roadmap/content/weeklies/2025-09-01.md

title, tags, date, lastmod, draft

title	tags	date	lastmod	draft
2025-09-01 Vac weekly	vac-updates	2025-09-01	2025-09-01	false

Vac 2025/09/01

highlights

• TKE: all TKE-related docs and specs were approved by Nomos team
• QA: Waku RLN contract edge-case tests expanded with reentrancy protection fix in progress.
• QA: Waku REST API interop tests merged; rendezvous tests blocked pending infra fixes.
• QA: Waku Lite protocol testing started using Zoltan’s scripts for Store protocol.
• QA: Nim-libp2p rendezvous tests refactored and fixed pagination issue.
• QA: Status E2E desktop tests now working on Windows locally; CI support ongoing.
• QA: Working on extending Status Mobile framework with accessibility hooks and seed phrase tests.
• DST: Started working on a libp2p cross implementation repository
• SC: Uncovered and fixed a bunch of security vulnerabilities in StakeVault
• ACZ: Anounced MLS RFC on X
• ACZ: Release the SN RLN prover benchmark doc regarding prover repo
• RFC: Completed the first draft of qaku rfc
• NES: Finished research Sprint 2 and already started Sprint 3.

vac:p2p:

• ift:2025q3-nimlibp2p-mix:mix-core
  • mix#78 feat: replies (SURBs)
  • mix#79 fix: dont use global variables
  • WIP:
    • benchmark metrics for DST (requested by @Akshaya to take priority over other mix tasks)
    • cleanup reply table for cases in which reply never arrives
• ift:2025q3-nimlibp2p-maintenance:maintenance
  • nim-libp2p#1645 fix: dont send GoAway for unknown streams and mark streams as closed on conn close
    • Issue reported by @Ivansete: streams were not being marked as closed on disconnect
    • I noticed that a GoAway was being sent once streams were being closed, causing other active streams to be dropped as well
  • nim-libp2p#1647 chore: temporarily disable performance plots from being published
    • Issue reported by @arnetheduck: libp2p repository exceeded 500mb
    • I'll ask Infra to setup some storage where we could push the performance reports
• ift:2025q3-nimlibp2p-maintenance:maintenance
  • more QUIC refactoring and improvements
    • stream states improvements nim-quic#107
    • refactor(streamstate): more consistent actions when entering states nim-quic#110
    • chore(streamstate): add switch and write to BaseStreamState nim-quic#112
    • chore: unused imports as errors nim-quic#111
  • resolved issues related to read() ocasionally locking nim-libp2p#1636
    • tested and merged: chore(perf): follow up for PR#1600 nim-libp2p#1620
• ift:2025q3-nimlibp2p-autonatv2
  • Merged AutonatV2 message types nim-libp2p#1637
• ift:2025q3-nimlibp2p-autonatv2:client
  • Send DialRequest
  • Receive DialDataRequest
  • Send DialDataResponses
  • Receive DialResponse
• ift:2025q3-nimlibp2p-autonatv2:server
  • Receive DialRequest
  • Send DialResponse
  • Amplification attack mitigation
    • Check observed IP address against chosen IP address
    • Send DialDataRequest
    • Receive DialDataResponses until requirement is met
  • Send DialBack & get DialBackResponse
  • Send DialResponse
  • Fixed a DialDataResponse bug where the server was not receiving messages from the client
• admin/misc
  • Helped run Nescience interview for Senior Rust Engineer role
  • Close some older PRs and non-relevant issues (still a lot to go, tho)
  • Assist in queries related to circuit-relay behavior on waku

vac:tke:

• admin/misc
  • wrote down the team's monthly report of deliverables
• ift:logos-token::logos-strategy
  • addressed team feedback about ecosystem incentivization doc
  • ad-hoc research
• nomos:stress-test::review-pos-sims
  • reviewed the state of our PoS simulation
• nomos:stress-test::review-nomos-da
  • addressed a few outstanding comments from Alvaro
• waku:services-incentive
  • finalized reviewing the Service Incentivisation MVP
  • continuing research
• status:karma-incentives
  • closely follow the Karma "emergency fix" and discussion around Karma distribution periods
  • fixing bugs in staking demo app
• ift:tokenomics-research-forum::grantico
  • continuing work in spare time
• status:cf
  • Work with Matt on GTM
  • Finished scraper for product research
• ift:tokenomics-research-forum::control
  • Kept pushing reserch on Control Problem
  • Reviewed and attended research call
• ift:tokenomics-research-forum::token-valuation
  • finalized the report
  • presented the work at our Research Call

vac:qa:

• status:2025q3-status-go-functional-testing:accounts
  • Continue with remaining accounts methods
  • Move draft PR in review and get it merged
• waku:2025q3-rln-smart-contract-testing:edge-cases
  • PR 31: RLN contract unit test expansion - in progress
  • Issue 32: reentrancy protection - open
• waku:2025q3-interop-testing:REST-APIs-Extended
  • PR #134 merged
• waku:2025q3-interop-testing:rendezvous-peer-discovery
  • Issue 3549 opened; debugging with Simon
• waku:2025q3-interop-testing:liteprotocoltester
  • Started Store protocol tests using Zoltan’s repo
  • PR #135: Store test scripts opened
• vac:2025q3-nim-libp2p-testing:rendezvous
  • PR 1644: Refactor Rendezvous tests - merged
  • PR 1646: Fix pagination offset - merged
• status:2025q3-status-qa-desktop:maintenance
  • e2e tests running on Windows locally; working on CI with Marco
  • PR 18735: Fix contacts selection - merged
  • PR 18726: Copy/paste functionality - implemented
• status:2025q3-status-qa-mobile:framework-adjustments
  • Hook to expose Qt properties via accessibility framework - in progress
• status:2025q3-status-qa-mobile:port-tests
  • Started backup seed phrase test implementation
• admin/misc
  • OOO: 7 cc Day

vac:dst:

• admin/misc
  • Review candidates for DST position
  • Got flights to Budapest and informed Pops
  • Call with Codex
    • Discussed differences between both frameworks, and approaches that could be taken
    • Created notion document for next steps on the framework
      • Notion Document
  • Machine for AZC
    • Github PR
    • Coordinate with Nescience to use this machine next week
  • Went over the deployment code and open PRs
  • Track and participate in gossipsub metrics spec draft
• status:2025q3-status-go-chat-protocol-benchmarks:delay-and-store
  • TODO notion document
  • Call with Waku to investigate waku connections
    • Peers were missing in admin endpoint. Missing information was fixed in nwaku v0.36
    • Confirmed that peers added through staticnode argument are not exposed to be discovered even they have discv5 enabled.
• vac:2025q3-libp2p-evaluation:mix-re-evaluation
  • Github commit: pwhite/dst-changes-build-fix
    • Fix for building Docker image
  • Github PR: mix node deployment changes
  • Still seeing violations where the first message is seen in the network from a non-exit node (normal gossipsub instead of mixnet route).
  • Still seeing a discrepancy in delay with 0 delay 0 jitter for mixnet nodes. Some plots where message delay is less than zero.
  • Gathering data sometimes seems to fail.
• ift:2025q3-dst-tooling:general-tooling
  • Deployment - Workflow
    • Made some comments on this. Good discussion going.
    • Tried full workflow with mixnet where the analysis script automatically grabs the parameters from experiment output.
• ift:2025q3-dst-tooling:shadow-integration-scaffold
  • Completed shadow integration for nim-libp2p, new repo created
    • Shadow test runs with both, docker executable and build method
    • Prometheus metrics were failing for large networks with metrics/httpclient.
    • Prometheus metrics working fine with curl and staggering (slightly increases simulation time)
    • The run script allows using custom configurations

vac:sc:

• ift:2025q3-fv-tools-research
  • applied Kontrol to some of our Karma tests
  • chatting with the Kontrol team to provide feedback on the errors we have running Kontrol on our repo
  • tried the opensource version of certora in local
• status:2025q2-sn-native-bridge-yield-bearing-module:research-design
  • finished importing the Status contracts to the status network monorepo
• status:2025q3-maintaining-status-contracts
  • Implement fix for lockUntil vulnerability
    • https://github.com/status-im/status-network-monorepo/pull/7
  • Allow for setting rewards when there's a pending reward period
    • https://github.com/status-im/status-network-monorepo/pull/8
  • Prevent bug that's caused by StakeVault being transferrable
    • https://github.com/status-im/status-network-monorepo/pull/12
  • Clean up StakeVault integrity checks
    • https://github.com/status-im/status-network-monorepo/pull/13
  • Fix vulnerabilities related to withdraw() that allows users to withdraw their staked funds while their are locked
    • https://github.com/status-im/status-network-monorepo/pull/16
  • Fix lockUntil not being reset during migration
    • https://github.com/status-im/status-network-monorepo/pull/17

vac:acz:

• ift:2025q3-de-mls-tesnet:consensus-layer
  • Fully finished real voting, fixed some issues around removing user, added docs for part of the functionality PR
• ift:2025q3-libp2p-mix-testnet:update-rfc
  • Began drafting Section 9: Security Considerations mix-rev1-security branch.
  • Parts of Section 8 still pending.
• ift:2025q3-gossipsub-relay-rfc:relay-rfc
  • Completed the GossipSub Relay Protocol RFC PR #178.
• ift:2025q3-zerokit:libp2p-mix-repo
  • Reviewed PRs #78 and #79.
  • Discussed limitations of exit ≠ destination with P2P team.
  • Documented detailed comparison between exit == destination and exit ≠ destination in the Notion Page.
  • Aligned with team to proceed with exit ≠ destination in both RFC and implementation, with security implications captured in Mix RFC.
  • Synced with P2P team and on implementing logging on the latest branch for benchmarking.
• ift:2025q2-zerokit:zerokit-maintaining
  • FFI rework discussions: Discord channel about FFI + Nim POC
    • • comments FFI rework discussions on GIthub
• ift:2025q3-rln-status-l2:stress-test
  • Provided server was a VM with CPU usage sharing (+ no AVX/AVX2) - requested another & dedicated server
  • Prover benchmark page: https://www.notion.so/Prover-Benchmarks-25d8f96fb65c80a1bef2e317338f528b
  • PR benchmark + many RPC subscirbers
• nes:2025q3-nescience-consulting:dex-research
  • Prepared AMM on NSSA document.
• ift:2025q3-rln-status-l2:rln-spec-maintain
  • Review and comment on abusing RLN rights on doc.
  • Read slashing doc
• ift:2025q3-rln-status-l2:maintaining
  • Merge this PR
  • Reviewed PR
  • PR for fixing issue - merged
  • Update dependencies PR - merged
• ift:2025q3-de-mls-tesnet:multi-steward-rfc
  • Worked on steward rotation by extracting requirements such as how to determine steward list and todos on malicious steward.
• ift:2025q3-de-mls-tesnet:consensus-rfc
  • Applied feedbacks PR, on final review.
• nes:2025q3-nescience-consulting:privacy-projects-analysis
  • Review privacy projects vs NSSA document
  • Worked on privacy projects vs NSSA document.
• admin/misc
  • Review RLN think-tank doc
  • Look into zk-creds paper for Waku research team credential requirements.
  • Responded to Waku's question about Fractional message transfer
  • Provided feedback on FURPs: SN RLN and Zerokit. Due to this, added a question to SN RLN document
  • Nescience review (for peer programming interview)

vac:rfc:

• codex:2025q3-rfc-iteration
  • Started work on rfc for codex DHT
• waku:2025q3-rfc-iteration:qaku
  • Completed the first draft of qaku rfc, ready for review - https://github.com/waku-org/specs/pull/77
• admin/misc
  • OOO: 5 cc Day

vac:sec:

• ift:2025q3-wallet-policy-update:write-and-review-new-version
  • Tested signing requests and add new signatory procedures
  • Pending to final review with Finance
• ift:2025q3-awareness-program:web3-security-essentials
  • Shared web3 news about crime, phishing, malware, hacks and IoC with Finance (Weekly Update)
  • Continued working on the integration with n8n
• ift:2025q3-multisig-secondary-interface-deployment:write-guides-and-best-practices
  • Continued writing the guidelines to use Onchain Den when required
• ift:2025q3-wallet-policy-update:backup-and-recovery-policies
  • Started updating/creating backup and recovery policies and processes
• ift:2025q3-cicd-security-review:status-design-reviews
  • Completed secure code review on Status browser and messaging PRs, focusing on encryption, IPC, and storage access
  • Manually tested wallet PRs for insecure key handling and authentication bypass risks
  • Reviewed CI/CD pipeline configurations for hardcoded secrets and improper access controls
  • Validated recently merged fixes through diff-based code review to confirm vulnerabilities were resolved
• ift:2025q3-vulma-and-ir:incidents
  • Reproduced SNT phishing attack flow in a controlled test environment to validate threat scenarios
  • Performed log-based hunts for suspicious wallet activity linked to phishing indicators
  • Investigated new bug bounty submissions and validated PoCs against staging
  • Verified IR alerting pipeline by simulating phishing indicators across test accounts
• ift:2025q3-vulma-and-ir:remediation-tracking
  • Manually validated 5 high-severity CodeQL findings, confirming impact through code path analysis
  • Reviewed and tested PRs addressing unresolved Dependabot alerts, confirming upgrades locally
  • Cross-checked static analysis findings with runtime logs to assess exploitability
  • Coordinated with repo owners to close several high/medium security issues via patch review and testing
• ift:2025q3-iam-operations:remove-unnecessary-users
  • Refactor logic for identifying Inactive CCs in Notion, Github, Google, Discord
    • due to Blocker, add a page of Inactive CCs in Notion
    • manually run and update Inactive CCs in Notion daily
    • all user management processes will refer to the Inactive CCs Notion page
• ift:2025q3-security-automation
  • Finalized new version of privacy news alert
• ift:2025q3-security-automation:automatic-wallet-index-updates
  • Started python script inclusion, dependence on Python n8n docker
• ift:2025q3-finance-automation
  • Pending approval from Finance
  • Deploy to prod pending the ending of payments for August
• admin/misc
  • Interviewed a candidate for the App Sec Engineer position. Moved forward to next stage

vac:nes:

• 2025q3:state-separation-architecture-poc:fee

  • Finished a first draft on fee mechanism.

• 2025q3:state-separation-architecture-poc:specs-impl

  • Looked into alternatives to solve the encryption issue inside R0.
  • Updated PR 101 on wallet CLI
  • Started PR 105 on sequencer specs implementation
  • Investigated performance of Diffie-Hellman shared secret derivation inside a risc0 guets program. Couldn't find a feasible alternative and refactored the testnet code to leave that part out in NSSA v0.1
  • Added tests, polished the code and marked PR 103 for review.

vac:nim:

• ift:2025q1-nimble
  • Adds support for some when expressions in the declarative parser. (https://github.com/nim-lang/nimble/pull/1457)
    • Adds support some when expressions in the declarative parser.
    • Uses StringTableRef to hold the defines
  • WIP Support for filepath in requires (https://github.com/nim-lang/nimble/pull/1452)
    • Reverts "patch" feature
    • Builds a filepath package graph
    • Prevent deps not pulled from file:// to have filepath requires
    • Adds test case "should not allow filepath deps in a top level package that is not being in development"
    • Adds support for "requires" file. When present will parse the requires and add it to the main nimble file.
    • Skips root validation
    • allows to lock filepaths packages
• ift:2025q3-nim-core-libs:nim-cbor-serialization
  • nim-cbor-serialization (https://github.com/vacp2p/nim-cbor-serialization/pull/1)
    • setup CI workflow: tests, nph lint
    • added docs, book, examples
    • plugable bignum support
    • refactored bigints into a plugin
    • added missing CborRaw type to parse/write raw CBOR data