atiselsts.eth @atiselsts_eth
Researcher | ex @chaoslabs
1.8K posts
Joined February 2023
1K Following, 2.3K Followers
atiselsts.eth @atiselsts_eth
@MattFiebach Also the "optimality" where it exists in tradfi is mostly limited to a very small set of actors. For the common guy it's very far from that.
atiselsts.eth @atiselsts_eth
@MattFiebach Mostly agree. DeFi - democratizing finance, not replacing it. But disagree on it already being "structurally" optimal. Settlement remains strictly better in crypto - clear finality, no counterparty risk. Risk surface is smaller, and risk mgmt can be automated to a higher degree
Matt @MattFiebach
People are mega bearish right now and I think the real reason is one most of us don't want to say out loud: we aren't reinventing the world the way we thought we would.

The OG vision was thousands of basement devs spinning up novel financial primitives, disintermediating middlemen, redesigning finance from first principles. The assumption was that permissionless + open source would unlock a Cambrian explosion of structurally new things. Two realities killed that:

1) Finance is already optimal in a lot of structural ways. Morpho is functionally an ecosystem of fund managers and looks a lot like traditional credit funds. DEXs are converging on orderbooks. The differences from tradfi aren't structural but rather efficiency, transparency, and composability.

2) Hacks. You cannot have a thousand devs forking experimental code when every bug is a nine fig exploit. What actually works is small, audited codebases with hundreds of high quality eyes on them. Using Morpho as an example again: part of their edge isn't just the code, it's that Coinbase and every other distribution partner is also watching that code. Security ends up being a centralizing force on who gets to build.

But here's the part people are missing: that's still a massive deal. "The same financial system, but more efficient, more transparent, and composable by default" is genuinely one of the most important upgrades to global finance in decades. It's just not the revolution we pitched for the last 15 years. Crypto being a net-positive refinement of finance instead of a replacement of finance is still worth trillions. We should stop being embarrassed about that and start owning it.
letsgetonchain @letsgetonchain
Looking for more managed ETH yield strategies to add to this comparison. Requirements:
1) 1y+ track record
2) >10m TVL
3) strategy scope includes LST looping

Returns indexed to oldest common deployment date:
@0xfluid Lite ETH: +7.92%
@TreehouseFi tETH: +5.45%
@etherfi liquidETH: +5.77%
Ramil Amirov @mcp0x
Longs on @binance and @HyperliquidX quietly overpaid $480 million in funding last year on $BTC and $ETH markets alone. Almost every major perp exchange copy-pasted BitMEX’s 2017 emergency setting… and "forgot" to touch it for nine straight years. Binance carved out an exception for their own token. Here is why 🧵
Hari @hrkrshnn
One way to tune your judgment on AI: When you saw the GPT-3 demo or the original version of DALL-E (early image model, with glaring issues like producing people with six fingers), would you have predicted where we'd be today?
Michael Egorov @newmichwill
So let me start. DeFi is the future of the World Financial System. That's my belief, and this is why we are here.

The amount of absolutely preventable hacks we see in DeFi (with root causes attributable to CENTRALIZED points of failure) has been enormous recently. This damages our industry, and I build for this industry. So I cannot remain silent.

Imagine an average grandma (mass adoption is here?) putting her life savings on Aave. And then BOOM, she cannot withdraw her funds on Monday. Aave (the biggest DeFi protocol btw) said it's operating as intended - just rsETH got exploited. rsETH said that all code is safu - just the LayerZero bridge got hacked. LayerZero (the biggest bridge, securing a quarter of a trillion $) said that everything is operating as intended. Yet, she cannot withdraw her funds. WTF? Are we an industry of clowns?

But here's the thing. All issues like this should be prevented BEFORE they happen, not AFTER. The number of single points of failure should be reduced, not increased. When these points of failure are unavoidable - trust should be split. If there's a reliance on infrastructure - we should share best practices on how to configure it. Not to mention that code should be very well checked - everyone gets that already.

We should probably come together and develop safety standards for DeFi. How to build safely, and how to verify safety. Probably everyone should bring their best practices, and the projects, auditors and risk assessment groups should know them. Maybe we need @ethereumfndn and @SolanaFndn bringing all the ecosystem projects to participate and come up with principles, rules and recommendations of safe building. And, perhaps, we can even learn something about protecting the few remaining centralized points of failure from traditional finance, which has many more of those.

DeFi will win
atiselsts.eth @atiselsts_eth
Low risk DeFi can't be the revenue engine for @ethereum if low risk DeFi does not exist. (Other than a couple of OG protocols like Uniswap) EF is already doing plenty to make the core protocol more secure. Next step is including DeFi too, like Solana has x.com/SolanaFndn/sta…
Quoted post from Solana Foundation @SolanaFndn:
Solana was built for security. As the ecosystem scales, so does our investment in the tools, standards, and support. Today that commitment deepens with a new security program, active monitoring, formal verification for top protocols, and a new crisis response network. Learn more 👇
atiselsts.eth @atiselsts_eth
@DefiIgnas This is literally the opposite of what crypto promised (no middlemen, permissionless access). Now middlemen will frontrun transactions, with their priority levels depending on how wealthy they are. No wonder this hasn't been tried out before.
Ignas | DeFi @DefiIgnas
Optimism might make L2 history here. They're testing paid priority access for transactions.

Today every tx competes in a priority gas auction. Pay more, get in sooner. The problem Optimism wants to solve is that this creates spam and gas wars, and traders and market makers can't show commitment beyond gas price. Although this will probably mostly incentivize sandwich attackooors (MEV bots) to stake. Kinda smart.

So you can stake 100k OP ($13k USD) and get top-of-block access.
- No lockups - instant unstaking
- Time multiplier prevents quick OP borrowing to frontrun liquidations; you need to hold 15+ days for full boost

Phase 1 is first come first served. Phase 2: your stake size, duration, and priority gas create a single ordering score.

This is probably the first L2 token utility that goes beyond fee revenue (which L2s don't have anyway).

Plus, I wonder if this doesn't end up as sequencer centralization? Because a staked sequencer is better than the others. In any case, decentralization is a luxury after Base left OP Stack. It was a big hit so $OP needs a real utility narrative and staking is one.

Still on testnet, but I welcome innovation in tokenomics. It has been lacking. It seems hard times finally push that innovation.
atiselsts.eth @atiselsts_eth
For one, I believe that audits (for code bugs) are one of the things that DeFi does get right. And better audits or formal verification wouldn't have prevented most of the recent exploits:
- Resolv, Drift > private key compromise + lack of timelock and other circuit breakers
- Venus Protocol > economic attack, flagged by audits but ignored
- Aperture Finance, Solv > bugs in unaudited contracts
- Makina Finance > vault logic compromise, OOS for audits

In TradFi, companies are mandated to do thorough risk management by law. In DeFi, we're not.

Solution? More social consensus that DeFi needs to learn to take better care of its risks. This already works with code audits - everyone believes that a protocol that doesn't have code reviewed by security experts can't be taken seriously. It also works for L2s because we have @l2beat. Comparably, we don't have nearly as good insight into the admin control levels of major DeFi protocol deployments. Similarly, we know far more about how to exit L2s in times of crisis than how to exit major DeFi protocols if/when their admin decides to do something funky.

EF doesn't need to pick and choose some favorite protocols. But it would be nice to recognize that there's a crisis in "low-risk" DeFi and push for a more principled approach, where risk management goes beyond looking for bugs in the code.
ivangbi 🦞 @ivangbi_
Short reply: in the Ethereum ecosystem, all of this and more has been available for a long time. And in practice, not just in headlines. And all done independently without the EF needing to step in 💡

As for more involved things, look into trilliondollarsecurity.org (more here blog.ethereum.org/2025/05/14/tri…) and the recent thedao.fund. For 1TS, in some cases this means providing grants to teams like @_SEAL_Org, TrustX, @CredShields; collaborating closely, for example with the Clear Signing Working Group to improve transaction clarity; working upfront on security features like Transaction Assertions, etc. Here is a recent post to add to the list: x.com/0xboo/status/2….

________________

Long reply: this is directionally good, sure. The tradeoff is that it’s a more interventionist foundation model. EF should be careful about becoming the allocator that picks which protocols get subsidized audits, monitoring, or formal verification. A better path for EF is education, standards, coordination, and better risk transparency. Teach a man to fish... you know how it goes.

Below is my subjective thinking...

Security tooling, auditors, best practices - have been available on Ethereum and in dev-to-dev private discussions. So what’s the reason redundant and non-redundant mistakes are being made? I could say that it's the combo of (1) lack of education around those practices, (2) lack of an incentive to be more secure-oriented and sometimes make harder choices, (3) lack of capital to pay for all this.

(1) On lack of education (devs not knowing what to use): we will do more educational content. We’ve shared some tooling briefly during the DeFi rooms sessions in Cannes. There is now better test tooling, new decent AI tools, some formal verification early beginnings, etc. That’s not even a question of money or incentives, this just needs to be more understood & known. 1TS is doing it and will be doing even more on that front.

A great one is also @thedaofund (cc @griffgreen) which comprises multiple teams and will not only do some funding for security research but will also push education on that front (auditor names, tooling, etc). Thus, builders would know more tools, know the right auditor names, and have an understanding of how to approach security. It’s not under EF but a separate entity, but it’s composed of OG builders and experts! There is also another great one: Trillion Dollar Security, already explained above.

(2) On incentives, that’s a weird blocker. An incentive should be to not get your users rekt, but startups try to “run fast and patch things on the way”. Formal verification (I am not an expert here, please shout at me if this is wrong) should fix this. Because otherwise your only choice is to have a reasonably big team / a ton of money for audits / a ton of money for continuous auditing. With AI tooling, things can change for better and worse at the same time, but going closed-source is the most impractical and wrong way for sure. Anyway, this problem of deploying smart contracts but trying to make them safe has always existed, so it feels like here the incentive fix could be for EF to push forward a dashboard / overview of protocols-assets which are most security-aligned (referencing charles tweet and sam spark tweet). That means issues of multisigs, governance attacks, any access layer permissions, etc. It’s a multi-layered overview, not just one metric. That fixes the problem of incentives to “do better, do more”? Although big APY numbers will always get people fleeced.

(3) Great audits are expensive (be it @chain_security @bailsecurity @statemindio @Certora etc.), because there are still large protocols who book many teams and demand the highest quality (as they have the most experience in who to ask for). We’ll see if it gets majorly cheaper - I am not sure it does by much.

EF or any foundation can’t be sponsoring these too much because then it becomes like an incubator (since it cannot give even $300K+ to more than a few protocols per year, and even that budget is relatively small in terms of impact, so it just becomes a subjective drain). Some L2s tried to do it, early-stage networks did it. But Ethereum has, in my opinion, outgrown this stage a while ago. It’s a neutral layer, it’s capitalism, not picking a few projects and championing them or productizing them. Not that Ethereum has won everything (although I think its USPs are much stronger, that’s beside the point). What I am trying to say is that great auditors are in decent abundance (enough for the purposes needed), and they don’t need any handholding. Teams have to find a way to finance this or have gradual stages for deployment if they lack capital, or find other ways to go live yet remain secure.

Great monitoring is relatively not too expensive for teams with decent TVL, and there are various projects who offer it as a service. Hypernative, and add a few other names. They exist. Many teams individually do this in-house and make their own custom monitoring too, if they can.

I, subjectively, think that choosing which project to pay for an audit for or run monitoring tools - should NOT be done by a foundation. I am generally against trying to pack everything under one entity, because after a year of sponsoring these activities - you’ll see the issues of those teams running these things not being able to continue since they haven’t learned to get business done and find customers. I’d argue that DeFi is at a market stage / size where companies can for-profit sustain themselves. Anyway this is a specific comment on the $$ question. Better if there is help, and that help will be provided, but not in terms of simply sponsoring audits for established protocols.

All of the things mentioned have existed on Ethereum for ages, it feels like. War rooms are there, monitoring tools are there, security researchers are there. All done independently enough and not stopped by layers of bureaucracy under one foundation.

________________

Please poke holes in what you think is wrong / tone deaf / needs elaboration. Let’s put things on the action board that we might still be missing.
PropellerHeads @PropellerSwap
.@UniswapFND gives a grant for Tycho and Fynd to: Make Uniswap pool simulations really fast (down to 900 ns per pool quote). Index >100k Uni pools with 0 inconsistent state, even on Flashblocks and reorgs. Make v4 hooks tradable minutes after deployment. More soon.
atiselsts.eth @atiselsts_eth
@mud2monarch Good point. I said most hooks because I expect that most teams want some kind of beforeSwap/afterSwap logic, not custom delta accounting. The former should now be picked up automatically.
atiselsts.eth @atiselsts_eth
Uniswap UI will finally pick up new hooks automatically. This used to be a big friction point for teams looking to build on top of v4. Hooks were permissionless, but getting orderflow was not. Now most new hooks will be autorouted. x.com/Uniswap/status…
Quoted post from Uniswap @Uniswap:
Today we're launching hook auto-routing on the Uniswap Web App, Wallet, and API. That means no more allowlist process. Build your hook, deploy your pool, get distribution from day one.
atiselsts.eth @atiselsts_eth
@hasufl Re pausing, maybe it's worth considering a two-phase approach:
- make protocol easy to pause (circuit breaker or low-threshold multisig)
- but hard to keep paused (auto resumes after x days unless governance decides otherwise)
Hasu⚡️🤖 @hasufl
Every DeFi protocol should have:
1. Circuit breakers for deposits and withdrawals, and possibly other internal operations as well
2. Timelocks for any change
3. Security councils that can shut down protocols immediately

We don't need insurance, we need to start doing the ffcking basics correctly. It's too early for this space to drive without any training wheels. I beg you, sacrifice a tiny bit of UX to gain a lot of peace of mind. The worst possible UX is losing your users' money.
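The two-phase pause that atiselsts.eth suggests in reply to Hasu's circuit-breaker item, as an added Solidity sketch that is not code from either post or from any protocol named on this page; the role names, the 3-day pause window and the 7-day guardian cooldown are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not code from any post above. A guardian (low-threshold multisig
// or automated circuit breaker) can pause instantly, but the pause lapses on its
// own after PAUSE_WINDOW unless slow, timelocked governance extends it. A cooldown
// stops the guardian from chaining pauses. Both durations are assumed values.
contract AutoResumingPause {
    uint256 public constant PAUSE_WINDOW = 3 days;
    uint256 public constant GUARDIAN_COOLDOWN = 7 days;
    address public immutable guardian;
    address public immutable governance;
    uint256 public pausedUntil;       // paused while block.timestamp < pausedUntil
    uint256 public lastGuardianPause; // timestamp of the guardian's last pause
    mapping(address => uint256) public balances;
    event Paused(address indexed by, uint256 until);
    event Unpaused(address indexed by);

    constructor(address _guardian, address _governance) {
        guardian = _guardian;
        governance = _governance;
    }

    function paused() public view returns (bool) {
        return block.timestamp < pausedUntil;
    }

    // Easy to pause: a single guardian call, no vote and no timelock.
    function guardianPause() external {
        require(msg.sender == guardian, "not guardian");
        require(!paused(), "already paused");
        require(block.timestamp >= lastGuardianPause + PAUSE_WINDOW + GUARDIAN_COOLDOWN, "cooldown");
        lastGuardianPause = block.timestamp;
        pausedUntil = block.timestamp + PAUSE_WINDOW;
        emit Paused(msg.sender, pausedUntil);
    }

    // Hard to keep paused: only governance can extend past the window or resume early.
    function governanceSetPause(uint256 until) external {
        require(msg.sender == governance, "not governance");
        pausedUntil = until; // 0 (or any past timestamp) resumes; a later one extends
        if (until > block.timestamp) emit Paused(msg.sender, until);
        else emit Unpaused(msg.sender);
    }

    function deposit() external payable {
        require(!paused(), "paused");
        balances[msg.sender] += msg.value;
    }

    function withdraw(uint256 amount) external {
        require(!paused(), "paused");
        balances[msg.sender] -= amount; // checked math reverts if balance is too low
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
    }
}
```

Once the window passes, `paused()` turns false with no transaction at all, so a stuck or compromised guardian cannot hold user funds hostage beyond one window plus the cooldown; a longer freeze needs the slower governance path.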
atiselsts.eth reposted
Omer Goldberg @omeragoldberg
1/ Drift's admin key was compromised. $213M+ drained from @solana's largest DEX in under 10 seconds. Unfortunately, we've seen similar patterns before: - fake collateral market - a manipulated oracle - disabled circuit breakers Let's break it down 👇 written w/ Chaos AI
atiselsts.eth @atiselsts_eth
@ustas_eth Multi-block MEV would be bad in several different ways if it appeared. There's definitely some social stigma against it, especially if the large builders started doing it
ustas.eth @ustas_eth
@atiselsts_eth Shit, the letter... Got ahead of myself on this one. The point still stands, partially, the threat model expands and the dominant builders do deliver consequential blocks already. But the example turns out dumb...
ustas.eth @ustas_eth
A dapp has a rounding error. To exploit it you need an absurdly large position and must withdraw in the same block. No problem, withdrawals require at least 1 block delay. Sounds safe, right? Well, not for long. If your security model relies on what happens within a single block, it may be time to revisit it.
Quoted post from The Block @TheBlockCo:
EXCLUSIVE: Ethereum block builder Eureka Labs raises $6.7 million, introduces 'programmable blocks' theblock.co/post/394923/et…