Adrian 💗
1.1K posts

Adrian 💗
@adamiakadr
Software developer, tweeting about blockchain technologies, AI & VR. Dev & research @l2beat 💗
Joined July 2009
1.7K Following, 173 Followers
Adrian 💗 retweeted

We are excited to announce that the L2BEAT Interoperability Dashboard now supports @HyperliquidX and @Lighter_xyz
Users can now track cross-chain volume, transfers, tokens & protocols distribution, connecting both ecosystems to the wider landscape.

Adrian 💗 retweeted

A must-watch if you'd like to learn more about the zkEVM proposal and the challenges to L1 scaling 👇
sergeyshemyakov, PhD 💗 @sergeyshemyakov
At ETHPrague I presented "From ZK rollups to ZK Ethereum". It's an explainer of zkEVM and a comparison with L2s. I also mention new challenges that L1 has to solve:
- Guest program & prover diversity
- Real-time proving
- Prover incentives
- Upgrades
👇 Links to video & slides 👇
Adrian 💗 retweeted

We just listed @gnosischain! This is part of our adjusted focus that started with interop and includes more blockchains than those fitting strict Ethereum L2 criteria.
Gnosis Chain became of interest because of its strong similarity to Ethereum, not only its EVM execution environment but also its beacon chain and consensus mechanism.
It also has a canonical bridge that secures over 300M USD-equivalent value. The recent announcement of the Ethereum Economic Zone (EEZ, @etheconomiczone) teases a tighter integration of chains that join it, possibly allowing synchronous interop between Ethereum and a future Gnosis Chain.

Adrian 💗 retweeted

SECURITY ADVISORY — TanStack npm packages
A supply-chain compromise affecting 42 @tanstack/* packages (84 versions total) was published to npm earlier today at approximately 19:20 and 19:26 UTC. Two malicious versions per package.
Status: ACTIVE — packages are deprecated, npm security engaged, publish path being shut down.
Severity: HIGH — payload exfiltrates AWS, GCP, Kubernetes, and Vault credentials, GitHub tokens, .npmrc contents, and SSH keys.
If you installed any @tanstack/* package between 19:20 and 19:30 UTC today, treat the host as potentially compromised:
• Rotate cloud, GitHub, and SSH credentials immediately
• Audit cloud audit logs for the last several hours
• Pin to a prior known-good version and reinstall from a clean lockfile
Detection — the malicious manifest contains:
"optionalDependencies": {
  "@tanstack/setup": "github:tanstack/router#79ac49ee..."
}
Any version with this entry is compromised. The payload is delivered via a git-resolved optionalDependency whose prepare script runs router_init.js (~2.3 MB, smuggled into each tarball at the package root).
Unpublish is blocked by npm policy for most affected packages due to existing third-party dependents. All 84 versions are being deprecated with a SECURITY warning, and npm security has been engaged to pull tarballs at the registry level.
Full technical breakdown, complete package and version list, and rolling status updates:
github.com/TanStack/route…
Credit to the security researcher for responsible disclosure.
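
The detection rule from the advisory above, as an added example that is not part of the original post or any TanStack tooling: a Node.js scan of an installed tree for manifests carrying the `@tanstack/setup` optionalDependency, which also notes whether `router_init.js` sits at the package root. The function and field names are illustrative, and because the commit hash is truncated in the post, only the `github:tanstack/router#` prefix is compared.

```javascript
// Added example, not TanStack tooling; the rule comes from the advisory text.
const MARKER_DEP = "@tanstack/setup";
// The commit hash is truncated in the post, so only this prefix is compared.
const MARKER_PREFIX = "github:tanstack/router#";
const PAYLOAD_FILE = "router_init.js";

// Check one parsed package.json; returns a finding object or null.
function checkManifest(manifest, location, hasPayloadFile = false) {
  if (!manifest || typeof manifest !== "object") return null;
  const opt = manifest.optionalDependencies;
  const spec = opt && typeof opt === "object" ? opt[MARKER_DEP] : undefined;
  if (typeof spec !== "string") return null;
  return {
    location,
    name: manifest.name ?? null,
    version: manifest.version ?? null,
    spec,
    matchesAdvisoryPrefix: spec.startsWith(MARKER_PREFIX),
    hasPayloadFile,
  };
}

// Walk an installed tree (nested node_modules included) and check each manifest.
async function scanTree(root) {
  const fs = await import("node:fs");
  const path = await import("node:path");
  const findings = [];
  const stack = [root];
  while (stack.length > 0) {
    const dir = stack.pop();
    let entries;
    try { entries = fs.readdirSync(dir, { withFileTypes: true }); } catch { continue; }
    const files = new Set(entries.filter((e) => e.isFile()).map((e) => e.name));
    if (files.has("package.json")) {
      try {
        const text = fs.readFileSync(path.join(dir, "package.json"), "utf8");
        const hit = checkManifest(JSON.parse(text), dir, files.has(PAYLOAD_FILE));
        if (hit) findings.push(hit);
      } catch {
        // unreadable or malformed package.json: nothing to match
      }
    }
    // Dirent.isDirectory() is false for symlinks, so linked packages cannot loop.
    for (const e of entries) if (e.isDirectory()) stack.push(path.join(dir, e.name));
  }
  return findings;
}
```

Run it as `scanTree("node_modules").then(console.log)` from the project root; an empty array means no installed manifest carries the entry.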
Adrian 💗 retweeted

We updated the 'Exit window' part of our risk rosette to reflect the worst-case delay, which typically occurs when there's an emergency upgrade path.
There are currently only 4 chains with an unconditional non-zero exit window: @aztecnetwork, @0xFacet v1, @ethscriptions, and Zk Money v1 (Aztec v1).

Adrian 💗 retweeted

@dadiomov Because then you have to add card fees. Why drag Visa along with us into the future like a software virus?
Adrian 💗 retweeted

gm, new proposal to generalize native rollups' benefits to all rollups (even non-EVM) and to all ZK applications in general just dropped
ethresear.ch/t/native-proof…

Adrian 💗 retweeted

After years of relentless dedication to improve Bitcoin’s privacy, zkSNACKs, the company pioneering the development of Wasabi Wallet, is shutting down its coinjoin coordination service, effective June 1st, 2024.
Blog post announcement link:
blog.wasabiwallet.io/zksnacks-is-di…
Adrian 💗 retweeted

@donnoh_eth @0xmons Ooh, it's improved! That's the canonical one, no fast path for small volumes shenanigans?
It used to be the L1 blockhash relay to L2 was really slow iirc
Adrian 💗 retweeted

As more and more admin keys are compromised to drain protocols, here's your checklist if you are running one:
1) Learn as much as you can about your external dependencies. Once you learn about them, monitor their setup for upgrades 24/7. It's ridiculous to rely on an audit to tell you "hey, the doors to your house are locked, we checked it on 23rd of March". Today the external token that you may depend on could be L0 4/4 DVN; tomorrow, it may be 1/1 DVN. You should get an alert of a change and react to the news
2) As you should monitor your external dependencies, anyone relying on you should monitor you - for them, you are their external dependency. They should monitor every single MultiSig that you run, every single EOA that you set up - it's potentially their liability. Once an unsafe setup is detected, they may (and frankly should) refuse to use your protocol. So make sure you don't have these freaking EOAs that you set up just for operational efficiency
3) The first people spotting your weak points will be hackers. Then, external teams. Finally, your internal ops team. You need to reverse that order
4) Don't rely on AI slop for risk analysis. This current trend, where we see dozens of "risk-mgmt dashboards that I vibe-coded over the weekend" is frankly beyond scary and outright irresponsible. You will get a beautiful-sounding report, but you will never be sure if it is correct or bullshit or something in between
The above you should do on top of code audits of your protocol and impeccable internal opsec, circuit-breaker infra, and whatnot. If you think that's frankly too much or too expensive - gtfo of DeFi
And if you are overwhelmed with the complexity of the task - talk to @l2beat 💕
PeckShield Inc. @peckshield
It seems the admin key of @wasabi_protocol has been compromised with the estimated loss of $5.5m across multiple chains, including ETH, BASE, BLAST, and BERA chains. Here is the related tx to add the malicious admin: etherscan.io/tx/0x11ff84ffb…