do you have a ledger yet? global brand, marketing & comms @ledger, Emmy nominated executive producer @vice - Comments Are Mine

Joined May 2012
what a season. GSG ❤️‍🔥❤️‍🔥❤️‍🔥❤️‍🔥
Proud of this team. GSG.
Ariel Wengroff retweeted
⚡"Breaking Post Quantum Cryptography with AI"

A non-profiled deep-learning side-channel attack on an unprotected reference implementation. The convolutional neural network just plays the role CPA's correlation used to play.

The @DonjonLedger's PQC journey continues. They pointed their open-source deep-learning SCA tooling at the NIST-standardized ML-KEM reference.

No clone device. No profiling phase. No fixed leakage model. Only EM traces, chosen ciphertexts, and a small MLP trained per key hypothesis. The correct key is the one under which the network actually learns.

~400 traces. Unprotected target, no masking, no shuffling.

- ML-KEM is mathematically sound and standardized.
- A reference implementation running on a real chip, without countermeasures, leaks the secret in minutes.

PQC security does not stop at standardization. It starts when implementations meet real-world attackers, with probes, not just headlines.

Read the article: donjon.ledger.com/blog/non-p…
Ariel Wengroff retweeted
Jun 11
Proof that the Agent Stack is for shipping, not just reading docs. Nice work here 🤝 Got your own build? Show us what you made: we'll reshare the best ones. developers.ledger.com/docs/a…
built an AI agent that splits live show revenue to artists on solana, a continuation of shakedown's development. every payout stops at my @Ledger thanks to their Wallet CLI for physical approval. demo repo below 👇 github.com/jeremymitaux/shak… #LedgerSponsor
Ariel Wengroff retweeted
Jun 10
lock in. always. 🔒
Ariel Wengroff retweeted
Tokenized stocks, now swappable natively inside @Ledger Wallet. Powered by @1inch intent-based swaps, bringing gasless execution and hardware-backed clear signing to Ondo Global Markets. Self-custody, now for 260 tokenized stocks, spanning the world's most in-demand assets.
Ariel Wengroff retweeted
Jun 10
You can now swap @OndoFinance tokenized stocks natively through the Ledger Wallet™ app. Access global markets 24/7 with the efficiency of @1inch routing. No gas fees. No bridges. Just best-execution swaps secured by the clear signing of your Ledger signer. True digital ownership. Free from compromise. 🔐
Ariel Wengroff retweeted
Try this w/ your agent. Reply with your roast. @Ledger RTs best: "You are a savage stand-up comedian and my advisor. Read developers.ledger.com/docs/a…. Install Wallet CLI skill. Read-only: check balances history. Roast my wallet. What did I miss?" Introducing Ledger Agent Stack. 🧵👇
Ariel Wengroff retweeted
Everyone is racing to give agents a wallet. We spent twelve years building something else: the guarantee that a human has the final word. Agents propose. Humans approve. The Ledger signer enforces. More from me soon. But for now, read Ian's exciting thread 🧵
Try this w/ your agent. Reply with your roast. @Ledger RTs best: "You are a savage stand-up comedian and my advisor. Read developers.ledger.com/docs/a…. Install Wallet CLI skill. Read-only: check balances history. Roast my wallet. What did I miss?" Introducing Ledger Agent Stack. 🧵👇
Ariel Wengroff retweeted
Three games, all three decided in the last minute. Wemby in a hostile Garden again tonight. He is built for this 👽 and so are 🦊🏰🪉 GSG!!!
NBA FINALS. GAME 4. 🆚 @nyknicks ⏰ 7:30pm CT 📺 ABC 📻 @1200WOAI, @kxtn1350 #PorVida | @HEB | @Ledger
Ariel Wengroff retweeted
⚛️Post-Quantum Cryptography: The Migration No One Can Outsource

There is no quantum computer breaking Bitcoin today. None breaking Ethereum, your bank, or the internet. Anyone selling that headline has a product to sell.

The honest version is more uncomfortable. The timelines are pulling forward, the public record probably does not show the full frontier, and most of the ecosystem is still ordering caipirinhas at the bar while the water pulls back from the beach.

I was hesitant to put it in such direct terms. But this is a migration we collectively agreed to do, with a deadline, and we are late. So let me call it what it is.

1. Quantum is not a fast computer

Fix this in your head first. A quantum computer runs on qubits with superposition and entanglement, only holds its state near absolute zero, and does not do more of what classical computers do. It does different things. One of them is Shor's algorithm, which breaks the asymmetric cryptography (RSA, ECDSA) that protects almost everything you do online.

2. What changed in the last few weeks

(Wild) estimates of "Q-day" have moved from "10% by 2030" to "50% by 2032" in serious recent work. Then two things happened back to back.

Google published a paper showing Shor's algorithm breaks ECDSA, the signature scheme used by almost every blockchain, with far fewer logical qubits than previously assumed. They published the result without the construction, attaching a zero-knowledge proof instead. We now know this was the outcome of US government pressure to keep the details classified.

Then the open source community used Google's ZK verifier as a reward function in a reinforcement learning loop. An LLM generates candidate Shor circuits, the verifier scores them, the loop iterates. Two days in, the model matched Google. By the time we recorded the podcast, it was already 20% better, it's now 41%!! (cf. ecdsa.fail)

Read that again. AI is now actively compressing the path to Q-day, using a verifier that exists because the result was classified.

3. "When" is the wrong question

Cryptography is a trust mechanism. It does not fail on Q-day. It fails the moment the trust is no longer credible, which is much earlier.

The threat splits into two pieces with very different deadlines:

Authentication. A quantum attacker recovers your private key from your public key and signs as you. As long as we migrate signatures before Q-day, this is contained.

Encryption. Harvest now, decrypt later. An attacker captures encrypted traffic today and decrypts it the day they get the machine. For anything that needs to stay confidential in ten or fifteen years, it is already late. Nothing you do tomorrow fixes 2026.

4. The migration is happening, unevenly

NIST standardized the first post-quantum algorithms in 2024 (ML-KEM, ML-DSA, Falcon, SPHINCS+). The deadline is 2030 for critical systems, 2035 for the long tail. Two years are already gone. Most of the industry has not started.

Centralized systems will get there. The path is painful but linear, and compliance forces it. PQC readiness is becoming an institutional due diligence requirement. The interesting drama is somewhere else.

5. Bitcoin's hard problem is not cryptography

Blockchain cryptography is simple. The cryptographers in this industry know exactly what to migrate to. The bottleneck is social consensus, on a system designed to make governance expensive. That is the property that keeps Bitcoin credibly neutral. It is also the property that makes a coordinated migration genuinely hard.

The trade-offs are real.

Hash-based signatures (SPHINCS+, the Blockstream "SHRIMPS" line) are conservative and well understood, but roughly an order of magnitude larger than what Bitcoin uses today. They would push throughput from around 7 transactions per second to under 1 (without blocksize change).

Lattice-based signatures (ML-DSA, Falcon) are smaller and faster, but have only ~25 years of public cryptanalysis. The world outside blockchain is converging on ML-DSA. Almost no blockchain wants to follow.

You also lose properties you have come to rely on. Threshold signatures and MPC, which underpin a meaningful slice of modern custody, are awkward or impossible on hash-based schemes and clunky on lattice ones.

Call it what it is: post-quantum cryptography is resistant against quantum adversaries and worse on almost every other dimension we care about. There is no free-lunch version.

6. The Satoshi question

Migration must be one way. If users can move freely between legacy and PQ addresses, most will not move, and half a migration is no migration. A 50% migrated chain is still a chain a quantum attacker can drain to zero.

That leaves dormant coins. Satoshi's million BTC. Lost wallets. Dead keys. Three options, none of them comfortable:

Leave them. Honest to the original ethos, operationally suicidal.

Burn them. Honest accounting. The 21 million was always an upper bound. Politically explosive.

Freeze and redistribute as block reward over time. Rebuilds the long-term security budget that, mathematically, is going to struggle. Of the three, the least bad.

The uncomfortable part is admitting that "do nothing" is itself a choice with consequences.

7. Hard forks are the most likely path

Honest prediction. The community will not reach a single clean social consensus in time. Several opinionated groups will ship their own post-quantum forks, with different signature choices, different migration windows, different stances on dormant coins.

Then the market decides. Liquidity, miners, custodians, exchanges, ETFs. The "real" Bitcoin will be the chain people trust against a quantum threat. At that point cryptography becomes timing, marketing, and politics as much as math.

That is the downside of the decentralization we asked for. Pretending otherwise is theater.

8. The glimmer

This ecosystem is resilient. We have the best (applied) cryptographers in the world working on this. The migration will be ugly. It will get done.

What we need is urgency, and the urgency is arriving. Not because Q-day arrived, but because the timeline is collapsing in public, in the papers, and in the AI loops chewing on classified results in real time.

The biggest risk is not quantum arriving early. The biggest risk is crypto starting late.

No panic. But no cappuccinos by the beach either. The water is pulling back. Serious people should start moving.

🎬 Video version below
Ariel Wengroff retweeted
🦊 👽 🏰 🪉 GSG!!!
SPURS WIN! SPURS WIN! SPURS WIN!
Ariel Wengroff retweeted
👉For 4 years, 1 day, and 10 hours, anyone who understood the Orchard circuit could have minted ZEC out of thin air, silently, with no on-chain signature.

The bug was disclosed this week. It was found by an AI-driven audit running Opus 4.8, not by an attacker.

1. Call the bug what it is

Two lines in halo2's variable-base scalar multiplication gadget used assign_advice() where copy_advice() was required. As a result, the diversified-address integrity check pk_d = [ivk]·g_d could be satisfied for arbitrary inputs. A malicious prover could spend the same note multiple times with different nullifiers, i.e. counterfeit ZEC inside the Orchard pool, undetectable on-chain because the privacy of the ZK proof hides exactly the inputs that would reveal the attack.

We do not know whether it was exploited. We will probably never know.

2. Four years. Multiple audits. Top-tier reviewers.

Orchard was reviewed by some of the strongest cryptographers in the field before activation. They missed it. Earlier automated audits with Opus 4.7 missed it. Opus 4.8 catches it in roughly 1 in 4 runs when prompted generically. The bug is hard.

And ZK inflation bugs are not new. Zcash itself shipped a counterfeiting vulnerability in Sprout (BCTV14) that survived years before being silently neutralized during Sapling. Similar soundness issues have appeared in circom, halo2, and rollup verifiers since. The pattern is consistent: when the protocol is private, exploitation is undetectable. You patch the bug and hope.

3. What Zcash did right

This was a textbook decentralized incident response:

▶️Audit: a full AI-assisted soundness audit of halo2 Orchard, scoped end-to-end.

▶️Discover: the agent flagged the missing constraint and worked out the algebra to turn it into an exploit. A working RPC-level PoC in ~6 hours, mostly waiting on tokens.

▶️Coordinate: a soft fork disabling Orchard, prepared and distributed without leaking the bug, activated 2 days and 15 hours after acknowledgement. Coordinating a soft fork across miners, exchanges, and nodes without disclosing why is genuinely hard. They did it.

▶️Disclose: timeline, code lines, math, open questions. No spin.

Worth naming explicitly: Zcash's turnstile invariant caps the value that can ever leave a shielded pool by the value that entered it. Privacy and verifiability inside the same protocol. That is not an accident. That is good engineering, and it is what kept the worst case bounded.

4. The economics of security just changed

AI does not change whether bugs like this exist. It changes the cost of finding them. I wrote about this x.com/P3b7_/status/203643721…: a missing constraint in a 4-year-old production ZK circuit used to require a top-tier cryptographer with months of context. It now requires a few tokens, an API key, and a well-framed prompt.

The defender benefits. The attacker benefits more, they only need to find it once, and they never disclose.

Orchard is the optimistic version of this story: defense got there first. The pessimistic version is the one we cannot rule out, because the chain is private by design.

5. The only real exit

You do not patch your way out of this asymmetry. You raise the floor.

Formal verification of consensus-critical circuits, every assign_advice audited by SAT solvers and AI for under-constraint, as the reporter himself recommends. Proof-grade engineering that used to be too expensive is now cheap enough to be mandatory.

Hardware roots of trust, secure enclaves, certified secure elements, WYSIWYS. Cryptographic guarantees the user can actually verify, not promises a host can lie about.

Continuous AI-assisted audit of every consensus-critical commit, re-run immediately on the release of any new frontier model.

Zcash didn't just patch a bug. They demonstrated the new defensive playbook: AI-driven audits, decentralized coordination, radical transparency, verifiable invariants. That is the direction the rest of the industry needs to follow. And those who don't raise the bar for security will be rekt in this new world.

Stay safe. Stay honest about your trust assumptions.
Ariel Wengroff retweeted
.@Ledger researchers discovered a way to bypass firmware signature verification in the TROPIC01 chip used in @Trezor Safe 7.

Before you panic:
- Attack requires physical device access
- Expensive lab equipment needed
- Researchers could not access any user private data
- TROPIC01 is only one of three security layers on the device

User funds remain safe. A hardware-level fix is already in development.

This is responsible disclosure working as intended: vulnerability found, vendor notified, patch incoming before anyone gets hurt.

Hackless.io
Ariel Wengroff retweeted
The @Ledger Agent Stack: Build & Show bounty is now live on college.xyz!

> Build with Ledger's new open-source Agent Stack (DMK Wallet CLI)
> $100 per qualifying submission.
> 5 random participants will win a Ledger device.

Find more details below 👇
Ariel Wengroff retweeted
Jun 4
GAME ONE
Ariel Wengroff retweeted
🔒 What good security practice looks like in 2026: a short story about a laser, a chip, and a vendor that responded well.

The @DonjonLedger just published their evaluation of the @tropicsquare TROPIC01 chip, the secure chip designed by Tropic Square and used, among others, in the Trezor Safe 7. It's worth a read, not only for the technique, but for the process.

The attack, in plain words. A secure chip is the tamper-resistant chip that guards the secrets inside a hardware wallet. Before running any new firmware, its bootloader checks a cryptographic signature. That's the gate. Using laser fault injection, the Donjon fired a precisely-timed infrared pulse at the silicon, at the exact microsecond the chip was deciding "is this signature valid?". One well-placed glitch later, the chip happily accepts firmware that was never signed by the legitimate vendor. Enough to run arbitrary code.

👍Tropic Square's response was exemplary. They acknowledged the finding immediately, engaged in deep technical discussion, shipped mitigation samples, proactively dug further themselves, and aligned on a coordinated public disclosure. No defensiveness, no spin. Just engineers helping engineers make the product better. It was appreciated by the team; it's unfortunately not always the case.

Sincere thanks to Tropic Square for the collaboration and the standard they're setting, and a hat-tip to @DonjonLedger team for the research.

Full writeup: donjon.ledger.com/blog/tropi…
Ariel Wengroff retweeted
GSG!!!
THE PREDICTION WE’VE ALL BEEN WAITING FOR 🔮 Air Corgi shares her pick to win the 2026 NBA Finals 🏀🏆
AYOOOOO
Ledger sponsored the Spurs and they immediately made the NBA Finals. Coincidence?
🔥🔥🔥 to say we are proud is an understatement. this team. this moment. LFG @spurs ‼️‼️
FINALS BOUND 🎉 @HEB | @Ledger