bc1

copy.fail All Linux Kernel since 2017 are affected. I got out of bed to ensure all our company infra is patched and you should also do it.

Earlier today, Tulipa Capital identified unusual on-chain activity involving @yieldbasis (YB) contracts. The YB team was alerted within minutes of detection. What we know so far: - An attacker deployed a custom contract to claim fees and drain assets from 3 vaults - ~$1.25M in wrapped BTC (cbBTC, WBTC, tBTC) was extracted - The affected vaults appear to be owned by @giddydefi YB core contracts are not affected or at risk. The exploit targeted individual vault positions, not the protocol itself.

Tulipa Capital is actively monitoring the rsETH and Aave situation. Tulipa Capital has no direct or underlying exposure to rsETH or Kelp DAO. Our vault positions on Aave were migrated to alternative markets. We are monitoring exposure across protocols with Aave dependencies and continue to evaluate second-order effects across the broader DeFi ecosystem.

the issue with the @KelpDAO 280m$ hack was that it was just secured by just 1/1 validator set (DVN) on @LayerZero_Core . Which means one faulty transaction from a validator is all that's needed. my belief is that the root cause was possibly that the LZ validator on Unichain was compromised. the contagion effects are going to be quite bad. I don't think many people have realized it yet. - kelp was looping on aave with stETH for a few percentage here and there. Aave is going through a bank run so that means they'll need to unwind their positions - multiple protocols and chains are now going to be bad debt because their rsETH will get depegged. - aave's bad debt is more than what they can cover rn so almost anyone who has deposited into their safety net (60mn$) is 100% rekt. all for just staking for a few % in extra yeild. - trust on LZ & Aave will deteriorate. this is bad for the industry. - the kelp team (amazing founders) will go through debt i'd say i feel sorry for everyone who is going to go through the next few hours but unfortunately this is the industry we live in.

If anyone's at EthCC and wants to grab a coffee, hit me up! ☕

Tulipa Capital is actively monitoring the ongoing Resolv/USR exploit. Our vault positions do not hold exposure to the affected assets or markets. To our Gearbox users: we have disallowed position increases on the relevant assets and will take further protective action if the situation warrants it. Tulipa Capital is committed to ensuring lenders are fully protected. We will continue to monitor as Resolv works toward a recovery plan. @GearboxProtocol

@0xSero Let's talk !

Let’s train a model: github.com/0xsero arxiv.org/html/2603.0816…

Effective treasury management requires more than strong returns. It demands specialized expertise across multiple disciplines. For our GnosisDAO proposal, we've partnered with @flowdesk_co and @Accountable to deliver institutional-grade execution, real-time transparency, and rigorous reporting. Three teams. One aligned mission. Read our full proposal: forum.gnosis.io/t/request-for-…

“Mom, how did we get so rich?” “Your father and I lived in the era of the $200 claude code max plan”

Never forget

We heard that builders and API traders are struggling with integration of HIP-3 markets, multisig support and/or EVM<>Core interaction. Therefore, we built an SDK for Hyperliquid, one SDK to rule them all. github.com/infinitefield/…

I have not taken any meaningful hit to my portfolio since 2022. During this time, I've applied conservative risk parameters, and my portfolio has grown relatively slow but steady because of it. The feeling of engulfing stress and despair from seeing your hard-earned money disappear over a hack, exploit or simple market risk is just a memory to me. Losing a good chunk of your net worth, for which you spent countless hours that will never return and sacrificed invaluable moments you'll never get to experience again, is like dying a little bit. And it sure feels like that in the moment. Risk is unavoidable, but the amount you underwrite should serve a clear purpose. When your portfolio's size starts yielding marginal happiness returns, the EV equation starts turning negative. Risking a huge hit to your wealth, health and mind when you no longer need the money or feel satisfaction with the added returns is bad risk management. I remember quite vividly @AlgodTrading tweeting "I don't ever want to feel like this again" (now delted) after losing what I recall to be 50% of his net worth on FTX. I carry that thought with me in my actions. It reminds me to think about the objectives in all of my decisions. No inertia, no greed, no denial. Pure +EV. I invest to make money, I live to be content. Take a moment and reassess if your actions align with your objectives. Don't psyop yourself.

Live now. Don't sign all required signatures on a multisig and expect it not to be executed. :)

This is a massive loss. It's unclear how this will be settled in between xUSD/xBTC/xETH holders and lenders against these tokens, so let’s go over all stablecoins/vaults that have (in)direct exposure to Stream. Best we can tell, these stablecoins have indirect exposure: Elixir’s deUSD: Elixir is lending 68m USDC to Stream: debank.com/profile/0xaf8d… This represents 65% of deUSD backing. The main stream wallet is borrowing these funds against xUSD collateral. Elixir claims: “Elixir has full redemption rights at $1 with Stream for its lending position. We are the only creditor with these 1-1 rights.”. Stream team said: “ They have a contract. We told them explicitly that we cannot pay them out until lawyers determine who is owed what.“ Nevertheless, it’s rational to be careful before this debt is actually repaid. Treeve’s scUSD: eliteRingsScUSD is backed by veUSD. veUSD is backed by locked stkscUSD. stkscUSD is backed by staked scUSD that specific scUSD is rehypothecated to Mithras. Mithras scUSD (about 92% = 13m) is currently borrowed by xUSD collateral on Silo & Euler. This is not an extensive list, there likely are more stables/vaults affected, and the information presented here is not guaranteed to be accurate. Overall debt to lenders on various lending markets: $284.96M.* *Not counting indirect exposure through deUSD and other loops, this is a sum of all debt against Stream assets, debt owned both by Stream and by regular users. Totals by Curator: TelosC: 123.64M Elixir (kinda?): 68M MEV Capital: 25.42M Varlamore: 19.17M Re7: 14.26M Enclabs: 2.56 M Mithras: 2.3M TiD: 0.38M Invariant Group: 0.072M Here is a list of all markets that lend to xUSD/xBTC/xETH directly, their current exposure, and the curators which allocated money into there markets: EULER: Ethereum: TelosC Stream - only includes Stream assets - 1623.5 ETH ($5.89M), $14.31M USDC, 87.09 BTC ($9.65M) borrowed = $29.85M overall - Curator: TelosC app.euler.finance/market/telosc-… Plasma: TelosC Stream - $90M USDT, $2.89M plUSD, 900k msUSD - Curator: TelosC app.euler.finance/market/telosc-… Plasma: Re7 Labs xUSD - $14.26M USDT - Curator: Re7 app.euler.finance/market/re7labs… Sonic: MEV Capital Cluster - Hard to tell exact exposure, but the vault has $7M scUSD, $3.5M USDC, $2.7M scETH - 9.87M xUSD and 500 xETH deposited. - Curator: MEV Capital app.euler.finance/market/mev-cap… SILO: Ethereum: xUSD/USDC market - $1.2M USDC borrowed - Curators: Varlamore ($850k) app.silo.finance/markets/ethere… Arbitrum: xUSD/USDC market - $15M USDC borrowed - Curators: Varlamore ($14.2M), TID ($346k) app.silo.finance/markets/arbitr… Avalanche: xUSD/USDC, xUSD/USDT, xUSD/AUSD - $1.9M USDT, $816k AUSD, $9.3M USDC borrowed = $12.01M overall - Curators: MEV Capital ($7.2M), Varlamore ($2.5M), TiD ($28.5k) app.silo.finance/markets/avalan… app.silo.finance/markets/avalan… app.silo.finance/markets/avalan… Avalanche: xBTC/BTC - 272 BTC ($29.1M) - Curators: MEV Capital ($17.6M) app.silo.finance/markets/avalan… Sonic: xUSD/USDC, xUSD/scUSD - $2.3M scUSD, $4M USDC - Curators: Mithras ($2.3M), Varlamore ($1.6M) app.silo.finance/markets/sonic/… app.silo.finance/markets/sonic/… MORPHO: Plume: The Elixir Market: - 68M USDC borrowed - Lender: Elixir Arbitrum: xUSD/USDC - 628k USDC - Curator: MEV Capital app.morpho.org/arbitrum/marke… GEARBOX: Plasma: Invariant Group USDT0 - 72.45k xUSD. This market had a LOT more xUSD, but it was all exited. GGWP, @GearboxProtocol! app.gearbox.finance/pools/9745/0x7… ENCLABS: Sonic: 4.21M xUSD, about $2.4M in exposure? Plasma: 150k xUSD, about $160k in exposure? Again, there might be more, this is all we found.

Be VERY careful interacting with unverified @merkl_xyz campaigns. A bad actor is creating triple digit APR incentives on Sonic for depositing USDC into an Euler vault, and drains all deposits. This is how it works: Because Euler is permissionless, the attacker was able to deploy a 'fake' market using scUSD as collateral and USDC as debt. The market has a 1$ deposit cap for scUSD - fully taken by the bad actor. The scUSD oracle price is set to $1M per token, allowing the attacker to borrow 700,000 USDC against a single scUSD (at 70% LTV). The attacker controls the oracle and can raise the price further to extract more funds if needed. Next, the attacker created an unverified, fake campaign on Merkl to attract deposits. Any USDC deposited to this market is borrowed, swapped into ETH, and transferred to @RAILGUN_Project. Current losses: roughly $145,000, and growing. As the attacker is not actively monitoring the vault for new deposits, it allowed 0xc0f8feab321f8ffe97666768451747d16da8cad5, a victim who previously deposited USDC into this vault, to withdraw USDC before the attacker managed to borrow it. While we don't think @merkl_xyz or @eulerfinance are at fault here, as they both clearly flag the campaign/market as unverified, @merkl_xyz should likely make depositing into an unverified campaign much more annoying with more pop-up warnings, just to prevent this from happening in the future. Main operator: 0x8ba913e764c5cc9b22ee63737841059ad9caac5f Final receiver before railgun: 0xa86399e78fb3d9fb5be053825a016e32d390fc12 The list of victims can be found here: #balances" target="_blank" rel="nofollow noopener">sonicscan.org/token/0x683dbC… Campaign (SCAM, don't deposit): app.merkl.xyz/opportunities/… Euler Market (SCAM, don't deposit): app.euler.finance/positions/0x9A… cc @zachxbt

As a general risk framework, if you suspect that an asset, exchange, or any place holding your funds might be insolvent, the most rational decision is to exit first and ask questions later. The cost of exiting is typically far lower compared to the risk-adjusted loss (expectedLoss * probability). Its also important to look for secondary exposure. You might not be holding a stablecoin you suspect is insolvent directly, but that stablecoin can be a part of backing of another stablecoin you’re holding, or you might be lending money on Euler/Morpho/Silo in a managed vault that lends against this stablecoin. @Tiza4ThePeople always gets us thinking about correctly assessing risks we take farming away in DeFi, you should follow them.

Became an $ASTER spot market maker for the weekend. I'd highly recommend anyone wanting to dive deeper into markets give it a go. Read about the strategy, how it performed, and where I would take it from here: blockbandit.xyz/adventures-in-…