alcueca

3.4K posts

alcueca
@alcueca

Previously @optimism Co-Founder & CTO @yield (defunct) Co-Author ERC4626 (Tokenized Vaults), ERC3156 (Flash Loans) ERC7266 (Oracles) Judge @ Code4rena, Cantina

Portugal · Joined March 2020
167 Following · 5K Followers
alcueca
alcueca@alcueca·
@jack__sanford Chainalysis reported that "the attacker compromised Resolv’s cloud infrastructure to gain access to Resolv’s AWS Key Management Service (KMS) environment where the protocol’s privileged signing key was stored." chainalysis.com/blog/lessons-f…
Jack Sanford 🛡️
Jack Sanford 🛡️@jack__sanford·
@alcueca Important article. I think Optimism has been a leader in taking threat modeling seriously. I'm curious - why do you say it's likely that the key compromise was AWS credential theft?
alcueca
alcueca@alcueca·
Those are all valid mitigations, but the question is how to prioritise those eight against the rest of the risks that a company faces. Manpower is not infinite, and a pre-product-market-fit company has different security needs from a $10B TVL protocol. The point of the article is that instead of shooting a list of generic mitigations to implement, just because there is a permissioned account, you can look at the protocol with more detail, and tell which ones are critical right now, for this protocol, at this time, and which ones are best implemented later when some milestones are achieved. Otherwise, all of them get ignored, as with Resolv. Or you get a random set implemented, which might not protect you the way you need.
RajΞΞv
RajΞΞv@0xRajeev·
In my experience, they usually assume opsec will be managed well. For protocols with privileged roles, we typically recommend, for example:
* Enforcing separation of privilege across roles where they are backed by different accounts to minimize single points of failure.
* Enforcing the highest levels of operational security appropriately to accounts/roles by using hardware wallets, multisigs with reasonably high signature thresholds and other infrastructure security measures to avoid, minimize, mitigate, compartmentalize and contain risks.
* Enforcing appropriate timelocks on privileged actions affecting protocol/users.
* Limiting the impact of malicious/compromised or misconfigured roles by enforcing in-protocol guardrails.
* Documenting all the roles and their responsibilities.
* Warning users appropriately about relevant risks.
* Preparing an incident response playbook for exploit scenarios.
* Practicing war game exercises for incident response preparedness.
alcueca
alcueca@alcueca·
x.com/alcueca/status… Once again, a protocol is hacked in a completely avoidable way. Everyone knows to audit their code, and to run a bug bounty, but beyond there, confusion is the norm. Threat modelling protects your protocol as a whole: infrastructure, code, processes, people.
alcueca@alcueca

x.com/i/article/2036…

alcueca
alcueca@alcueca·
@0xRajeev That is because they don't get a clear view of the centralization risks, or of the actions they should take. It's not enough to tell them that they have centralization risks; not everyone can build a permissionless protocol.
RajΞΞv
RajΞΞv@0xRajeev·
@alcueca And protocols continue to downplay "centralization risks" :(
alcueca
alcueca@alcueca·
Some highlights:
- Made clear that the OP Labs bug bounty is the best in the space
- Established a security roadmap backed by threat modelling
- Created a comprehensive AI-led incident management process
- Introduced a roadmap for intensive but safe use of agents
alcueca
alcueca@alcueca·
@fifikobayashi Coming back from the dead four years later with a one-liner. Bravo ♥️
Fiona Kobayashi 🧠
Fiona Kobayashi 🧠@fifikobayashi·
I'm back. What's been happening since... *checks timeline*...April 2021?
alcueca
alcueca@alcueca·
It feels good to be back in the arena
Optimist Prime@jinglejamOP

I’ve been wanting to talk about this for a while. The truth is… Optimism did too much and focused too little. We massively over-hired without a clear strategy. And token price is in the gutter. We’ve been bathing in tactics for a long time, clinging to previous successes like launching Base, Ink, Unichain, Worldchain, Soneium… without building the operating machinery to continue that momentum into a market that’s dramatically different today. Sun Tzu says: “Tactics without strategy is the noise before defeat.” For a long time, I rationalized our difficulties as due to regulatory uncertainty, market noise, and the impossibility of coordinating 3+ independent organizations. But at this point, doesn’t matter. The world today is vastly different than when Optimism started. So we’ve been upgrading Optimism for this new world. We’ve parted ways with many talented teammates, re-unified execution under a single entity, and re-built our engineering and enterprise sales orgs. The goal is simple: 1. Build the most scalable financial infrastructure 2. Bring enterprises and their assets onchain 3. Maximize the productivity of those assets Enterprise deals are now a competitive space. When we talk to these enterprises, we see Solana, Tempo, Arbitrum, Avalanche, all trying to help enterprises come onchain. But I’m confident OP Stack is going to beat them all. Why? The OP Stack is the only stack that has successfully brought & scaled multiple enterprises onchain. We’ve seen what works & what doesn’t work. We’ve earned this knowledge by—honestly—wasting a lot of money. We’ve seen every single enterprise blockchain failure mode because we’ve been doing this longer than anyone else. Here’s why enterprises consistently end up choosing OP Stack: enterprises’ expectations on scale and reliability are far beyond what Web3 is used to, and the OP Stack is the closest to what enterprises need. 
That’s not a coincidence - we’ve co-developed this infrastructure alongside the fastest growing enterprise in web3: Base. At the end of the day, enterprises want to control their own economics. They aren't gonna be sharecroppers on Stripe's blockchain. The OP Stack vision will win. Shared standards balanced with chain autonomy. The starting gun is now. See you in the ring.

alcueca
alcueca@alcueca·
@juanfranblanco @jinglejamOP We have been in conversation with many enterprises for a good while, and they haven't been asking for any of that. They ask for higher level features, customisability or performance specs.
Juan Blanco ☀️☀️🍞🍞🦇🔊
@jinglejamOP Does this mean that you are going to focus more on providing enterprise integration support and common development stacks like Java, .NET, Python, etc., including integration patterns for common clouds or systems that enterprises use?
alcueca
alcueca@alcueca·
@WhiteHatMage @Optimism That's a way more thoughtful response than I could ever have imagined. I really appreciate it. I'm going to think carefully about it.
alcueca
alcueca@alcueca·
@WhiteHatMage How do you rate max bounty size against likelihood of getting paid? In other words, should we at @Optimism increase the max bounty size, or make clear that we will pay for a critical, maybe in some legally binding way. What do you think would be better EV for us?
alcueca
alcueca@alcueca·
@samczsun @WhiteHatMage With the appropriate comms, obviously. You need to sell the idea that instead of an x chance of getting 100% rekt you have a y chance of getting 10% rekt, with a couple of caveats. The less-than-critical BB payments wouldn't move the TVL in any significant way.
samczsun
samczsun@samczsun·
@alcueca @WhiteHatMage how do you enact a mechanism for taking global haircuts without your protocol being dead on arrival?
samczsun
samczsun@samczsun·
so how do we secure protocols after they earn "survived the test of time" status? seems like
- bug bounty doesn't justify low ev
- not worth paying for new audits if it's clean
- impossible to insure because no way to estimate risk
are we cooked or am i missing something (please)