Sabitlenmiş Tweet
CryptoCat.🇺🇦
4.3K posts
CryptoCat.🇺🇦
@CryptoCatVC
Pedantic complainer, savage satirist, crypto veteran, ETH maxi & defi OG yield hacker. I meme in production. Pet cat @egirl_capital
Katılım Şubat 2011
226 Takip Edilen7.8K Takipçiler
@odin_free Add?
Do one amount approval, then do the tx with the transferFrom. Baked in the standard. Gotta not be lazy though.
English
Ekubo’s incident was on EVM routers, not Starknet.
The issue: old ERC-20 approvals. Users approve a contract once, sometimes forever, and a later bug can turn that into risk.
On Starknet, account abstraction lets apps bundle approval + action in one tx.
Ekubo@EkuboProtocol
There is an active security incident on Ekubo swap router contract on EVM chains only. Liquidity providers are not affected. Starknet is not affected. We are investigating the scope of the issue, but to be safe revoke all outstanding approvals: revoke.cash
English
@AdamBorco @sendmoodz TransferFrom does not reduce the allowance on failure afaik.
Also your example assumes the less common, post swap failure amnesia, compared to the more common, post swap retry.
English
@CryptoCatVC @sendmoodz Also not perfect. You approve, then the swap fails due to high slippage. You probably forget to revoke the approval - same issue. Better than infinite, but still sucks.
English
Just about everyone has said this, but it deserves reiterating that token approvals (of the ERC20 standard) are terrible
We should at least have put an expiration timestamp on them and limited it to 1 day max
Impossible to fix so the next best thing is preventing any separate approval transactions at all, which we have now implemented in our user interface for swaps. Recommend others do the same to force wallets to implement EIP-5792.
Ekubo@EkuboProtocol
There is an active security incident on Ekubo swap router contract on EVM chains only. Liquidity providers are not affected. Starknet is not affected. We are investigating the scope of the issue, but to be safe revoke all outstanding approvals: revoke.cash
English
🚨 Exploit Alert:
Bad error handling attack
Chain: Ethereum
Loss: 17 WBTC ($1.3M)
TX: 0x770bc9a1f7c32cb63a5002b9ceb5c7994cd3af0fc6b2309cb32d3c46f629daa0
etherscan.io/tx/0x770bc9a1f…
English
$Kelp: We blame LZ!
$Aave: We can stay frozen longer than you can stay unmurdered so...
Aave@aave
Update on rsETH incident: According to our analysis, rsETH on Ethereum mainnet is fully backed. Out of an abundance of caution, rsETH remains frozen across Aave V3 and V4 and exposure to the incident is capped. WETH reserves also remain frozen across affected markets including Ethereum, Arbitrum, Base, Mantle, and Linea. Aave is actively validating information and assessing potential resolutions.
English
@pythianism Fun fact.
sUSDE is just two i's short from sUiSiDE.
English
Why is the yield on a frozen pool only 13.5%?
The answer probably has something to do with sUSDE loopers
sUSDE/USDE loopers are currently earning 3.8% APY on sUSDE and borrowing at 15% on Aave to loop it
The sUSDE loop is now -12% APY, with many people looping 2-3X leverage.
These loopers are already in trouble at these rates
Any further increases in the interest rate means these loopers get BTFO
Heidi@blockchainchick
USDC and USDT on Aave are pinned at 100% utilization. Lenders can't withdraw. So why is the yield only 13.5%? Under the old model, a pool hitting 100% utilization would send supply APY to 40%, 60%, sometimes 80%+ within minutes. That's what everyone remembers from the 2022 USDT squeeze on Aave V2. Rate goes vertical. Borrowers get liquidated. Suppliers feast. That's not happening this time. Here's why. Aave rolled out something called the Slope2 Risk Oracle earlier this year. Instead of rates spiking instantly when utilization pins, the curve escalates GRADUALLY based on how long the pool stays stressed. A 1-hour spike barely moves the rate. A 24-hour spike moves it some. A 72-hour spike starts to hurt. The ceiling is also lower. Stablecoin slope2 now targets 10-12%. Used to be 22-35%. So instead of a panic rate explosion, you get a slow burn. Who wins from this design? Borrowers. Including the attacker still sitting on $236M in WETH debt, paying a fraction of what they'd be paying under the old curve. Who loses? Lenders. The "your pool is frozen but at least you're earning 40% APY" trade is dead. Now it's "your pool is frozen and you're earning 13.5%." This was meant to prevent deleveraging cascades during stress events. It's doing that. It's also suppressing the market signal that usually tells lenders to supply more liquidity and borrowers to repay fast. Every design choice is a tradeoff. This one just got tested live, with $200M of bad debt on the line.
English
Mfs be like
"ain't touching this #Defi shit ever again"
Followed by a dox with their withdrawal of 5800$.
English
@0xSmerfik When was it safe?
You're not getting paid for safe mate
English
Unpopular opinion: rsETH L2 users should bear the loss.
Users are explicitly taking on additional counterparty risk when using LayerZero’s bridge.
Ethereum rsETH holders didn’t take that risk and shouldn’t bear the consequences. Let alone @aave wETH depositors.
jfab.eth@josefabregab
Update on KelpDAO rsETH: Funds were indeed stolen and not minted. The attack is consistent with a failure in a single-DVN verification setup (@LayerZero_Core), releasing pre-funded rsETH on the destination chain (Ethereum), without any source side (Unichain) debit. Rather than dumping >$200M of rsETH into thin liquidity, the attacker deposited into Aave to borrow WETH, avoiding slippage and extracting immediate WETH liquidity. My original post assumed that these positions were backed. Now we know that collateral did exist on Ethereum and was accepted by Aave, but given the funds were drawn from the bridge’s pre-funded inventory and now KelpDAO has paused withdrawals, my original assumption breaks. If rsETH can’t clear at par, there’s bad debt risk. So, the question now remains: who takes the loss? Aave? (Bad debt) rsETH holders? If Aave ends up with bad debt, this becomes a real stress test for Umbrella. Waiting on Aave, Kelp, and/or LZ comms.
English
Aave team is doing great work keeping users safe!
rsETH on L1 is fully backed 🫡
Aave@aave
Update on rsETH incident: According to our analysis, rsETH on Ethereum mainnet is fully backed. Out of an abundance of caution, rsETH remains frozen across Aave V3 and V4 and exposure to the incident is capped. WETH reserves also remain frozen across affected markets including Ethereum, Arbitrum, Base, Mantle, and Linea. Aave is actively validating information and assessing potential resolutions.
English
@0xJonnyDee Just the contagion is bad.
Many worse months 5-10 at least
covid crash
steth depeg
luna
ftx
bybit
English
@CryptoCatVC April has been truly mental with crime in crypto.
I don't think I've seen a month this bad.
English
Rseth is solid!
We froze it all and anything it touched.
K tnx bye.
Aave@aave
Update on rsETH incident: According to our analysis, rsETH on Ethereum mainnet is fully backed. Out of an abundance of caution, rsETH remains frozen across Aave V3 and V4 and exposure to the incident is capped. WETH reserves also remain frozen across affected markets including Ethereum, Arbitrum, Base, Mantle, and Linea. Aave is actively validating information and assessing potential resolutions.
English
Update on rsETH incident:
According to our analysis, rsETH on Ethereum mainnet is fully backed.
Out of an abundance of caution, rsETH remains frozen across Aave V3 and V4 and exposure to the incident is capped.
WETH reserves also remain frozen across affected markets including Ethereum, Arbitrum, Base, Mantle, and Linea.
Aave is actively validating information and assessing potential resolutions.
English
@CryptoCatVC @zachxbt they built a centralized stablecoin mapped to fiat and keep all that fiat in fucking bank accounts
English
