
Nanak Nihal Khalsa
@NanakNihal
Followers: 842 | Following: 3K | Media: 54 | Statuses: 1K
Protocol Architecture | Security | ZK | Occasional Posts About Neuroscience. Founder @0xHolonym building tools for privacy, civic infrastructure, & onboarding
Joined November 2021
@xkcd the real question is do you go the path that minimizes walking or try to predict where the passenger street crossing signs will be in your favor to minimize wait time.
1
0
158
There is a name for this and it’s BLIND SIGNING. Please please please stop using hardware wallets and multisigs and thinking you are safe. Here’s how it happened and most importantly how to prevent it:
Bybit detected unauthorized activity involving one of our ETH cold wallets. The incident occurred when our ETH multisig cold wallet executed a transfer to our warm wallet. Unfortunately, this transaction was manipulated through a sophisticated attack that masked the signing.
9
7
62
I found a way to copy private keys from Friend Tech with two user clicks, making it as easy as prompting to paste to steal wallets. @friendtech and @privy_io teams fixed it in hours. FT gave a bounty despite not having a bounty program. Major kudos for taking security seriously!
13
10
56
fighting for privacy with @0xHolonym team at the @0xbowio event. the privacy / compliance protocols seem to really like knife fighting. GG @jhscheufen @ameensol. Fuck North Korea
5
3
39
I am thrilled to announce that we have raised $5.5 million to build human keys.
1/ Big news! Holonym Foundation has secured $5.5M in seed funding to advance global digital personhood through Human Keys. Led by @FinalityCap & @Papervc and .
5
1
33
@Bybit_Official This type of attack is called blind signing and is increasingly common. Here is how to prevent it.
There is a name for this and it’s BLIND SIGNING. Please please please stop using hardware wallets and multisigs and thinking you are safe. Here’s how it happened and most importantly how to prevent it:
0
0
11
FYI: the @magic_labs team still hasn't paid me three months after I disclosed a critical vulnerability which saved their users millions of dollars in their official bounty program. They even publicly bragged they fixed it, yet are ghosting me. How can we hold them accountable?
3
8
28
Ranking Bangkok side events for coolness based on how willing attendees were to get our temporary tattoos: 1. @FundingCommons clear winner. tattoos, tramp stamps everywhere, no fear to represent bringing digital human rights to everyone through cryptography.
5
3
27
We haven’t spoken loudly about our metrics because we haven’t felt a huge need. But when worldcoin thinks they’re bigger than you, I think it’s time to clarify:
@NanakNihal @Rahul__Ghangas @HumnPassport I mean you can, but it's always a question of how many people use that solution or provide a good app experience using that tool. Nothing comes close to the distribution and UX of World App and World ID.
1
5
28
DO NOT BUY THIS COIN. This is without a doubt one of the most supremely evil people in the world. First reason not to buy, he and his government are sanctioned. More reasons:
The Government of Myanmar will launch the first national coin today at 8:00 AM UTC. We welcome all to participate in this historic step of Myanmar's digital economy.
3
4
25
Here are two critical vulnerabilities I found in Magic Link to steal users’ entire wallet balances. They’ve been publicly implying these didn’t exist and never paying me for a bug bounty. After months of waiting, @magic_labs finished fixing them yesterday so I can now share 🧵.
3
6
23
We’re literally the biggest now by most metrics. And no eyeball scanners (though I love the excellent research for privacy technology worldcoin has done). Still feels like day 1 at @0xHolonym.
3
2
22
@LefterisJP @Bybit_Official @pcaversaccio You should probably use more than just that tool. Verification is great but not if device is compromised. You need separate device just for signing, ideally with Qubes or if not something like Windows secure sandbox mode.
2
0
1
Vitalik is right on 99% of everything he says. Which is why it’s so surprising he would have maximalist opinions like this about MPC vs. AA. I think most ppl knowledgeable about AA and MPC would not hesitate to disagree with him here.
@yugacohler MPC-based EOAs are fundamentally flawed because they cannot revoke keys (and no, re-sharing doesn't count; the old holders can still recover the key). Smart contract wallets are the only option.
1
1
15
So happy to have this absolute legend on our team now @0xHolonym!
What once started as an internal project to prevent Sybil attacks in the @gitcoin Grants program, has now evolved into one of the largest user generated identity credential solutions in web3. So excited to be joining Holonym to further sovereign digital identity. Learn more.
0
1
14
Here’s the issue. Everyone says best practice is “use a multisig”, “use hardware wallets”, etc. Yet we have seen two high profile attacks in recent years following them. What is wrong with these ideas, and what should we do instead?
this level of attack is really scary. to my knowledge, the compromised signers have followed the best practices. they also used different combinations of os, software and hardware wallets, as well as simulated every transaction. where do we go from here? magical amulets?
1
3
14
It was great speaking with @tomerweller @marek_ and @lucycoulden about how crypto not only can be but *is* used to provide access to digital rights and prosperity. Even in our space, most people don’t know that crypto already is super useful beyond speculation. Thanks for.
The Human Algorithm: Building the Soul of Crypto
- @tomerweller from @StellarOrg
- @NanakNihal from @0xHolonym
- @marek_ from @Celo
- @lucycoulden from @Polkadot
How do we ensure technology serves human flourishing? Full video below 🧵
0
0
14
Culture shapes technology. More important than building tech is building culture.
"We need a refresh of the culture around technology: something transcultural, rooted in our shared humanity." In our open conversation with by @0xHolonym, @hebbianloop and @NanakNihal explored how to build privacy-first infrastructure that centers people.
1
1
14
This is an incredible improvement. The asynchronicity, weighted shares, and permissionless joining and exiting make it way more robust and practical.
1/ Introducing 2PC-MPC V2. We’ve introduced significant improvements to the 2PC-MPC framework, which now supports not only threshold ECDSA but also Schnorr (and EdDSA) signatures. This thread details what has changed compared to the previous version.
0
3
13
Again, thanks @friendtech and @privy_io for having a quick response, and FT for awarding a bounty despite not having a bounty program. This encourages whitehats. As frontends are controlling wallets now, it's not just smart contracts where this type of security mindset is needed.
0
0
12
Yes, ZK can actually make consumer lives easier and safer.
0
1
13
the goat @Muzzamil_01 at a rare time he needs to eat instead of constantly shipping @silkysignon
0
1
10
See you, let’s talk about 2PC-MPC.
Gentle reminder tonight I will host a space with as guest speaker, @NanakNihal from the @0xHolonym team. Nightly at 8PM US Central time. They've been building on @ikadotxyz. Go check them out and get your questions ready to be asked.
2
2
11
In our space it’s rare to find organizations where everyone cares about building meaningful technology. Funding the Commons is one of the few spaces where people come together to focus on crypto for good. It’s easily the top quality event in crypto.
Identity shouldn’t be a barrier to financial access or basic rights. @hebbianloop and @NanakNihal, the co-founder of by @0xHolonym, explore how zero-knowledge identity proofs are securing privacy and autonomy where institutions fail.
0
0
10
For what itβs worth: we have never experienced any request or pressure from the to send the @eigenlayer team tokens. They have been professional in every interaction with them.
2
0
10
Also big thanks to @samczsun and the Paradigm team for helping coordinate everything so quickly.
1
0
8
we are proud to be building privacy preserving civic infrastructure @0xHolonym. This is one of many uses cryptography can have in real life.
0
0
8
We started this as a hackathon project. Really cool to see our relayer is now often #1 gas spender on @Optimism, and we're grateful to be part of this ecosystem that values public goods funding.
where’s Holonym? hint: we’re just a hop over . thanks to OP badge holders for voting us #155/643. ZK verifications place us as one of the largest gas guzzlers on OP. These fees go straight back to public goods.
1
0
9
@DCbuild3r @Rahul__Ghangas @HumnPassport dude you need an orb to verify and it’s broken half the time, wdym nothing comes close to your UX? And ppl refuse to use an orb bc they feel like it’s selling the windows of their soul to our AI overlord. Not ideal UX. With passport you only need a browser, no orbs. We have.
1
0
8
What the fuck @magic_labs
- has bounty program of $3k max
- critical bug that can steal whole wallet
- pays $1k and refuses to create a timeline to fix it
- another report of same severity
- ignores it after I mention it ~8x
- fixes, brags about fix, never pays, ghosts
- posts:
At Magic, we prioritize product security through proactive measures and collaboration with ethical hackers via @Hacker0x01. Our goal? Strengthen security and safeguard user data & digital assets through community-driven bug bounties. #BugBounty.
0
2
8
Highly recommend longhash accelerator for any early stage founder!
Excited to share that @0xHolonym, an alumnus of LongHashX Accelerator Cohort 9, has closed their seed round! It's been incredible to have worked closely with @NanakNihal, @hebbianloop and the rest of the team through - . • Weekly problem-solving sessions with a dedicated.
1
1
8
So what should you do? There are two answers. One option is use a dedicated device and OS (e.g. Qubes, tails, grapheneOS). The other is use 2PC (such as @silkysignon or @ZenGo) where even if your device is compromised tx sim is done remotely as well.
1
0
8
I love this spicy tweet. Have always wanted a wallet security ranking, so I will check it out. sad for the victim, tweets like this will fix it in the long term.
IT IS WEB3 WALLET'S FAULT. We believe many wallets are phishing traps putting users at risk. Since we can't prove who's behind them, we've created an objective Wallet Security Ranking to help protect everyone.
0
1
7
What To Do? Ask @magic_link and companies in general to change their culture around security, including fixing bugs *before* they are taken to the public, not leaving security researchers unpaid, and being transparent about vulnerability+audit reports ;).
0
0
7
the first decentralized oblivious pseudorandom function!
Big news here: @0xHolonym's Mishti Network is now live on @symbioticfi. This collaboration marks a major step forward in decentralizing and fortifying Human Key Infrastructure to harden natural digital rights through crypto-economic security.
0
0
7
Thanks @Lightshift_xyz for the awesome article and being a stellar investor in @0xHolonym.
🧵 Identity is broken. Centralized systems expose users to risks and security breaches. Learn how @0xHolonym is changing this, building a decentralized identity framework that puts users back in control of their data.
1
0
6
@basedkarbon bro she literally shot the attacker and you’re saying women have bad opsec. women are statistically more risk-averse in many ways such as finances. this is a wrong take.
2
0
6
Here is a reminder *multisigs aren’t necessarily safe even with hardware wallets*. It’s a tragedy their customers’ funds were lost. The only thing good that can come out of it as an opsec lesson nobody seems to know…
WazirX hacked for over $230m USD (2,000 cr INR). Their safe multisig was compromised and drained. The hackers started practicing the hack onchain at least 8 days ago and finally executed it today. It's a very methodical and organized attack, pointing towards DPRK as the hacker.
2
1
7