معاذ
@m3aadh

461 posts

GCC; Crypto; hodler $Rune $Ruji 😎

Industry · Joined February 2026
272 Following · 15 Followers
THORChain@THORChain·
Another bridge hack another $292 million gone. An attacker forged a cross-chain message on Kelp DAO's LayerZero bridge minted 116500 rsETH out of thin air and used them as collateral to drain real ETH from lending protocols. The emergency multisig paused everything 46 minutes later but the damage was already done. This keeps happening because bridges rely on trusting messages from other chains. When that trust layer gets exploited there is nothing underneath it. Native assets don't have this problem. When you swap on THORChain nothing gets minted nothing gets wrapped and no third party vouches for anything. Real cryptos move between chains validated by the network itself. That is the only model that removes this attack surface entirely. Native or nothing.
Lookonchain@lookonchain

Due to the KelpDAO exploit, the attacker deposited $RSETH into #Aave to borrow $ETH, creating bad debt on #Aave. Many whales have already rushed to withdraw their $ETH from #Aave. $ETH Utilization Rate on Aave has now reached 100%.

Clouted@CloutedMind·
so layerzero was a 1 of 1 msig?
معاذ@m3aadh·
@raynalytics @THORChain Feeding wallets and nodes should be priority to scale up faster, bear markets are for consolidating, bull markets are for profit.
Rayyyk@raynalytics·
This week's THORSday recap just dropped. $XMR is targeting v3.18, one month out. Chad proposed dynamic fees that adjust pricing per wallet and per trading pair. Plus: why he thinks the protocol should be doing its own arbitrage. Full breakdown 👇🏻 blog.thorchain.org/monero-full-st…
Blckhv@blckhv·
Update: +$292M from @KelpDAO. Now $750M+ stolen in 2026. This time, preliminary shows it's a validator being compromised. Not a smart contract bug. Weak code. Weak opsec. Weak key management. Every layer is being exploited. Is AI the biggest hack multiplier of this cycle?
Blckhv@blckhv

🚨$7.6M gone from @rhea_finance Attacker deployed fake tokens, added liquidity to fresh pools, and fooled the oracle layer. ~$470M stolen YTD. We as whitehats aren't doing enough.

معاذ@m3aadh·
@Param_eth 29% of eth is on arbitrum? Should be easy to freeze
Param@Param_eth·
Everything you need to know about the rsETH exploit ($292 million):
attacker targets insecure bridge configuration
Verifier setup: Only one approval is required, and this is the single point of failure.
Attacker forges cross-chain message.
Tricks Bridge into Release: 116,500 fake $rsETH worth ~$292 million
About 36% of total supply
Unbacked ETH tokens created from thin air by the attacker (minted)
Attacker receives fake rsETH on Ethereum
Immediately deposits it into Aave as collateral
then borrows: 106,467 ETH (~$250M)
Started selling and swapping rsETH.
bad debt created of more than $177 million.
WETH pool utilisation hits 100%
Aave freezes rsETH market
exploit was not in core rsETH backing
exploit hit bridged rsETH version
attacker wallet publicly tracked
funded via Tornado Cash
one of the biggest bridge failures of 2026
معاذ retweeted
Andre Cronje@AndreCronjeTech·
We are continuing to investigate the L0/rsETH incident, initial reports seem to indicate a private key compromise/bad config allowed ~200m worth of rsETH to be stolen, this was then deposited into Aave to borrow ETH (since rsETH has insufficient liquidity). a) the position is technically backed b) if it wasn't, Aave's token and security module exists to be the first line of defense for bad debt. Aave does not have a way to subsidize losses for users, so it would become a bank run, given Aave has 7b in ETH vs 100m withdrawn vs PUT's 17m exposure, this is all largely irrelevant. All that being said (just to explain our position) our primary goal is always user PUT liquidity, so we did withdraw all the ETH in Aave to the wrapper itself, this was simply because the available Aave liquidity had dipped below our min threshold.
flyingtulip.com@flyingtulip_

ETH PUT holder update. Available liquidity in Aave ETH dropped below the minimum liquidity threshold. All ETH was withdrawn. The system prioritizes liquidity above yield. No action required.

معاذ@m3aadh·
Pull your funds and stay safe RIP ethereum:0x7fc66500c84a76ad7e9c93437bfc5ac33e2ddae9 @tether can we save another one 😷
معاذ@m3aadh·
Black swan at Aave sheeesh crazy
Chad Barraford@CBarraford·
Hey @sunnya97 , if any talent is looking for a next place to land, @THORChain is a natural landing spot. It's both a cross chain dex and the 2nd largest cosmos chain. 9th largest chain in the world by revenue.
معاذ retweeted
the dude@cryptodude999·
$RAVE Seeing a lot of people confused/complaining, expecting every pump to instantly dump: Team holds a huge % of supply = they can bid their own chart. They’re rotating capital into their own token (similar to stock buybacks, but unregulated). Why? Long perps + buy spot → push price up → nuke shorts → farm funding. Low float + concentrated supply = they control the game, with minimal risk. They’ll likely pull the rug once funding cools, but by then the job will be completed.
معاذ@m3aadh·
Screw Binance ✊🏻
ZachXBT@zachxbt

Pump and dump activity for $RAVE originated on @bitget @binance @Gate Call to action for both @heyibinance @GracyBitget to do better and launch internal investigation offboarding the responsible actors. Offering up to $10K bounty of my personal funds for whistleblowers to come forward privately to share evidence about parties involved We cannot allow this blatant market manipulation by insiders controlling >90% RAVE support to further extract from retail investors.

معاذ@m3aadh·
@lynk0x @THORChain solved this with streaming swaps should be an industry standard by now.
lynk@lynk0x·
Imagine swapping your $220k USDC to USDT and only receiving $5k because you got MeV’d.
معاذ@m3aadh·
@stacy_muur It depends on how you define volume cause CEX don’t actually trade shit they just change entries in a spreadsheet. DEX organic trading volume as in daily inflows + outflows probably already surpass CEX.
Stacy Muur@stacy_muur·
Unpopular opinion: DEXs will never be able to surpass CEXs in spot volume.
Vadim (AI, ⋈)@zacodil·
Rhea Finance published their exploit post-mortem. $18.4M drained - attacker opened margin positions, routed borrowed funds through his own pools, and force-liquidated the empty positions against the reserve pool.
This wasn't a simple hack. The attacker combined two known DeFi attack vectors into something new.
The setup: deploying tokens, creating many pools on Rhea with prices he controls, and preparing hundreds of accounts. Two days of infrastructure work before the actual drain.
The exploit: margin trading lets you borrow tokens and swap them into a position. Slippage protection sums outputs across all swap steps to make sure you got enough back. But it doesn't track that output of one step becomes input of the next.
Attacker builds a swap chain through his own pools:
- Step 1: 1000 USDC → 999 AttackerToken (min_amount_out: 999)
- Step 2: 999 AttackerToken → 1 USDC (min_amount_out: 1)
Slippage check: 999 + 1 = 1000. Looks healthy.
Reality: 1 USDC returned to the protocol. 999 USDC sitting in attacker's pool.
The check counted AttackerToken from step 1 as final output. But they were just transit - immediately spent as input for step 2. Attacker removes liquidity from his pools and walks away with the borrowed funds.
Closest precedent: KyberSwap ($54.7M, 2023) - same principle of counting the same value twice across sequential operations.
~$9M of $18.4M already recovered/frozen.
Post-mortem is one of the most detailed in DeFi - full chronology, tx hashes, exact code line.
The Near Intents team (@AlexAuroraDev) clearly implied that the attacker has been identified, and it’s even someone with a public X account whom he may be following.
Rhea Finance@rhea_finance

x.com/i/article/2045…

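Added example (not part of the original post and not Rhea Finance's code): a small Python model of the slippage check described in the post above, with the summed-output check next to a chained check that treats intermediate outputs as transit. `SwapStep`, the function names and the `TokenA`/`TokenB` route are assumptions made for illustration; the two-step route uses the amounts quoted in the post.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class SwapStep:
    token_in: str
    amount_in: int
    token_out: str
    amount_out: int  # amount the pool actually returned for this step

def summed_outputs_ok(steps, min_total_out):
    """Flawed check as the post describes it: add up every step's output."""
    return sum(s.amount_out for s in steps) >= min_total_out

def final_output(steps, expected_token):
    """Follow the chain and return the amount of expected_token at its end.

    Raises ValueError if a step spends a different token, or more of it,
    than the previous step produced, or if the route ends in another token.
    """
    if not steps:
        raise ValueError("empty route")
    for prev, nxt in zip(steps, steps[1:]):
        if nxt.token_in != prev.token_out or nxt.amount_in > prev.amount_out:
            raise ValueError("step does not consume the previous step's output")
    if steps[-1].token_out != expected_token:
        raise ValueError("route ends in an unexpected token")
    return steps[-1].amount_out

def chained_output_ok(steps, expected_token, min_total_out):
    """Hardened check: intermediate outputs are transit, only the end counts."""
    try:
        return final_output(steps, expected_token) >= min_total_out
    except ValueError:
        return False

# The two-step route from the post (amounts as given there).
POST_ROUTE = [
    SwapStep("USDC", 1000, "AttackerToken", 999),
    SwapStep("AttackerToken", 999, "USDC", 1),
]
# Constructed honest route for comparison (token names are placeholders).
HONEST_ROUTE = [
    SwapStep("USDC", 1000, "TokenA", 400),
    SwapStep("TokenA", 400, "TokenB", 995),
]

if __name__ == "__main__":
    print(summed_outputs_ok(POST_ROUTE, 1000))          # flawed check passes
    print(chained_output_ok(POST_ROUTE, "USDC", 1000))  # hardened check rejects
    print(chained_output_ok(HONEST_ROUTE, "TokenB", 990))
```

The summed check also adds amounts of different tokens together; the chained version compares only the amount of the token the position is supposed to end in.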
معاذ@m3aadh·
@Mining_losses @unstoppablebyhs Banks keep your money safe by printing. Crypto has the same security problem as keeping physical gold bars at home cause both make you a target.
HulkSmaaash@Mining_losses·
@m3aadh @unstoppablebyhs Even multisig gets hacked. Wasn't that long ago that an exchange that used multisig wallets was hacked. I just heard about a guy losing all his to a fake ledger app on the apple store. I hear about fake devices being shipped out all the time. Self custody is tough.
Unstoppable | Private Wallet@unstoppablebyhs·
They still want you to believe hardware wallets are your only option
Meanwhile:
→ Fake devices. Fake apps. Fake supply chains.
→ you have to trust where you bought the device
→ you hope your physical address never leaks
→ you carry a device identified as “wallet”
→ you have to trust the app you install
→ you regularly receive phishing emails
→ you still have to write your seed on paper
In this new age you need privacy, obscurity and wallet designed for the new world threats. Be Unstoppable!
TFTC@TFTC21

A security researcher just documented a large-scale counterfeit Ledger Nano S Plus operation selling compromised devices across multiple online marketplaces.
The fake units look identical to the real thing but contain completely different hardware. Instead of Ledger's secure element chip, the counterfeits run an ESP32 microcontroller with modified firmware labeled "Nano S+ V2.1." Seeds and PINs are stored in plain text and transmitted to attacker-controlled servers. Any wallet initialized on the device is drained.
The operation goes beyond the hardware. The sellers also distribute a fake version of Ledger Live built with React Native and signed with a debug certificate. It intercepts transactions and exfiltrates sensitive data to multiple command-and-control servers. The campaign spans five attack vectors: compromised hardware, Android APKs, Windows executables, macOS installers, and iOS apps distributed through TestFlight to bypass App Store review.
This comes days after ZachXBT documented a separate fake Ledger Live app that made it through Apple's Mac App Store review process. That operation drained over $9.5 million from more than 50 victims, including musician G. Love, who lost 5.92 BTC after entering his recovery phrase into what he believed was the legitimate app.
The pattern is clear: the attack surface for hardware wallet users has shifted from firmware exploits to supply chain and distribution fraud. The devices themselves remain secure. The problem is that users are being intercepted before they ever touch a real one. Ledger's own "genuine check" feature can be bypassed when the hardware itself is compromised at the source, which makes where you buy the device as important as how you use it.
The rules haven't changed, but they've never been more important: buy hardware wallets only from the manufacturer. Never enter your recovery phrase into any software. If a companion app asks for your 24 words on a screen, it's a scam. Every time.

معاذ@m3aadh·
@Mining_losses @unstoppablebyhs Honestly it depends how much you have, multisig is peak protection for most people. You could do work, home, and one with you all the time.
معاذ@m3aadh·
@kayabaNerve Instead of focusing on what Serai isn’t, better to tell us what it actually is. You could have said all this without mentioning Thorchain gossip.
Luke Parker@kayabaNerve·
I've heard a few false claims recently, so try and set the record straight:
- I never set out to rewrite THORChain in Rust ( 🤮 )
- I have not taken any code from THORChain ( ??? )
- No one from THORChain/the THORChain ecosystem has provided any funding to Serai AFAIK