7Block Labs
Blockchain Compliance

By AUJay

Summary: Enterprise teams are finding themselves in a tough spot lately. They've got to deal with a wave of new regulations, things like the SEC's new requirement for 4-day cyber disclosures, the EU's DORA, MiCA, and the Travel Rule. On top of that, they're also trying to keep up with fast-paced protocol changes like EIP-4844, EIP-1153, and the latest from OpenZeppelin v5. These changes really mix things up when it comes to auditability, privacy, and keeping everything up and running. In this post, we look at how 7Block Labs builds smart contracts that are compliant right from the start, along with ZK identity tech and security that you can actually prove. These approaches are practical: they help speed up the procurement process, cut down on risks, and hit ROI targets, all without messing up the delivery flow.

7Block Labs’ Insights on Regulatory Compliance and Security

Pain

These days, your engineering roadmap isn’t just focused on writing code anymore; compliance is really taking center stage.

So, the SEC just rolled out a new rule about cyber disclosures. This means that if a public company experiences any significant incidents, they need to file a Form 8-K within four business days after noticing a serious issue. It's a pretty quick turnaround! Also, they have to be careful not to go into too much detail in their disclosures, or else they might unintentionally hand attackers a playbook. This really puts a lot of pressure on both the Investor Relations team and the engineering folks. They’ve got a lot on their plates right now! (sec.gov).

Hey there! Just a heads up - the Digital Operational Resilience Act (DORA) in the EU officially came into play on January 17, 2025. It really expands the range of ICT governance, incident reporting, sharing threat intelligence, and keeping an eye on third-party providers for just about all financial entities in the EU. This includes Crypto Asset Service Providers (CASPs) too! (mayerbrown.com).

Back in 2024, the rules for stablecoins under MiCA officially kicked in. Starting in 2025, the European Securities and Markets Authority (ESMA) and the European Banking Authority (EBA) are stepping up their game: they're going to be on the lookout for any asset-referenced tokens (ART) or electronic money tokens (EMT) that aren't playing by the rules. The complete CASP regulations are now in effect, but keep in mind that the end dates for the transition can vary depending on the state you're in. And don't forget about the EU Travel Rule (Reg. …), which has been in motion since December 30, 2024. (esma.europa.eu).

So, the New York Department of Financial Services (NYDFS) is in the process of updating 23 NYCRR 500, and they're planning to keep this going all the way through 2025. They’ve really clamped down on what BitLicense holders can expect when it comes to coin listings and delistings. This added scrutiny definitely impacts how you handle your vendor checks and listing processes. (hoganlovells.com).

  • When it comes to protocols, Ethereum’s EIP-4844 is really making waves with its fresh take on data availability economics. So, here's the deal: the "blob" data from Layer 2 hangs around for just a few weeks. That means those simple audit trails you’re counting on could vanish before you know it. Also, with EIP-1153 shaking up transient storage and EIP-6780 tweaking how SELFDESTRUCT affects security and gas costs, it’s definitely a good moment to take a step back and rethink how you approach these changes. (eips.ethereum.org).

In the meantime, the pressure from all these threats keeps building, and it feels like everyone’s keeping a close eye on things.

Chainalysis has been closely monitoring just how much money gets lost to crypto theft every year, which adds up to billions! As we look toward 2025, it’s clear that we're bracing for some significant breaches and a rise in personal wallet hacks. These are definitely things that the top executives should keep an eye on. (chainalysis.com).

So, here's the deal: you're juggling a bunch of scattered controls, like SOC 2 and ISO 27001:2022. On top of that, you've got identity guidelines that are constantly shifting. Just take a look at NIST SP 800-63-4, which is set to roll out in 2025, along with W3C VC 2.0. All of this clashes with your sprint plans. When procurement gets stalled, folks start to doubt the SLAs and RTO/RPO, and security reviews turn into a critical step in the whole process. If you want to dive deeper into this topic, check out pages.nist.gov.

Agitation

Hey, if you overlook the SEC 8-K disclosure or misinterpret what counts as “material,” you could find yourself in hot water with some enforcement issues and hurt your reputation. This is especially crucial when you need your legal, communications, and investor relations teams to be on the same page as your development and operations folks. (sec.gov).

Hey there! Just a heads up that DORA is officially in play now. If your ICT and third-party risk programs aren’t fully operational yet--like making sure you have your asset inventory sorted, testing your business continuity plans, keeping those vendor lists up to date, and having your threat intel playbooks ready--you could see EU entities and CASP partners getting a bit stricter with contracts and access. So, it’s definitely time to get those programs rolling if you haven’t already! (mayerbrown.com).

Hey there! So, the MiCA regulations and the EU Travel Rule are really changing the game for stablecoins and how transfers are handled. If you happen to integrate a non-compliant ART/EMT or overlook some of those important VASP-to-VASP data payloads, you could be looking at getting delisted. And that’s not all - it might also cause some serious hassles with withdrawals and settlements, which could lead to a whole lot of support headaches at Level 1. Trust me, that’s the last thing you want to deal with! (esma.europa.eu).

EIP-4844 introduces these cool temporary blobs that shake up the traditional mindset of “the chain holds onto everything forever.” If you don't have solid data retention and evidence-gathering strategies in place, you could run into some trouble down the road. This could be during audits, when resolving disputes, or even when digging into incidents for forensics. So, it's definitely worth making sure you’ve got your bases covered! (eips.ethereum.org).

So, here’s the scoop: starting in 2023 and rolling through to 2025, the NYDFS is making some serious changes. They’re really upping the standards for things like multi-factor authentication (MFA), privilege control, logging, and Class A requirements. Also, if you’re looking to update your policy for listing and delisting, just a heads-up - you won’t be able to self-certify until the DFS gives you the thumbs-up on your updated policy. Just something to keep in mind! If there are any gaps here, it could hold up your exchange releases and partnerships. (hoganlovells.com).

  • When something goes down on public chains, you can bet it’s going to make the news. When it comes to staying in the loop, 8-K filings, NYDFS notices, and ESMA statements are the reliable go-tos for customers, partners, and analysts alike. If you don’t speak up or keep things too vague, you might end up losing their trust. It's all about being clear and open! (sec.gov).

Here's the deal: when there are delays, it means missed opportunities for making money, listings get stuck, and those InfoSec questionnaires take way longer to fill out. Your teams have to roll out features that meet the rules, and they also need to provide proof that they’ve done it--whenever it’s needed.

Solution

7Block Labs

At 7Block Labs, we're super focused on blending Solidity, zero-knowledge proofs (ZK), and solid infrastructure. Plus, we're always keeping an eye on the latest regulations and what’s needed in the procurement game. We've got a pretty simple approach, and you can easily test it out to see how well it works.

1) Governance and Control Mapping (SOC2, ISO 27001:2022, DORA-Ready)

Let’s make sure your control stack is in sync with the SOC 2 2017 Trust Services Criteria (TSC). We’ll also want to weave in the latest 2022 points of focus and the ISO 27001:2022 standards. Sound good? Annex A has been streamlined to just 93 controls, and we're diving into some new areas. We're exploring topics like Threat Intelligence, Cloud Services Security, Data Deletion, Data Leakage Prevention, and Secure Coding. Exciting stuff ahead! We’ve got everything you need for procurement covered! That includes the Statement of Applicability (SoA), control narratives, evidence runbooks, and test plans. You won’t be missing anything! Take a look at this: AICPA-CIMA. You might find it really helpful!

Next, we take DORA's ICT risk and third-party requirements and turn them into CI/CD guardrails that we can actually use. That involves pulling together key items like asset lists, supplier info, and version control, plus a Software Bill of Materials (SBOM) for contracts that includes build metadata and Sourcify verification. On top of that, we run incident drills to make sure you're all set for whatever comes your way. If you're looking for more details, see Mayer Brown.

2) Compliant identity and ZK attestations

  • Build privacy-friendly KYC/AML gates with W3C VC 2.0 credentials plus ZK verification, using stacks like Privado ID or Polygon ID. Users can share a ZK proof, like saying they're "over 18" or "an EU resident not on the sanctions list," with your contracts without having to expose any of their personal info. All that sensitive information stays away from Layer 1. We make sure this connects straight to your access control and on-chain policy checks. (w3.org).

So, when you're thinking about custody and signing policies, make sure to look into using FIPS 140-3 Level 3 HSMs--like the CloudHSM hsm2m.medium model. Also, don’t forget to check out threshold signatures, specifically FROST. They really enhance security! This will make it easier for you to get on the same page with your company's crypto policies and stick to NIST's recommendations when it comes to threshold cryptography. So, what’s the bottom line? You’ll be way better equipped to handle any signer hiccups and you’ll have clearer stories to share with the auditors. Dive deeper here: (docs.aws.amazon.com).

To stay compliant with the Travel Rule, it’s important to ensure that data payloads and sanctions screening are really enforced at the VASP boundary. If we notice that any necessary information about the originator or beneficiary is missing, our safety measures will kick in and stop the settlement from going through. If you’re looking for more info, check this out: eba.europa.eu. There’s a ton of details waiting for you!

3) Smart Contract SDLC That Stands Up in Audits

  • Static + Dynamic Testing: We're diving into static analysis with Slither, and on top of that, we’re firing up Echidna and running some Foundry invariant campaigns that focus on coverage-guided fuzzing. It's a pretty solid combo to ensure everything’s running smoothly! On top of that, we're rolling out Scribble properties for our preconditions, postconditions, and invariants. This is particularly important for our financial and authorization logic. These tests really turn into key pieces of our releases. Check it out here.
  • Upgradeability Discipline: We're really focused on making sure we're using UUPS/Beacon with those ERC‑1967 slots. We also pay attention to storage gap patterns and have solid proxy admin practices in place. After we roll out a deployment, we make it a point to do some thorough checks. It helps us steer clear of those annoying storage collisions and the admin key risks that auditors like to point out. If you want to dig deeper into this topic, you can check out more details here.
  • Cool New EVM Features with Safety Measures: We’re excited to introduce EIP-1153, which brings transient storage for those gas-efficient reentrancy guards. Big thanks to OpenZeppelin v5 for making this possible! We’re all about keeping things secure with our setup, so we’ve got the ReentrancyGuardTransient in place. Plus, we’re using P-256/RSA verification libraries and some handy Merkle utilities. We’ve run the numbers to check the gas efficiency and gave everything a good once-over to make sure we're not missing any new risks. Safety first, right? Want to learn more? Check it out here!
  • Source Verification and Reproducibility: We’ve taken a big step by automating Sourcify and explorer submissions, which now include build metadata, commit SHAs, and clear-cut settings. It’s a game-changer for ensuring everything is spot on! Our audit pack comes with bytecode diffs and verification receipts to make sure everything's running smoothly. If you want to explore it further, you can check it out here. Happy diving in!

4) Data Availability and Evidence Under EIP-4844

Alright, let’s break down what EIP-4844 is all about. The way it works is pretty interesting--blobs are pruned, which means they don’t stick around for long, but those KZG commitments? They’re here to stay. With that in mind, we’ve devised a two-part strategy for gathering evidence.

To kick things off, we'll be sending out organized events that focus on just the key info you need--all while keeping things privacy-friendly. This way, you’ll have everything ready for any disputes or audits that might come your way. On top of that, we're planning to securely back up rollup data in our own archive. Picture it like object storage that has WORM policies. We’ll be indexing everything by transaction hashes and versioned blob hashes to keep everything organized. We'll also be storing periodic Merkle roots directly on layer 1. (eips.ethereum.org).

No need to stress--we've got your back with straightforward docs on how to handle retention and retrieval procedures. With this approach, our legal team and auditors can easily go back and track state transitions, even after we’ve pruned the blobs. It's a handy way to keep everything clear and accessible!

5) SEC- and NYDFS-Ready Incident and Disclosure Runbooks

  • Materiality Sprints (4-Business-Day 8-K Rule): These playbooks bring together forensics, chain analytics, and legal standards into a unified game plan. It's really crucial to give the disclosure draft a good red-team review. We definitely want to avoid creating a “roadmap for attackers,” which is something the SEC has warned us about. If you want to dive deeper into the topic, you can find more info here.
  • NYDFS 23 NYCRR 500 Rollouts (Milestones in May/Nov 2025): Buckle up! We’ve got some exciting things coming your way--think privilege management that actually works, strong defenses against malware, automated password protections, and super detailed Class A logging.
    Oh, and just a little reminder: make sure you grab those templates for the DFS coin listing and delisting policies. You’ll also want to collect the evidence folders for any examinations. Don't overlook those! If you want to learn more about this, feel free to check it out here. It's a great resource!

6) Procurement Acceleration and ROI

  • Don’t worry, we’ve got your back with our enterprise-ready package! It comes with all the essentials, like SOC2 control mapping and a fresh remap of the ISO 27001:2022 Statement of Applicability. On top of that, we carry out a DORA gap analysis, show proof of our Secure SDLC practices, set up data retention policies for DA, and manage controls for sanctions and the Travel Rule. We also compile thorough pen-test and audit reports. What this really means is that you can shorten your RFP and InfoSec questionnaire processes quite a bit!
  • But wait, there’s more! We also offer a bunch of fantastic services to go along with our delivery. If you’re diving into Web3 SDLC and need some help with integration, take a look at our awesome offerings! You can explore our custom blockchain development services to get started, check out our blockchain integration options, and don’t forget to look into our security audit services to keep your project safe and sound. We’ve got you covered! Hey there! Need some help with solution delivery? We've got you covered with our awesome services like smart contract development, dApp development, and cross-chain solutions development. Whatever you're looking for, we can help make it happen!

1) ZK‑KYC Gate with VC 2.0 + Polygon/Privado ID

Flow:

  • An off-chain KYC provider issues a verifiable credential (VC), and the credential is transferred to the user's wallet.
  • The user creates a ZK proof that they meet all the policy requirements: "age ≥ 21," "in a jurisdiction that's either in the US or EU," and "not on any sanction lists."
  • An on-chain verifier contract (or, alternatively, an off-chain service that provides attestations) checks the proof and marks the user on the allow-list, all without storing any personal information. (w3.org).

Engineering Notes:

  • Version and pin verifier keys, and rotate and revoke them during events. It's also worth setting up a “sell-only” option for stablecoins that don't hit the mark on EU compliance according to ESMA guidelines, so users don't get stuck with them. (esma.europa.eu).

Business Impact:

This setup makes it easy for us to handle AML requirements and the Travel Rule data exchange right at the VASP boundary, all while keeping the on-chain state nice and streamlined.

2) Solidity Testing That Puts Auditor Concerns to Rest

First things first, let’s put together some Scribble specs for those key invariants we can’t overlook. For instance, we need to make sure that “the sum of liabilities equals the sum of assets.” Also, don’t forget that “only the Risk Committee is allowed to set the caps.” Alright, now let’s dive into it! You can kick things off by running Foundry invariant campaigns with coverage-guided fuzzing. It's a great way to really get into the rhythm of it all! Hey, just a quick reminder to add in some Echidna property tests to make sure you're covering those underflows and limits. It’ll really help catch any edge cases! Take a look at the info here. You'll find all the details you need!

  • Next, go ahead and add Slither into your CI process. This way, you’ll make sure that any critical issues will stop merges right in their tracks. It's a fantastic way to keep everything tidy! Oh, and don’t forget to export those HTML/JSON artifacts! It'll really help the auditors out and make their job a whole lot simpler. Hey! If you're looking for Slither, you can check it out right here. Enjoy exploring!
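One way to implement the merge gate described above, as an added example (not 7Block Labs' own tooling). It reads the JSON that `slither --json` writes, fails closed if the analysis itself did not succeed, and returns a summary that can be stored as an audit artifact. Mapping "critical" to Slither's `High` impact and the `accepted_ids` triage list are assumptions; the sample report is constructed.

```python
import json
from collections import Counter

# Assumption: the page's "critical issues" are mapped to Slither's "High" impact.
BLOCKING_IMPACTS = {"High"}

# Constructed sample in the shape of `slither . --json report.json` output.
SAMPLE_REPORT = """
{"success": true, "error": null, "results": {"detectors": [
  {"id": "constructed-id-1", "check": "reentrancy-eth", "impact": "High",
   "confidence": "Medium", "description": "Reentrancy in Vault.withdraw(uint256)"},
  {"id": "constructed-id-2", "check": "unused-return", "impact": "Medium",
   "confidence": "Medium", "description": "Vault.sweep() ignores return value"},
  {"id": "constructed-id-3", "check": "solc-version", "impact": "Informational",
   "confidence": "High", "description": "Pragma version allows old compilers"}
]}}
"""


def evaluate_slither_report(report: dict, accepted_ids=frozenset()) -> dict:
    """Turn a parsed Slither JSON report into a merge verdict plus an audit summary.

    accepted_ids is a hypothetical allow-list of finding ids that were triaged
    and explicitly accepted; everything else at a blocking impact stops the merge.
    """
    # Fail closed: a crashed or partial analysis must not look like a clean one.
    if not report.get("success", False):
        return {"verdict": "block", "counts": {}, "blocking": [],
                "reason": f"analysis failed: {report.get('error')}"}

    # A clean run may carry an empty results object with no "detectors" key.
    findings = (report.get("results") or {}).get("detectors", [])
    counts = Counter(f.get("impact", "Unknown") for f in findings)
    blocking = [
        {"id": f.get("id"), "check": f.get("check"),
         "impact": f.get("impact"), "confidence": f.get("confidence")}
        for f in findings
        if f.get("impact") in BLOCKING_IMPACTS and f.get("id") not in accepted_ids
    ]
    return {
        "verdict": "block" if blocking else "pass",
        "counts": dict(counts),
        "blocking": blocking,
        "reason": f"{len(blocking)} untriaged blocking finding(s)",
    }


if __name__ == "__main__":
    summary = evaluate_slither_report(json.loads(SAMPLE_REPORT))
    print(json.dumps(summary, indent=2))          # keep this output with the audit pack
    raise SystemExit(1 if summary["verdict"] == "block" else 0)
```
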

Go with OpenZeppelin version 5.1 or 5.2. These versions come with P-256/RSA verifiers to help with corporate PKI interoperability, plus transient storage reentrancy guards and updated Merkle utilities. Keep an eye on gas reports both before and after you make any changes; it's really important to track them. If you're curious to learn more about it, just check this out here.

3) EIP‑4844 Evidence Retention

Alright, so when you're saving your evidence, just remember to trigger an event that includes a few key pieces of info: the versioned blob hash, the rollup batch ID, and the content hash of your off-chain archive object. It's super important to have all that on hand! Just a quick reminder: make sure you save the entire payload in WORM storage. And don't forget to regularly anchor a Merkle root of those archived objects on L1, alright? It’s super important to keep everything secure!

  • When it comes to retrieving documents, if there’s ever any disagreement, all you need to do is grab the object and make sure that the KZG commitment lines up with the versioned hash on the blockchain. Simple as that! Next, you’ll want to go ahead and replay the state transition. This method does a great job of closing those gaps in the audit trail that pop up when blob pruning happens. For more info on this, just head over to eips.ethereum.org. You’ll find all the details you need there!
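The retention and retrieval checks from this section and from "Data Availability and Evidence Under EIP-4844" above, as an added example (not 7Block Labs' code). `kzg_to_versioned_hash` follows the EIP-4844 definition; the record layout, leaf encoding and Merkle construction are assumptions made for illustration, and the sample commitments are constructed 48-byte placeholders rather than real KZG points. Checking that a blob actually opens to its commitment needs a KZG library and is outside this sketch.

```python
import hashlib
from dataclasses import dataclass

VERSIONED_HASH_VERSION_KZG = b"\x01"  # constant defined by EIP-4844
KZG_COMMITMENT_LEN = 48               # compressed BLS12-381 G1 point

def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def kzg_to_versioned_hash(commitment: bytes) -> bytes:
    """EIP-4844: version byte followed by the last 31 bytes of sha256(commitment)."""
    if len(commitment) != KZG_COMMITMENT_LEN:
        raise ValueError("KZG commitment must be 48 bytes")
    return VERSIONED_HASH_VERSION_KZG + sha256(commitment)[1:]

@dataclass(frozen=True)
class EvidenceRecord:
    """Mirrors the emitted event: batch ID, versioned blob hash, archive content hash."""
    batch_id: int
    versioned_hash: bytes
    content_hash: bytes

    def leaf(self) -> bytes:
        # 0x00 prefix separates leaves from interior nodes (0x01 prefix below).
        return sha256(b"\x00" + self.batch_id.to_bytes(8, "big")
                      + self.versioned_hash + self.content_hash)

def _parent(left: bytes, right: bytes) -> bytes:
    return sha256(b"\x01" + left + right)

def _levels(leaves):
    """All tree levels, bottom-up. An unpaired last node is promoted unchanged."""
    if not leaves:
        raise ValueError("no leaves")
    levels = [list(leaves)]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        nxt = [_parent(cur[i], cur[i + 1]) for i in range(0, len(cur) - 1, 2)]
        if len(cur) % 2:
            nxt.append(cur[-1])
        levels.append(nxt)
    return levels

def merkle_root(leaves) -> bytes:
    """Root to anchor on L1 for one archive period."""
    return _levels(leaves)[-1][0]

def merkle_proof(leaves, index: int):
    """Sibling path for leaves[index] as (sibling_hash, sibling_is_left) pairs."""
    proof = []
    for level in _levels(leaves)[:-1]:
        sibling = index ^ 1
        if sibling < len(level):          # promoted nodes have no sibling here
            proof.append((level[sibling], sibling < index))
        index //= 2
    return proof

def verify_inclusion(leaf: bytes, proof, root: bytes) -> bool:
    node = leaf
    for sibling, sibling_is_left in proof:
        node = _parent(sibling, node) if sibling_is_left else _parent(node, sibling)
    return node == root

def verify_evidence(record, payload, commitment, onchain_versioned_hash, proof, anchored_root):
    """Return the list of failed checks for one archived object; empty means it verifies."""
    failures = []
    if sha256(payload) != record.content_hash:
        failures.append("content_hash")
    # Commitment, archived record and on-chain value must all agree.
    if not (kzg_to_versioned_hash(commitment) == record.versioned_hash == onchain_versioned_hash):
        failures.append("versioned_hash")
    if not verify_inclusion(record.leaf(), proof, anchored_root):
        failures.append("merkle_inclusion")
    return failures

def build_sample_archive(n: int = 3):
    """Constructed sample data: (record, payload, placeholder commitment) per batch."""
    items = []
    for batch_id in range(n):
        payload = b"constructed rollup batch payload #%d" % batch_id
        commitment = sha256(b"commitment-%d" % batch_id) + bytes(16)  # 48 bytes, not a real point
        rec = EvidenceRecord(batch_id, kzg_to_versioned_hash(commitment), sha256(payload))
        items.append((rec, payload, commitment))
    return items
```
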

4) Key Management Policy That Passes Enterprise Scrutiny

Hey, let’s go ahead and shift those essential protocol keys over to the FIPS 140-3 L3 HSMs--specifically, the CloudHSM hsm2m.medium. Let’s get quorum signing set up with FROST so we can keep everything running smoothly. And hey, don’t forget to log all the key ceremonies! It's super important for keeping track of everything. Let's make sure that signer liveness is connected to our recovery time and point objectives (RTO/RPO). It's really important to keep everything in sync! If you're looking for more info, feel free to check it out here.

When it comes to our wallet products, we need to make sure we're on the same page with the NIST SP 800-63-4 guidelines for authentication assurance. You might want to consider using synced passkeys and phishing-resistant authenticators, especially when it comes to our ops dashboards. It really adds an extra layer of security that can make a big difference! If you want to dive deeper into this topic, you can check out more details here.

5) NYDFS and SEC Disclosure Readiness

  • Let's whip up some draft procedures for delisting tokens that fall short of the new DFS policy standards. We should also come up with a “kill-switch” for those tokens, just in case they don’t make the cut. Let's also throw in some dashboards that display the concentration limits. And don't forget to include those protocol flags we rely on when we do our listing risk assessments. (dfs.ny.gov).
  • How about we create some SEC 8-K templates that break down the details in a simple way? We want to capture what’s going on, the reach of it, and its effects, but without diving too deep into technical jargon. Hey, just a quick reminder to make sure you log all the materiality assessments following the “without unreasonable delay” standard for our legal team. Thanks! (sec.gov).

6) Sanctions/Travel Rule Controls by Design

  • Create workflows for sanctions screening that align with OFAC guidelines. Don’t forget to set up blocking and reporting for any hits you come across! Also, make sure to whip up the needed documents for your 10-day and annual reports. You got this! To handle mixing exposure effectively, consider using a FinCEN NPRM-style approach for event tracking. This can really help in spotting and reporting any suspicious activity. Take a look at this link: (ofac.treasury.gov). You’ll find some interesting stuff there!

GTM metrics (what we target and measure)

  • Speeding up procurement: We've noticed a pretty impressive reduction in the InfoSec and Legal review processes, with timelines dropping by 30 to 60 days! How? Well, it’s pretty straightforward! We’re incorporating SOC2 and ISO 27001:2022 mappings, DORA gap evidence, and reproducible builds right from the get-go in the initial package. This way, everything’s laid out clearly and ready to roll!
  • Listing Velocity: Want to speed up your exchange listings? We’ve got you covered! You can now get your listings approved 2-4 weeks quicker. We’re working to align our listing and delisting policies with the NYDFS, and we’re making sure that coin risk memos are right there on your dashboards for easy access.
    Check it out here.
  • Incident Economics: Thanks to our materiality sprints and handy playbooks, we've managed to cut the time it takes to draft SEC 8-K reports from weeks to just a few days. And the best part? We’ve done this while sticking to the “no roadmaps for attackers” principle. Pretty neat, right? If you're looking for more details, you can check them out here.
  • Run-rate savings: We're noticing a pretty cool 10-25% boost in gas efficiency for those hot paths, all thanks to the new OZ v5 utilities and some smart transient storage solutions. We're also cutting down on those late-stage audit issues by using Slither, Echidna, and Foundry for some smart fuzzing that's guided by coverage. Get the scoop here.
  • Audit resilience: We’re thrilled to say that we’ve nailed it with zero “insufficient evidence” nonconformities when it comes to DA retention under EIP-4844. We owe this to our unique blend of on-chain commitments, off-chain WORM archives, and those regular Merkle anchors we use. Check out all the details here!

Why 7Block Labs

We bring together Solidity, zero-knowledge engineering, and governance, risk, and compliance (GRC) to deliver procurement results that truly make an impact. We've got your deliverables all set to fit right into your RFP, auditor portal, and board deck from the get-go! If you're after a complete build and launch experience, we've got you covered! We blend security architecture with streamlined delivery, and here’s how we do it:

Check out our web3 development services and our security audit services! You can find more details about what we offer through the links. Check out our services in blockchain bridge development and dive into the world of asset tokenization. We've got some really cool offerings to explore! Check out our DeFi development services that we customize to fit your unique institutional framework whenever necessary.

Quick reference: “money phrases” you can take to your leadership

  • "We're launching a new SDLC that's mapped to SOC2 and ISO-27001:2022, and it's all set to be DORA-ready, with reproducible builds and easy access to audit evidence whenever you need it."
  • "Our ZK-KYC and VC 2.0 strategy is designed to protect privacy while making sure we follow the Travel Rule and do the necessary AML screening right at the VASP boundary."
  • "We've set aside some funds for keeping EIP‑4844 data, and we can totally show you how the state transitions work after we do some pruning."
  • "Our incident response plan aligns with the SEC's requirement for a 4-business-day, materiality-based 8-K disclosure, and we're keeping all the sensitive, exploit-ready details under wraps."
  • "Thanks to the FIPS 140-3 HSM and FROST quorum signing, we've got our bases covered when it comes to resilience. Plus, it gives us solid proof for our auditors, which is always a bonus!"

If you want to kick things off with a clear roadmap and dodge those annoying last-minute surprises, it's a good idea to loop us in early on. We’re here to help every step of the way!



Citations:

  • NIST CSF 2.0, with a focus on governance. (nist.gov).
  • The SEC's 8-K rule for cyber incidents and the accompanying guidance. (sec.gov).
  • DORA application from January 17, 2025, and the CTPP oversight timeline. (mayerbrown.com).
  • Start of the EU Travel Rule. (eba.europa.eu).
  • The launch of MiCA, and ESMA on stablecoin compliance in 2025. (esma.europa.eu).
  • EIP-4844 (blob transactions), EIP-1153 (transient storage), and EIP-6780 (updates to SELFDESTRUCT). (eips.ethereum.org).
  • Theft trends for 2024-2025 based on insights from Chainalysis. (chainalysis.com).
  • The NYDFS rollout of Part 500 and its coin-listing policy. (hoganlovells.com).
  • OpenZeppelin v5.1/v5.… features: P‑256/RSA, transient reentrancy, and cross-chain and account abstraction tools. (openzeppelin.com).
  • Testing tools: Slither, Echidna and Foundry for invariant testing, and Scribble for runtime verification. (github.com).
  • Verifying with Sourcify using API v2. (docs.sourcify.dev).
  • FIPS 140-3 CloudHSM and threshold signatures such as FROST. (docs.aws.amazon.com).
  • OFAC sanctions and FinCEN's notice of proposed rulemaking regarding mixers. (ofac.treasury.gov).
  • NIST SP 800-63-4, expected to be finalized by 2025. (pages.nist.gov).


7Block Labs is a trading name of JAYANTH TECHNOLOGIES LIMITED.

Registered in England and Wales (Company No. 16589283).

Registered Office address: Office 13536, 182-184 High Street North, East Ham, London, E6 2JA.

© 2026 7BlockLabs. All rights reserved.