👨🏻‍💻 Is Ledger Safe?

$12B stETH Withdrawals(?) | $6B Layer 1 Bug


Good Morning,

It has been an eventful week for crypto. Ledger faces a massive backlash thanks to its new wallet recovery feature. Lido, the largest DeFi protocol, finally enables its stETH token to be withdrawn — there is currently $12 billion of stETH in the protocol.

In Today's Email:

  • What Matters: Ledger faces criticism 😠

  • Case Study: $6 billion Move L1 bug 🔒

  • Governance & Features: $12B stETH available for withdrawal 🤔

Narratives: Still on Lido, pay attention to stETH market dynamics. Also, Axie will launch its mobile app on the Apple Store. This might re-catalyze interest in GameFi.

WHAT MATTERS

Ledger Faces Criticism

State of play: Crypto hardware wallet manufacturer Ledger faces backlash after launching its new wallet recovery feature.

  • The new feature enables users to recover their seed phrases — to achieve this, Ledger shares an encrypted version of the users’ private keys with 3 companies: Ledger, Coincover, and EscrowTech.

  • Ledger claims that there’s no backdoor or security vulnerability, and that the feature is completely optional for users that desire a backup mechanism.

  • Critics said the core issue is that Ledger has enabled APIs that let the enclave send encrypted key shards to third parties at all, which should never be possible under any circumstances.

Dan from Paradigm VC summarized the issue perfectly.

Simply put, Ledger has broken the number one hardware wallet security assumption.

The devices should have no API to expose the seed phrase.

Ledger has also shown poor crisis management.

Why it matters: If Ledger can recover your seed phrase, it would be able to do the same thing when asked by the government, when insiders collude, or when its infrastructure gets hacked.

For builders and investors: If you’re above a certain capital threshold, there’s no reason to self-custody your crypto assets. Specialist custody firms exist for a reason. Do your diligence and engage their services accordingly.

  • Treat them like a bank. Spread your risks across multiple companies and create an infrastructure that enables you to trade or run payroll in the most efficient (yet secure) manner.


CASE STUDY

Move Billion Dollar Vulnerability

Original thread by Zellic.

State of play: Zellic, a blockchain security and audits firm, has identified and fixed a critical vulnerability affecting all Move-language based L1s, including Aptos and Sui.

Mysten Labs, the founder of the Sui blockchain, engaged Zellic to conduct a pre-launch review.

  • Zellic discovered a multiple mutable references bug that would allow hackers to completely break the Move language and virtual machine.

  • For instance, hackers can drain a coin they no longer own and not repay a flash loan.

  • This critical bug was silently fixed on March 30th, 2023 by Aptos and other Move-based platforms.

The full explanation, which is too long for this newsletter, is available here.

The two most high-profile L1 blockchains that recently launched, Aptos and Sui, both use the Move language.

Combined, both chains have a total valuation of $6 billion; the bug would’ve affected both chains and their dApp ecosystems.

Our take: Building smart contracts is hard. L1 blockchains should not “move fast and break things”, as the code is immutable and the products themselves directly handle real capital owned by the users.


INSIGHTS

Institutional Traders Sentiment

Avi Felman of GoldenTree ($47B AUM) and Jonah Van Bourg of Cumberland (part of DRW, one of the world’s top 5 largest trading firms) have a podcast called 1000x where they talk about the crypto markets.

Here’s a summary of the latest episode from May 12th. Credits to @Hundert1000.

  • In the case of a US default, BTC price will most likely soar to $30,000 - $35,000.

  • Every additional bank failure means less stimulus for the market. However, it might also be bullish as the Fed will be forced to print money.

  • EIP-1559, which makes ETH deflationary, is attractive for institutional capital.

FEATURES & GOVERNANCE UPDATE

Lido Enables stETH Withdrawals

The largest liquid staking protocol (and the largest protocol in all of DeFi) by TVL has enabled withdrawals. Lido has $12 billion+ in TVL, primarily consisting of stETH. After the V2 upgrade, owners of that stETH can finally withdraw their tokens.

  • Lido has 448,000 ETH as a buffer to support a smooth withdrawal process.

  • 97% of the withdrawal requests came from Celsius, amounting to 428,083 stETH, worth ~$632M.

  • Further details about the stETH withdrawal process can be seen here.

Why it matters: A huge supply of ETH (that was previously locked) will hit the open market. It remains to be seen whether the owners of those funds will sell their ETH, and/or move it to a different staking provider.

Other notable feature updates:

QUICK BITES

  • Ledger faces criticism over wallet recovery service.

  • Coinbase expands Singapore services.

  • Axie Infinity to launch on Apple Store in SEA and LatAm.

  • SEC responds to Coinbase’s lawsuit, calls it baseless.

  • DOJ promises to crack down on illicit behavior on crypto exchanges.

  • SEC can’t seal documents related to Hinman’s Ethereum speech.

  • UK considers regulating crypto trading like gambling.

  • Anchorage brings snapshot voting for institutional clients.

  • US Prosecutors drop charges against early ETH adviser.

MEME & NOTEWORTHY READS

  • Luca Prosperi’s read on Tether reserves.

  • @RunnerXBT’s thread on FTX 2.0

  • Ryan Selkis’ thread on what to do as crypto leaders.


Disclaimer: All the information presented in this publication and its affiliates is strictly for educational purposes only. It should not be construed or taken as financial, legal, investment, or any other form of advice.