Ali Azam

581 posts

Ali Azam banner
Ali Azam

Ali Azam

@Ali2251

Founder and CEO @ Canary / ex Vp of eng @ Ondo https://t.co/aFxuQ6Hcaf

London, England Katılım Ağustos 2016
1.6K Takip Edilen763 Takipçiler
Ali Azam
Ali Azam@Ali2251·
If you are not using canary dvn today? Why is that? What can we improve?
English
0
0
0
3
Alex Nabutovsky
Alex Nabutovsky@nabutovsky·
Re: the KelpDAO incident — we’ve reviewed our network and confirmed Quicknode infrastructure was not compromised.
English
3
4
23
3.2K
brale
brale@brale_xyz·
We turned off our LayerZero DVN this weekend. It was 1-of-1, the same shape as the one that got compromised in the KelpDAO incident. Here's the full story of what we did, what we read, and what other DVN operators should take from it ↓ brale.xyz/blog/containin…
English
5
0
28
4.6K
Ali Azam
Ali Azam@Ali2251·
The first question every app will ask is: are you using canary dvn?
English
0
0
2
73
Ali Azam
Ali Azam@Ali2251·
@0xyanshu Its time to do better and while we can blame a lot, its time to make sure the billions are now secure and have the best configuration possible. Attacks are getting sophisticated and hence security needs to improve and match that.
English
0
0
1
111
Ali Azam
Ali Azam@Ali2251·
@ErikVoorhees If they had used canary dvn which was told to them a year ago
English
0
0
0
22
Ali Azam
Ali Azam@Ali2251·
Been building and running the Canary DVN for the last 2 years, AMA
English
2
0
3
327
Ali Azam retweetledi
cryptogoblin
cryptogoblin@Crypto_Goblinz·
You're about to see a lot of projects spin up their own DVNs claiming to do this and that. Canary has been building for over 2 years and live in production for over 1. We're trusted by the biggest and best protocols in the space @OndoFinance, @ether_fi, @MorphoLabs, @TheoNetwork, @MidasRWA, wBTC, and many more. Don't trust a random company launching a random DVN with unbattle-tested tech and no independent audits. Your users' funds deserve better than that. Canary secures over $30B in assets and has processed over $4B across chains, with the most secure technology stack in the DVN market today: • Bespoke Go client (removes correlated risk) • Runs inside TEEs • K-of-N consensus across multiple independent node providers • SSL/TLS certificate pinning on all data sources (silent reroutes & MITM killed off) • Onchain attestations for tamper-evident execution Battle-tested. Audited. Institutional-grade. Full configuration guide for OApps dropping soon. In the meantime, DM me or the Canary team.
English
4
3
25
5.8K
Ali Azam
Ali Azam@Ali2251·
Canary already does all this and more and we have been in production for 2 years. Please dont launch anything without actual audits, its nice to have competition but this is not the way to do it. Productionising is hard and its a cool vibecoding project, making it a secure dvn is hard!
English
2
0
3
125
Peter
Peter@realpeterjm·
Today I built a DVN on @LayerZero_Core that doesn't just verify messages, it actively prevents bridge exploits before they happen. Powered by @SEDAProtocol oracles. Here's how it works 🧵
Peter tweet media
English
11
11
63
3.6K
Ali Azam
Ali Azam@Ali2251·
There isn’t anything wrong with this design as it allows protocols to pick for themselves and thats why we built the canary dvn to have opinionated security guaranteed, we have our own overrides for confirmations alongside k of n rpc nodes, all running inside a TEE and verifying everything in hardware encrypted instance with zk proofs on chain so even if a single private key is compromised, you would have to run the right code and produce the right result
English
0
0
0
80
based16z
based16z@based16z·
Ironically re this recent hack my first job interview was to write a bull or bear case on layer zero in 2022 and I wrote a bear case partially based on this attack vector.
based16z tweet mediabased16z tweet media
English
4
1
102
11.2K
based16z
based16z@based16z·
Honestly confused by the bid on crypto. Btc basically now consensus has to re org delete satoshi coins + Saylor complex 4% ownership on high interest levg / ETH defi + addresses + smart contracts post mythos and re ent hacks are probably 3x previously accepted risk premium. You can say markets bottom on bad news, anti government asssts also make sense atm. risk up across the board etc. I guess I’ll just keep buying 2 week tails that expire worthless.
English
72
28
801
132.7K
Ali Azam
Ali Azam@Ali2251·
The security of brdiges is much more difficult then just x validators, if all those validators are reading from a compromised rpc then its irrelevant, achieving security requires multi cloud, hardware attestations with zk proofs and scaling the number of validators as value goes up along with rate limits and even manual approvals
English
0
0
2
319
Travis 💡
Travis 💡@ProofOfTravis·
Honestly someone should start a crypto company with the sole focus of being a +1 independent signer. Where you contact this company to add 1 signer to your multisigs, DVNs, DAOs or whatever else needs signatures that hackers attack. They’re available 24/7 and are cold signers.
English
10
0
19
717
Ali Azam
Ali Azam@Ali2251·
We achive pretty much all of these with canary, canary dvn is powered by TEE from multiple regions (multiple clouds and multiple hardware coming soon) with k of n quorum of rpc nodes as well as verifying the TEE attestations on chain through zk proofs (also have restaking as well)
English
0
0
1
179
deAlex
deAlex@AlexSmirnov·
The core issue: you can’t afford vendor lock when billions are at risk. Every messaging protocol has smart contract + validator/DVN risk. Consensus shouldn’t stop at a single protocol’s validation layer. It should be across multiple messaging protocols (e.g. 2/3), each with independent security assumptions. Breaking one provider is realistic. Breaking several simultaneously is far less likely. For any custody handling 10-figure assets, multi-provider consensus isn’t optional — it’s the baseline. As an industry, we need to treat security accordingly. At scale, anything that can happen eventually will. The goal is to understand all attack vectors, assess their probabilities, and systematically minimize them.
zerolore@zerolore

@syvxbt USDT0 is not running on a glorified multisig. We run a 2/2 DVN set up with custom code built to withstand exactly this incident. Also: until you know the root cause of this, its totally stupid to even reccommend other solutions that may be exposed to a similar exploit path.

English
4
1
29
7.9K
Mike Silagadze🛡
Mike Silagadze🛡@MikeSilagadze·
When we designed the cross chain system for @ether_fi we spent a lot of time to ensure the core asset doesn’t get rekt in case of L2 or bridge issues. Rate limits everywhere. Multiple DVNs. Hypernative active monitoring. Seeing these kinds of hacks really pisses me off.
English
25
16
424
29.2K
Ali Azam
Ali Azam@Ali2251·
@michael_lwy This is layerzero v1 design, v2 is completely different
English
0
0
2
78
michaellwy
michaellwy@michael_lwy·
refresher on layerzero's DVN architecture and security assumptions
michaellwy tweet media
English
3
0
3
191
Ali Azam
Ali Azam@Ali2251·
Canary doesn’t build yield products but it powers them through its verification layer, today all 70+ projects using canary are unaffected and not even having to pause their contracts, verification layer for RWAs and DeFi is missing and thats exactly what we have built and productionised over the last 2+ years
English
0
0
0
249
Rob Hadick >|<
Rob Hadick >|<@HadickM·
Two weeks ago after the USR hack @santiagoroel said defi is not worth the risk. I pushed back and said that while I agree broadly, there are select founders I trust that I know have not cut corners, have been far more thoughtful and security conscious than the average builder, and who are building lasting useful products. @gdog97_ was the first person on my mind when I said that. There are too many founders in the space who cut corners like they are hacking on a new piece of random software and not like that software is safeguarding millions of dollars of other people’s money. Capital keeps chasing these shiny new rewards programs, but the market will end up realizing this is a trust business - and there are only a few people I would trust going forward. Pod here: x.com/jasonyanowitz/…
G | Ethena@gdog97_

Agree with this and would also encourage all asset issuers to consider rate limits at the mint & redemption level, as well as a custom rate limit configuration on top of LZ OFTs. We built a solution on top of the standard OFT to throttle cross chain transfers at $10m per hour for every DVN, in addition to the $10m per block rate limit on the mint contract. The former would have prevented Kelp, the latter Resolv. In a disaster scenario where the LZ DVN is compromised you can at least contain the damage to $10m per chain per hour before stepping in to shut down transfers entirely. Yes it’s a slightly annoying inconvenience for users 99% of the time, but a worthwhile trade off to avoid going to zero. If you would like support on adding the same custom OFT configuration please reach out directly to myself or the team.

English
11
6
116
18.5K
Ali Azam
Ali Azam@Ali2251·
@gdog97_ What if a DVN could rate limit itself too and wasn’t reliant on a single RPC and was not controlled by a private key alone and used zk proofs + private key + hardware security?
English
0
0
1
1.7K
G | Ethena
G | Ethena@gdog97_·
Agree with this and would also encourage all asset issuers to consider rate limits at the mint & redemption level, as well as a custom rate limit configuration on top of LZ OFTs. We built a solution on top of the standard OFT to throttle cross chain transfers at $10m per hour for every DVN, in addition to the $10m per block rate limit on the mint contract. The former would have prevented Kelp, the latter Resolv. In a disaster scenario where the LZ DVN is compromised you can at least contain the damage to $10m per chain per hour before stepping in to shut down transfers entirely. Yes it’s a slightly annoying inconvenience for users 99% of the time, but a worthwhile trade off to avoid going to zero. If you would like support on adding the same custom OFT configuration please reach out directly to myself or the team.
Keone Hon@keoneHD

Feels like pooled lending protocols would benefit from a rate limit on the supply of an asset being deposited for collateral Like, if the current supply is 100m and the supply cap is 300m, the supply should only be allowed to go to 110m in the next 10 minutes. Nobody needs to deposit all 200m in one shot This matters because if/when an exotic asset is hacked, the impact of the hack is constrained by the size of the exit paths for that asset. Especially when you consider that many hacks are infinite mint bugs… there the size of the exits literally determines the size of the hack. Lending protocols are often the largest exits (DEX liquidity is usually pretty small). Having a “smart cap” that is a bit above current supply, which can adjust over a few hours to the true cap, would make a huge difference. It would have saved rsETH depositors $200m today This also raises an interesting point: asset issuers should want this too. If you are an asset issuer who issues receipt tokens which have a redemption delay, then you actually aren’t worried about a hacker redeeming with you. But you need possible exits to be as small as possible while not impeding normal users. High supply caps need to be seen as a liability, rather than a sign of stature.

English
46
52
555
177.3K

Keşfet

@sujithsomraaj @mitchellftracy @Crypto_Goblinz @LayerZero_Labs @nabutovsky @brale_xyz @withAUSD @0xyanshu