saefstroem

321 posts

@asaefstroem

dev | free public nodes: https://t.co/u9A1IxG9Qp

Joined October 2024
43 Following, 659 Followers
Pinned Tweet
saefstroem@asaefstroem·
The KelpDAO hack meant $292M lost because their verifier depended on a fixed set of RPC nodes. Attackers compromised those nodes and fed fake data. If they had randomized node resolution as a fallback, the attack model breaks. Today I announce NRS: Node Resolution Service. A free service that gives you a working RPC endpoint for any blockchain in milliseconds. Once your request hits, we pick a healthy node from a curated pool, and redirect you there. Every request goes to a different node, i.e. no single point of failure. Live now with $ETH $BNB $POL $ARB $IGRA and testnets. Open source, free, MIT licensed.
Kaskad@AppKaskad·
What what ? ? ? 🔥🔥🔥🔥 $1.6M for our first day! We have now 350,000 USDT and 1,000,000 USDC available for our users. Let's stay liquid shall we?
Kaskad@AppKaskad·
What a support! We just broke $500,000 in TVL in just 8 hours 🥳! $350,000 available for borrowers in USDT. Who wants stablecoins??? Check it out: 👉 app.kaskad.live
saefstroem@asaefstroem·
Native assets on $KAS would be quite cool. We just need to agree on a standard, similar to ERC20. Who’s down to buidl?
saefstroem retweeted
Pavel Emdin@emdin·
New version of t.me/Igra_watch_bot:
- /stats now returns actual liquidity and network information
- New /bridges command monitors inflows and outflows across all Hyperlane routes
- Backup RPC failover via nrs.pub by @asaefstroem
- Performance and stability fixes
saefstroem@asaefstroem·
@ibuypow It's only internal GH repos, we're fine.
saefstroem@asaefstroem·
The ZK SDK is reaching maturity. This short snippet demonstrates how easy it will be to verify a ZK proof on $KAS!
Michael Sutton@michaelsuttonil·
Toccata consensus feature freeze is finally here after a heroic last-mile push by kas core devs. Aiming to reset TN12 tonight, or tomorrow at the latest. Genesis update: + 0x6b617370612d746573746e6574 // kaspa-testnet - 12, 2 // TN12, Launch 2 + 0x544f4343415441 // TOCCATA + 12, 3 // TN12, Launch 3
KasMap@KasMaporg·
#KasMap & #MyKAI are making it simple to run a node. 1-click-download & 1-click-install. You can even run it on your PC or Laptop in the background. mykai.dev more info in the thread below.
saefstroem@asaefstroem·
@syndicateio It's time teams started focusing on deployment security.
Syndicate@syndicateio·
The root cause was a private key compromise. Keys were stored in a password manager accessible to a small number of people to handle chain maintenance and upgrades, without an additional encryption layer separate from the password manager.
Syndicate@syndicateio·
Syndicate Labs experienced a security incident. A private key compromise enabled malicious upgrades to bridge contracts on two chains, moving ~18.5M SYND and ~$50,000 of tokens from customer chains. All impacted parties are being made whole. Details below ↓
saefstroem@asaefstroem·
$IGRA looking sweet, $KAS. Get your RPC at nrs dot pub.
saefstroem@asaefstroem·
@vxunderground Have you used a blockchain? Do you know the architecture of Polymarket? All data is public. Just because it's an aggregate doesn't constitute it being called a "breach".
vx-underground@vxunderground·
I don't think it is in Polymarket's best interest to mock Threat Actors who are claiming to have exfiltrated data from them. I also don't think it's in their best interest to give an AI-like response. While they are correct in asserting a majority of the data is on the blockchain, it appears the motivation in this alleged "leak" is information aggregation. This isn't uncommon and can be used for targeted attacks toward high profile individuals. It is (probably) in their best interest to keep an eye on this and not mock criminals who are obviously interested in their organization. Alternatively, they can continue memeing financially motivated Threat Actors and pray they do not fall victim to a much larger Threat Group or (heaven forbid) an Insider Threat. I don't know, man. I don't think this stuff is a joke.
Polymarket@Polymarket

@DarkWebInformer 😂 "compromised"? Part of the beauty of being on-chain is all our data is publicly auditable… this is a feature, not a bug. No data was "leaked" — it's accessible via our public endpoints & on-chain data. Instead of paying for the data, you can access it for free via our APIs.

saefstroem@asaefstroem·
@KaspaPQ Why not just join the kaspa dev chat and help real $KAS be PQ-safe?
saefstroem@asaefstroem·
@DarkWebInformer lol imagine pulling onchain data, thinking you compromised user information 😂
Dark Web Informer@DarkWebInformer·
‼️ Polymarket, the decentralized prediction market platform, has allegedly been breached, with 300,000+ records and an exploit kit leaked on a popular cybercrime forum. The actor states Polymarket has no bug bounty program and was not notified.

‣ Threat Actor: xorcat
‣ Category: Data Leak / Exploit Kit
‣ Victim: Polymarket
‣ Industry: Cryptocurrency / Prediction Markets

The actor states the data was pulled via undocumented API endpoints, pagination bypass, and CORS misconfiguration on Polymarket's Gamma and CLOB APIs. The pack also includes working POCs for multiple CVEs and an auto-dump script. Date of extraction: 2026-04-27.

What's in it:

▪️ 300,000+ total records
▪️ ~750 MB extracted / ~8.3 MB compressed JSONs
▪️ 10,000 unique user profiles with full PII (name, pseudonym, bio, profile image, proxy wallet, base address)
▪️ 4,111 comments with attached profile objects
▪️ 1,000 report records containing 58 unique ETH addresses + admin_auth_addr indicator
▪️ 48,536 gamma markets with full metadata, condition IDs, token IDs
▪️ 250,000+ active CLOB markets with FPMM addresses
▪️ 292+ events with submitter/resolver ETH addresses and internal usernames
▪️ 100 reward configurations with USDC contract addresses and daily rates
▪️ 9,000 follower profiles with names, pseudonyms, proxy wallets
▪️ Internal user IDs exposed in createdBy/updatedBy fields

Vulnerabilities included (POCs in ZIP):

▪️ CVE-2025-62718: Axios NO_PROXY Bypass (CVSS 9.9, SSRF to internal services)
▪️ CORS Misconfiguration on CLOB API (wildcard origin + credentials=true)
▪️ CVE-2024-51479: Next.js Middleware Auth Bypass (CVSS 7.5)
▪️ CLOB Pagination Validation Bypass (limit=999999 accepted, no rate limiting)
▪️ Unauthenticated /comments/{id} endpoint (brute-forceable, leaks full profiles)
▪️ Unauthenticated /reports endpoint (leaks user activity + admin indicator)
▪️ Unauthenticated /v1/data/followers/{address} (full social graph enumeration)

Pack contents:

▪️ All dumped JSONs (markets, events, profiles, comments, reports, rewards, series)
▪️ 5 working POCs (CORS exploit, Axios SSRF, Next.js bypass, pagination DoS, WebSocket exploit)
▪️ Auto-dump script (continuously pulls fresh data until endpoints are patched)
▪️ Full redteam report with MITRE ATT&CK mapping
▪️ Additional 350MB data dump
saefstroem@asaefstroem·
Fair point. The difference is attack surface. nrs.pub is a stateless redirect: no keys, no funds, no chain state, no verification logic. Could nrs.pub redirect to a malicious node? Yes, if someone compromised the server and injected a bad endpoint into the pool. Because the architecture is so light, the time to recovery of an nrs.pub node is much shorter than, let's say, a full node infrastructure.
saefstroem@asaefstroem·
Check it out here: nrs.pub. No API keys, no accounts, no provider setup. Just use nrs.pub/1 for Ethereum, nrs.pub/56 for BSC, and so on.