Alex Beszedin 🧬

9.9K posts


@beszedin

developer https://t.co/KYwmaWdBmf | Cryptocurrency is good.

Joined December 2014
1K Following, 390 Followers
Zh0u (@Crypto_Zh0u)
Can't believe this NFT cost me 0.35eth & now it's worth 0! IYKYK, this is Morse from the Mitosis community > The NFT is only as valuable as the community > And the community is only as valuable as the team Besides this one, I have another 5 NFTs from the same collection Beautiful collection, but sadly the team just gave up post-TGE
wale.moca 🐳 (@waleswoosh)

Not sure who needs to hear this, but acquiring old NFT projects is usually neither a good idea for the buyer nor bullish for holders. Cases where abandoned NFT projects are successfully "revived" are extremely rare. It also requires immense effort (financially, creatively and socially). Buying an NFT because of a random acquisition (or worse, acquisition rumors) won't age well

Rob Inmoods (@robinmoods)
Day 42: I successfully didn’t receive my MITO for choosing tMITO. Thanks @Luke_onair, my king, my lion 🦁
Alex Beszedin 🧬 retweeted
Charles Guillemet (@P3b7_)
Two days ago, Kelp DAO suffered a $292 million exploit, the largest DeFi hack of 2026. The attack is elegant in its simplicity, terrifying in its implications, and a case study in how a single misconfiguration can cascade through the entire DeFi stack.

▶ The Setup

Kelp is a liquid restaking protocol. It creates rsETH -- a liquid token representing ETH restaked on EigenLayer. DeFi being DeFi, users want these tokens available across multiple chains. So Kelp uses LayerZero, a cross-chain messaging protocol, to bridge rsETH between networks.

The core idea behind any cross-chain bridge is straightforward:
- A user locks (or burns) tokens on Chain A
- An oracle observes and verifies that transaction
- The bridge mints an equivalent amount of tokens on Chain B

LayerZero's oracle mechanism is its Decentralized Verifier Network (DVN), a set of independent verifiers that must agree a cross-chain message is legitimate before it is executed. The critical word here is "independent." And that's where things went wrong.

▶ The Vulnerability

For reasons that remain unclear, Kelp had configured a 1-of-1 DVN setup. One verifier. No redundancy. No independent confirmation. LayerZero had explicitly warned against this configuration. Kelp ignored the warning. A single point of failure in a system securing hundreds of millions of dollars.

▶ The Attack

The attackers, preliminarily attributed to North Korea's Lazarus Group, didn't need to break any smart contract. They went after the infrastructure layer. To verify blockchain state, a DVN relies on RPC nodes, the servers that synchronize and serve blockchain data. The attackers compromised two RPC nodes used by Kelp's lone DVN, then launched a DDoS attack against the remaining healthy nodes, forcing failover to the poisoned ones. From there, it was trivial.

The compromised RPC nodes presented a fabricated blockchain state to the DVN, pretending that 116,500 rsETH (~18% of total circulating supply) had been legitimately deposited on the source chain. The DVN, seeing no contradicting signal from any other verifier, approved the message. The attacker retrieved 116,500 rsETH freshly minted on the destination chain.

▶ The Liquidation

The attacker deposited the stolen rsETH as collateral on Aave V3 and Compound V3, then borrowed approximately $236 million in (W)ETH against it. By the time lending protocols reacted, freezing rsETH markets, halting new deposits, restricting withdrawals, the damage was done. Aave now carries an estimated $177-196 million in bad debt. Its TVL plunged from ~$26.4 billion to ~$17.7 billion as panic withdrawals exceeded $5.4 billion. Whether Aave's safety module can fully absorb the loss remains an open question.

▶ The Deeper Problem

Poisoning a handful of RPC nodes and DDoS'ing a few others was enough to fabricate $292 million out of thin air and erode trust across the entire DeFi ecosystem. No smart contract exploit. No zero-day. Just a misconfigured verifier and an infrastructure-level attack on the nodes it relied on.

But the root cause runs deeper than Kelp's configuration. The fundamental problem is the trust model. Kelp's bridge, like most bridges and many Layer 2 rollups, relies on oracles reading blockchain state from RPC nodes and attesting that "this thing happened." The security of the entire system reduces to one question: can you trust the nodes feeding data to your verifier? The Kelp hack proves the answer is no. Not the decentralized and trustless ideal we went for...

There is a fundamentally different approach: validity proofs. Instead of trusting oracles to honestly report what happened on another chain, you require a cryptographic proof, a zero-knowledge proof, that the state transition actually occurred according to the protocol's rules. The verifier on the destination chain doesn't trust any RPC node, any oracle, or any DVN. It checks the math. Either the proof is valid or it isn't. This is exactly the model ZK rollups use to settle on Ethereum. The L1 doesn't ask an oracle "did these transactions happen?" It verifies a succinct proof that they did.

▶ The Goose That Lays the Golden Eggs

One could argue the attacker showed restraint. With a 1-of-1 DVN, they could have minted any amount, $292 BILLION, if they wanted. There are liquidity arguments (you can only extract what lending markets will let you borrow against) and detection arguments (the larger the mint, the faster the response). But there's a more cynical reading. The Lazarus Group and similar state-sponsored actors are in a peculiar position. They could mint an amount large enough to collapse the entire DeFi ecosystem. But doing so would kill the very system they profit from. So they calibrate, enough to fund their operations, not so much that the ecosystem loses confidence and collapses. The goose must keep laying.

The DeFi ecosystem likes to talk about trustlessness and decentralization. But when a handful of poisoned RPC servers can drain nine figures and trigger a systemic crisis, we should be honest about where we actually are, and serious about the cryptographic tools that can actually get us there. Stay safe.
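To make the threshold argument in the thread above concrete, here is an added simulation (the editor's, not LayerZero's or Kelp's code) of a DVN reading source-chain state through failover RPC lists: a 1-of-1 verifier whose healthy nodes are unreachable falls through to poisoned ones and approves the fabricated deposit, while a 2-of-3 quorum of independently sourced verifiers does not. Verifier and RPC names are constructed.

```python
"""Toy model of DVN quorum verification over RPC-sourced state (constructed example).
Each verifier reads the source chain through its own ordered failover list of RPC
endpoints and attests only if it sees the claimed deposit; the bridge message
executes once at least `threshold` verifiers attest."""
from dataclasses import dataclass, field

CLAIMED = {"token": "rsETH", "amount": 116_500}  # deposit the message claims (figure from the thread)

@dataclass
class Rpc:
    name: str
    healthy: bool = True        # False once the node is unreachable (e.g. DDoS'd)
    poisoned: bool = False      # True if an attacker controls its responses
    state: list = field(default_factory=list)  # deposits an honest node would serve

    def deposits(self):
        if not self.healthy:
            raise ConnectionError(self.name)
        return [CLAIMED] if self.poisoned else self.state

@dataclass
class Verifier:
    name: str
    rpcs: list                  # failover order

    def attest(self, claim):
        for rpc in self.rpcs:
            try:
                return claim in rpc.deposits()
            except ConnectionError:
                continue        # fail over to the next endpoint
        return False            # nothing reachable: refuse to attest

def dvn_approves(verifiers, threshold, claim):
    """A message executes only when at least `threshold` verifiers attest to it."""
    return sum(v.attest(claim) for v in verifiers) >= threshold

def scenario(independent_verifiers, attack=True, real_deposit=False):
    """Kelp-style setup: the lone DVN's healthy nodes are knocked offline, so it fails
    over to two poisoned ones. With independent_verifiers=True, two more verifiers
    using their own unaffected RPC providers form a 2-of-3 quorum with it."""
    honest = [CLAIMED] if real_deposit else []
    lone = Verifier("dvn-1", [Rpc("rpc-a", healthy=not attack, state=honest),
                              Rpc("rpc-b", healthy=not attack, state=honest),
                              Rpc("rpc-x", poisoned=attack, state=honest),
                              Rpc("rpc-y", poisoned=attack, state=honest)])
    if not independent_verifiers:
        return dvn_approves([lone], 1, CLAIMED)     # 1-of-1: poisoned view wins
    others = [Verifier(f"dvn-{i}", [Rpc(f"rpc-{i}", state=honest)]) for i in (2, 3)]
    return dvn_approves([lone] + others, 2, CLAIMED)  # 2-of-3: needs an honest ack
```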
Alex Beszedin 🧬 retweeted
H.E. Justin Sun 👨‍🚀 🌞 (@justinsuntron)
OK — Kelpdao hacker, how much you want? Let’s just talk. With KelpDAO’s help, of course. It’s simply not worth it to sacrifice both Aave and KelpDAO and let them go down over this hack. You can’t spend $300 million anyway.
Aggr News (@AggrNews)
KELPDAO'S LIQUID STAKING TOKEN POTENTIALLY EXPLOITED FOR OVER $100M: ONCHAIN
Alex Beszedin 🧬 retweeted
Drift (@DriftProtocol)
Today, Drift is announcing a collaboration with @tether and other partners totaling up to nearly $150 million to support our commitment to a relaunch with USDT at the center, and a path to user recovery. These funds encompass a $100M revenue-linked credit facility, an ecosystem grant, and loans to market makers, designed to fund a dedicated user recovery pool. Learn more 👇
whysomad 🧬 (@0xwhysomad)
me 😭 wen recognize @Redacted_John last draft on @typefully was a post about tMITO to $MITO convert ~1 month ago and since then nothing new is pre-written and posted. 🌄
nico (@0xNIC0)
A week in, and I want to speak directly.

We put out an official update from @reflectmoney earlier this week. If you haven't read it, please do. What follows here is personal, not an official statement from Reflect. It's how I'm thinking about this, and what you should expect from me going forward.

I'm not going to dress this up. This week has been rough. I know it's been rough for some of you too. And I know that nothing I write here fixes that.

I started Reflect because I believe deeply in what this infrastructure can be. That conviction hasn't changed. If anything, this week has sharpened it. But I also understand that, on my end, conviction means very little right now if you're sitting there wondering what happens next. So let me be straightforward about where things stand rather than ask you to take my word for anything.

The situation across the ecosystem is still developing, and the team is monitoring every part of it closely. Drift today publicly acknowledged the impact this has had on builders who integrated with them. I can't give you a timeline or a guarantee right now, and I'm not going to pretend otherwise. This space has a pattern of promises made in the heat of the moment that quietly disappear weeks later. I refuse to add to that.

As developments relevant to affected USDC+ holders arise, including through our ongoing contact with Drift and counsel, we will communicate them clearly and promptly. I know the pause on USDC+ is frustrating, and I know that waiting without a clear picture is harder than most things in this space. Any changes to its status will be communicated as part of these updates.

I want to acknowledge the people who have reached out this week. Some of you have had hard questions. Some of you are frustrated. Some of you are angry. All of that is completely understandable. But many of you have also reached out with support, with patience, and with genuine belief in this team. I don't take that lightly. I appreciate all of it, and it matters more than you know.

I'd rather be straight with you about where things are than give you something that sounds good today and falls apart tomorrow. That's not how I operate, and it's not how this team operates. If you've followed this journey from the start, you know that. If you're new and still figuring out whether we're the kind of team that shows up when it matters, I understand. Watch what we do next.

I think about the people affected every day. That hasn't left my mind once this week and it won't going forward. The team is working on this every single day, and I'll continue sharing my perspective here as things develop. Official updates will continue to come through @reflectmoney and my own account.
Alex Beszedin 🧬 retweeted
ZachXBT (@zachxbt)
1/ Recently an unnamed source shared data exfiltrated from an internal North Korean payment server containing 390 accounts, chat logs, crypto transactions. I spent long hours going through all of it, none of which has ever been publicly released. It revealed an intricate ~$1M/month scheme of fraudulent identities, forged legal documents, and crypto-to-fiat conversion. Enjoy the findings!
Alex Beszedin 🧬 retweeted
Arpit Singh (@Arpitx35)
Mom said don't talk to strangers. Drift didn't listen!

Everyone's posting about the @DriftProtocol hack so here are my 2 cents as an ex-cybersec guy who's still been hacked multiple times himself 😅

This was a classic social engineering attack, the most common attack vector in today's world. OpSec has improved so much that human emotions are now the easiest target left, and as we say in cybersec: "Your system is only as strong as its weakest link."

Here's a brief of what happened:
- DPRK actors posed as a quant trading firm
- met Drift contributors at conferences
- made a TG group
- gained trust over 6 months
- and then slipped in malicious repos and TestFlight apps that got keys social engineered right off their devices

Now I see a lot of people blaming the team for going to conferences and sharing repos/testflights but honestly? That's completely normal! That's how I've met some of my closest friends in this space, and sharing repos or testflight builds between teams is pretty standard practice, I've done it too. The problem wasn't the human interaction, the problem was the security architecture that left no room for human error.

But the weak part here was the multisig. It only had a 2/5 threshold with those keys sitting on frontends, which is really bad. Even for personal funds exceeding $10k, you should be using a multisig of hardware wallets to avoid these hacks. And for funds as large as $300 million, the best setup in my opinion would be a nested multisig, that is a multisig of multisigs, where each leg is itself a multisig of hardware wallets. The diagram below explains it better.

We can also have something like wallet whitelisting. Similar to how traditional banks work, where you add a beneficiary and have to wait 24 hrs before you can send money to them, we can have the exact same thing for whitelisting wallets onchain. Would just be a simple onchain contract.

On top of that we also need a cooldown period of about 12 hrs after queuing a transaction, and an amount check so that no more than $1M can be transferred in a single transaction.

I might be wrong at places, would love correction in the replies below!
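The whitelist delay, queue cooldown and per-transaction cap proposed in the post above, as an added off-chain sketch by the editor (not Drift's code and not a contract): a small Python policy object with a simulated clock, showing that even signers who already hold a quorum cannot pay a newly added address before the delays elapse, which leaves a guardian a window to cancel. Addresses and the USD-denominated unit are constructed.

```python
"""Treasury transfer policy sketch (constructed example, not Drift's code): a
destination whitelist usable only 24 h after an address is added, a 12 h cooldown
between queuing and executing, and a per-transaction cap. Time is an integer
number of seconds supplied by the caller so the policy can be simulated offline."""
WHITELIST_DELAY = 24 * 3600
QUEUE_COOLDOWN = 12 * 3600
MAX_PER_TX = 1_000_000        # cap in a constructed USD-denominated unit

class Treasury:
    def __init__(self):
        self.whitelist = {}   # address -> time at which it becomes usable
        self.queue = {}       # tx id -> (to, amount, earliest execution time)
        self.next_id = 0

    def add_beneficiary(self, addr, now):
        # Bank-style beneficiary: registered now, spendable only after the delay
        self.whitelist[addr] = now + WHITELIST_DELAY

    def queue_transfer(self, to, amount, now):
        if amount > MAX_PER_TX:
            raise ValueError("amount exceeds per-transaction cap")
        if to not in self.whitelist:
            raise PermissionError("destination not whitelisted")
        tx_id, self.next_id = self.next_id, self.next_id + 1
        self.queue[tx_id] = (to, amount, now + QUEUE_COOLDOWN)
        return tx_id

    def cancel(self, tx_id):  # a signer or guardian vetoes during the cooldown
        self.queue.pop(tx_id)

    def execute(self, tx_id, now):
        to, amount, ready_at = self.queue[tx_id]
        if now < ready_at:
            raise PermissionError("cooldown not elapsed")
        if now < self.whitelist[to]:
            raise PermissionError("whitelist delay not elapsed")
        del self.queue[tx_id]
        return to, amount

def compromised_signers_fail_fast():
    # Even signers already holding a quorum cannot pay a fresh address quickly
    t = Treasury()
    t.add_beneficiary("0xfresh", now=0)
    tx = t.queue_transfer("0xfresh", 900_000, now=0)
    try:
        t.execute(tx, now=QUEUE_COOLDOWN)   # 12 h later: whitelist still inactive
        return False
    except PermissionError:
        t.cancel(tx)                        # guardian vetoes inside the window
        return tx not in t.queue
```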
Alex Beszedin 🧬 retweeted
Jeff Security (@jeffsecurity)
No audit saves you from this. Drift was audited. They still lost $270M. DPRK ops deposited $1M, met the team IRL across 3 countries, built trust for 6 months - then opened a VSCode file and drained everything in 60 seconds. The attack surface was human.
Alex Beszedin 🧬 retweeted
sudo rm -rf --no-preserve-root /
i genuinely think everyone in this space should immediately switch to using Vim.

DPRK started abusing VS Code hooks that run _automatically_ in the background when you open a folder. ZERO fucking user interaction required _after_ trusting the repo (the trusting part is important here). Yes, read it again. ZERO. INTERACTION. REQUIRED.

so what happens is the following: they (in the usual case the Contagious Interview group, meaning some fake recruiting guy) share GitHub, Bitbucket, and GitLab repos containing a `.vscode/` subdirectory with malicious hooks. the one example I share here executes a fake font that's actually heavily-obfuscated JS and will absolutely rek you.

all your fancy software that feels "convenient" makes tradeoffs. those tradeoffs are now being abused to silently rek your devices. use Vim. and use Qubes. Thx.
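A pre-open check for the `.vscode/` auto-run hooks the post above describes, as an added example from the editor (not the poster's code): it parses a constructed `tasks.json` and lists tasks whose `runOptions.runOn` is `folderOpen`, the VS Code setting that starts a task as soon as a trusted folder is opened, then applies a constructed heuristic for an interpreter being pointed at a non-code asset such as a "font". The sample file, its labels and the heuristic are constructed.

```python
"""Flag VS Code tasks that auto-run when a folder is opened (constructed example).
VS Code's tasks.json supports "runOptions": {"runOn": "folderOpen"}, which starts
the task automatically once the workspace is trusted, so a cloned repo carrying
such a task gets command execution without a further click. Review them before
trusting the folder. The sample below is constructed, not a real repository."""
import json
import re

SAMPLE_TASKS_JSON = r'''{
  // comments are allowed in VS Code's JSONC files
  "version": "2.0.0",
  "tasks": [
    {"label": "build", "type": "shell", "command": "npm run build"},
    {"label": "fonts", "type": "shell",
     "command": "node ./assets/fonts/Regular.woff",
     "runOptions": {"runOn": "folderOpen"}}
  ]
}'''

def load_jsonc(text):
    # Strip whole-line // comments so the file parses as JSON (simplified JSONC)
    return json.loads(re.sub(r"^\s*//.*$", "", text, flags=re.M))

def auto_run_tasks(tasks_json_text):
    """Return (label, command) for every task that runs on folder open."""
    found = []
    for task in load_jsonc(tasks_json_text).get("tasks", []):
        if task.get("runOptions", {}).get("runOn") == "folderOpen":
            cmd = task.get("command", "")
            if task.get("args"):
                cmd += " " + " ".join(map(str, task["args"]))
            found.append((task.get("label", "<unnamed>"), cmd))
    return found

def suspicious(found):
    """Constructed heuristic: an interpreter invoked on a font/image/document file,
    the pattern of a 'font' that is really an obfuscated script."""
    interp = re.compile(r"\b(node|python|python3|sh|bash|powershell)\b")
    asset = re.compile(r"\.(woff|woff2|ttf|otf|png|jpg|pdf)\b")
    return [label for label, cmd in found if interp.search(cmd) and asset.search(cmd)]
```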
underoak (@underoakeyebrow)
looking for the best ways to use these tokens. submit your suggestions, frens. wrong advice only 👇👇👇