Patrick Collins

32.8K posts

@PatrickAlphaC

Co-founder of 🛡️@cyfrin | 🟪 @soloditofficial | 🦅 @codehawks | 🎓 @cyfrinupdraft Building the Web3 we promised.

Level up Web3 · Joined September 2019
4.6K Following · 112.5K Followers
Pinned Tweet
Patrick Collins @PatrickAlphaC
We need to talk about hardware wallets.
1. If you have one, you're probably signing transactions without checking calldata.
2. If you don't have one, you're more susceptible to hacks.
One of these needs to change.
Patrick Collins retweeted
Usman @0xusmanf
THE .ENV PLEDGE is a public oath started by @PatrickAlphac. It started as a GitHub discussion. Now it's a permanent on-chain commitment, and @Cyfrin has made it mintable as a soulbound NFT. Here's the summary of THE MOTHER OF ALL PLEDGES 👇
Usman @0xusmanf
What is that PLEDGE that Patrick keeps talking about and won't stop?? If you've gone through @CyfrinUpdraft Solidity course, you've seen it. Let me break it down and explain why every Solidity dev needs to take it seriously. 🧵
Patrick Collins retweeted
Wonderland @Wonderland
Wonderland CTF prizes are in: $30,000 on the line. $15k, $10k & $5k for the top 3. Plus a few surprises. May the best teams win.
Charlie Marsh @charliermarsh
We've entered into an agreement to join OpenAI as part of the Codex team. I'm incredibly proud of the work we've done so far, incredibly grateful to everyone that's supported us, and incredibly excited to keep building tools that make programming feel different.
Patrick Collins retweeted
Cyfrin Audits @cyfrin
Vote for us in the Nominee Selection of the Security Council. Voting is open from March 22nd, 2026 - 12:32 pm UTC until March 29th, 2026 - 12:32 pm UTC. Member Election starts Apr 12, 2026. tally.xyz//gov/arbitrum/…
pashov @pashov
At least 7 "wrench attacks" since the start of the month, 5 of which in France. A "$5 wrench attack" shows that your crypto can often be stolen by bad people with malicious intent and just $5 "weapon" like a wrench. Learn personal OpSec. Protect your data and stay safe.
Patrick Collins @PatrickAlphaC
A website can always be hacked. Which means, you cannot trust calldata.
Neutrl @Neutrl

Update on the ongoing security incident: We are currently working with @0xGroomLake on the investigation. Initial findings suggest the DNS provider hosting the app domain was socially engineered, allowing an attacker to redirect the domain. Neutrl smart contracts remain secure and have been temporarily paused as a precaution. Please do not interact with the protocol until further notice is provided. We will continue to share updates as more information becomes available as well as a full post mortem.

Jack Leahy @__leahy
~ Career Update ~ I'm joining @OpenZeppelin as Ecosystem Development Lead. I’ll be focused on growing protocol and enterprise partnerships. OpenZeppelin is the standard for secure onchain applications, helping leading financial institutions, DeFi protocols, and blockchain platforms build and secure mission critical onchain systems. It's been an amazing run with @Spire_Labs. They have an incredible future ahead. I’m grateful to have worked alongside such talented builders. Huge thanks to @CoffeeTimesTW and @mteamisloading. I've never been more bullish on crypto. We're entering the next phase where real world adoption, security, and scale will matter more than ever.
Patrick Collins retweeted
𝗩𝗶𝗰𝘁𝗼𝗿_𝗧𝗵𝗲𝗢𝗿𝗮𝗰𝗹𝗲
I still see developers storing private keys in plaintext. .env files, config files, and even random text files. It feels harmless until one mistake exposes everything. There is a better way to handle this.
Vector @0xvector_
Ouch!! This hurts in so many different ways @claudeai It's 2026 and you still tell devs to store private keys in plain text in .env files. Patrick might actually hurt himself if he sees this
Patrick Collins @PatrickAlphaC
All blockchain hardware wallets are worthless unless either:
1. You spend 20 minutes per transaction verifying your calldata
2. All hardware wallets adopt a transaction legibility standard
"oh but my hardware wallet is EAL6+ rated with a secure element and an MCU made from minerals mined from Pluto's ultra secure crust that-"
- It doesn't matter.
If you do not check calldata, you're essentially saying "I trust 100% that this website has not been hacked, because I trust whatever data they send to my wallet". It doesn't matter if your wallet is the most badass piece of security tech that's ever been, because you're letting hackers send whatever they want to your wallet, and you'll blindly sign!
We've seen websites hacked all the time. @Compound_xyz was hacked just last week!! Reference: x.com/Compound_xyz/s…
And we've seen MASSIVE losses from these hacks across both retail and enterprise use.
- Bybit ($1.4B)
- Radiant Capital ($50M)
- WazirX ($200M)
Some wallets have done a great job of getting the ball rolling on their own like @gridplus and @KeystoneWallet who both offer calldata decoding at the device level. @Ledger and @Keycard_ offer EIP-712 digests for signatures which are easier to verify than EIP-712 structs. @MetaMask snaps allow me to build my own custom AI bots and custom decoders to read calldata easier.
But it's not enough. Calldata is still very annoying to read, and decoding it can be more confusing. Not enough wallets support EIP-712 digests.
The good news... Is that transaction legibility is finally coming... Once we have a standard in place for human-readable transactions, it will be unacceptable to use a hardware wallet that does not have such a feature. And we can FINALLY use hardware wallets the correct way! I'M QUITE EXCITED.
Pamphile Roy @PamphileRoy
@PatrickAlphaC @BTChip It’s not like there is a way to hash a website/dapp and distribute it on a decentralized network. Oh wait… IPFS. Just clown industry.
Bitcoin Eagle ⚔️ URSF @bitcoin_eagle
@PatrickAlphaC Shitcoin problem. It turns out that Turing complete financial translations are a really bad idea. It turns out that people just want to send money from account A to account B and be really sure that it doesn't go to account of Evil thief
Kitty @hayotensor
@PatrickAlphaC Technically compound website wasn't hacked, it looks like they hacked the DNS or redirect of the domain
Jabronie @0xJabr0nie
@PatrickAlphaC I use a hardware wallet and I store my private key in plain text - it’s still safe right?