MSc. in Applied Mathematics interested in cryptography, specifically, in secure multiparty computation. Working at @hashcloak.

Joined April 2017
I have been porting a tool that simulates an MPC protocol execution considering chosen network parameters. The image presents the detailed trace of a protocol that is supposed to take ~33 sec. (in a real-world distributed execution), but the simulation runs it instantaneously.
The library is still being tested and documented. But feel free to send any feedback :)
This is also a learning project, so it's very likely to find errors, re-implementations of widely known libraries and tools, mistakes in the documentation, among others. I'll do my best to solve them as much as I can.
Hernán Vanegas retweeted
Also, to clarify, I think it's a very powerful tool that can streamline a lot of your workflows. BUT if you outsource your thinking to it you will become rusty. Also nobody cares about your AI-generated content, don't make humans consume AI garbage
I agree with this. I hope to finish my blog post "Reflections on AI" where I talk about AI and personal learning.
building tolerance for hard tasks
Hernán Vanegas retweeted
I’ve been getting back into coding by hand, specifically challenging myself to doing low level Rust, whilst streaming on Twitch. Skill atrophy is absolutely a thing. Kinda embarrassing how difficult the first day was. Second day was a lot better, but it honestly scares me about setting myself up for a future dependency by outsourcing these skills to coding agents. Maybe it won’t matter, but something inside me screams danger about the idea of paying a subscription fee just to be able to write code.
Hernán Vanegas retweeted
This morning, THORChain was drained of roughly $10.8m. Node operators have frozen the network for nearly 13 hours. The full analysis isn't out yet, but according to @jpthor, this could be an MPC exploit.

ECDSA and TSS is hard. THORChain's vaults rely on TSS, a flavor of MPC where a quorum of nodes jointly produces a signature without ever reconstructing the private key. Clean for Schnorr or EdDSA; painful for ECDSA, which Bitcoin and Ethereum require. That's why we saw plenty of protocol attempts (Lindell17, GG18, GG20, CMP, CGGMP21, DKLS, KU23...), each patching flaws in the previous one.

GG20 has a track record. THORChain's TSS uses GG20, on a fork of Binance's tss-lib. GG20 has shipped two well-publicized critical bugs: CVE-2023-33241 and TSSHOCK. CGGMP21, now cggmp24, are the latest protocols, but GG20 is still widely deployed.

I often hear a misconception when I hear about MPC setups: "The key is split across many nodes, so any single co-signer doesn't really matter". In every published GG18/GG20 attack, one malicious or compromised co-signer is enough to extract everyone else's shard and reconstruct the full key.

AI changes the threat model. Compromising a full software node (complex Go stack, exposed P2P, custom signing daemons, a churn protocol that admits new participants on a schedule) has always been difficult and acted as a barrier. With LLM-driven vulnerability discovery and exploit synthesis, the bar to compromise one of N validators is dropping fast.

Here's a plausible TSSHOCK-style playbook:
- compromise one operator
- wait for it to churn into an active Asgard vault
- send malformed proofs during keygen or signing
- reconstruct the key offline
- sweep in a single transaction

It's unclear yet if the attacker used a known-unpatched GG20 weakness, or a fresh cryptographic flaw. But, in all cases, MPC and TSS are not a substitute for hardening every co-signer. They sit on top of co-signers that must each be treated as critical infrastructure: hardware-isolated enclaves, minimally exposed, continuously audited, and running protocols with security proofs. While the investigation progresses, be careful in your interactions onchain. These TSS setups are used in various protocols.
Hernán Vanegas retweeted
It isn't unexpected that the focus of the Bun Rust rewrite is on the anti-Zig side more than anything, since the internet loves to hate. What is unexpected and unfortunate is that leadership within Bun hasn't tried to steer the conversation away from that at all. There are so many positive and interesting takeaways from this and I'm not really seeing any of them pushed as the primary message.

A positive thing that hasn't been talked about at all is how far Bun came thanks to Zig. And even if you dump it now, it's meaningful for how good Zig was to even build a product to this point and impact by any metric. I would've loved to see anyone in leadership say this.

On the interesting side is how fungible programming languages are nowadays. Programming languages used to be LOCK IN, and they're increasingly not so. You think the Bun rewrite in Rust is good for Rust? Bun has shown they can be in probably any language they want in roughly a week or two. Rust is expendable. It's useful until it's not, then it can be thrown out. That's interesting!

There's been a lot of talk about memory safety and no doubt Rust provides more guarantees than Zig. But I'd love to see a better analysis of why Bun in particular suffered so much rather than take the language-blame path. How could engineering as a practice have been more rigorous to prevent this? What were the largest sources of crashes other programs should watch out for? How does Rust prevent them? How could Zig theoretically prevent them? That's interesting.

I know the official blog post hasn't come out yet from Bun. But they're smart enough to know that that PR would stir up controversy the moment it opened, or they should've been. And plenty in the company have been tweeting and writing about it. It's somewhat telling to me in various dimensions what they chose to talk about first.

I tend to think I'm pretty good at corporate PR/comms (especially when it comes to developer audiences) and I think appealing to the negative is never the right long term strategy; it does work to get short term eyes though.
Hernán Vanegas retweeted
Plonky3 is the underlying STARK protocol for most zkVMs in production today. Yet, there aren't many tutorials to help developers get started with Plonky3. We've just dropped a tutorial detailing how to use Plonky3 to generate proofs for Merkle trees. hashcloak.com/blog/a-tutoria…
Hernán Vanegas retweeted
Re. Claude Mythos, here's what I think after a decade of security work: these models will become indispensable tools, but they won't replace experienced practitioners.

Finding a buffer overflow is not the same as auditing a system. Real security audits — especially at the protocol level — require understanding design intent, deployment context, threat models, the gap between specification and implementation, and the messy realities of how systems actually ship. Side channels, key management ceremonies, composition problems, backwards compatibility constraints — none of this lives in a codebase a model can scan.

That said, the economics of the industry will shift. Models will get very good at the commodity end: scanning for known anti-patterns, implementation bugs, standard memory safety issues. The middle of the market — bulk vuln scanning dressed up as an audit — will get compressed. The people who will thrive are those who can use these tools to handle the tedious work faster and focus their time on the judgment calls that actually require deep expertise.

For applied cryptography specifically, I expect models will excel at finding implementation flaws (padding oracles, timing leaks, incorrect point validation) well before they can reason about protocol-level design issues or subtle composition problems. The former is pattern-matchable. The latter requires adversarial creativity and domain knowledge that's much harder to learn from code alone.

This is exactly why getting the right humans involved early matters more now than ever. If AI can find and exploit your implementation bugs at scale, your security posture has to start at the design level — the protocol architecture, the cryptographic choices, the threat model. That's the work that can't be automated away, and it's the work that determines whether your system survives what's coming.

At Symbolic Software (symbolic.software) this is what we do: we help teams design and audit systems that are built to withstand the next generation of threats, not just the last one.
I completed my collection of reference books on my favorite programming languages 😊 🤓
Hernán Vanegas retweeted
New tutorial just dropped! Integrate @primus_labs's Noir integration into your @aztecnetwork app in just 15 mins 🤯 Who knew privacy could be this easy? hashcloak.com/blog/primus-no…
Hernán Vanegas retweeted
New project just dropped! Together with @primus_labs, we worked on bringing zkTLS to @aztecnetwork with @NoirLang Super fun project to work on!
Hernán Vanegas retweeted
Just in time for @aztecnetwork's mainnet launch, we've published a spec-like explainer of Ultrahonk! Our first article of 2026 🥳 hashcloak.com/blog/understan…