Crypto proof verifier flaw & Universal DO_NOT_TRACK telemetry opt-out - Hacker News (May 3, 2026)
Dusk zk-proof bug that could mint coins, Windows 11 Insider reboot, Ladybird browser leaps, Haskell reliability at Mercury, and DO_NOT_TRACK privacy.
Today's Hacker News Topics
-
Crypto proof verifier flaw
— Researchers found a soundness bug in Dusk Network’s PLONK verifier that could let attackers forge zero-knowledge proofs and mint coins from nothing—highlighting verifier-binding and KZG opening checks. -
Universal DO_NOT_TRACK telemetry opt-out
— A proposed DO_NOT_TRACK=1 environment variable would standardize opt-out for telemetry, crash reporting, and other non-essential network calls across CLIs, SDKs, and developer tools—privacy by default. -
Haskell reliability at fintech scale
— Mercury’s engineering write-up shows how a large Haskell codebase stays reliable by designing for graceful degradation, encoding safe defaults in types, and using Temporal for durable workflows and retries. -
Ladybird browser performance sprint
— Ladybird’s April update delivered big usability gains like an inline PDF viewer plus faster parsing, smoother rendering, and better responsiveness—evidence the independent browser is maturing quickly. -
Windows 11 Insider program reset
— Microsoft is reshaping Windows 11 Insider into Experimental and Beta channels, reducing surprise rollouts, tuning Windows Update restarts, and “right-sizing” AI surfaces like Copilot integrations. -
3D Gaussian splats in-browser
— The ml-sharp-web project demonstrates end-to-end 3D reconstruction in the browser—ONNX Runtime Web, workers, and exports—while exposing real constraints like COOP/COEP and model licensing. -
Why brain averages mislead
— A Stanford Medicine study shows group-averaged fMRI results can hide or reverse within-person brain–behavior links, supporting individualized models for cognition and conditions like ADHD. -
Neanderthal bone-grease “fat factory”
— Archaeologists report Neanderthals processed bone grease at scale 125,000 years ago, implying coordinated labor and planning—pushing back timelines for complex resource management. -
Building usable maps on Watch
— A six-year Apple Watch mapping effort highlights the tradeoffs of on-device tile rendering, tiny-screen UI design, and why some developers bypass MapKit to achieve better outdoor navigation.
Sources & Hacker News References
- → How Mercury Runs a Two-Million-Line Haskell Codebase in Production
- → ml-sharp-web Brings Apple’s SHARP Gaussian Splat Generation to the Browser
- → Ladybird April 2026 Update Brings Inline PDFs, Faster Parsing, and Major Performance Gains
- → Pedometer++ Creator Details Six-Year Push for Better watchOS Maps
- → Stanford study shows group-averaged brain scans can misrepresent individual cognitive control
- → Microsoft details Windows 11 quality improvements rolling out to Insiders
- → Critical Bug in Dusk’s PLONK Verifier Allowed Forged Proofs and Token Minting
- → Proposal Introduces DO_NOT_TRACK Environment Variable to Disable Telemetry Across Tools
- → Study Finds Neanderthals Rendered Bone Grease in a 125,000-Year-Old ‘Fat Factory’
Full Episode Transcript: Crypto proof verifier flaw & Universal DO_NOT_TRACK telemetry opt-out
Welcome to The Automated Daily, hacker news edition. The podcast created by generative AI. I’m TrendTeller, and today is May-3rd-2026. Here’s the hook: a critical zero-knowledge verifier mistake reportedly let researchers mint crypto from nothing on a test network—exactly the kind of bug that sounds impossible until it isn’t. Let’s get into it.
Crypto proof verifier flaw
First up, a serious security disclosure in the zero-knowledge world. Researchers say they found a soundness flaw in Dusk Network’s dusk-plonk verifier—the component that decides whether a cryptographic proof is valid. The issue wasn’t about a clever new attack technique so much as a missing check: some values the verifier relied on weren’t properly bound to the trusted commitments. In plain terms, that can turn “math-proof security” into “attacker gets to pick the answer.” Why it matters: the authors demonstrated a proof-of-concept where they created new coins from zero and sent funds to an honest wallet on a local testnet, with nodes accepting the transactions. Dusk has shipped a patch, but the bigger takeaway is ecosystem-wide: verifier implementations need more mechanical, standardized safeguards so “unbound evaluation” bugs don’t quietly slip into production code.
Universal DO_NOT_TRACK telemetry opt-out
Staying on trust and control, there’s a new proposal aimed at cleaning up the mess of telemetry opt-outs in developer tools. The idea is a single environment variable—DO_NOT_TRACK=1—that would tell CLIs, SDKs, and frameworks to disable non-essential network calls like usage analytics, crash reporting, and similar reporting. Why it matters: today, every tool seems to invent its own switch, which means privacy becomes a scavenger hunt. A universal signal wouldn’t fix the broader debate about what software should collect—but it could make user intent unambiguous, and it nudges the industry toward opt-in instead of opt-out defaults.
Haskell reliability at fintech scale
On production engineering, Mercury published a detailed look at running a roughly two-million-line Haskell system while moving real money at high volume—much of it maintained by people who learned Haskell after joining. The core argument is refreshing: reliability isn’t the absence of failure; it’s “adaptive capacity”—systems that fail in predictable ways, are understandable under pressure, and make the safe path the easiest path. A key theme is using the type system as an operational tool, not an ideology. Mercury’s engineers encode institutional knowledge into APIs so that critical actions—like emitting the right transactional events—are hard to forget by accident. But they also warn against over-encoding invariants so tightly that teams can’t evolve. And one very practical reliability win: adopting Temporal for durable workflows, so retries, timeouts, and crash recovery are handled consistently in a way that fits nicely with Haskell’s “pure core, impure shell” mindset. The post also calls out a perennial Haskell pain point—observability—and recommends patterns like explicit instrumentation hooks and avoiding library-level logging so production teams can trace behavior when it counts.
Ladybird browser performance sprint
Now to browsers—specifically, the Ladybird project’s April progress report. They merged hundreds of pull requests, brought in new contributors, and landed meaningful user-facing upgrades like an inline PDF viewer powered by Mozilla’s pdf.js. That’s paired with profiling-driven work to keep large PDFs from bogging down the experience. Under the hood, Ladybird is also pushing on the stuff that makes a browser feel “fast” in daily use: getting earlier starts on parsing, moving more work off the main thread, improving rendering responsiveness with more parallelism, and tightening up the JavaScript engine’s speed and memory use. Why it matters: independent browser engines are rare, and Ladybird’s steady climb in standards testing and performance work suggests it’s moving from “interesting experiment” toward “credible alternative,” which is healthy for the web ecosystem.
Windows 11 Insider program reset
Microsoft also shared a progress update—this time on Windows 11 quality improvements and how it’s reworking the Windows Insider Program. The headline is simplification: two main channels, Experimental and Beta, with fewer confusing rollout mechanics. Beta is positioned to be more predictable, while Experimental becomes the place to try new features more explicitly—without trapping people in a maze of hidden switches. They’re also trying to make Windows Update less disruptive, including efforts to consolidate restarts and keep shutdown options visible even when updates are pending. And in a notable bit of restraint, Microsoft says it’s “right-sizing” AI integration—removing “Ask Copilot” from some app surfaces and making AI entry points feel more intentional. Why it matters: Windows reliability isn’t just about fewer crashes; it’s also about fewer surprises. Clearer channels, calmer defaults, and less forced AI could rebuild some trust with power users who’ve felt like involuntary beta testers.
3D Gaussian splats in-browser
On the AI-in-the-browser front, a new open-source project called ml-sharp-web shows a complete, browser-based playground for generating 3D “Gaussian splats” from a single image using Apple’s SHARP model. It runs end-to-end in the browser: inference happens with ONNX Runtime Web in a worker, then the result is previewed and exported as a downloadable file. Why it matters: this is a concrete demo of heavyweight AI workloads moving closer to the client side, which can improve privacy and reduce server costs. But it also documents the less glamorous reality: browser constraints like cross-origin isolation requirements for high-performance WebAssembly, real deployment friction around large model files, and licensing gotchas where model weights have very different terms than the surrounding code.
Why brain averages mislead
Switching to science, Stanford Medicine published results that challenge a common habit in brain imaging: averaging people together and assuming the result reflects individuals. Using fMRI data from thousands of children doing an inhibitory-control task, the researchers compared group-level results with within-person, trial-by-trial dynamics. In some cases, the relationship flipped—what looked true in the average wasn’t true inside an individual. Why it matters: it’s a reminder that “one chart for everyone” can be misleading in neuroscience, especially when the goal is understanding behavior and mental health. The work also suggests conditions linked to inhibitory control—like ADHD—may involve multiple underlying pathways, which argues for more tailored interventions rather than a single story built from averages.
Neanderthal bone-grease “fat factory”
And now for a deep history datapoint: a study reports that Neanderthals in central Germany were rendering bone grease at scale around 125,000 years ago. The evidence points to a deliberate, repeated processing operation—bones smashed into massive quantities of fragments and heated to extract fat—at what appears to be a centralized lakeside work site. Why it matters: this pushes sophisticated food processing and coordinated labor further back in time than many people assume. It also adds weight to the picture of Neanderthals as strategic planners who managed resources across landscapes, not just opportunistic hunters.
Building usable maps on Watch
Finally, a developer story from the small-screen frontier: one engineer described a multi-year effort to build a genuinely usable map experience on Apple Watch. Early approaches leaned on server-generated images, which meant latency and no offline capability. Over time, the project shifted toward on-device rendering for speed and reliability, and a lot of the work was simply interface design—making panning, zooming, and metrics readable on a tiny, one-handed display. Why it matters: wearables keep getting marketed as “mini phones,” but they succeed or fail on interaction design. This story is a good reminder that performance, offline behavior, and UI constraints are inseparable—and sometimes the default platform tools aren’t flexible enough for demanding outdoor navigation use cases.
That’s our run through today’s most interesting Hacker News threads—from a zk-proof verifier bug with very real consequences, to a proposed universal “do not track” switch for developer tools, to steady progress in browsers, operating systems, and practical AI running locally in your web page. Links to all the stories are in the episode notes. I’m TrendTeller—thanks for listening to The Automated Daily, Hacker News edition.