Block (@DegenShaker)

1K posts

Solution Engineer @blockaid_ | Ex-Team Captain @code4rena, @sapphireweb3sec & Former @RareSkills_io

Joined December 2021
1.3K Following · 1.1K Followers

Pinned Tweet
Block @DegenShaker
If you're not developing/researching in the Solana ecosystem, you're missing out BIG TIME! Huge demand and funding in the sector compared to EVM-related projects imo. In the past month I've been delving into everything Rust/Solana, creating articles and programs for the incoming edition of @RareSkills_io 60 Days of Solana series. I've noticed that compared to the Ethereum ecosystem the amount of security resources and interactive challenges is distinctly lacking or outdated. I've started work on an evolving Solana CTF/Vuln walkthrough repo that will demonstrate common and complex Solana vulnerabilities. (link in thread) I've currently pushed some buggy code relating to memory safety, signer checks and accidental program closure. Planning to use @0xcastle_chain's audit reports to create some more complex challenges soon. Also, thanks to @0xhuy0512 and @Lucrative_Panda for pushing aggregated exploit data, have been developing some interesting content in relation to this that will be published soon 👀
12 replies · 8 reposts · 94 likes · 8.5K views
Block reposted
Blockaid @blockaid_
🚨 Community Alert Blockaid's exploit detection system has detected a $230K exploit on the @gondixyz protocol on Ethereum. Around 40 NFTs were stolen, and the exploiter has started selling them. More info in 🧵
3 replies · 15 reposts · 40 likes · 12.6K views
Block @DegenShaker
@VitalikButerin @blockaid_ & @idobn are fulfilling the transaction simulation and post-assertion transaction validation elements of the model above
0 replies · 0 reposts · 3 likes · 132 views
vitalik.eth @VitalikButerin
How I think about "security": The goal is to minimize the divergence between the user's intent, and the actual behavior of the system. "User experience" can also be defined in this way. Thus, "user experience" and "security" are not separate fields. However, "security" focuses on tail risk situations (where downside of divergence is large), and specifically tail risk situations that come about as a result of adversarial behavior.

One thing that becomes immediately obvious from the above definition, is that "perfect security" is impossible. Not because machines are "flawed", or even because humans designing the machines are "flawed", but because "the user's intent" is fundamentally an extremely complex object that the user themselves does not have easy access to. Suppose the user's intent is "I want to send 1 ETH to Bob". But "Bob" is itself a complicated meatspace entity that cannot be easily mathematically defined. You could "represent" Bob with some public key or hash, but then the possibility that the public key or hash is not actually Bob becomes part of the threat model. The possibility that there is a contentious hard fork, and so the question of which chain represents "ETH" is subjective. In reality, the user has a well-formed picture about these topics, which gets summarized by the umbrella term "common sense", but these things are not easily mathematically defined.

Once you get into more complicated user goals - take, for example, the goal of "preserving the user's privacy" - it becomes even more complicated. Many people intuitively think that encrypting messages is enough, but the reality is that the metadata pattern of who talks to whom, and the timing pattern between messages, etc, can leak a huge amount of information. What is a "trivial" privacy loss, versus a "catastrophic" loss?

If you're familiar with early Yudkowskian thinking about AI safety, and how simply specifying goals robustly is one of the hardest parts of the problem, you will recognize that this is the same problem.

Now, what do "good security solutions" look like? This applies for:
* Ethereum wallets
* Operating systems
* Formal verification of smart contracts or clients or any computer programs
* Hardware
* ...

The fundamental constraint is: anything that the user can input into the system is fundamentally far too low-complexity to fully encode their intent. I would argue that the common trait of a good solution is: the user is specifying their intention in multiple, overlapping ways, and the system only acts when these specifications are aligned with each other. Examples:
* Type systems in programming: the programmer first specifies *what the program does* (the code itself), but then also specifies *what "shape" each data structure has at every step of the computation*. If the two diverge, the program fails to compile.
* Formal verification: the programmer specifies what the program does (the code itself), and then also specifies mathematical properties that the program satisfies
* Transaction simulations: the user specifies first what action they want to take, and then clicks "OK" or "Cancel" after seeing a simulation of the onchain consequences of that action
* Post-assertions in transactions: the transaction specifies both the action and its expected effects, and both have to match for the transaction to take effect
* Multisig / social recovery: the user specifies multiple keys that represent their authority
* Spending limits, new-address confirmations, etc: the user specifies first what action they want to take, and then, if that action is "unusual" or "high-risk" in some sense, the user has to re-specify "yes, I know I am doing something unusual / high-risk"

In all cases, the pattern is the same: there is no perfection, there is only risk reduction through redundancy. And you want the different redundant specifications to "approach the user's intent" from different "angles": e.g. action, and expected consequences, expected level of significance, economic bound on downside, etc.

This way of thinking also hints at the right way to use LLMs. LLMs done right are themselves a simulation of intent. A generic LLM is (among other things) like a "shadow" of the concept of human common sense. A user-fine-tuned LLM is like a "shadow" of that user themselves, and can identify in a more fine-grained way what is normal vs unusual. LLMs should under no circumstances be relied on as a sole determiner of intent. But they are one "angle" from which a user's intent can be approximated. It's an angle very different from traditional, explicit, ways of encoding intent, and that difference itself maximizes the likelihood that the redundancy will prove useful.

One other corollary is that "security" does NOT mean "make the user do more clicks for everything". Rather, security should mean: it should be easy (if not automated) to do low-risk things, and hard to do dangerous things. Getting this balance right is the challenge.
619 replies · 264 reposts · 1.6K likes · 203.9K views
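The post above lists transaction simulation, post-assertions and spending limits / new-address confirmations as overlapping ways of specifying intent. The following toy wallet check is an added example written for this page; it is not code from the post's author or from any product mentioned on the page. It models the "redundant intent" pattern directly: the user states the action (a transfer), separately states the balance changes they expect (post-assertions), and a policy marks high-risk actions that need an explicit re-confirmation. The wallet only approves when every specification agrees with a dry-run simulation. All accounts, balances, addresses and limits are constructed for the example; amounts are integers in wei.

```python
# Added example (not code from the original thread): a toy wallet that only
# approves an action when several independent specifications of the user's
# intent agree:
#   1. the action itself (a transfer),
#   2. post-assertions on the expected balance changes,
#   3. a policy (spending limit, known recipients) that forces an explicit
#      "yes, I know this is unusual" re-confirmation for high-risk actions.
# Accounts, balances and addresses are constructed for the example; amounts
# are integers in wei.

from dataclasses import dataclass

ETH = 10**18
State = dict[str, int]  # address -> balance in wei


@dataclass(frozen=True)
class Transfer:
    sender: str
    recipient: str
    amount: int


@dataclass(frozen=True)
class PostAssertion:
    """Expected signed change of one account's balance after the action."""
    account: str
    expected_delta: int


@dataclass(frozen=True)
class Policy:
    spending_limit: int               # per-transaction limit in wei
    known_recipients: frozenset[str]  # addresses the user has sent to before


def simulate(state: State, tx: Transfer) -> State:
    """Dry-run the transfer and return the resulting state; the real state is untouched."""
    if state.get(tx.sender, 0) < tx.amount:
        raise ValueError("insufficient balance")
    post = dict(state)
    post[tx.sender] = post.get(tx.sender, 0) - tx.amount
    post[tx.recipient] = post.get(tx.recipient, 0) + tx.amount
    return post


def check_post_assertions(pre: State, post: State, assertions: list[PostAssertion]) -> list[str]:
    """Compare every expected delta with what the simulation actually produced."""
    problems = []
    for a in assertions:
        actual = post.get(a.account, 0) - pre.get(a.account, 0)
        if actual != a.expected_delta:
            problems.append(f"{a.account}: expected delta {a.expected_delta}, simulated {actual}")
    return problems


def unusual_flags(tx: Transfer, policy: Policy) -> list[str]:
    """Reasons this action counts as 'unusual / high-risk' under the policy."""
    flags = []
    if tx.amount > policy.spending_limit:
        flags.append(f"amount {tx.amount} exceeds spending limit {policy.spending_limit}")
    if tx.recipient not in policy.known_recipients:
        flags.append(f"recipient {tx.recipient} has never been used before")
    return flags


def validate(state: State, tx: Transfer, assertions: list[PostAssertion],
             policy: Policy, confirm_unusual: bool = False) -> tuple[bool, list[str]]:
    """Return (ok, problems); ok is True only when all specifications agree."""
    try:
        post = simulate(state, tx)
    except ValueError as e:
        return False, [str(e)]
    problems = check_post_assertions(state, post, assertions)
    flags = unusual_flags(tx, policy)
    if flags and not confirm_unusual:
        problems.extend(flags)  # the user must re-specify intent for these
    return (not problems), problems


# Constructed sample data.
PRE_STATE: State = {"alice": 5 * ETH, "bob": 0}
POLICY = Policy(spending_limit=2 * ETH, known_recipients=frozenset({"bob"}))
INTENT = [PostAssertion("alice", -1 * ETH), PostAssertion("bob", +1 * ETH)]

if __name__ == "__main__":
    # Honest front-end: action and expected effects agree.
    print(validate(PRE_STATE, Transfer("alice", "bob", 1 * ETH), INTENT, POLICY))
    # A tampered front-end swapped the recipient: the post-assertion on bob fails.
    print(validate(PRE_STATE, Transfer("alice", "mallory", 1 * ETH), INTENT, POLICY))
    # Over the spending limit: blocked until the user explicitly confirms.
    big = [PostAssertion("alice", -4 * ETH), PostAssertion("bob", +4 * ETH)]
    print(validate(PRE_STATE, Transfer("alice", "bob", 4 * ETH), big, POLICY))
    print(validate(PRE_STATE, Transfer("alice", "bob", 4 * ETH), big, POLICY, confirm_unusual=True))
```

The design point is that each check approaches intent from a different angle: the simulation says what will happen, the post-assertions say what the user meant to happen, and the policy says how significant the action is. A recipient swapped by a compromised front-end passes the simulation (the transfer is valid) but fails the post-assertion, while a legitimate but unusually large transfer passes both and is stopped only by the policy until the user re-confirms.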
Block reposted
The Kobeissi Letter @KobeissiLetter
BREAKING: Coinbase, $COIN, announces it has integrated Jupiter Exchange directly into its onchain trading stack. This means that millions of Solana-based tokens can now be traded on Coinbase for the first time ever, all through Jupiter. Rather than the slow, manual process of listing tokens on a centralized order book, Coinbase is now using onchain technology to grant instant access to Solana-native assets. Under the new integration, users can deploy existing Coinbase balances and payment methods to trade tokens from a self-custodial wallet. Even centralized exchanges are moving onchain.
215 replies · 496 reposts · 3.8K likes · 470.5K views
Block reposted
Block @DegenShaker
Was a pleasure working with the @nanovest_io team to help onboard them onto the Blockaid Cosigner! Say goodbye to blind signing and supply chain risks 💪
Quoted post from Blockaid @blockaid_:

.@nanovest_io is now integrated with Blockaid to strengthen security and operational integrity across its investment platform. Blockaid’s Cosigner provides real-time visibility into transaction outcomes and blocks malicious activity before execution within their multisig infrastructure. Together, we are protecting the platform and its users in the moments that matter most.
1 reply · 0 reposts · 7 likes · 317 views
Block @DegenShaker
Had the pleasure of working with the @okx and @XLayerOfficial teams to help onboard the chain into the Blockaid ecosystem! Security Research work has never been more fulfilling 🤓
Quoted post from Blockaid @blockaid_:

.@XLayerOfficial is now integrated with Blockaid to enhance security across its chain.
- Onchain monitoring to surface anomalies and malicious behavior
- Chain support that allows any dApp, wallet, or partner to build securely
- Real-time visibility that helps teams detect and stop threats early
Together, we’re protecting both users and builders in the moments that matter most.
2 replies · 0 reposts · 4 likes · 199 views
Block @DegenShaker
RT @blockaid_: 🚨Blockaid's system has identified a front-end attack on @pepecoineth. The site contains code of the Inferno drainer. https:…
0 replies · 1 repost · 0 likes · 57 views
Block reposted
Elon Musk @elonmusk
If she’s a 10, you’re an asset 💯😂
36.8K replies · 33.1K reposts · 348.3K likes · 36M views
Block reposted
Idobn @idobn
For 22 minutes, PayPal's PYUSD, issued by Paxos, would not have been GENIUS-compliant. Yesterday, Paxos, one of the most trusted and compliant players in the space, accidentally minted $300 trillion PYUSD. The total supply onchain was greater than the world’s GDP. It was a single administrative error that exposed how easily one anomaly can affect DeFi core systems including stablecoin issuance, collateral ratios, oracles, and liquidation logic across the ecosystem.
3 replies · 11 reposts · 26 likes · 5.7K views
Block reposted
Blockaid @blockaid_
.@HyperliquidX HyperEVM is now supported by Blockaid.
- Real-time transaction simulation and validation
- Token scanning to block scams and impersonators
- Continuous monitoring of chain activity
- Policy enforcement for multisig wallets
With HyperEVM support, Blockaid continues expanding protection across the chains that power Web3.
7 replies · 16 reposts · 118 likes · 7.5K views
Block reposted
Idobn @idobn
As DeFi adoption grows, so does its attack surface. Yesterday, I joined @Nasdaq for Cybersecurity Awareness Month to talk about the future of onchain security. ↓ Here are the highlights:
2 replies · 6 reposts · 25 likes · 2.4K views
Block @DegenShaker
Does anyone in my Security Researcher network have technical knowledge of how investment scam operators are funneling their funds on-chain to evade fraud detection methods? Seeking to share threat intel and work collaboratively on this.
0 replies · 0 reposts · 2 likes · 320 views
Block reposted
naiive @naiivememe
i’m not selling
175 replies · 580 reposts · 4.7K likes · 205.6K views
Block reposted
FFV @FFVV1211
Girls: men have no fear The fear:
334 replies · 2.7K reposts · 21.1K likes · 1.4M views
Blockaid @blockaid_
Blockaid is joining the conversation at EASYCON, hosted by @Coiniseasy. If you’re at @kbwofficial, come see @DegenShaker from Blockaid share insights on “Novel Attack Vectors and How Blockaid Shields End-Users”. 📅 September 25, 2025 ⏰ 18:30 - 19:00 KST 📍 Seoul, South Korea
3 replies · 2 reposts · 9 likes · 3K views
Block reposted
Sui Community Official @SuiCommunity
Security is the final boss in mass adoption. That’s why @SuiNetwork and @blockaid_ built the ultimate protection shield. @idobn explains how Blockaid provides end-to-end onchain security, real-time detection and response to threats. Have a secure Friday 🌊
5 replies · 11 reposts · 59 likes · 5.1K views