was designed assuming a standard-compliant issuer. Working in zk, a constantly evolving design space, necessitates close collaboration across researchers in the community, and even if we disagree on findings, I welcome further discussion and will continue to follow the work of this paper’s authors.

⚡️ Blockchains execute transactions, but they don't automatically preserve history. Nodes prune data, providers go offline, and critical records become harder to access and verify. The Sui Archival System, powered by Walrus, solves this. 30TB of Sui's checkpoint history is now publicly accessible and verifiable. No single provider. No proprietary databases. This isn't just for Sui. It's a design pattern for any system where historical data matters. Settlement, risk management, governance, AI decision-making. Same approach, different data. Chain-agnostic, open source and ready to use 🦭

BTC users will soon be rewarded on Sui! 1st testnet demo of connecting a Bitcoin address with a Sui address. - What does this mean for Bitcoin users? - You will receive airdrops, assets and NFTs on Sui, even if you never leave the Bitcoin network! Welcome to the future of BTC interop.