Vac 2025/09/01

highlights

  • TKE: all TKE-related docs and specs were approved by Nomos team
  • QA: Waku RLN contract edge-case tests expanded with reentrancy protection fix in progress.
  • QA: Waku REST API interop tests merged; rendezvous tests blocked pending infra fixes.
  • QA: Waku Lite protocol testing started using Zoltan’s scripts for Store protocol.
  • QA: Nim-libp2p rendezvous tests refactored and fixed pagination issue.
  • QA: Status E2E desktop tests now working on Windows locally; CI support ongoing.
  • QA: Working on extending Status Mobile framework with accessibility hooks and seed phrase tests.
  • DST: Started working on a libp2p cross implementation repository
  • SC: Uncovered and fixed a bunch of security vulnerabilities in StakeVault
  • ACZ: Announced MLS RFC on X
  • ACZ: Released the SN RLN prover benchmark doc regarding prover repo
  • RFC: Completed the first draft of qaku rfc
  • NES: Finished research Sprint 2 and already started Sprint 3.

vac:p2p:

  • ift:2025q3-nimlibp2p-mix:mix-core
    • mix#78 feat: replies (SURBs)
    • mix#79 fix: dont use global variables
    • WIP:
      • benchmark metrics for DST (requested by @Akshaya to take priority over other mix tasks)
      • cleanup reply table for cases in which reply never arrives
  • ift:2025q3-nimlibp2p-maintenance:maintenance
    • nim-libp2p#1645 fix: dont send GoAway for unknown streams and mark streams as closed on conn close
      • Issue reported by @Ivansete: streams were not being marked as closed on disconnect
      • I noticed that a GoAway was being sent once streams were being closed, causing other active streams to be dropped as well
    • nim-libp2p#1647 chore: temporarily disable performance plots from being published
      • Issue reported by @arnetheduck: libp2p repository exceeded 500mb
      • I’ll ask Infra to set up some storage where we could push the performance reports
  • ift:2025q3-nimlibp2p-maintenance:maintenance
    • more QUIC refactoring and improvements
      • stream states improvements nim-quic#107
      • refactor(streamstate): more consistent actions when entering states nim-quic#110
      • chore(streamstate): add switch and write to BaseStreamState nim-quic#112
      • chore: unused imports as errors nim-quic#111
    • resolved issues related to read() occasionally locking nim-libp2p#1636
  • ift:2025q3-nimlibp2p-autonatv2
  • ift:2025q3-nimlibp2p-autonatv2:client
    • Send DialRequest
    • Receive DialDataRequest
    • Send DialDataResponses
    • Receive DialResponse
  • ift:2025q3-nimlibp2p-autonatv2:server
    • Receive DialRequest
    • Send DialResponse
    • Amplification attack mitigation
      • Check observed IP address against chosen IP address
      • Send DialDataRequest
      • Receive DialDataResponses until requirement is met
    • Send DialBack & get DialBackResponse
    • Send DialResponse
    • Fixed a DialDataResponse bug where the server was not receiving messages from the client
  • admin/misc
    • Helped run Nescience interview for Senior Rust Engineer role
    • Close some older PRs and non-relevant issues (still a lot to go, tho)
    • Assist in queries related to circuit-relay behavior on waku

vac:tke:

  • admin/misc
    • wrote down the team’s monthly report of deliverables
  • ift:logos-token::logos-strategy
    • addressed team feedback about ecosystem incentivization doc
    • ad-hoc research
  • nomos:stress-test::review-pos-sims
    • reviewed the state of our PoS simulation
  • nomos:stress-test::review-nomos-da
    • addressed a few outstanding comments from Alvaro
  • waku:services-incentive
    • finalized reviewing the Service Incentivisation MVP
    • continuing research
  • status:karma-incentives
    • closely follow the Karma “emergency fix” and discussion around Karma distribution periods
    • fixing bugs in staking demo app
  • ift:tokenomics-research-forum::grantico
    • continuing work in spare time
  • status:cf
    • Work with Matt on GTM
    • Finished scraper for product research
  • ift:tokenomics-research-forum::control
    • Kept pushing research on Control Problem
    • Reviewed and attended research call
  • ift:tokenomics-research-forum::token-valuation
    • finalized the report
    • presented the work at our Research Call

vac:qa:

vac:dst:

  • admin/misc
    • Review candidates for DST position
    • Got flights to Budapest and informed Pops
    • Call with Codex
      • Discussed differences between both frameworks, and approaches that could be taken
      • Created notion document for next steps on the framework
    • Machine for AZC
      • Github PR
      • Coordinate with Nescience to use this machine next week
    • Went over the deployment code and open PRs
    • Track and participate in gossipsub metrics spec draft
  • status:2025q3-status-go-chat-protocol-benchmarks:delay-and-store
    • TODO notion document
    • Call with Waku to investigate waku connections
      • Peers were missing in admin endpoint. Missing information was fixed in nwaku v0.36
      • Confirmed that peers added through staticnode argument are not exposed to be discovered even if they have discv5 enabled.
  • vac:2025q3-libp2p-evaluation:mix-re-evaluation
    • Github commit: pwhite/dst-changes-build-fix
      • Fix for building Docker image
    • Github PR: mix node deployment changes
    • Still seeing violations where the first message is seen in the network from a non-exit node (normal gossipsub instead of mixnet route).
    • Still seeing a discrepancy in delay with 0 delay 0 jitter for mixnet nodes. Some plots where message delay is less than zero.
    • Gathering data sometimes seems to fail.
  • ift:2025q3-dst-tooling:general-tooling
    • Deployment - Workflow
      • Made some comments on this. Good discussion going.
      • Tried full workflow with mixnet where the analysis script automatically grabs the parameters from experiment output.
  • ift:2025q3-dst-tooling:shadow-integration-scaffold
    • Completed shadow integration for nim-libp2p, new repo created
      • Shadow test runs with both, docker executable and build method
      • Prometheus metrics were failing for large networks with metrics/httpclient.
      • Prometheus metrics working fine with curl and staggering (slightly increases simulation time)
      • The run script allows using custom configurations

vac:sc:

vac:acz:

  • ift:2025q3-de-mls-tesnet:consensus-layer
    • Fully finished real voting, fixed some issues around removing user, added docs for part of the functionality PR
  • ift:2025q3-libp2p-mix-testnet:update-rfc
  • ift:2025q3-gossipsub-relay-rfc:relay-rfc
    • Completed the GossipSub Relay Protocol RFC PR #178.
  • ift:2025q3-zerokit:libp2p-mix-repo
    • Reviewed PRs #78 and #79.
    • Discussed limitations of exit ≠ destination with P2P team.
    • Documented detailed comparison between exit == destination and exit ≠ destination in the Notion Page.
    • Aligned with team to proceed with exit ≠ destination in both RFC and implementation, with security implications captured in Mix RFC.
    • Synced with P2P team on implementing logging on the latest branch for benchmarking.
  • ift:2025q2-zerokit:zerokit-maintaining
  • ift:2025q3-rln-status-l2:stress-test
  • nes:2025q3-nescience-consulting:dex-research
  • ift:2025q3-rln-status-l2:rln-spec-maintain
  • ift:2025q3-rln-status-l2:maintaining
  • ift:2025q3-de-mls-tesnet:multi-steward-rfc
    • Worked on steward rotation by extracting requirements such as how to determine steward list and todos on malicious steward.
  • ift:2025q3-de-mls-tesnet:consensus-rfc
    • Applied feedbacks PR, on final review.
  • nes:2025q3-nescience-consulting:privacy-projects-analysis
    • Review privacy projects vs NSSA document
    • Worked on privacy projects vs NSSA document.
  • admin/misc
    • Review RLN think-tank doc
    • Look into zk-creds paper for Waku research team credential requirements.
    • Responded to Waku’s question about Fractional message transfer
    • Provided feedback on FURPs: SN RLN and Zerokit. Due to this, added a question to SN RLN document
    • Nescience review (for peer programming interview)

vac:rfc:

  • codex:2025q3-rfc-iteration
    • Started work on rfc for codex DHT
  • waku:2025q3-rfc-iteration:qaku
  • admin/misc
    • OOO: 5 cc Day

vac:sec:

  • ift:2025q3-wallet-policy-update:write-and-review-new-version
    • Tested signing requests and add new signatory procedures
    • Pending final review with Finance
  • ift:2025q3-awareness-program:web3-security-essentials
    • Shared web3 news about crime, phishing, malware, hacks and IoC with Finance (Weekly Update)
    • Continued working on the integration with n8n
  • ift:2025q3-multisig-secondary-interface-deployment:write-guides-and-best-practices
    • Continued writing the guidelines to use Onchain Den when required
  • ift:2025q3-wallet-policy-update:backup-and-recovery-policies
    • Started updating/creating backup and recovery policies and processes
  • ift:2025q3-cicd-security-review:status-design-reviews
    • Completed secure code review on Status browser and messaging PRs, focusing on encryption, IPC, and storage access
    • Manually tested wallet PRs for insecure key handling and authentication bypass risks
    • Reviewed CI/CD pipeline configurations for hardcoded secrets and improper access controls
    • Validated recently merged fixes through diff-based code review to confirm vulnerabilities were resolved
  • ift:2025q3-vulma-and-ir:incidents
    • Reproduced SNT phishing attack flow in a controlled test environment to validate threat scenarios
    • Performed log-based hunts for suspicious wallet activity linked to phishing indicators
    • Investigated new bug bounty submissions and validated PoCs against staging
    • Verified IR alerting pipeline by simulating phishing indicators across test accounts
  • ift:2025q3-vulma-and-ir:remediation-tracking
    • Manually validated 5 high-severity CodeQL findings, confirming impact through code path analysis
    • Reviewed and tested PRs addressing unresolved Dependabot alerts, confirming upgrades locally
    • Cross-checked static analysis findings with runtime logs to assess exploitability
    • Coordinated with repo owners to close several high/medium security issues via patch review and testing
  • ift:2025q3-iam-operations:remove-unnecessary-users
    • Refactor logic for identifying Inactive CCs in Notion, Github, Google, Discord
      • due to Blocker, add a page of Inactive CCs in Notion
      • manually run and update Inactive CCs in Notion daily
      • all user management processes will refer to the Inactive CCs Notion page
  • ift:2025q3-security-automation
    • Finalized new version of privacy news alert
  • ift:2025q3-security-automation:automatic-wallet-index-updates
    • Started python script inclusion, dependence on Python n8n docker
  • ift:2025q3-finance-automation
    • Pending approval from Finance
    • Deploy to prod pending the ending of payments for August
  • admin/misc
    • Interviewed a candidate for the App Sec Engineer position. Moved forward to next stage

vac:nes:

  • 2025q3:state-separation-architecture-poc:fee

    • Finished a first draft on fee mechanism.
  • 2025q3:state-separation-architecture-poc:specs-impl

    • Looked into alternatives to solve the encryption issue inside R0.
    • Updated PR 101 on wallet CLI
    • Started PR 105 on sequencer specs implementation
    • Investigated performance of Diffie-Hellman shared secret derivation inside a risc0 guest program. Couldn’t find a feasible alternative and refactored the testnet code to leave that part out in NSSA v0.1
    • Added tests, polished the code and marked PR 103 for review.

vac:nim:

  • ift:2025q1-nimble
    • Adds support for some when expressions in the declarative parser. (https://github.com/nim-lang/nimble/pull/1457)
      • Adds support for some when expressions in the declarative parser.
      • Uses StringTableRef to hold the defines
    • WIP Support for filepath in requires (https://github.com/nim-lang/nimble/pull/1452)
      • Reverts “patch” feature
      • Builds a filepath package graph
      • Prevent deps not pulled from file:// to have filepath requires
      • Adds test case “should not allow filepath deps in a top level package that is not being in development”
      • Adds support for “requires” file. When present will parse the requires and add it to the main nimble file.
      • Skips root validation
      • allows to lock filepaths packages
  • ift:2025q3-nim-core-libs:nim-cbor-serialization