DCG714104

97 posts


@RT714104

Joined March 2024
90 Following, 17 Followers
DCG714104 reposted
SalsaTekila
SalsaTekila@SalsaTekila·
Nobody in crypto has the skillset, credibility, and reach to take on RAVE and the broader extractive coin meta the way @zachxbt does. Proven track record, high signal, zero grift. Sending him 10K for future bounties specifically on these manipulated scam coins. Every large KOL who monetizes should follow through and fund this. If he kills this meta, it will be a far bigger win for crypto than most people realize. We need to back him.
DCG714104 reposted
ZachXBT
ZachXBT@zachxbt·
Hello I saw you try to blur out photos posted however I noticed you forgot to blur the third one. Do I go ahead and report your other foreign team member living in the US to ICE? You may be able to bribe third worlders with your small giveaways however I have zero limitations on how far I am willing to go.
DCG714104
DCG714104@RT714104·
@DeanEigenmann @maineguy202 We’ve got full on psyop energy over this reality on the DVN compromise… there is weird, political, “don’t believe your own eyes” energy afoot
Dean Eigenmann
Dean Eigenmann@DeanEigenmann·
@maineguy202 That’s not at all what happened, the DVN got compromised, which was run on L0 infra
Dean Eigenmann
Dean Eigenmann@DeanEigenmann·
LayerZero hasn’t made a statement on a hack that affected assets in their bridge through what seems like a key compromise, either an infra breach or a rogue employee. The silence, to me, signals that authorities are likely involved.
DCG714104 reposted
Busy Panda 🍉
Busy Panda 🍉@Crypt0Panda·
Why did you delete the tweet @andyyy? Did one of those podcast sponsors reach out or something?
DCG714104
DCG714104@RT714104·
@uttam_singhk @banteg Yes because it is the only logical explanation when we discuss the actual mechanics of the hack not this nonsense LZ put out to cover its ass
Uttam
Uttam@uttam_singhk·
@banteg It’s an insider job ???
DCG714104 reposted
banteg
banteg@banteg·
layerzero attack was not rpc poisoning.

in networking, poisoning is when the attacker outside the trust boundary taints a shared lookup (dns, arp, cache). the consumer has no reason to distrust the source. this was not that.

the attackers got inside layerzero's trust boundary. they accessed the rpc list, compromised two nodes the dvn depended on, and swapped the op-geth binaries. that's an infra breach within the perimeter. supply-chain shaped, not network shaped.

and the payload was surgical. the malicious binary cloaked by ip, served forged payload only to the dvn, told the truth to scan and every other caller, then self-destructed to wipe logs and binaries.

rpc poisoning makes it sound like something that happened to the infra from the outside. the real story is a targeted implant operating inside the trust boundary. that's a meaningfully scarier attack than the label suggests.
DCG714104 reposted
Norbert
Norbert@norbertacc·
@0xngmi Won't anyone ask whether it was an insider job, and why no one thought it was a bad idea to rely on a single signer for a roughly $1.3 billion protocol? It is far too convenient to blame these "hacks" on North Korea with no evidence pointing to them.
DCG714104 reposted
Nick Almond
Nick Almond@DrNickA·
So.. LayerZero blames the project in totality for using a quorum of 1 on their DVN. Their defaults in their code are for a quorum of 1. Loads of projects use a quorum of 1 in prod and not only do they know about it, they run it for them. And.. it’s them that got hacked.
banteg@banteg

went through layerzero gasolina aws deployment repo + extracted app source. tl;dr: concerning. the reference deployment is public by design. and the sample providers.json ships with rpc quorum: 1 on every mainnet chain.

1. the recommended cdk stack puts a public api gateway in front of a private alb in front of fargate in private subnets. publicLoadBalancer: false, taskSubnets: PRIVATE_WITH_NAT, and an HttpApi with HttpAlbIntegration. the readme literally tells operators to send the resulting ApiGatewayUrl to layerzero labs.
2. no authorizer, no iam auth mode, no ip allowlist, no waf, no route-level policy anywhere in the repo. the app itself (bootstrap.ts) registers /provider-health, which leaks configured rpcs. server.listen(port) without host arg binds to public ip.
3. cdk/gasolina/config/providers/mainnet/providers.json sets quorum: 1 for ethereum, bsc, polygon, arbitrum, optimism, fantom, and the rest. multiple rpc urls are configured as failover, not consensus. the multiprovider code only enforces quorum when quorum > 1 and explicitly bypasses the wrapper when it's 1. rpcs are mostly public endpoints (llamarpc, publicnode, ankr).
4. provider config lives in an s3 bucket that the cdk stack creates, uploads to, and passes via env vars (PROVIDER_CONFIG_TYPE, CONFIG_BUCKET_NAME). so the trust boundary is the app + the mutable config plane + the upstream rpc tier + whatever's in front of api gateway.
5. operators are told to validate by curling the public url for /available-chains, /signer-info?chainName=ethereum, /provider-health (again, leaks rpc). external reachability is an encouraged documented requirement.

caveats: this is the public repo and extracted non-public source. it doesn't prove the config they had for kelp bridge. but the public info and the defaults the operators are pointed at look concerning. read more here: gist.github.com/banteg/2fde29d…

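As an added illustration of the failover-versus-consensus point banteg makes above (quorum: 1 meaning the first healthy provider is trusted outright, while quorum > 1 would require independent providers to agree), here is a small verifier that is not LayerZero or Gasolina code; the provider names, hashes, and the DDoS flag are constructed placeholders.

```typescript
// Added example (not LayerZero/Gasolina code): failover vs. N-of-M consensus
// across RPC providers. Provider names and hashes are constructed placeholders.

type RpcResult = { url: string; ok: boolean; value: string | null };
type Provider = (query: string) => RpcResult;
type Verdict = { attested: string | null; reason: string };

// quorum <= 1 reproduces failover semantics: the first healthy provider is
// trusted outright, so one compromised node (or a DDoS that forces failover
// onto it) decides the result. quorum >= 2 requires that many independent
// providers to agree and otherwise refuses to attest (fail closed).
function verifyWithQuorum(providers: Provider[], query: string, quorum: number): Verdict {
  const healthy = providers.map((p) => p(query)).filter((r) => r.ok && r.value !== null);
  if (healthy.length === 0) return { attested: null, reason: "no healthy provider" };
  if (quorum <= 1) return { attested: healthy[0].value, reason: "failover:" + healthy[0].url };

  // Group healthy responses by the value they returned.
  const tally: { [value: string]: string[] } = {};
  for (const r of healthy) {
    const v = r.value as string;
    (tally[v] = tally[v] || []).push(r.url);
  }
  const values = Object.keys(tally);
  for (const v of values) {
    if (tally[v].length >= quorum) return { attested: v, reason: "quorum:" + tally[v].join(",") };
  }
  // Disagreement between providers is itself a detection signal worth alerting on.
  const reason = values.length > 1
    ? "divergence:" + values.join("|")
    : "insufficient providers for quorum " + quorum;
  return { attested: null, reason };
}

// Constructed scenario: two honest nodes report the real packet hash, one
// compromised node returns a forged hash, and honestDown simulates the DDoS
// that knocks the healthy nodes offline so failover lands on the bad one.
const REAL_HASH = "0xreal";     // placeholder value
const FORGED_HASH = "0xforged"; // placeholder value
function makeProviders(honestDown: boolean): Provider[] {
  const honest = (url: string): Provider => () =>
    ({ url, ok: !honestDown, value: honestDown ? null : REAL_HASH });
  const poisoned: Provider = () => ({ url: "rpc-poisoned", ok: true, value: FORGED_HASH });
  return [honest("rpc-a"), honest("rpc-b"), poisoned];
}

// Under the simulated DDoS, quorum 1 attests the forged hash; quorum 2 refuses.
console.log(verifyWithQuorum(makeProviders(true), "packet", 1));
console.log(verifyWithQuorum(makeProviders(true), "packet", 2));
```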
DCG714104
DCG714104@RT714104·
@0xWave It makes Drift look contrite by comparison … what a joke
wave (returning to the bay arc)
Crazy how much this is written to distance themselves from blame when it was fundamentally a successful attack on their infrastructure. Yes, the kelp team should’ve multi-DVN’d. But they still lost control over multiple incredibly sensitive parts of their stack and have clear blame here. It’s not like they weren’t internally aware that they had clients with 1/1 DVN setups with 9 figures at stake. Also whoever pulled this off seems to have deep insight to the internal security architecture of LZ.
LayerZero@LayerZero_Core

x.com/i/article/2046…

DCG714104
DCG714104@RT714104·
@hosseeb Nope. Bullshit. Needed LZs key to pull this exploit. Which had to come from inside LZ. There’s shitload of contagion risk since LZ is obviously compromised.
Haseeb >|<
Haseeb >|<@hosseeb·
TL;DR:
* LayerZero says it was Kelp's fault for running a 1/1 DVN setup; their docs warn against that (although LZ operated the actual DVN)
* Yep, North Korea again
* LayerZero had solid opsec but still got pwned (they're not disclosing the original compromise path, it seems)
* Crazy sophisticated attack. North Korea didn't actually fully compromise the LZ machine. But once they got in, they grabbed the set of RPCs the LZ machine used, and then hacked 2 of the RPC servers it was pulling from, installing fake versions of op-geth on those RPC servers. They then DDoSed the main RPC to cause failover to one of the hacked RPCs, and then the hacked RPCs reported the malicious transaction (hiding their tracks by giving different RPC responses to observability infra). Then once the attack was done, the malicious binary self-destructed, deleting the logs on the compromised RPCs. Very, very complex attack.
* Boy, LZ really are not doing themselves favors with lines like these: "We want to be unambiguous on this point: the LayerZero protocol itself functioned exactly as intended throughout this event. [...] The entire attack was isolated to a single application – zero contagion risk throughout the system, zero other OFTs or OApps impacted." 😬
LayerZero@LayerZero_Core

x.com/i/article/2046…

DCG714104 reposted
lil qwant
lil qwant@LilQwantXBT·
@_weidai 100% layerzero's fault. their node approved the transaction, they controlled the "keys"
DCG714104
DCG714104@RT714104·
@banteg It’s amazing how every DeFi protocol keeps trying to lie about this reality every time there’s a hack
Dauren
Dauren@daurenkm·
@SuhailKakar @rektmando What exactly did they swap after compromising the nodes? Got a link to the full post-mortem? Sounds like a masterclass in infra attacks
Suhail Kakar
Suhail Kakar@SuhailKakar·
the kelp rsETH post-mortem is wild. lazarus (dprk) compromised two rpc nodes that layerzero dvn was relying on. swapped the op-geth binaries. wrote a custom payload that forged messages *only when the dvn queried* - every other IP, including monitoring, saw clean truthful data. then they DDoS'd the healthy RPCs to force failover onto the poisoned ones. drained $290M. self-destructed the malicious binaries to erase tracks. they targeted rsETH because kelp ran a 1-of-1 DVN config with layerzero as sole verifier.
LayerZero@LayerZero_Core

x.com/i/article/2046…

DCG714104 reposted
zeidside
zeidside@zeidside·
Ethereum is dying because of a private key compromise that lost 300 million dollars, but Solana is fine after a private key compromise that lost 300 million dollars because the dog has a hat. I finally get it now.
DCG714104
DCG714104@RT714104·
@syvxbt Your points about Uniswap aren’t wrong… but the exploit was to LayerZero’s DVN signing key — the hackers could have spoofed any chain the adapter trusted; Unichain was just the one they picked. Doesn’t really have anything to do with Uniswap
SYV ★
SYV ★@syvxbt·
People focusing on LayerZero and Aave, but no one mentioning the illiquid dead chain that shouldn’t exist where the funds got stolen: Unichain. Uniswap already left this experimental project, their X account is barely active, full of recycled protocols, no Uni employees (overpaid matcha folks that don’t understand defi) are pushing it anymore publicly since incentives ended and TVL dropped from $1B to 40M. Not to mention the “fee-switch” was a total scam because they mint $120M $UNI to subsidize Labs for “development”. Guess how much revenue they make, a few times less than that. To make a new iteration of a launchpad recently, what a joke. Oh, and their COO gets paid like $800k/year, for what?
DCG714104
DCG714104@RT714104·
The only way to make the LayerZero exploit work is to have the DVN sign a wholly forged packet. The attacker had to obtain/control the actual private signing key of that specific DVN node. The ONLY way this exploit works is with an LZ insider... so.. we going to talk about that??
🕊️
🕊️@lichthauch·
The age of smart is over. what's coming belongs to people who can still cry, people whose hands shake before they do something honest, people who walk out of rooms midsentence because their body told them to, people who kneel down to God. people who pray without words, people who touch trees, people who know when to go home. the smart ones will call this regression, they'll write essays about it, how dangerous it is, how primitive it is, and meanwhile their marriages are dry, their kids are strangers, their bodies are betraying them with insomnia. they feel the door closing and they look for the key inside the same room that locked them in. seeing was never their gift, and now the bill is due
DCG714104 reposted
icebergy ❄️
icebergy ❄️@Icebergy·
it's a bit suspicious that these "leak keys" somehow started leaking more often after the market turned to shit and a lot of teams are closing shop in the past few months
DCG714104 reposted
Fren
Fren@0xFrenxbtdotxrp·
I'm pretty at ease keeping my money in Hyperliquid knowing that it's completely centralised.