nicoserranop.eth

@NicoSerranoP

Web3 developer at @PrivacyScaling

Cuenca, Ecuador · Joined November 2010
2K Following · 939 Followers
nicoserranop.eth retweeted
Wonderland @Wonderland
For years, we've been implementing opsec standards internally and pushing the same recommendations to every client we work with. With recent exploits, we saw a gap in the market that we were fit to address. So we teamed up with @_SEAL_Org and studied the last 100 opsec incidents in digital assets. That became the foundation for DARC. We are proud to introduce the @DARCStandard: Digital Asset Risk & Compliance.
DARC @DARCStandard

Introducing DARC: the Digital Asset Risk & Compliance Standard. Built by @Wonderland in collab with @_SEAL_Org, DARC is an opsec standard with 250 controls continuously monitored across your GitHub, cloud infra, multisig wallets, and more. Running every day, automatically.

nicoserranop.eth retweeted
The Interfold @theInterfold
The Interfold Launch Primer starts today. Over the next several weeks, we'll explain the system, the network, ciphernodes, and the path to participation. First: How Interfold works, from private inputs to collective outcomes.
nicoserranop.eth retweeted
binji @binji_x
Getting to a natively private Ethereum for payments: “Hegota” is an upcoming upgrade of the Ethereum network, and it may include 4 features that change the whole game. The features are:

> FOCIL: “you cannot just ignore my transaction”
FOCIL gives Ethereum a stronger way to force valid transactions into blocks, so if a valid transaction is seen by the network, block builders should not be able to pretend it never existed. This matters for privacy because private transactions are exactly the kind of thing some providers may want to censor; with FOCIL, they can’t.

> Frame Transactions: “smart transactions”
They let a transaction define its own validation and gas payment logic, which matters for privacy because users should not need a trusted relayer just to make a private withdrawal or private payment.

> Keyed nonces: “lots of people are using the same mailbox, let’s make it more efficient”
Privacy systems usually want lots of users to transact through the same sender address for masking, but the problem is that one sender normally has one nonce, so everyone can get stuck in the same line. Keyed nonces give different users different lanes, even if they are using the same shared sender.

> Recent Roots: “prove against a recent record safely”
Private transactions need users to be able to say: “I am allowed to spend from this pool, but I do not want to reveal which deposit was mine.” To do that, the transaction needs to refer to a recent cryptographic record. Recent Roots would give Ethereum a safer way for these proofs to reference recent state without making public mempool validation messy or dangerous.

Once enforced at the protocol level, privacy becomes a default right and not a luxury feature. These things still need to be formally included into Hegota, and there is a lot of ongoing discussion, but it’s interesting to see how Ethereum seeks to dominate on privacy.
soispoke.eth @soispoke

If we ship FOCIL (EIP-7805), Frame Transactions (EIP-8141), Keyed Nonces (EIP-8250) and Recent Roots (EIP-8272) in Hegota, we get native, trustless, censorship resistant private transactions on Ethereum next year.

nicoserranop.eth retweeted
mrs kzg.eth née kassandra
I want to get a bit more public about the work we at the Kohaku Initiative inside the EF are doing. I notice there's hype but there's also confusion. Best way to clarify things is to speak candidly and openly about what I'm working on day-to-day 🧵time (bc i dont pay twitter $)
nicoserranop.eth retweeted
Mike Connor @mike_connor
Ethereum already has private transfer capabilities. In fact, Ethereum already has the most sophisticated, general-purpose, programmable private smart contract capabilities in the world. It's called Aztec. Aztec is a part of Ethereum. It is as much a part of Ethereum as any of the less-advanced approaches to privacy, with all the hallmark commonalities:
- it has circuits whose proofs settle on Ethereum;
- its notes and nullifiers are broadcast to Ethereum;
- users can deposit/withdraw from/to Ethereum.

If those features form the essence of native Ethereum privacy, then Aztec is Ethereum's native privacy layer... Aztec (and therefore Ethereum) is years more advanced than basic private transfers. Aztec (and therefore Ethereum) is capable of executing arbitrary and private contractual terms in complete private. Aztec (and therefore Ethereum) has achieved privacy.
nicoserranop.eth retweeted
Romina 🇦🇷 | ✈️🇭🇰 @cryptochica_arg
“Form a party and win the elections.” The Ethereum Foundation is not going to behave the way everyone wants. They have always invited people to co-create. People laugh at the infinite garden narrative. But to me they were always clear. Aya at Devcon Bogotá got on stage and said plainly that she was leading in order to disappear. The concept of subtraction was always a philosophical pillar; that their actions are aimed at not hoarding power was always clear. I'll take a phrase from a recent post by Vitalik: “Ethereum is a unique object and has a unique role in the world. Its role is to be a sanctuary technology, to preserve technological self-sovereignty, to enable cooperation without coercion, domination or rugpulling, and to provide an escape hatch, to ensure that no single person, organization or ideology's victory in cyberspace can be total.” The direction is crystal clear there. You can agree or not. But complaining because the Ethereum Foundation does not behave like a company, or with logics like Solana's (pursuing business deals), is useless. The ethos of Ethereum today is the same one that, in its early days, ended up “expelling” Charles Hoskinson from its structure. He went off and built his own business, to his taste and to his measure. If $ETH token holders don't see it, they will sell. If there are enough companies or centers of power that do see it, not one but several organizations with weight and decision-making power will be born. And if not, it will die. Personally, I believe in $ETH, I love $ETH and I bet on $ETH. Crying over what happens in such short cycles (1-2 years) seems very “fraco” to me, as the Brazilians say. If you are bought into Ethereum, and you have more or less read Vitalik and followed Aya, you understood that they think very long term. If you want to cash out, you will probably have to buy some other little coin. And while you're at it, you save yourself the time of going around crying on Twitter or in Telegram groups.
Dankrad Feist @dankrad

The way to save Ethereum: The community needs to create an organization that's economically aligned with Ethereum and accountable to it. The EF now holds less than 0.1% of all ETH. There is no flow of Ethereum staking or fee revenues to it. If we want to get Ethereum back to winning: - create an organisation with credible funding, minimum $1b as a start. That's very reasonable for an ecosystem with $250b market cap - find a leader who is competent and wants to fight - make it accountable: a board of people who want ETH to go up, and a charter that holds the org accountable to it - fund it permanently: A significant amount of staking revenue needs to go to it. A governance mechanism that can adjust it (also part of accountability). Very hard to imagine now, but I think this is the only way (and it will probably happen, but it might take a long time before it is consensus).

nicoserranop.eth retweeted
Cyrille @cyrille_briere
A first just happened in DeFi history. The first PRIVATE decentralized stablecoin minting on @ethereum just executed. Complete capital freedom: borrow against your assets with zero on-chain trace linking back to you. I talked about this vision weeks ago on a space with @jchaskin22 from @ethereumfndn. Now it's real: etherscan.io/tx/0x10f5ca84e…
nicoserranop.eth retweeted
Toni Wahrstätter ⟠ @nero_eth
Ethereum is about to fundamentally change how blocks are executed. With the upcoming Glamsterdam hardfork, it's shipping EIP-7928: Block-level Access Lists, a proposal that brings parallelization to the EVM. Here's a short explainer of what it is, how it works, and why it's a big deal for scaling.

Let's start from the top. Alongside EIP-7732 (ePBS), EIP-7928 is the execution-layer (EL) headliner for Glamsterdam. Like ePBS, the main focus has been scaling Ethereum, though both proposals come with a bunch of other, equally important properties on the side e.g. removing trust requirements from the PBS pipeline or improving sync.

EIP-7928 adds a Block Access List (BAL) to every Ethereum block. A BAL is a list of accounts and storage slots that the block touches, but that's not all: it also contains post-transaction state diffs (this part is critical!). Post-transaction state diffs tell you what the state looks like after each transaction.

Quick example: user A swaps 1 ETH for DAI on DEX B. The BAL tells you that user A's ETH balance decreased by 1 ETH + tx fees and their nonce went up by 1; that DEX B's ETH balance went up by 1 ETH; and that inside the DAI contract, user A's DAI balance increased while DEX B's decreased. In other words, all of that info becomes statically available, something that previously required tracing the transaction.

Client software (Geth, Nethermind, Besu, Erigon, Reth, Ethrex, Nimbus) can use this to do a few very powerful things:

1. Parallelize transaction execution. Knowing the post-state of each tx resolves the dependencies between them. No transaction has to wait on the previous one anymore, so execution can be perfectly parallelized. Instead of large parts of block validation sitting idle waiting on sequential execution, clients can finally make much better use of modern hardware.

2. Batch prefetch. One of the most cumbersome jobs for a node has been fetching the state needed for execution from disk. Because state locations (e.g. the exact storage slot in the DAI contract where user A's balance lives) are only discovered along the way, while executing, state-fetching has been a real drag on scaling: it blocks execution, takes time, and eventually slows everything down. With BALs, everything a node needs for execution is known upfront and can be loaded into cache in one go, in parallel. This speeds things up even further.

3. Parallelize post-state root calculation. Another expensive task is walking the updated state tree to compute the post-state root, which is needed so that everyone agrees on what's on disk after executing the block. With the post-tx state already in the BAL, nodes can do this in parallel while executing. A heavy task that used to wait until all transactions had finished can now run alongside prefetching and execution.

4. Snap sync (v2). An often overlooked, less sexy aspect of blockchains is syncing. Nodes need to catch up with the chain, and they need to catch up faster than the chain progresses. Today, most nodes do snap sync: downloading blocks, headers, and state in parallel while chasing the tip, and then "healing" the database once they're close to the head. Healing means asking peers for trie nodes, receiving them, validating them, and updating the local DB. It's iterative, networking-heavy, can take a while, and especially higher throughput pushes that phase to its limits. BALs help here too: with snap v2, nodes can catch up to the tip and skip the healing phase entirely. Syncing at higher throughput becomes more robust and reliable.

So, to summarize, a BAL contains two things:
-> The state locations the block accesses
-> The state changes after each tx (incl. the new values)

We're already seeing big performance gains today: on 6-core machines, EL clients validate blocks up to 5x faster, making block gas limits of 300M a very realistic outcome. ePBS will add to that by decoupling the block from the payload, giving validators 2-4x more time for execution. To not overshoot (security stays priority #1), the fork will likely ship with a 200M gas limit, but we shouldn't be stuck there for long before pushing to 300M and beyond. That's a 10x in scaling since we started taking the topic seriously, without touching hardware requirements.

None of this would have happened without people going all-in, heads down, shipping: so many hours spent in calls debating the right design, so many iterations refining the specs, and tons of test cases written (and still being worked on). The road from whiteboard to production-ready code has been a journey, and we're not at the finish line yet, but from what I can tell, things look super bullish for Ethereum. Glamsterdam will be a fork that shows what's possible when a distributed, decentralized community works on a shared goal, laser-focused on providing enough block space to onboard the next wave of users.
nicoserranop.eth retweeted
PSE @PrivacyEthereum
PSE's Private Transfers Engineering team interviewed 38 teams building in the private transfers space to find the technical problems holding the ecosystem back. See threads for the full blog and summary of what we heard 🧵
nicoserranop.eth retweeted
Miguel Ángel Durán @midudev
If you are using npm install, you are in danger. I'm telling you this bluntly so that you react! Yesterday TanStack packages on npm were compromised. Some of the most used libraries in the JavaScript world. And from there it jumped to Mistral, OpenSearch, UiPath, PyPI... Because many attacks don't need you to import anything. A single install is enough to infect you. How? By slipping in scripts such as preinstall or postinstall that run during installation. The important thing is that there is a solution:

① Use pnpm 11
It comes with default defenses against this type of attack.

② If you are still using pnpm 10, npm, yarn or bun
Enable minimumReleaseAge and set it to 1440. It avoids installing versions published the same day.

③ Block install scripts by default
pnpm prevents any dependency from running code on your machine just by installing it.

Please share this so that it reaches as many people as possible and we stop the chain of attacks.
nicoserranop.eth retweeted
sui ☄️ @birdabo
everybody calm down. i got this.
nicoserranop.eth retweeted
raulk @raulvk
Privacy should be the universal default, not a cypherpunk flag. Every on-chain read and write leaks metadata to multiple observers: ISP, DNS, RPC, indexer, bundler, chain.

Hermetic is a modular playground for access-layer privacy. Still very alpha. A self-contained local binary that stacks privacy-preserving layers and exposes sound solutions, with stated tradeoffs, over simple APIs.

Today:
- Railgun shielding, unshielding, queries.
- Every egress request over an isolated Tor circuit, including DNS (next: DoH).
- Rust host + embedded Tor via Arti, no separate sidecar.

How:
- SDK code runs sandboxed in @deno_land, stripped of most permissions.
- No fetch, no node:net, no host writes. Modules are cut off from the world. Untrusted.
- Every SDK network call crosses the Deno boundary, Hermetic intercepts and routes via Tor. No escape possible.

Doesn't yet defend against broadcaster trust, query-pattern inference, timing leaks, or mempool exposure.

Exploring:
- Aztec and other on-chain privacy backends.
- Wasm modules, light clients, messaging.
- Account isolation.
- Local, agent-friendly APIs.

Would appreciate help. DM if interested!
nicoserranop.eth retweeted
Wonderland @Wonderland
1/ At Wonderland, we care deeply about Ethereum security. That's why we built Canon Guard: an open-source security layer for Safe multisigs designed to reduce offchain transaction risk. We’re excited to be included in @TheDAOFund’s Ethereum Security QF round alongside the teams strengthening the ecosystem.
nicoserranop.eth retweeted
Lou3e @lou3ee
Last week I travelled to the North Pole to film 100 core developers building Ethereum. But there was a twist... They had 5 days to build the first devnet for Glamsterdam, Ethereum’s next major upgrade, helping secure a $500 billion network. It was the most magical experience of my life. I’ve never experienced energy like it. It very quickly became, to me, the ultimate hackathon. With the stakes of Ethereum’s uptime. But how does anything stay together when no one is in charge? At one point @TimBeiko said: “we're about to turn 1 month of async work into 1 day”... From 4am technical drama (shit gets hot), To the most beautiful coordination between client teams, All the way to people really explaining why they do this. These are THE heroes you’ve never heard of. This is about the people keeping Ethereum alive. This is THE story. The people who have put a decade of work into Ethereum’s uptime. Full documentary coming soon.
nicoserranop.eth retweeted
Quit @0xQuit
A car company sells you a car, the instruction manual says "wear a seatbelt". You do not wear a seatbelt, and get into a fatal accident. The car company later adds a feature: the car will not drive if the driver's seatbelt is not fastened. Is this an admission of guilt? Are you, the driver, absolved of blame because the car company did not have this feature before, and because other drivers also do not wear seatbelts?
Kelp @KelpDAO

x.com/i/article/2051…

nicoserranop.eth retweeted
Usuarios Digitales @usuariosdigital
🚨#AlertaDigitalEC A leak is being reported of 14.8 million data records (10.8 GB in SQL) and 10.6 million high-definition images of national identity cards for possible biometrics (165 GB) from @RegistroCivilec, via @rocurun cc @EcuCERT_EC
VECERT Analyzer @VECERTRadar

🚨 CRITICAL CYBERINTELLIGENCE ALERT: MASSIVE NATIONAL IDENTITY BREACH – DIGERCIC ECUADOR 🇪🇨👤📂🔓 [STATUS: EXTREME THREAT] A catastrophic compromise has been detected within the infrastructure of Ecuador's General Directorate of Civil Registry, Identification, and Cedulation (DIGERCIC). Threat actor "GordonFreeman," operating under the collective L4TAMFUCKERS, claims to have completely breached the national system, exfiltrating the identity data of virtually the entire population holding national ID cards. 🏢 Affected Entity: DIGERCIC (Ecuador's Civil Registry). 👤 Threat Actors: GordonFreeman, Izanagi, and YoSoyGroot (L4TAMFUCKERS). 📂 Compromised Assets: SQL database and a massive repository of identification images. 📊 Leak Volume: 14.8 million data records (10.8 GB in SQL). 10.6 million high-definition images of national ID cards (165 GB). 📅 Publication Date: May 4, 2026. 📊 Breach Scope (PII and Facial Biometrics) The magnitude of this attack implies that the attackers possess the capability to reconstruct the legal identity of the majority of Ecuadorian citizens: Alphanumeric Data: Full names, national ID numbers, dates of birth, marital status, digitized fingerprints, and signatures. Visual Evidence: The 10.6 million HD images correspond to facial photographs captured for the issuance of identity documents, thereby enabling biometric impersonation attacks. Infrastructure: The use of SQL dumps suggests deep-level access to the Civil Registry's master tables. 🛡️ Immediate Response Recommendations 🔒 Isolation of Critical Servers: DIGERCIC must declare a state of cybersecurity emergency and audit all data exfiltration points within its internal networks. 🔑 Financial System Alert: Banks and credit unions in Ecuador must enhance their identity verification protocols, exercising caution regarding validations based solely on photos of national ID cards. 
Monitor: analyzer.vecert.io #CyberSecurity #Ecuador #DIGERCIC #DataBreach #L4TAMFUCKERS #RegistroCivil #Identity #PII #VECERT #InfoSec 🇪🇨🛡️⚠️🚨👤

nicoserranop.eth retweeted
PSE @PrivacyEthereum
1/Introducing ACTA: Anonymous Credentials for Trustless Agents. A composable privacy layer above ERC-8004 so agents can prove: personhood, reputation, model provenance, user jurisdiction, and more — without publishing the interaction graph. 🧵 ethresear.ch/t/anonymous-cr…
nicoserranop.eth retweeted
INTMAX main @intmaxIO
Pool-based privacy has a known failure mode: heuristic deanonymization gets better the longer the pool runs. A May 2025 paper trained a deanonymization model on Tornado Cash with just 10 labeled examples. It correctly linked mixing transactions to their source ~97% of the time.
nicoserranop.eth retweeted
Tay 💖 @tayvano_
Thorchain cofounder says they are launching XMR and it’s going to be great and everyone’s going to make fuckloads on from fees because bad actors are going to funnel stolen money to XMR and back via Thorchain. Someone please get these fucking retards a lawyer.