Markus Perdrizat

5.5K posts

@maol

Build and scale crypto infrastructure products at the intersection of DeFi & TradFi. People first and #Bitcoin native.

Joined July 2007
842 Following · 628 Followers
Pinned Tweet
Markus Perdrizat @maol
Gentlemen, start your twitter engines!
Markus Perdrizat retweeted
dobs @dobsec
Everything in this thread is noteworthy, but I want to give my two cents on a couple points: 1) Hardware wallets *must* be part of your workflow. Any serious amount of funds deserves a hardware wallet. 2) SEAL is funded by donations. IMO, if your incident response plan is "call SEAL", then you obviously see the value to the community and should consider supporting SEAL. This support can be through donations, through employee time, there are many options.
sudo rm -rf --no-preserve-root / @pcaversaccio

3/ final thought, folks: we need to become hardware wallet maxis _now_. Stop yolo-installing software. Stop executing random code. Stop handing LLMs (I'm looking at you, Claude) code-execution rights. Use hardware wallets. Keep keys off your daily machines. Triple-check domains. This will help your and my own sanity.
also, if you care about not getting rekt (and you should lol), read SEAL Frameworks pls: frameworks.securityalliance.org
PS: SEAL is funded _entirely_ by donations (and we're close to running out of donation money soon!), so please consider donating either via securityalliance.org/donate#donate (for the main SEAL org) or directly to us at SEAL 911: github.com/security-allia…). Thanks, and see you on the other side.

Markus Perdrizat retweeted
Frankencoin @frankencoinzchf
The holidays and end of the year are arriving, and it's an opportunity to look back at some of the achievements made in 2025, and the Frankencoin ecosystem state heading into 2026.
Key points:
- 4% DeFi yield on $ZCHF using the savings module
- ZCHF spending available using @gnosispay
- Yield is available using @zealwallet as well
- Onramp, offramp, and personal crypto IBAN available using @mtpelerin, including 1:1 swaps from CHF to ZCHF
- Real world integrations for using ZCHF such as Quitt, PlusPlus and @SPARInt
- Swiss equities investing via @aktionariat
- DeFi integrations using @Morpho
- Layer 2's and multichain availability on @base, @arbitrum, @Optimism, @0xPolygon, @avax, @SonicLabs and @gnosis_
- Simple bridging using @chainlink's CCIP
- CEX integration with @MEXC_Official
- First FXSwap pool ZCHF/crvUSD on @CurveFinance
Read all about it and more in detail, and about goals for 2026, in the recent article by the Frankencoin Association Managing Director @jonk93.
Thank you Frankencoin community, Merry Christmas, happy holidays and Happy New Year!
Frankencoin @frankencoinzchf

x.com/i/article/2003…

Markus Perdrizat retweeted
Boring_Business @BoringBiz_
Something not talked about enough is how beneficial the release of ChatGPT was for Google
Besides just winning the legal case that would have forced them to divest Chrome or break up the business, it has completely changed public perception around the company
Google used to be viewed as the sleepy big tech giant that was riding the success of a few early good decisions. There was no excitement about the company. No "new thing"
Even the show Silicon Valley loosely based the fictional company Hooli after Google. The theme was bureaucracy and lack of innovation. Google was the company that overpaid engineers just to have them sit around all day
The release of ChatGPT completely shifted the narrative. People talked about Google losing its competitive position. Some even pronounced that Google would die in a few years
Wall Street bought into the narrative. You can see the multiple that Google traded at soon after the release of ChatGPT. One of the greatest companies in the world was trading way below the average S&P 500 company
Now the vibe has shifted in the opposite direction. Gemini is now the underdog of the AI LLMs. Sergey Brin is back. Google is releasing AI products at incredible speed
All of a sudden, people are taking another comprehensive look at the entire company. People are realizing the value of YouTube, Google Office, Waymo, DeepMind, the TPU business, and all the other tentacles Google has in the technology space
Stock price has recovered and even higher than before. People finally want Google to win again. It is truly a PR masterstroke, handed to them by OpenAI
Markus Perdrizat retweeted
Gabor Gurbacs @gaborgurbacs
I’m not religious about SLH-DSA vs ML-DSA. Scheme choice is the last 10% of the work. We can do hybrids, multiple algorithms and even non-NIST PQ schemes in parallel. Using a NIST-standardized primitive in 2025 is not the same trust model as picking an NSA-tuned curve in 2009. This isn’t “turning our back on Satoshi,” it’s doing what he did: use the best openly-scrutinized tools available.
2. Social coordination is hard, but not unprecedented. SegWit/Taproot were ugly at times, yet they shipped. A “rotate or your coins become trivial to steal in X years” narrative is a much stronger coordination driver than witness discount debates. Also, everyone (banks, governments, HSM vendors) will be in PQ-migration mode; Bitcoin won’t be the only one trying to move.
3. On block size: I don’t think “50 MB forever” is the only future. There are ways to structure migration (hybrid signatures, key-rolling schemes, one-time PQ addresses, clever use of script/witness) that front-load the temporary bloat and then let the system re-converge to something conservative. Your work visualizing signature sizes is super useful input, but it’s not the end of the design space.
4. The scary 70–74 days / 6+ month timelines implicitly assume we start from zero after a CRQC is demonstrated against ECDSA. In reality, we’ll see weaker cryptosystems fall first. That buys years of warning for: (a) picking schemes, (b) implementing and testing, (c) allowing gradual opt-in rotation before the “oh shit” moment.
5. Unmigrated coins (including Satoshi’s) is fundamentally a governance / values question, not a math question. My bias: no special rules, no targeted freezing for one entity. Whatever rules we pick should apply to all unmigrated keys. Reasonable people can disagree here, but this doesn’t decide whether Bitcoin survives; it decides how we treat abandoned or inert balances in a PQ world.
So yes I agree PQ is a serious long-term technical risk. I just see it as a slow, visible coordination and engineering problem—not an instant death blow. The right response is exactly what you’re doing: research, modeling, concrete upgrade paths, testnets. Happy to dig deeper on models and migration designs; I just push back on the “existential in a couple years” framing vs “hard but solvable over a decade+ signal horizon.”
Markus Perdrizat retweeted
Haseeb >|< @hosseeb
This is actually really big. 👇 Most on-chain hacks today are not caused by smart contract vulnerabilities--they're caused by opsec failures. Someone gets spearphished, or hit by malware, and boom, a multisig gets compromised. Today, we think of the standard of security as being an audit, but if most hacks are caused by opsec failures, audits don't cover that, they only cover smart contracts. How can you be confident that your team actually follows best security practices internally? @_SEAL_Org is solving that by launching SEAL Certifications, which cover opsec, not code. Reach out to your favorite teams and demand that they get SEAL certified for opsec! We have to level up security as an industry, and that will only happen if users demand their protocols operate at the highest levels of security.
Security Alliance @_SEAL_Org

After years running SEAL 911 and coordinating incident response, we've identified a critical gap: while many protocols have strong smart contract audits, there's no standardized way for them to demonstrate operational security maturity.
Today we're issuing an RFC for our newest initiative: SEAL Certifications
Full announcement: radar.securityalliance.org/request-for-co…

Markus Perdrizat retweeted
Security Alliance @_SEAL_Org
After years running SEAL 911 and coordinating incident response, we've identified a critical gap: while many protocols have strong smart contract audits, there's no standardized way for them to demonstrate operational security maturity.
Today we're issuing an RFC for our newest initiative: SEAL Certifications
Full announcement: radar.securityalliance.org/request-for-co…
Markus Perdrizat retweeted
ChainSecurity @chain_security
We often get asked about our story and what makes ChainSecurity different. Here’s a thread about a small ETH Zurich research project that grew into a leading Web3 security firm. 🧵
Markus Perdrizat retweeted
Project Nebula @NebulaOnIC
2/ ...long journey, particularly @maol who opened the door to get this moving. Now the bigger challenge comes which is completing the development and launch. In addition to that, I am now starting the coding of a privacy layer for ICP as I've been tweeting about over the past...
Markus Perdrizat retweeted
Damian Rusinek @drdr_zz
Yesterday was a crazy day. The @Balancer hack shook the entire community. Many analyses emerged, but unfortunately, some missed the point of what's most important at a time like this and why such analyses are being done. User safety and helping projects should ALWAYS be our first priority. As usual, @SEAL led the way, but we know that many other good people also abandoned their current tasks to analyze fixes and consult on strategies with affected teams. Analyzing the root cause of a hack shouldn't be about gaining as many followers as possible because you were the first to write about it. The point is to share information responsibly. Firstly, to limit losses, and secondly, to prevent these kinds of vectors in the future.
Was it a re-entrancy? No, there was no callback and no user data specified in the swap data.
Was it an access control issue? No, the attacker was executing operations on his behalf.
The root cause was that ...
1️⃣ The attacker used a pool with 3 tokens: A, B and the POOL token itself.
2️⃣ Swapped a lot of POOL token for a lot of A and B: transfer in POOL and transfer out A and B. The balances of A and B are *small*, while balance of POOL is *huge* (see the balances picture).
3️⃣ Make swaps back from A and B to POOL. All swaps are "exact amount out" swaps and the "amount in" is calculated. However, the swaps from A/B to POOL drop the POOL token from balances when calculating amount in.
🚨 The effect: to get a big amount of POOL (to return the pool back to the initial state) the attacker needs to transfer in a small amount of A/B, because the amount is calculated based on small amounts of A and B only (POOL is excluded from the calculation).
As you can see, it was not a trivial attack, and removing this vulnerability is not easy either. The straightforward recommendation would be not to exclude POOL token from the invariant, but I bet there was business logic reason for that.
Final thoughts:
➡️ Multi token pools are tricky. Especially those that have their own token in them.
➡️ Any changes to invariant calculations are super important to check carefully.
Inflating and resulting balances (point 1):
Attack (point 3):
Markus Perdrizat retweeted
Swiss Bitcoin Institute @SwissBTCInst
Last week, at Lugano's @planb_network Forum, Marcus M. Dapp (@DCentSociety) held a workshop and asked: "What Bitcoin knowledge are you missing?"
🔸 Wallets
🔸 Custody
🔸 Network/Nodes
🔸 Lightning
🔸 L2 (Ark)
🔸 Finance & Economy
🔸 Energy & Climate
🔸 Social & Human Rights
🔸 Geopolitics
🔸 Policy
🔸 Technology & Innovation
What would you personally like to know more about? Let us know. Comment below.
Markus Perdrizat retweeted
Gergely Orosz @GergelyOrosz
This is not the first time the "old guard" in tech feels the "new guard" is reckless / doesn't care about the craft / doesn't respect software like they do, and yet get similar or better results on first glance
Part of the challenge, part of what makes this so unique + special
Jaana Dogan ヤナ ドガン @rakyll

Lately I’ve been feeling depressed because decades of our hard work is completely gone like it never existed. I heard from others that they also find it very hard to dial into the new norm of low quality software engineering.

Markus Perdrizat retweeted
Liquity @LiquityProtocol
Move $15+ BILLION from TradFi onchain.
All it takes is a 5% shift from CeFi>DeFi stables.
CeFi stables support Wall Street. DeFi stables support Ethereum.
Swapping into DeFi stables like...
- $BOLD: ETH & LSTs coll
- $crvUSD: BTC/ETH & crypto coll
- $fxUSD: ETH & BTC coll
- $GHO: ETH, BTC & crypto coll
- $USDaf: BOLD & crvUSD coll
creates demand for their crypto backing.
Crypto stables becoming onchain DATs 🤩
👉 Diversify 5% of your stables. believe in somETHing.
👀 @ethereum, @VitalikButerin, @Consensys, @fundstrat, @sharplink
Markus Perdrizat retweeted
Nick Neuman @Nneuman
Nevada regulators just served crypto custodian Fortress Trust with a cease and desist. And - surprise! - Fortress owes clients $12M in fiat + crypto but only has ~$1M available. The craziest thing to me out of this article is that the new CEO knew of financial troubles when joining in 2023, but the regulators didn’t step in until late 2025? Why is it only now that they are unable to produce financial statements - shouldn’t they have checked that in 2024? This is the second major crypto trust failure out of Nevada. Regulation ≠ safety. If you’re going to use a custodian, you better really know what they’re doing with your assets. You can’t necessarily count on a regulator to do that for you, as we’ve seen time and again over the last decade. Custodians were necessary in the legacy financial system. You can’t keep thousands of paper dollars, tons of gold bars, or reams of stock certificates safe by yourself. We now have better technology. You can secure the cryptographically backed hard money that is Bitcoin with a simple app and a thumb drive. It is easier than ever in history to have full control of your money, not trust some black box custodian. It’s your savings. You care about it more than anyone else. And with the right tools, you can secure it better than anyone else.
Markus Perdrizat retweeted
Kevin Loaec 🧙‍♂️🐟
The @LuganoPlanB Forum is a really, really good event. The organization team did an excellent job again, crazy quality level. See you next year again!
Markus Perdrizat retweeted
Patrick Collins @PatrickAlphaC
My gut reaction: “this is upsetting” …but the more I work in the industry I start to understand these moves more. I’ve dedicated mine and my team's life to doing everything we can to make people’s lives easier in web3. Free tools like Solodit and Updraft so everyone can learn security, and we try to figure out how to make them both free and financially sustainable (ads, jobs board, even our audits to some extent, etc). It can be tough to spend engineering resources on free stuff. Ledger has salaries to pay, and I want them to keep making a wallet that is secure.
However, if I was a wallet competitor, the door seems WIDE open to make a better product. Some wallets already have transaction decoding like:
- @gridplus
- @KeystoneWallet
And neither of them charge a fee, so just keep that in mind.
The most egregious part of the ledger post though, is them saying it’s free. This is blatantly false. Ship a product like this, sure, justify its costs, sure, but don’t lie.
ZachXBT @zachxbt

@P3b7_ Kind of a bit excessive to charge users all of these fees on top of the Ledger device they originally purchase?

Markus Perdrizat retweeted
Swiss Bitcoin Institute @SwissBTCInst
Take the risk. Learn about Bitcoin.
Markus Perdrizat retweeted
MetaMask 🦊 @MetaMask
We’ve joined forces to launch a global phishing defense network that can protect more users across the entire ecosystem. Security gets stronger when we work together. 🤝
Security Alliance @_SEAL_Org

We are launching a global real-time phishing defense network alongside @MetaMask, @WalletConnect, @Backpack, and @phantom! This allows us to create a decentralized immune system for crypto security where anyone from around the world can prevent the next major phishing attack
