Tripathi
@0xTripathi
building @tradehotstuff | Security Researcher | prev @iitroorkee
EVM · Joined January 2021
883 Following · 588 Followers
Tripathi @0xTripathi
So the guy ran a small test first. Swapped MON → eBTC on Uniswap, deposited into Curvance, borrowed a tiny bit of WBTC just to confirm the flow worked. Then the compromised admin granted DEFAULT_ADMIN_ROLE to the attacker. The attacker immediately:
• revoked the old admin
• granted himself MINTER_ROLE
• minted 1,000 eBTC
With the earlier tested flow, he deposited 45 eBTC into the Curvance ceBTC vault. First borrow attempt actually reverted, but the retry went through and pulled out ~11.29 WBTC, basically the entire WBTC pool, leaving just ~$60 of WBTC behind. Within 4 minutes, that ~11.29 WBTC was already bridged out via LiFi. Gone. Seems like the thin liquidity on Monad saved a lot of funds here, as the guy still holds 955 eBTC and 45 ceBTC :)
Quoting DCF GOD @dcfgod:
gm @EchoProtocol_ may be hacked on @monad. Someone minted 1k ebtc out of nowhere, max borrowed wbtc against it on @Curvance, bridged, and tornado away
Tripathi retweeted
mks @mks_hot
People frame RFQ vs CLOB like one replaces the other. In reality they optimize for different constraints.
CLOBs maximize immediacy, visible depth and price discovery.
RFQs maximize inventory efficiency and large size execution through external venues.
The interesting part is when both compete inside the same execution engine. Native makers still set the touch and dominate latency-sensitive flow. RFQ liquidity compresses spreads on larger clips where external inventory access matters more.
That is where hybrid market structure starts becoming structurally better instead of just theoretically better.
We are starting it with spot equities, ETFs and deep spot liquidity, coming soon on RWA perp pairs next.
Quoting Tripathi @0xTripathi:
x.com/i/article/2055…
Tripathi retweeted
Kairon // Flow Architect @KaironFlow
RFQ vs CLOB isn’t a design choice. It’s a tradeoff between latency, inventory risk and information leakage. There’s been a lot of discussion on CT around which model wins. Venues like @variational_io and @Ostium are leaning RFQ, while @HyperliquidX and @Lighter_xyz are doubling down on CLOBs. We’ve been going deep on this ourselves to figure out the right direction. To us it’s becoming clear hybrid fits both retail and institutions. Users choose between latency and spread. Makers can quote on book and respond to RFQs, improving capital efficiency and inventory control. Spot equities RFQ is already live on @tradehotstuff. Perps next. Hybrid books win. Price on book, size via RFQ.
Quoting Tripathi @0xTripathi:
x.com/i/article/2055…
Tripathi @0xTripathi
RFQ quotes get published onchain continuously with short expiries, similar to how @bebop_dex publishes quotes with 5sec and 75sec expiries on ethereum. Multiple entities could participate, and traders can choose between best-of-book and external quotes based on their preferred speed vs. spread tradeoff.
Raiders @__Raiders
@0xTripathi really solid writeup, the hybrid routing logic for GTC/IOC/Post-Only is genuinely clever and solves the bootstrapping problem without killing maker incentives. My only real question is how the engine dynamically senses 'price discovery location' in production.
mks @mks_hot
Silver doing more vol than most crypto pairs wasn’t on my 2026 bingo card ngl. Feels like people still don’t get how big the RWA trading market can get once this all moves on-chain. Kinda explains why Hotstuff volume has been ripping lately 👀 Courtesy of @LorisTools
Tripathi @0xTripathi
@banteg seems nodes were signing tx data that didn’t include the inbound/outbound bit, i.e. a block proposer could take a valid inbound tx and convert it to outbound (or vice versa). This fix includes the inbound/outbound bit in the signed payload :)
Tripathi @0xTripathi
Buy/sell spot @xStocksFi tokenized assets and broader crypto assets through our hybrid model, combining best of book + RFQ liquidity. This is Phase 1 of the hybrid model, where all orders are routed through the RFQ path. You can now run basis trading strategies, systematic investment plans, and many more sophisticated strategies through @tradehotstuff. DM us if you have any questions or ideas to build around our builder program.
Quoting Hotstuff @tradehotstuff:
Introducing Hotstuff Invest: 24/7 spot markets for Tokenized Stocks, ETFs & Crypto, powered by @xstocksFi. Built on a Hybrid RFQ + order-book model with @bebop_dex as our 1st RFQ venue and more venues being integrated over time. The $147T equity market is coming on-chain.
Tripathi retweeted
Bebop @bebop_dex
Equities and ETFs tokenised by @xStocksFi enable access to the world’s most important financial assets to anyone. Bebop works to ensure these assets are seamlessly tradeable - 24/7, at great prices, and at size. We’re proud to be @tradehotstuff’s first RFQ partner, providing liquidity to their new spot markets.
Quoting Hotstuff @tradehotstuff (the Hotstuff Invest announcement quoted above)
Tripathi @0xTripathi
Nice read ser 🙏 Two questions:
1/ As the signal gets crowded, how often do later slot participants disrupt or block the hedging venue long enough to force slot 1 to abandon edge and rotate to a less crowded signal?
2/ Does slot 1's ~4 bps impact directly cause the negative markout for later slots, or is it primarily signal decay? How do you decompose edge destruction between slot 1's footprint vs. natural expiry?
banteg @banteg
went through layerzero gasolina aws deployment repo + extracted app source. tl;dr concerning the reference deployment is public by design. and the sample providers.json ships with rpc quorum: 1 on every mainnet chain.
1. the recommended cdk stack puts a public api gateway in front of a private alb in front of fargate in private subnets. publicLoadBalancer: false, taskSubnets: PRIVATE_WITH_NAT, and an HttpApi with HttpAlbIntegration. the readme literally tells operators to send the resulting ApiGatewayUrl to layerzero labs.
2. no authorizer, no iam auth mode, no ip allowlist, no waf, no route-level policy anywhere in the repo. the app itself (bootstrap.ts) registers /provider-health, which leaks configured rpcs. server.listen(port) without host arg binds to public ip.
3. cdk/gasolina/config/providers/mainnet/providers.json sets quorum: 1 for ethereum, bsc, polygon, arbitrum, optimism, fantom, and the rest. multiple rpc urls are configured as failover, not consensus. the multiprovider code only enforces quorum when quorum > 1 and explicitly bypasses the wrapper when it's 1. rpcs are mostly public endpoints (llamarpc, publicnode, ankr).
4. provider config lives in an s3 bucket that the cdk stack creates, uploads to, and passes via env vars (PROVIDER_CONFIG_TYPE, CONFIG_BUCKET_NAME). so the trust boundary is the app + the mutable config plane + the upstream rpc tier + whatever's in front of api gateway.
5. operators are told to validate by curling the public url for /available-chains, /signer-info?chainName=ethereum, /provider-health (again, leaks rpc). external reachability is an encouraged documented requirement.
caveats: this is the public repo and extracted non-public source. it doesn't prove the config they had for kelp bridge. but the public info and the defaults the operators are pointed at look concerning.
read more here: gist.github.com/banteg/2fde29d…
Tripathi @0xTripathi
• Users have stuck aWETH on Aave
• Fluid had borrowed aWETH from Aave
• If a user gives their aWETH to Fluid, Fluid returns it to Aave and gives the user an exit in wstETH at some haircut
Users get an exit and Fluid saves the spiked borrowed APR. GG
Quoting Fluid 🌊 @0xfluid:
Introducing aWETH Redemption Protocol. With ETH utilization at 100% on Aave, many lenders are currently unable to withdraw and face increasing risk if markets move. aWETH Redemption Protocol allows ETH lenders to:
• Exit into wstETH or weETH
• Regain immediate liquidity
• Reduce exposure to liquidation risk
If you’re just lending ETH — you can fully exit. If you have ETH collateral and another debt — your collateral is seamlessly swapped into wstETH or weETH while your debt remains the same. We’re working alongside @LidoFinance, @ether_fi, @0xProject, @1inch, @KyberNetwork, and other ecosystem partners to:
• Reduce systemic risk in DeFi
• Ease utilization pressure
• Support a healthier DeFi market
Our goal is simple: protect users while reinforcing the foundations of DeFi. Capacity is initially limited to $1B in ETH. fluid.io/lite/aave-v3/e…
Tripathi @0xTripathi
From a first glance at gasolina-aws, only 3 fields actually drive the DVN's RPC behavior:
- srcChainName
- srcTxHash
- blockConfirmation
None of them can produce a verifiable proof of packet execution on the source chain. srcTxHash only helps fetch the receipt + logs, and blockConfirmation is fully RPC-dependent. If the configured RPC is malicious or compromised, it can return forged logs and the DVN signs them without any cryptographic check. It would be naive to use a single RPC, or multiple RPCs from the same upstream provider, but there could be other failures like signing-key compromise, a compromised S3 bucket repointing providers.json, or a compromised gasolina host ::(
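The quorum point made in @banteg's and @0xTripathi's gasolina posts above, as an added example that is not code from gasolina-aws or LayerZero: a receipt fetcher that refuses a quorum of 1 outright and only returns logs that at least `quorum` independent upstreams report byte-identically. The provider responses are constructed in-memory stand-ins for eth_getTransactionReceipt, and every name here (`fetch_receipt_with_quorum`, `rejects`, `demo`) is this example's own.

```python
"""Added example (not gasolina-aws or LayerZero code): cross-provider quorum on
eth_getTransactionReceipt results. With quorum 1, extra RPC URLs are failover,
not consensus, so one forged response is enough to get a receipt signed."""
from collections import Counter
import json

class QuorumError(Exception):
    """No set of >= quorum independent providers corroborates the receipt."""

def canonical(receipt):
    # Key-order-independent encoding, so "agree" means identical content.
    return json.dumps(receipt, sort_keys=True, separators=(",", ":"))

def fetch_receipt_with_quorum(chain, quorum, providers, tx_hash):
    if quorum < 2:  # a lone upstream, honest or not, cannot be cross-checked
        raise QuorumError(f"{chain}: quorum {quorum} gives no cross-check at all")
    votes, by_form = Counter(), {}
    for name, rpc in providers.items():  # providers: name -> callable(tx_hash) -> receipt dict
        try:
            receipt = rpc(tx_hash)
        except Exception:
            continue  # unreachable upstream casts no vote; never a default "yes"
        form = canonical(receipt)
        votes[form] += 1
        by_form[form] = receipt
    form, n = votes.most_common(1)[0] if votes else (None, 0)
    if n < quorum:
        raise QuorumError(f"{chain}: best agreement {n} of {len(providers)} < quorum {quorum}")
    return by_form[form]

# Constructed stand-ins for JSON-RPC upstreams; FORGED returns tampered log data.
HONEST = {"transactionHash": "0xabc", "status": "0x1", "logs": [{"data": "0x01"}]}
FORGED = {**HONEST, "logs": [{"data": "0xff"}]}
def honest_rpc(tx_hash): return dict(HONEST)
def forged_rpc(tx_hash): return dict(FORGED)
def dead_rpc(tx_hash): raise ConnectionError("timeout")

def rejects(chain, quorum, providers, tx_hash="0xabc"):
    try:
        fetch_receipt_with_quorum(chain, quorum, providers, tx_hash)
        return False
    except QuorumError:
        return True

def demo():
    # quorum 1 (the shipped default) is refused; 2-of-3 outvotes one forged upstream;
    # 2-of-3 with one upstream down and the other two disagreeing signs nothing.
    q1_refused = rejects("ethereum", 1, {"a": forged_rpc})
    agreed = fetch_receipt_with_quorum("ethereum", 2, {"a": honest_rpc, "b": forged_rpc, "c": honest_rpc}, "0xabc")
    split_refused = rejects("ethereum", 2, {"a": honest_rpc, "b": forged_rpc, "c": dead_rpc})
    return q1_refused, agreed["logs"][0]["data"], split_refused
```

`demo()` returns `(True, "0x01", True)`: the quorum-1 config is rejected before any RPC result is trusted, the 2-of-3 set returns the honest receipt, and a split vote with a dead provider produces no receipt to sign.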