The bittensor protocol has made several staking changes over time.

• https://github.com/opentensor/subtensor/pull/2218: New KeepSubnets setting to be specific about which subnets one wants to set to Keep and which to Swap.
• https://github.com/opentensor/subtensor/pull/2282: Default change to Keep and requiring one to manually change to Swap if desired (Spec 352).
• https://github.com/opentensor/subtensor/pull/2053: Manual vs. Auto-sell.

As these changes have rolled-out, it has become increasingly important to double-check specific setting(s) to make sure it matches intent. Mainly: are key(s) set to Keep or Swap as desired?

In that vein, check out this small site: https://taokeeporswap.com

Input an address and check the most recently published claim type.

This is not meant to be expansive or complex - just a simple tool that the community can try as it desires.

One can already do this today with PolkadotJS or the btcli of course, but those both require somewhat specialized knowledge.

If working on these types of networks and utilities is interesting to you, check out our current open positions here.

By Joel Nordell, Lead Accounting Engineer

At Unit 410, we’re obsessed with building a complete and accurate picture of on-chain accounting activity for our clients. This mission requires us to translate the raw, cryptic data from the Ethereum Virtual Machine (EVM) into a clear accounting narrative. To provide meaningful support, we need to understand the function calls (traces) and events (logs) emitted by smart contracts. The traditional approach to this problem relies on Application Binary Interfaces (ABIs), which are JSON files that describe a contract’s functions and events.

However, in my experience, relying on ABIs introduces a significant bottleneck. They aren’t always available, especially for new or closed-source contracts. Managing a large number of them is a complex task in itself, and an outdated ABI can be worse than no ABI at all. We needed a better way—a system that could decode EVM data universally and at scale.

This post explores how we built a robust and scalable decoding pipeline that does not depend on ABIs. I’ll walk through the basics of EVM data, the specific challenges that led us to this approach, and the innovative solutions we implemented to overcome them.

EVM Signatures 101: The Hashing Problem

To understand our approach, one first needs to understand how the EVM identifies functions and events. Every function and event in a smart contract has a “signature.” For a function, this is its name and argument types (e.g., transfer(address,uint256)). For an event, it’s the same pattern (e.g., Transfer(address,address,uint256)).

This signature text is then hashed using Keccak-256. It’s critical to understand that this is a one-way encoding; it is computationally impossible to reverse the hash to get the original signature. This is the foundational challenge of ABI-less decoding. Given the correct signature, we can decode the binary data, but how do we find the signature (without using an ABI) when all we have is a hash?

For Events: The full 32-byte hash is used as the first “topic” (topic0) of a log. Because the full hash is used, it is effectively unique for all practical purposes. A collision is theoretically possible, but so astronomically unlikely that we can reasonably treat it as a unique identifier.

For Functions: The process is different, and this is where the main problem arises. The Keccak-256 hash of the function signature is truncated to just the first 4 bytes. This 4-byte value is called the “function selector.” Because of this severe truncation, it is not a rare or theoretical problem for different function signatures to have the same selector—it’s a common, practical issue known as a “hash collision.”

This ambiguity is more than a data-parsing nuisance; it’s a security vulnerability. Malicious actors can deliberately craft contracts with function signatures that collide with common, legitimate ones (like transfer(address,uint256)). Their goal is to trick users and wallets into misinterpreting a malicious transaction as a benign one, a technique often used in phishing and other scams. A robust decoding system must be able to navigate this ambiguity to address these risks by providing a clear and accurate picture of what a transaction is truly doing.

Our Solution: A Centralized Signature Database

Since reversing the hashes is impossible, our approach is to build a massive, forward-looking lookup table. The heart of our system is a comprehensive database that maps these hashes back to their human-readable signatures. We work with an open-source database that has crowd-sourced millions of function and event signatures from the community. In addition to consulting this database to fill in the gaps whenever we can’t find a signature, we also regularly contribute back by submitting new signatures we discover through our own indexing efforts.

This database acts as our dictionary. When we encounter a function selector or an event topic hash, we query the database to find all known matching signatures. But what happens when multiple signatures produce the same hash? Let’s explore how we handle that in our decoding pipeline.

The Decoding Pipeline in Action

With our signature database in place, we can now process blocks in real-time. As our indexer ingests each new trace and log, it sends them through the following decoding pipeline.

A. Decoding Logs (Events): The Straightforward Case

For logs, the process is refreshingly straightforward, thanks to the full 32-byte topic hash. We extract the topic0 from the log, query our database, and get a single, unambiguous event signature.

Just as with traces, this signature is the crucial schema we need. It tells us the data types for both the indexed arguments (which are stored in the log’s other topics) and the non-indexed arguments (which are packed into the log’s data field). Using the signature as our guide, we can parse all the event’s parameters into a structured, human-readable format.

-- Simplified pseudo-code for our log decoding logic

FUNCTION DecodeLog(log):
  -- For logs, the topic hash is unique, so we expect only one signature
  IF log.signature is null THEN:
    RETURN error "No signature found for this log"
  END IF

  -- Decode the log's data and topics using the signature as a schema
  decoded_arguments, error = DecodeEvent(log.data, log.topics, log.signature)

  IF error is not null THEN:
    RETURN error "Failed to decode log"
  END IF

  RETURN decoded_arguments
END FUNCTION

B. Decoding Traces (Function Calls): The Real Challenge

When our indexer processes a trace (a function call), the first step is to extract the 4-byte selector from the calldata.

Because of the truncation-caused collisions, this selector is not a unique identifier. A query to our database for that selector might return multiple candidate signatures. So, why do we need the signature text?

This is the most important part of the process: the signature string, like transfer(address,uint256), is the essential “schema” or “guide” we need to parse the rest of the calldata. Without this guide, the calldata is just an opaque, meaningless blob of bytes. The signature tells us the exact data types (address, uint256) and the order of the arguments packed into that binary data.

Our resolution process is a multi-stage filter designed to find the single best match. We treat each candidate signature as a potential schema and attempt to parse the calldata.

First, we apply a “strict mode” check. A signature might successfully decode its required arguments but leave a trail of unused, extraneous bytes at the end of the calldata. This is a “sloppy” match. To prevent this, our strict mode performs a clever test: after a successful decode, it tries to decode the calldata again with the last few bytes truncated. If this second, shorter version also decodes successfully, it proves the original data had extra bytes. We discard these sloppy matches, as they don’t perfectly account for the entire calldata.

After filtering for only the most precise matches with strict mode, what if we still have multiple candidates? This is where our second layer of defense comes in: prioritization. We don’t treat all signatures equally. If multiple high-priority signatures still match, our system flags the transaction for human review to help ensure the highest level of accuracy.

This two-step process of strict validation followed by prioritization allows us to resolve collisions with a reasonably high degree of accuracy.

-- Simplified pseudo-code for DecodeCalldata, showing the strict mode check

FUNCTION DecodeCalldata(input_data, signature, strict_mode):
  -- First, try to decode the arguments from the input data
  decoded_arguments, error = UnpackArguments(input_data, signature)

  IF error is not null THEN:
    -- The data doesn't match the signature at all
    RETURN error
  END IF

  -- If we're in strict mode, we perform an extra check
  IF strict_mode is true THEN:
    -- Remove the last few bytes from the input data
    truncated_input = remove_last_bytes(input_data)

    -- Try to decode AGAIN with the truncated data.
    -- We call it non-strictly this time, as we only care if it succeeds at all.
    _, error = DecodeCalldata(truncated_input, signature, false)

    IF error is null THEN:
      -- If the SHORTER version also decodes, it means the original
      -- input had extra, unused data. This is a "sloppy" match.
      RETURN error "Strict mode failure: input data has extraneous bytes"
    END IF
  END IF

  -- If we get here, the decode was successful and passed the strict check
  RETURN decoded_arguments, null
END FUNCTION

-- Simplified pseudo-code for our trace decoding logic

FUNCTION DecodeTrace(trace):
  -- If we have multiple candidates, we must use strict mode
  use_strict_mode = (length of trace.signatures > 1)

  successful_decodes = []

  FOR EACH signature IN trace.signatures:
    -- Try to decode the trace's input data using the current signature
    decoded_arguments, error = DecodeCalldata(trace.input, signature, use_strict_mode)

    IF error is null THEN:
      -- If successful, add the result to our list of candidates
      result = new DecodeResult(signature, signature.priority, decoded_arguments)
      add result to successful_decodes
    END IF
  END FOR

  IF successful_decodes is empty THEN:
    RETURN error "Could not decode trace with any signature"
  END IF

  -- From our list of successful candidates, find the one with the highest priority
  best_match = FindHighestPriority(successful_decodes)

  RETURN best_match.arguments
END FUNCTION

Innovative Solutions for Complex Cases: Safe Wallet & Proxies

The power of this ABI-less approach is most apparent when dealing with the complexities of modern smart contracts, particularly proxy patterns. A great example is the Safe Wallet, a popular multi-signature wallet.

When a user interacts with a Safe, the top-level trace isn’t the true function call (e.g., a transfer), but rather a call to the Safe’s own execTransaction function. To a naive indexer, the real transaction is hidden inside the calldata of this outer function.

Our pipeline handles this recursively. When we successfully decode a call as execTransaction, we don’t stop there. We extract the internal transaction data from its arguments and feed that data right back into the start of the decoding pipeline. This allows us to unwrap the proxy call and decode the true underlying function, providing a high degree of confidence that a complete and accurate picture of the on-chain activity is captured.

Why Go ABI-less? The Advantages.

Building this system was a significant effort, but it provides powerful advantages:

• Universality: We can decode data from virtually any smart contract, whether it’s newly deployed, closed-source, or a complex proxy. As long as we can determine the correct signature, we don’t need to wait for an ABI.
• Scalability: The signature database is highly optimized, which promotes the ability to perform this decoding in real-time at a massive scale.
• Resilience: The system is self-contained. We are not dependent on external ABI sources, which can be a single point of failure.

Conclusion

Transforming opaque blockchain data into meaningful, structured information is a fascinating challenge. By moving away from a dependency on ABIs and instead tackling the decoding problem head-on with a comprehensive signature database, we’ve built a system that is more scalable, resilient, and complete than traditional approaches. It’s a journey from an opaque blob of bytes to meaningful, structured information, and it’s this kind of deep data work that allows us to provide industry-leading on-chain accounting data.

In blockchain validation, security is paramount. Berachain’s Proof-of-Liquidity consensus relies on validators actively directing protocol rewards, but managing these rewards previously required frequent use of the operator key, increasing the risk of costly compromises. In August 2025, Berachain introduced the ValRewardAllocator role, allowing validators to delegate reward allocation tasks to a separate key while keeping the primary operator key offline. This update, detailed in BRIP-0004, marks a significant step toward more secure validator operations.

What Changed: Secure Delegation for Reward Management

The ValRewardAllocator role separates the responsibility of managing BGT (Berachain Governance Token) allocations from the operator key. Previously, validators had to use their operator key for every adjustment to the Cutting Board mechanism. Now, a designated address can handle these updates, authorized by the operator but executed independently.

This new functionality is implemented in the BeraChef contract, which governs reward distribution 0x4fad86f3ef82478db6cdbe70c43e8dd38390dcac. The key function is:

function setValRewardAllocator(
    bytes calldata valPubkey,
    address rewardAllocator
)
    external
    onlyOperator(valPubkey)
{
    if (rewardAllocator == address(0)) {
        ZeroAddress.selector.revertWith();
    }
    valRewardAllocator[valPubkey] = rewardAllocator;
    emit ValRewardAllocatorSet(valPubkey, rewardAllocator);
}

This setValRewardAllocator function allows the operator to assign a reward allocator for a validator’s public key, protected by the onlyOperator modifier. Once set, the allocator manages reward adjustments without further operator key interaction.

Why This Matters: Mitigating Critical Risks

In Berachain, the operator key controls critical validator functions, but prior to the ValRewardAllocator role adjusting BGT allocations required signing with the operator key, increasing exposure risks. A compromised operator key could allow an attacker to:

• Replace the operator key with one under their control.
• Divert incentive rewards.
• Modify validator commission rates.
• Prevent recovery, as only the active operator key can authorize a replacement, forcing validators to exit entirely to regain control.

These vulnerabilities could result in digital asset losses and reputational damage. The ValRewardAllocator role addresses this by delegating reward allocation tasks to a separate key, significantly reducing the operator key’s exposure to potential risks.

Current Operator Key Management Practices

Without the ability to delegate the allocation function, operators had to balance efficiency with risk tolerance. This trade-off is evident in current practices, as shown by this Dune dashboard which provides insight into how different validators approach operator key management. The overwhelming majority of reward allocations appear to be validators with hot keys—private keys connected to the internet—running on scheduled services or cloud platforms, making them more vulnerable to attacks. Currently, 5 operator keys make up over 80% of daily reward allocation calls, with some exceeding 50 calls per day.

Looking deeper at the data, it appears two primary approaches exist:

1. Externally Owned Account (1:1): A single externally owned account (EOA) is tied to one validator public key. In a few observed cases, the operator key appears to be hot based on the frequency of reward allocation transactions. These setups often include recurring transfers of incentive rewards to secure assets, but the operator key remains online, increasing risk.

2. Smart Contract Operator (1: Many): Custom setups, such as Infrared, manage multiple validators by setting the operator address to a proxy contract. This contract enables a permissioned hot key to be set (0x3e08c3728a69ab3804af74f55f500ceedb342ac7) which is the only key that can call the QueueNewCuttingBoard function on the Infrared contract. The Infrared contract, which is set as the operator on multiple validators, then makes this call to the Berachef contract. This setup streamlines validator management, enforces strict access controls, and enables recovery if the hot key is compromised, while also supporting recurring asset sweeps. The ValRewardAllocator role now offers this functionality natively, eliminating the need for custom contract development.

The Opportunity: Security and Efficiency

The prevalence of operator hot keys underscores the need for safer practices. The ValRewardAllocator role presents a transformative opportunity for Berachain validators to enhance both security and efficiency. By delegating BGT allocation tasks to a separate key, validators can keep their operator key in secure cold storage, significantly reducing the risk of compromise while meeting the operational demands of frequent reward adjustments. With this update, validators can now adopt more secure practices without sacrificing efficiency, leveraging Berachain’s infrastructure to protect their assets and reputation.

Adoption Status: We’re Early

The ValRewardAllocator role, quietly introduced in August 2025, offers significant potential for enhancing validator security and efficiency, yet it remains untapped as validators take time to plan and implement this new feature. A Dune query tracking ValRewardsAllocatorSet events shows no transactions since launch as of this writing. This presents an opportunity for Berachain validators using hot keys to adopt more secure and efficient practices with this tool.

Future Integrations: Enabling Strategic Flexibility

Not only does the ValRewardAllocator role improve security, it also provides the foundation for future improvements such as BRIP-0005, which will utilize the ValRewardAllocator role to enable automated reward allocation strategies. Together, these tools allow validators to optimize allocations for delegates, enhancing efficiency without compromising on security.

As Berachain continues to make protocol improvements, adoption of these features is expected to grow. Validators should audit their key management practices, prioritize cold storage, and leverage delegation to minimize risks. The infrastructure is in place for validators to be more secure and efficient—now is the time!

With the halfway point of 2025 past, stablecoins have become one of the most consistent and rapidly expanding segments of the crypto world. These cryptocurrencies, whose stability is designed to be maintained by aligning their values with the values of fiat currencies like the U.S. dollar, have grown from being niche trader tools to essential infrastructure for cross-border payments, remittances, and more. Even after falling from a mid-year high of $290 billion to $230 billion today, the combined market capitalization still represents roughly 7% of the entire crypto market. The increase is fueled by record-high volumes of transactions, which for 2024 hit $5.7 trillion and increased by 66% alone during the first quarter of 2025. Dominant players like Tether’s USDT, with a market cap of over $150 billion, continue to lead, but the landscape is growing more diversified. Nearly 240 stablecoins have been launched and new entrants are launching all the time, such as Hype’s USDH, whose bid was recently won by Native Markets to bring its HypeEVM stablecoin to market. With the substantial growth in stablecoins, both in projects and market value, TradFi has begun to take notice since it provides substantial revenue opportunity.

Recent and Future Launches: Innovation Speeds Up

The world of stablecoins has seen a plethora of activity in 2024 and 2025, fueled by anticipated and increasing regulatory clarity, technological advancements, and the quest for local solutions. Among the recent highlights is Wyoming’s Frontier Stable Token (FRNT), which became live on mainnet in August 2025. The nation’s first state-backed stablecoin, FRNT aims to provide a government-backed digital dollar for streamlined public sector transactions, a milestone move in fintech adoption to the level of the government.

At the country level, South Korea’s BDACS just introduced KRW1, the country’s first stablecoin pegged to the Won, on the Avalanche blockchain . This move is to address domestic demand for a stable, fiat-collateralized asset in the face of rising crypto adoption across Asia. Looking a bit further back, Paxos introduced its Global Dollar (USDG) in November 2024 through its Singapore branch, introducing yield-paying stablecoin options for international users.

Subsequent launches are set to introduce even more momentum. Tether, maker of the world’s largest stablecoin, stated on September 12, 2025, that it would introduce USA₮ (USAT), a U.S.-regulated dollar-backed stablecoin for American citizens. Teaming with Cantor Fitzgerald and Anchorage Digital Bank, Tether has appointed former congressional candidate Bo Hines as CEO of the project, a sign that the company is strategically increasing compliance and eyeing towards U.S. expansion. Meanwhile, Plasma, a blockchain tailored for stablecoins, will launch its mainnet beta in late September 2025, possibly opening the door to quicker, cheaper issuance and transfers for issuers globally.

Among other forthcoming releases is MetaMask’s MetaMask USD, which is set to be launched later in 2025 on Ethereum and Linea networks and is planned to be easily integrated into tens of millions of crypto wallets belonging to an array users. Fiserv is also gearing up its FIUSD stablecoin over the coming months, leveraging its vast infrastructure to bridge off-chain banking with onchain finance. In Hong Kong, a new system of stablecoin licensure enters effect later this year, with issuers having until October 31, 2025 to file an application paving the way for regulated Asian stablecoins that may rival the existing largest.

These trends suggest more emphasis on more regulated jurisdictional stablecoins, which increases the viability of onshore options and appeal to institutional players concerned about volatility of emerging market currencies.

Deepening Involvement of Traditional Finance

What was once seen as a crypto fad is now a strategic priority for banks and established financial institutions. The U.S. GENIUS Act of 2025, which gave explicit regulatory guidance on payment stablecoins, accelerated this trend by encouraging TradFi adoption and stablecoin mainstreaming in finance. Notably, the CFTC’s September 2025 initiative to integrate stablecoins as tokenized collateral in derivatives markets, dubbed the “killer app” by Acting Chairman Caroline Pham, further signals regulatory support for their role in modernizing financial infrastructure. Banks are no longer sitting around and merely observing; they are now issuing actively, investing, and cooperating.

Bigger players like JPMorgan are writing in-depth reports on the benefits of stablecoins for cross-border payments, emphasizing their speed and efficiency compared to wires. This illustrates the shifting landscape alone as they previously spoke out against crypto in the past. Fiserv’s plan to roll out FIUSD shows how payment processors are folding stablecoins into their central business, possibly handling trillions in volume annually. Even states like Wyoming are piloting sovereign stablecoins, growing synergies between public finance and blockchain.

Institutional investment in stablecoin infrastructure has gone into overdrive, with corporate funding rounds for these startups piling up in 2025 while the long standing companies have started to IPO. The IMF and Bank for International Settlements (BIS) already look into stablecoins’ place in the future monetary system, mentioning their use to complement CBDCs while introducing private-sector innovation. McKinsey sees 2025 as a critical year, with tokenized cash driving a global realignment of the world’s payments infrastructure. This intervention is not without its challenges; banks need to navigate regulatory barriers and prevent stablecoins from eating into deposit bases.

What This Means for the Future of Finance

The intersection of stablecoins and TradFi has the potential to fundamentally redefine how money flows, maintains value, and mediates exchange. Stablecoins enable fast, low-cost cross-border transactions, addressing traditional banking’s multi-day settlements and potentially saving billions in fees yearly. With wider adoption, they could underpin the U.S. dollar’s supremacy in a digital era, with over 90% of stablecoins anchored to USD, continuing American economic influence to all corners of the globe without employing physical currencies.

Stablecoins could democratize access to finance, particularly in developing markets where remittances over platforms like Ripple or Solana already outpace Western Union, while interoperability with traditional finance may strengthen systemic stability through regulated issuers under frameworks like the GENIUS Act. Barclays has described stablecoins as the “new generation of financial infrastructure,” enabling use cases from tokenized securities to micropayments, but the key question is whether crypto-native networks will lead this transformation or whether incumbents such as MoneyGram will integrate stablecoins into their existing services through partnerships with chains like Stellar.

Challenges lie ahead: cross-jurisdictional regulatory fragmentation has the potential to hinder interoperability and de-pegging risks underscore the need for reasonable regulation. Stablecoins can aggravate financial vulnerabilities if poorly managed, though, so calls for FDIC-style insurance or central bank guarantees may grow. Ultimately, 2025’s momentum ensures that stablecoins won’t just sit alongside traditional finance but they’ll reinvent it, as blockchain ease of use meets institutional trust to form a hybrid system.

Are stablecoins the future of money?

TL;DR

• A recent phishing attack caused many NPM (Node Package Manager) packages to be compromised with malicious code targeting crypto users.
• Fortunately, it appears that a large-scale theft of digital assets did not occur.
• Given the nature of the attack, however, it serves as an important reminder for crypto users to take security seriously and utilize extra precautions for protecting digital assets.

What Happened?

On September 8, 2025, reports of a NPM package developer being compromised began circulating. This was quickly picked up in crypto circles, as the attacker misused the developer’s account to publish malicious versions of popular NPM packages, which in turn could then be used to steal digital assets.

Specifically, the NPM packages believed to be compromised include chalk, strip-ansi, color-convert, color-name, is-core-module, error-ex, simple-swizzle, and has-ansi. A growing list has been assembled here.

Notably, none of these packages have a crypto focus, and, reportedly, the codebases for individual projects were not directly targeted. Instead, the wide usage of these packages means they are highly likely to be used by some digital asset holders (e.g. as dependencies on often-used websites) and, as a result, might be used to trick them into signing a malicious transaction.

Fortunately, this attack seemingly did not result in a large amount of stolen digital assets.

What’s the nature of the attack? How did it work?

There are a few mechanisms that appear to be at play in this attack. At a high level, a malicious package could be used to inject new code into someone’s web browser, which changes the webpage and its behavior to trick the user.

The first attack vector is to quietly change crypto addresses on a webpage to the attacker’s. Then, the malicious code listens to requests made by the webpage; checks if an Ethereum, Solana, Tron, Litecoin, or Bitcoin Cash address is present; and, if so, swaps in a malicious address that is most similar to the intercepted, correct address (here’s a list of addresses associated with this attacker). An unsuspecting user could then transfer digital assets to the attacker’s wallet without realizing it.

The second attack vector begins by checking for website components used by browser wallet extensions. If a relevant extension is found, the malicious code waits for the user to create a transfer, intercepts the generated transaction before the user is prompted to sign it, and replaces the recipient of the transfer with an attacker’s address. Unless the user carefully inspects the entire destination address when signing to ensure it matches the intended address, they could accidentally sign the transfer to the malicious wallet. This is likely true even when using a hardware wallet, such as a Ledger.

What can I do?

At this juncture, suggested best practices often include:

1. Use a hardware wallet, such as a Ledger device. As noted above, this may not be a silver bullet. But, while browsers and their extensions may be manipulated to show anything, a hardware wallet’s screen cannot be manipulated. You can be confident that you are signing what you see there.
2. Verify every character of addresses before signing. As attacker tradecraft has become more sophisticated, we suggest reviewing the entire address, as an attack may have generated an address with the same starting and ending characters as the intended address.
3. Start with a test transaction before sending digital assets. In each vector used by this NPM attack, a test transfer would likely catch that digital assets didn’t end up where intended, which is a sign that something might not be right.

Also, depending on the circumstances, consider reaching out to Unit 410 👇

Unit 410 self-custody wallets were not impacted

While many self-custody products rely on web browsers or hot wallets when signing (even within multisigs), Unit 410’s unique, proprietary design for self-custody wallets:

1. Signs offline (cold) using protected code paths that are carefully curated;
2. Moves mission-critical elements outside browsers, where many attack vectors tend to exist; and
3. Supports multi-party verification and automated checks helping to ensure the addresses used are known and secure.

Beyond that, we take security seriously. For example, in any cases where an external library must be used, we often pin versions so we do not automatically pull updates that might be malicious.

All of the above are big reasons why our clients use Unit 410 to support their self-custody needs, particularly when dealing with high-value positions in bleeding-edge projects.

We’re here to chat

At Unit 410, security isn’t just a feature - it’s the foundation of everything we build. Our institutional-grade self-custody solutions utilize cryptographically-secured offline storage, helping clients protect their digital assets against sophisticated attack scenarios. Public company, venture capital, and foundation leaders have chosen Unit 410’s security infrastructure to support their high-value self-custody since 2018.

And, if you love security and are interested in contributing to cutting-edge solutions for digital asset wallets and infrastructure, reach out! We are hiring!

Public company, venture capital, and foundation leaders have chosen Unit 410’s security infrastructure to support their high-value self-custody since 2018. Digital Asset Treasuries (DATs) are a natural extension of this work - corporate treasury operations applied to digital assets.

The security and operational requirements for DATs align directly with what we’ve been building for years: multi-signature architectures, cold storage systems, compliance tooling, and infrastructure that handles institutional scale.

What Makes Our DAT Infrastructure Different

Digital Asset Treasuries require a fundamentally different approach to digital asset operations than traditional cryptocurrency holdings. They demand institutional-grade security, comprehensive reporting, and seamless integration with existing corporate systems. Our infrastructure is purpose-built around three core pillars:

⚙️ Comprehensive Tooling

Advanced Infrastructure

Our purpose-built technology stack is designed specifically for public-company-grade digital asset operations. Every component has been architected with scale, security, and reliability in mind.

Key Features:

• Multi-signature wallet architecture: Advanced cryptographic security with configurable signing thresholds and distributed key management
• API-first design: Complete programmatic access enabling seamless integration with existing treasury and accounting systems
• Custom approval workflows: Configurable authorization rules and testing environments for operation approval processes
• Participation: Early staking, governance, and other participatory support with the ability to help capture unique opportunities at launch

We’re the original authors of foundational multi-party computation signing technology like Tendermint Validator for Cosmos, which became the basis for Strangelove’s implementation. This MPC signing infrastructure that secures high-value staked assets today and directly applies to DAT operations.

🔒 Cold Storage

Hardened Security

Security isn’t just a feature - it’s the foundation of everything we build. Our institutional-grade self-custody solutions utilize cryptographically secured offline storage, helping clients protect their digital assets against sophisticated attack scenarios.

Security Infrastructure:

• Hardware security modules (HSMs): Tamper-resistant hardware for cryptographic key generation, cold storage, and sophisticated operations
• Air-gapped infrastructure: Isolated systems beyond the internet, eliminating entire classes of remote attacks
• Distributed key storage: Keys distributed across multiple secure locations using advanced secret sharing strategies
• Assurance options: Built-in flexibility for varying institutional assurance needs

Our approach to cold storage goes beyond simple offline key management. We’ve implemented a multi-layered security architecture that includes physical security, cryptographic protection, and operational security measures that lead the industry.

📊 Industry-leading Reporting

Forward-Looking Transparency

DATs require comprehensive audit trails and real-time visibility into all operations. Our reporting infrastructure provides the transparency and compliance capabilities that public companies and other corporate clients demand.

Reporting Capabilities:

• Real-time tracking:: Live visibility into all digital assets and operations across multiple networks and digital asset types
• Annual penetration test reports: Regular third-party security assessments for continued security posture
• Custom audit trails: Detailed operation histories with complete provenance tracking for compliance and internal auditing
• External audits: Support includes working directly with clients’ independent auditors

The reporting infrastructure is designed to meet the most stringent compliance requirements while providing the real-time visibility that modern treasury operations demand.

Recent DAT Launches

The market has seen significant momentum in DAT adoption, with several high-profile launches demonstrating institutional appetite for sophisticated digital asset operational solutions.

• BTC ex: Microstrategy
• ETH ex: Bitmine
• SOL ex: SOL Strategies
• Story Protocol
• The Open Network

These launches suggest a broader trend toward institutional adoption of digital assets as an asset class requiring sophisticated treasury capabilities.

Why This Works for Us

DATs map directly to our existing infrastructure. The self-custody wallets we support for validator operations work for treasury operations. The cold storage systems we use to support regulated funds and other institutions work for treasury digital assets. The monitoring and reporting we built for institutional compliance works for treasury operations.

We’re already running this infrastructure across venture capital, public company, and foundations. DATs just formalize the treasury operational layer on top of security infrastructure we’ve been operating for years.

The result is that institutions can run DATs using the high operational and security standards they apply to traditional assets, backed by infrastructure that’s already protecting institutional digital assets at scale.

Ethereum’s transition to Proof of Stake introduced several mechanisms to maintain network security and efficiency. One critical but often overlooked component is the sync committee - a rotating subset of validators responsible for helping light clients stay synchronized with the beacon chain. For validator operators, understanding sync committee mechanics isn’t just academic knowledge; it’s essential for avoiding penalties when planning validator exits.

Details about the Sync Committee:

• Size: 512 validators per sync committee
• Duration: Each sync committee serves for exactly 256 epochs (~27.3 hours)
• Selection: Validators are pseudo-randomly selected based on the RANDAO reveal
• Overlap: New committees are selected one epoch before the current committee’s term ends
• Duties: Sign beacon block headers during their assigned period

Selection is also deterministic which is quite cool:

def get_sync_committee_indices(state, epoch):
    MAX_RANDOM_BYTE = 2**8 - 1
    active_validator_indices = get_active_validator_indices(state, epoch)
    active_validator_count = len(active_validator_indices)
    seed = get_seed(state, epoch, DOMAIN_SYNC_COMMITTEE)

    sync_committee_indices = []
    random_byte = hash(seed + uint_to_bytes(0))

    for i in range(SYNC_COMMITTEE_SIZE):
        shuffled_index = compute_shuffled_index(
            i % active_validator_count,
            active_validator_count,
            seed
        )
        candidate_index = active_validator_indices[shuffled_index]

        if hash(seed + uint_to_bytes(i // 32))[i % 32] * active_validator_count < MAX_RANDOM_BYTE:
            sync_committee_indices.append(candidate_index)

    return sync_committee_indices

Validator Exit Process Overview

When a validator operator decides to exit, they submit a voluntary exit message. However, the exit doesn’t happen immediately:

• Exit Epoch: The earliest epoch when the validator can exit
• Withdrawable Epoch: When the validator’s balance becomes withdrawable (typically 256 epochs after exit)
• Queue Management: Exits are rate-limited to maintain network stability

Validator Exits by Epoch (past 2yrs)

The Sync Committee Penalty Research

Timing matters because exiting isn’t instantaneous. Committees are selected 256 epochs in advance, so even if a validator submits an exit, they can still be assigned to the next sync committee. The exit itself will process on schedule, but it doesn’t cancel that pending duty — the validator remains in the committee for the rest of the period and is expected to keep signing, with the risk of penalties if they fail to do so.

The following calculation shows how these penalties are applied when a validator misses their sync committee duty, with up to 8,192 individual penalties possible over the course of a single sync committee period.

Penalty Calculation:

penalty = base_reward_per_increment * SYNC_REWARD_WEIGHT * (1 - sync_aggregate.sync_committee_bits[index])

Where:

• base_reward_per_increment: Base reward scaled by effective balance
• SYNC_REWARD_WEIGHT: Currently set to 2
• Missing all duties for a full sync committee period can result in penalties of ~0.1-0.2 ETH

There’s currently no on-chain protocol that prevents a validator from exiting even if they’ve already been selected for an upcoming sync committee.

The distribution shows a clear divide: the overwhelming majority of validators continue fulfilling their duties with very low miss rates, while a smaller subset effectively shuts down, abandoning all responsibilities after exit.

How often do Validators exit with pending Sync Committee responsibilities? And, what is the impact?

To understand the actual impact, we developed a Python script that directly analyzes beacon chain data, scanning for validators that exited in the last 30 days and had pending sync committee responsibilities. The results are striking and provide concrete evidence of a concerning divide.

Real-World Analysis: 2-Year Comprehensive Dataset

Using the above script, we analyzed validator exit behavior over a full 2-year period. The script identified 894 validators who exited while still holding pending sync committee responsibilities. From our research, this dataset provides the first comprehensive evidence of validator performance post-exit: while most continued to meet their duties, 1 in 5 (19.91%) significantly abandoned responsibilities, leading to measurable financial penalties and network reliability concerns.

The Good News: Engaged Majority (716 Validators, 80.09%)

The majority of validators who exited with sync committee duties continued to fulfill their obligations:

• 4 validators — Perfect performance (0% miss rate)
• 712 validators — Excellent performance (0.14% – 9.99% miss rate)
• Average miss rate (well-performing group): ~3.2%

The Concerning Reality: Disengaged Minority (178 Validators, 19.91%)

However, 1 in 5 validators did not fulfill their obligations, creating a spectrum of abandonment:

• Complete Infrastructure Shutdown (93 validators)
• Significant Degradation (85 validators)

While 4 out of 5 validators met their obligations, the remaining 19.91% introduced reliability risks for light clients and incurred financial penalties. This suggests a significant education and tooling gap within the validator ecosystem.

Financial Impact: The Real Cost of the 19.91%

Total Dataset: 894 Validators with Sync Committee Duties

• 716 well-performing validators: Minimal penalties (avg ~0.013 ETH each)
• 178 abandoning validators: Significant penalties

Complete Infrastructure Shutdown:

• 93 validators with 100% miss rates = ~17.8 ETH total penalties (~$75,000 @ $4,250/ETH)

Degraded Performance:

• 85 validators with varying degrees of missed duties = ~13.6 ETH combined penalties (~$58,000 @ $4,250/ETH)
• Average penalty per degraded validator: ~0.16 ETH (~$680)

2-Year Impact from Abandoning Validators:

• 178 validators with sync committee issues
• Estimated penalties: ~31.8 ETH (~$135,200 @ $4,250/ETH)
• Average penalty per abandoning validator: 0.178 ETH ($756)
• Well-performing validators: minimal penalties (~$55 average)

While the individual financial penalties might seem modest (~$756 per abandoning validator), the 19.91% abandonment rate creates an annual cost of ~$68k across the ecosystem, with more significant implications for network reliability and light client security.

How Validators Can Prevent This Issue

The good news is that avoiding penalties and ensuring reliable performance is straightforward if operators take a few extra precautions. The most critical step is checking whether the relevant validator has pending sync committee duties before shutting down the host/turning off the validating software.

Here’s one method using a Lighthouse archival node that we’ve used:

Check Current Sync Committee

VALIDATOR_INDEX=1801123
curl -X GET "http://localhost:1099/api/v1/validator/$VALIDATOR_INDEX/sync_committee" \
  -H "accept: application/json"

Check Next Sync Committee

VALIDATOR_INDEX=1801123
NEXT_EPOCH=$(( $(curl -s http://localhost:1099/eth/v1/beacon/headers/head \
                  | jq -r '.data.header.message.slot') / 32 + 256 ))
curl -s "http://localhost:1099/eth/v1/beacon/states/head/sync_committees?epoch=$NEXT_EPOCH" \
  | jq --arg v "$VALIDATOR_INDEX" '.data.validators | index($v)'

• If an integer is returned, your validator is part of the committee and expected to perform duties.
• If null is returned, your validator is not scheduled for committee participation.

Why this matters: Even some block explorers (like beaconcha.in) may suggest it’s safe to shut down when in fact your validator still has pending sync responsibilities. This subtle edge case is exactly what leads to penalties and reliability issues.

By running these checks — both for the current and upcoming sync committee — operators should be able to confidently plan exits without unintentionally abandoning duties.

Key Takeaways

This extensive analysis of 894 validators over 2 years reveals a clear pattern: while 80.09% of validators maintain excellent sync committee performance after exit, the 19.91% who abandon their duties create an annual cost of $65,000 and weaken network reliability. The stark contrast—with abandoning validators facing 14x higher penalties—suggests this isn’t a technical limitation but an education gap.

The solution is straightforward and already demonstrated by the majority:

1. Check sync committee status before exit
2. Wait for sync committee period completion
3. Maintain infrastructure until all duties are fulfilled

Based on this analysis, we’ve updated our validator management tools to automatically check sync committee status and provide countdown timers for period completion. With proper tooling and awareness, this entirely preventable issue can be reduced to near zero, strengthening Ethereum’s network while eliminating these unnecessary penalties.

If this type of analysis and work is interesting to you, check out our open roles here.

Sometimes you just need to be in-person to do your best work. This is particularly true with cross-team projects and complex re-architectures.

We’ve written about how we work before and that we are a remote company with some locations having centralized teams. While we do all get together for Offsites multiple times a year (and have some pretty fierce pickleball + basketball games with only minor injuries), these are not focused on heads-down work.

Recently, we had a complex project come up that involved two teams: our Product Engineering team and our Encryption Engineering team. During initial discussions it was clear that we would be defining a new schema, a new way for the Product to coordinate with a new API, and begin building a completely new UX.

For a project like this, we pondered a few questions:

• Did we want to attempt to do this remotely?
• If we did, would the result be enabled as quickly?
• Would the cross-team learning / outcome be as valuable?
• Could we ship a demo by end-of-week if done remotely?

It was quickly concluded that the best way to accomplish the highest value outcome was going to be a Coworking Week.

Planning a Coworking Week

We use Slack for team communication and created a dedicated channel + kick-off so that everyone could coordinate.

Slack Channel Kick-off

Choosing Location

The first and most important discussion is of course: Where should we all meet? The team chose Austin, TX where the average temperature was 99°F each day with a 65°F dewpoint. I can’t say I truly understand this choice but they chose it!

Coordinating the time is the first step with the team selecting a week, confirming availability, and then finding a suitable location. Key requirement: Fast and secure WiFi.

Choosing a week

For an Offsite a hotel is great, everyone gets their own space / privacy but for a Coworking Week it is common for a smaller group to prefer a roomy AirBNB / VRBO with a kitchen and various amenities to make collaboration space / time the most optimized.

Not the BnB we chose

Setting Goals

After the location is chosen, the next step is to map out which restaurants… I mean, to plan the goal for the week. This isn’t a cheap endeavour in dollars or time: we are asking people to step away from their lives, families, et cetera, and spend a week together in another city.

The team spun-up a document and started to outline the Goals, Non-Goals, and specifically: What is actually in-scope?

Setting Goals

Go Go Gadget Coworking

Once the team lands and acquires their first taco (and maybe a second), the work begins. Typically supplies are procured such as extension cords, power bricks, and a white board but this varies based-on location.

Work begins on really decomposing the work and fleshing out what is going to be done during the week. This process takes time, and sometimes an additional taco. This phase is not rushed nor should it be. Most work in Engineering is actually non-technical and involves figuring out how you actually want something to work / how it should work, and the outcome(s).

Which team will own which interfaces, where / how is the schema going to be designed, which APIs may be needed / exposed, and what questions are unanswered that we need Product / Other input on?

All of this information is captured and eventually distilled into a shared document.

As the first day ends, a recap post is shared out to the rest of the team. This is done to keep everyone in the loop (incl. folks that are not physically present) but also to make it clear to the broader team what is being done and the value of the in-person time.

Day 1 Recap

Each day concludes with similar daily updates and photos of IRL activities:

Day 2 Recap

IRL Activities, probably Tacos (Blues on the Green)

End of Week

Once the week draws to a close, two final items take place:

• A team demo of the work accomplished.
• A more detailed recap of the week.

Our team holds a Demo Day every Friday afternoon and Product Demos as part of our Weekly Team Meeting on Mondays. The team put together a Live Demo (required) and shared the state of what they built / executed on during the past week. Even if rough and unfinished it is important to demo.

And, a larger recap post was published.

Top secret recap

Demo

Wrap-up

Once everyone completes their journeys back home, the work continues. The original document that was used to plan, is used to continue the work on the project. The remaining scope is discussed, planned, and agreed upon for upcoming sprints. And, the project ships!

We are hiring for a number of roles. Even if now isn’t the right time, we are happy to keep in touch and let you know when a role that may interest you becomes available. Check out our roles here.

Read Unit 410's letter to the SEC Crypto Task Force requesting regulatory guidance and proposing a Qualified Self-Custodian (QSC) framework for registered investment advisers (RIAs) to self-custody when secure and reasonable Qualified Custodian (QC) options are not available: https://www.sec.gov/files/unit-410-050725.pdf.

At Unit 410, we prioritize security and efficiency for the dozens of networks we support (Bittensor included). Our team operates using advanced infrastructure, secure practices, and custom-built tools as illustrated by our proxy pallet solution.

Bittensor Proxy Pallet

In April 2024, proxy pallet support was added to the Bittensor network. The proxy pallet is a substrate module that allows one account (a “proxy”) to act for another (“proxied”) account with specific permissions. This is useful for cold wallet users seeking to delegate execution of certain actions to another key.

Using the proxy pallet, a coldkey can designate a proxy account to perform specific actions for the coldkey. These permissions are (link):

Owner
NonCritical
NonTransfer
Senate
NonFungible
Triumvarate
Governance
Staking
Registration
Transfer
SmallTransfer
RootWeights
Childkeys
SudoUncheckedSetCode

Unit 410 Proxy Support

A proxy can be utilized in place of frequently utilizing asset-bearing keys for common, low-risk operations like childkeying to subnets.

In the above model, a user’s coldkey retains full control and ownership, while the proxy only receives CHK-related permissions. If the above proxy key is compromised, asset transfers are programmatically disabled - which cuts off the potential for coldkey asset loss.

The recent Bybit hack illustrates the importance of transaction preparation and review - and illustrates the unintended consequences that transaction validation errors can lead to. While proxy-type accounts do not solve for this entirely, they do limit the general use of cold, asset-bearing accounts - with necessary spending protections in place to avoid catastrophe in the case of account compromise. In the case of Bybit, if the compromised multisig were a proxy account without spending permissions, attackers would not be able to siphon assets via malicious transaction bytes.

Proxy Example

// Import dependencies
const { ApiPromise, WsProvider, Keyring } = require('@polkadot/api');
const { cryptoWaitReady } = require('@polkadot/util-crypto');

// Used to represent "max balance" (100% of validator balance) being delegated to a single child key on a subnet.
const MAX_U64 = BigInt('18446744073709551615')

async function main() {
    const mnemonic = process.env.PROXY_ACCOUNT_MNEMONIC;
    const netuid = parseInt(process.env.NETUID, 10); // NetUID from environment
    const hotKey = process.env.HOT_KEY_ADDRESS;
    const coldKey = process.env.COLD_KEY_ADDRESS;
    const childKey = process.env.CHILD_KEY_ADDRESS;
    const providerEndpoint = process.env.PROVIDER_ENDPOINT;

    // Validation: Ensure all required environment variables are provided
    if (!mnemonic) {
        console.error("Error: MNEMONIC must be provided as an environment variable.");
        process.exit(1);
    }

    if (isNaN(netuid)) {
        console.error("Error: NETUID must be provided as a valid number environment variable.");
        process.exit(1);
    }

    if (!hotKey) {
        console.error("Error: HOT_KEY must be provided as an environment variable.");
        process.exit(1);
    }

    if (!coldKey) {
        console.error("Error: COLD_KEY must be provided as an environment variable.");
        process.exit(1);
    }

    if (!childKey) {
        console.error("Error: CHILD_KEY must be provided as an environment variable.");
        process.exit(1);
    }

    if (!providerEndpoint) {
        console.error("Error: PROVIDER_ENDPOINT must be provided as an environment variable.");
        process.exit(1);
    }

    // Initialize Polkadot.js and wait for crypto initialization
    await cryptoWaitReady();
    const provider = new WsProvider(providerEndpoint);
    const api = await ApiPromise.create({ provider });

    // Initialize keyring and accounts
    const keyring = new Keyring({ type: 'sr25519' });
    const proxy = keyring.addFromUri(mnemonic); // Replace with Proxy seed

    console.log(`Proxy Address: ${proxy.address}`);
    console.log(`ColdKey Address: ${coldKey}`)

    // Use proxy call for setting children
    const children = [[MAX_U64, childKey]]
    const chkTx = api.tx.subtensorModule.setChildren(hotKey, netuid, children);

    console.log('chkTx', chkTx.toHuman());

    const proxyCall = api.tx.proxy.proxy(coldKey, 'ChildKeys', chkTx);

    console.log('proxyCall', proxyCall.toHuman());

    console.log(`Sending CHK transaction for netUID ${netuid}.`);

    const proxyCallHash = await proxyCall.signAndSend(proxy);

    console.log(`Bittensor chk successfully: ${proxyCallHash.toHex()}`);
}

main().catch(console.error).finally(() => process.exit());

Note that the above script does not require a coldkey mnemonic - only a proxy account mnemonic. This means that coldkey assets are not at risk in this transfer - only proxy actions can take place.

Multi-Proxy Architecture

Childkeys follow a one-to-many relationship with proxy accounts. Proxy accounts can be uniquely used for different operations (e.g., one account for Staking, another for Childkeying). A coldkey’s active proxies can be monitored using the proxy::proxies(address) method.

api.query.proxy.proxies(coldKeyAddress, (result) => { console.log("Current proxies:", result.toHuman()); });

Proxy Risk Mitigations

While proxy accounts do provide enhanced security around direct asset loss, they should still be used with caution. For example, insecure usage of the “Staking” role can lead to the swapping of arbitrary quantities of alpha tokens (at high slippage), and insecure usage of the “Registration” role can lead to burned registration fees. Secure key practices around proxy accounts remain a top priority when using proxies.

If a proxy account compromise is detected, proxy::removeProxy(delegate, proxyType, delay) may be used to revoke permissions.

async function removeProxy() {
    const { ApiPromise, WsProvider, Keyring } = require('@polkadot/api');
    const { cryptoWaitReady } = require('@polkadot/util-crypto');

    // Environment variables
    const mnemonic = process.env.COLD_KEY_MNEMONIC; // Coldkey mnemonic (should be securely stored)
    const proxyAddress = process.env.PROXY_ADDRESS; // Address of the proxy being removed
    const providerEndpoint = process.env.PROVIDER_ENDPOINT; // Bittensor Substrate node

    if (!mnemonic || !proxyAddress || !providerEndpoint) {
        console.error("Error: Missing required environment variables.");
        process.exit(1);
    }

    // Initialize crypto
    await cryptoWaitReady();
    const provider = new WsProvider(providerEndpoint);
    const api = await ApiPromise.create({ provider });

    // Initialize keyring and coldkey account
    const keyring = new Keyring({ type: 'sr25519' });
    const coldKey = keyring.addFromUri(mnemonic);

    console.log(`Removing proxy ${proxyAddress} from coldkey ${coldKey.address}`);

    // Create removeProxy transaction
    const removeProxyTx = api.tx.proxy.removeProxy(proxyAddress, 'Any', 0);

    console.log('removeProxyTx:', removeProxyTx.toHuman());

    // Sign and send transaction
    const removeProxyHash = await removeProxyTx.signAndSend(coldKey);

    console.log(`Proxy removed successfully. Tx Hash: ${removeProxyHash.toHex()}`);
}

removeProxy().catch(console.error).finally(() => process.exit());

Conclusion

At Unit 410, we take a detailed approach to Bittensor validation. By combining performant hardware, secure practices, and innovative tooling, we have engineered solutions designed to maximize stability and uptime.

If topics and insights like this are interesting to you, check out our open roles here.