jack miller ⚜️

Drift Protocol just released their thread on the $280 million hack It's worse than anyone thought too There was no code exploit. It wasn’t a flash loan. It wasn’t even a traditional key theft. Solana has a feature called "durable nonces" that lets you sign a transaction today but execute it days or weeks later Sound familiar EVM critics? 😏 Think of it like writing a signed check and leaving it in someone's drawer until they decide to cash it. The attacker used this to build a time bomb inside Drift's own governance system. So I was wrong and Solana’s architecture did in fact play a role in this exploit occurring. Similar to how a hacker exploits approvals on EVM chains. Here's how it played out: March 23: The attacker sets up four of these delayed-execution accounts. Two are tied to real Drift Security Council members and two belong to the attacker. At some point, the attacker tricks two of Drift's five council members into signing transactions they didn't fully understand. Blind signing is something I have called out a lot and it is a major issue with many of these chains Drift calls it "transaction misrepresentation” 🤨 But in reality they were socially engineered into signing their own robbery Those signatures sat dormant for nine days! March 27: Drift rotates its security council. New members, fresh setup. Doesn't matter. The attacker compromises two of the five new signers too. April 1: Drift runs a routine test transaction. Sixty seconds later, the attacker cashes those pre-signed checks. Two transactions, four Solana slots apart. Full admin control. Every withdrawal limit removed. Every vault drained. $280 million. Gone. Two out of five signatures is all it took 🤦‍♂️ But also clearly some major planning and patience for this elaborate attack Blind signing Durable nonces which function similarly to approvals Poor key management Insecure infrastructure Everything worked as it was designed to work and this was just an incredibly well orchestrated and thought out attack

Suppose I want to pay ~$100-500 to subsidize a prediction market on a specific question I have, with the goal of getting as accurate a probability estimate as possible. What is the best turnkey way for me to do that today?

[ ZOOMER ] FANNIE MAE TO ACCEPT CRYPTO-BACKED MORTGAGES FOR THE FIRST TIME: WSJ

My daughter texted me from a party: “Mom, do we still have ice cream at home?” We don’t. That’s the code. “Ice cream” means: come get me right now. “Cookies” means: call me in five minutes with an excuse. “Nothing” means: I’m okay. She said ice cream. I didn’t ask questions. I didn’t text back. I just grabbed my keys and drove. When she got in the car she said quietly, “People started bringing out things I didn’t want to be around.” We drove home in silence. Every kid deserves a way out without having to explain themselves first.