Pinned Tweet
CodePhobic
1.4K posts
CodePhobic
@codephobic
Core dev building defi protection at @usd8_fi. Auditor @openzeppelin. I post about blockchain trends. Tweets are my own opinion.
EVMs Joined Nisan 2020
678 Following670 Followers
@griffgreen @thedaofund I will be very keen to collaborate and contribute
English
@codephobic @thedaofund Hopefully! Definitely looking into creating a coalition... but it will be a few months. We have a lot of things on the to do list ;-)
English
Introducing: Ethereum’s top security experts
TheDAO’s ETHSecurity Badges are a new onchain primitive recognizing the people securing Ethereum.
40 have been selected. 160 open spots are left.
Are you one of Ethereum’s top 200? 👇
English
@yieldsandmore @_SEAL_Org We need an local dapp system that’s not in the cloud
English
DeFi protocol teams, PLEASE go over your domain and DNS security setup before this happens to you.
@_SEAL_Org's recommendation: choose a secure registrar such as Cloudflare, MarkMonitor, or AWS Route53, lock registrar access with hardware security keys, enable registry lock + DNSSEC, set CAA, protect against domain expiry, and monitor for registrar, NS, A/AAAA, DNSSEC, CAA, TTL, and certificate changes.
Here is @_SEAL_Org’s excellent documentation on best practices for domain & DNS security for DeFi protocols. Give it a read: frameworks.securityalliance.org/infrastructure…
Neutrl@Neutrl
Update on the ongoing security incident: We are currently working with @0xGroomLake on the investigation. Initial findings suggest the DNS provider hosting the app domain was socially engineered, allowing an attacker to redirect the domain. Neutrl smart contracts remain secure and have been temporarily paused as a precaution. Please do not interact with the protocol until further notice is provided. We will continue to share updates as more information becomes available as well as a full post mortem.
English
@systematicls Yep, agree. Funny I actually enjoy grinding on issues that’s not in the spot light instead of chasing it. But it does come with risk of sunk cost fallacy tho.
English
@codephobic pivoting to reflect market sentiment is fine but if you're willing to jump ship on a whim you obviously didn't care about that ship too much!
English
One of the things that annoys me about some new entrepreneurs is that they don’t carry about a passion for the problem they’re trying to solve.
It’s almost this disease where they’ll do anything to get funding. Like change their entire product or idea on a whim if that means that’ll get them funded.
Obviously then, their goal here is that they want to be a “entrepreneur/founder” more than they want to bring their idea into life. Because if they are willing to abandon their idea at the first point of friction they must not be very passionate about it.
Imo, building anything from 0 to 1 is so egregiously difficult that unless you’re willing to chew glass for it, the chances of you being able to generate enough escape velocity to be relevant is almost 0.
Be passionate. It’s an endlessly renewable source of fuel.
English
@web3bee @systematicls Thanks appreciate it. For me solving the security issue for defi is an industry priority.
English
@codephobic @systematicls yo dude as someone whos actually audited at openzeppelin and still grinding real defi shit your take on real passion over funding-chasing vibes is straight fire and way too rare in this space whats one problem youve been chewing glass for lately that keeps you going
English
@systematicls As much as I hate to admit, it dos makes sense from a fundamental business pov.
English
CodePhobic retweeted
The incentive is long broken in security. This is not the first case.
f4lc0n@al_f4lc0n
I Saved Injective's $500M. They Pay Me $50K. I like hunting bugs on @immunefi . I'm decent at it. - #1 — Attackathon | Stacks - #2 — Attackathon | Stacks II - #1 — Attackathon | XRPL Lending Protocol - 1 Critical and 1 High from bug bounties (not counting this one) Life was good. Then I found a Critical vulnerability in @injective . This vulnerability allowed any user to directly drain any account on the chain. No special permissions needed. Over $500M in on-chain assets were at risk. I reported it through Immunefi. The next day, a mainnet upgrade to fix the bug went to governance vote. The Injective team clearly understood the severity. Then — silence. For 3 months. No follow up. No technical discussion. Nothing. A few days ago, they notified me of their decision: $50K. The maximum payout for a Critical vulnerability in their bug bounty program is $500K. I disputed it. Silence again. No explanation for the reduced payout. No explanation for the 3 month ghost. No conversation at all. To be clear: the $50K has not been paid either. I've seen others share bad experiences with bug bounty payouts recently. I never thought it would happen to me. I can't force them to do the right thing. But I won't let this be forgotten. I will dedicate 10% of all my future bug bounty earnings to making sure this story stays visible — until Injective pays what I deserve. Full Technical Report: github.com/injective-wall…
English
CodePhobic retweeted
If we want to make Ethereum more secure. We need more insurance experiments.
This is pretty cool.
CodePhobic@codephobic
English
Zero crypto at home.
It's not perfect but it's the only path I see.
x.com/RyanSAdams/sta…
youtube.com/watch?v=Fw4gxy…
YouTube
The Block@TheBlockCo
Armed attackers force French couple to transfer $1 million in bitcoin during home invasion theblock.co/post/393036/ar…
English
interesting read about how trading intents can be MEVed via multiple blocks from propellerheads.xyz/blog/ev-intent
However a simple solution would be to submit a fake reverse quote, ideally a large one, to trick those malicious searchers, then do your intended trade to back run their transaction.
Would this work? @PropellerSwap
English
was using X's new function to read articles out loud, it literally manifested a bunch of content not in the article at all.
This is terrible.
I loved this function but now I can't trust it anymore.
English
@BreakingOtter Agree. I think realistically it’s unlikely to be worth while, but still worth implementing indirect prevention mechanisms tho.
English
This seems very hard to solve. If an attacker behaves like a normal user from another account and performs legitimate actions to maximize reimbursement, it’s almost impossible to distinguish them.
You might notice red flags (e.g., repeated deposits/withdrawals), but those are only weak signals.
English
Good observation. At this stage we have yet to find a direct prevention for hacker double dipping, there are indirect preventions like banning flash loans so the hacker can't get a large amt protected LP tokens. My assumption is double dipping is unlikely worth while comparing to the usual TVLs accessible by hacker in protected protocols if it requires hacker's liquidity up front. Love to learn any solution you might have in mind tho.
English
Interesting idea!
One question about the incentive design though: What prevents a “self-insurance” attack?
Example scenario:
1. An attacker uses wallet X to behave like a normal user - building a large usd8 usage history to maximize coverage.
2. Wallet X deposits a large amount into a covered protocol.
3. The attacker then uses wallet Y to exploit that same protocol.
4. Wallet X claims reimbursement (up to 80%) from the Cover Pool, while wallet Y keeps the stolen funds.
Since wallets are independent, it seems difficult to link X and Y. In that case the attacker could capture both the stolen funds and the insurance payout, which might make the attack economically attractive.
Is there a mechanism in the design that prevents or mitigates this type of incentive?
English
CodePhobic retweeted
This is the philosophical root of Usd8, as well as why it’s a major issue crypto needs to solve immediately.
CodePhobic@codephobic
English
While the article raises a great fact, it is a relatively small ambition for what crypto is set to do.
The big issue is we the crypt industry just plainly ignore the fact that there are so many scams in our industry, we don’t think how to stop these but just try to convince others it’s ok. This imo is the greatest irresponsibility of the crypto industry.
Unless this is solved, crypto might never become a better option to the fiat system. @VittoStack
Vitto Rivabella@VittoStack
English
Hey @VitalikButerin @usd8_fi is precisely aiming to make defi more secure on ethereum by offering direct coverage for hacks. we can make it a universal unconditional coverage for all eth users if we can work with the EF.
vitalik.eth@VitalikButerin
Defi is a central part of the value that Ethereum provides. Financial empowerment is a central part of what it means to have agency and freedom in our current world. Finance is far from the only thing that Ethereum is good for, but it is an important thing. This post discusses how the Ethereum Foundation is approaching defi. Defi today makes the world's best savings, risk management and wealth-building opportunities permissionlessly available worldwide. We need to build on that. Ethereum's early defi era was great because it dared to dream and innovate and come up with totally new paradigms (eg. AMMs). Defi tomorrow will bring back that spirit. Don't just "make a better stablecoin", dig a layer deeper, and think about the underlying problem (risk management, hedging one's future expenses), and come up with an even better solution. But also, as the EF, we are not interested in supporting "onchain finance" or even "defi" indiscriminately. We have a specific vision of what we want to see out of defi: permissionless, open-source, private, security-first global finance that maximizes people's control over their own assets, minimizes centralized chokepoints and trusted third parties, and democratizes risk management and wealth building (the two key goals of finance according to modern portfolio theory) as well as payments. We want protocols that pass the walkaway test: that keep working even if the original team suddenly disappears without warning (or even: becomes hostile / compromised without warning). Bringing this vision to reality will inevitably take a lot of work. Defi is a complex toolchain, including various onchain components, user-side offchain components (ie. wallet, local agent...), other offchain components, etc. The things that we care about include areas like: * Improving security of defi through "traditional" means, eg. audits, standards, wallet-side safeguards * Improving security of defi through "new" means, eg. AI-assisted formal verification, user-side agents as safeguards * Oracle security and decentralization (there's A LOT of skeletons in the closet here, we as an ecosystem really need to point a big eye of sauron at it for a while) * Privacy. Both privacy-preserving payments, and privacy of more complex use cases (eg. what does it mean to have a maximally privacy-preserving CDP? there are clearly benefits in reducing liquidation-sniping risk, but it requires hard tech to get there) * Open source, and improving the licensing / forkability situation in defi Ethereum is a permissionless protocol, and nothing stops people from deploying insecure protocols, protocols that enshrine ultimately unneeded centralized trust in the name of convenience, or dopamine-maximizing gambleslop. However, we *are* interested in working with anyone aligned to make permissionless, open-source, intermediary-minimizing and security and user-agency-maximizing defi ecosystem as strong as possible, so that it can be not just individuals and institutions' first choice in Ethereum, but also a globally compelling way to manage funds for anyone who needs its properties.
English