Bitcoin.Review Podcast with NVK & Guests

BR093 - ECDSA Key Extraction, ESP32 Security Concerns, COLDCARD, Cove Wallet, Krux, Nunchuk, Invalid Mining Jobs, Javascript Injection Attack, CTV Back on the table? + MORE ft. Rob & Vivek

Mar 13, 2025

In this conversation with Rob Hamilton, a Bitcoin security expert from Anchor Watch, the focus is on vital issues in cryptocurrency security. They dive into ECDSA vulnerabilities and the importance of robust cryptographic practices. Rob and host Vivek discuss hardware wallet security, particularly regarding ESP32 technology. The duo also covers advancements in wallet policies and the significance of user-friendly security measures. Additionally, they explore the evolving landscape of Bitcoin mining technologies and the growing sophistication of cybersecurity threats.

01:28:17

Creator website

Episode guests

Rob Hamilton

AI Summary

AI Chapters

Episode notes

Podcast summary created with Snipd AI

Quick takeaways

A serious vulnerability in JavaScript cryptographic libraries can lead to ECDSA private key extraction, underscoring the importance of using well-reviewed libraries for security.

Significant security weaknesses in the ESP32 platform highlight the risks of using undocumented features in hardware wallets, stressing the need for stringent security measures.

The complexity of multi-signature wallets necessitates effective key management and the use of simplified expressions to enhance user experience while ensuring security.

Deep dives

Vulnerability in JavaScript Libraries

A serious vulnerability regarding ECDSA private key extraction was identified in a JavaScript cryptographic library. This flaw arose because the library accepted hex strings as input without proper type validation, leading to potential security breaches. The discussion highlights the risks associated with using non-standard libraries in critical applications, particularly in the context of blockchain technology where security is paramount. Alternatively, using well-reviewed and open-source libraries, such as those in Bitcoin Core, is emphasized as a necessary practice to mitigate such risks.

Intro

3min

Cryptography Security Challenges

21min

Advancements and Debates in Bitcoin Technology

18min

Enhancing Crypto Wallet Security

23min

Bitcoin Key Innovations and Security Insights

11min

Exploring Cybersecurity Vulnerabilities in Cryptocurrency and Software

6min

Innovations in Bitcoin Mining and Noster Technology

4min

Community Engagement and Exciting Bitcoin Innovations

3min

I'm joined by guests Rob Hamilton & Vivek to go through the list.

Housekeeping
(00:01:18) Unleashed.chat rebrands to dataMachine

Urgent Vulnerability Disclosures
(00:01:52) Private key leak via malformed ECDSA input
(00:09:12) ESP32 Security Concerns
(00:21:32) Coinos revokes NWC connection secrets

Vivek's Corner
(00:22:51) Invalid mining jobs by AntPool & friends during forks

Bitcoin
• Software Releases & Project Updates
(00:37:44) COLDCARD
(00:52:47) Sparrow Wallet
(00:54:33) Lark
(00:55:03) Krux
(00:56:37) Cove Wallet
(00:59:09) Nunchuk Desktop
(01:00:32) BTCPayServer
(01:00:44) Bitcoin Keeper
(01:01:25) BlueWallet
(01:02:08) Bitcoin Safe
(01:03:15) Bitkey App
(01:04:05) libwally-core
(01:06:00) Bisq2
(01:06:04) RoboSats
(01:06:08) Boltz Exchange
(01:06:10) Zaprite
(01:06:13) Blockstream Explorer API
(01:07:22) Mempal
(01:07:29) Iris Wallet desktop
(01:07:31) Utreexo
(01:07:34) ESP Miner

• Project Spotlight
(01:07:38) Reorg Calculator
(01:07:51) Bitcoin Core Config Generator
(01:09:05) Bitcoin Core Snapshots
(01:09:11) Boot Protocol
(01:09:18) multisig-backup
(01:09:58) Wallet backup
(01:10:04) regtest-in-a-pod

Vulnerability Disclosures
(01:11:56) JavaScript injection attack
(01:15:05) Malicious PyPI package 'set-utils' steals Ethereum private keys
(01:16:57) OpenSSH vulnerabilities expose clients and servers to attacks
(01:17:05) USB side-channel attacks
(01:17:37) Cellebrite
(01:17:49) Messengers vulnerabilities
(01:17:56) GitVenom
(01:18:10) Stablecoin payment firm Infini loses $50M in exploit
(01:18:18) Five dollar wrench attacks
Audience Questions
(01:20:00) Comment on a flaw in Bitcoin Core regarding mining pools and their vulnerability against block withholding attacks

Nostr
• Project spotlight
(01:22:32) 24242.io
(01:22:49) nostr.media
(01:22:58) Frostr
(01:23:33) nostr-double-ratchet
(01:23:44) DVMCP
(01:23:53) Samiz
(01:24:00) Welshman
(01:24:09) Norma
(01:24:20) Wallet Relay
(01:24:27) Nostr0
(01:24:35) nAuth Protocol
(01:24:43) Hostr

Boosts
(01:25:36) Shoutout to top boosters @sean, @pink monkey, @Anonymous, @martinbarilik, @Momo Tahmasbi & @jespada.

Links & Contacts:
Website: https://bitcoin.review/
Substack: https://substack.bitcoin.review/
Twitter: https://twitter.com/bitcoinreviewhq
NVK Twitter: https://twitter.com/nvk
Telegram: https://t.me/BitcoinReviewPod
Email: producer@coinkite.com
Nostr & LN: ⚡nvk@nvk.org (not an email!)
Full show notes: https://bitcoin.review/podcast/episode-93

Remember Everything You Learn from Podcasts

Save insights instantly, chat with episodes, and build lasting knowledge - all powered by AI.

Bitcoin.Review Podcast with NVK & Guests

BR093 - ECDSA Key Extraction, ESP32 Security Concerns, COLDCARD, Cove Wallet, Krux, Nunchuk, Invalid Mining Jobs, Javascript Injection Attack, CTV Back on the table? + MORE ft. Rob & Vivek

Episode guests

Podcast summary created with Snipd AI

Quick takeaways

Deep dives

Vulnerability in JavaScript Libraries

Security Concerns with ESP32

Discussion on Multi-Signature Security

Innovation in Hardware Wallets

The Future of Bitcoin Mining and Decentralization

Remember Everything You Learn from Podcasts