Constantine | dRPC.ORG (@constantine_rm)

2K posts

CEO at @dRPCorg - The most performant & reliable Web3 infrastructure

Worldwide · Joined October 2017
243 Following · 9.7K Followers

Pinned Tweet
Constantine | dRPC.ORG (@constantine_rm)
In dRPC you can run a quorum of data providers, including internal nodes, with custom rules for quorum. We made it in 2023: drpc.org/docs/gettingst…. For a mission-critical application like a bridge or oracle, there's no excuse not to set it up. But they didn't.

The framing of the recent KelpDAO and LayerZero incidents as some novel attack vector, or the work of meaningfully smarter attackers, is mostly wrong. The actual failure mode - applications trusting a single RPC endpoint to return honest data - has been discussed openly for years, by @VitalikButerin, @lomashuk, @MicahZoltu, @wagmiAlexander, @ChainLinkGod, @banteg, and many others. It is neither new nor subtle. A closely related failure happened in 2022 with the Ankr DNS hijack on Polygon and Fantom: x.com/Mudit__Gupta/s…

The point here isn't ideological. In a 24/7 market where automated systems act on RPC responses in real time, assuming one provider will always return correct data is a system-level risk. There is no T+2 window in which a human notices the error and reverses it.

When we launched dRPC, cross-verification across a permissioned set of RPC providers was the core idea. The original repo and docs are still up (although outdated since then):
- drpc.org/docs/gettingst…
- github.com/drpcorg/drpc-s…

We used a simple quorum rather than zk-based verification, partly to test real demand before overbuilding. Two observations from that period:
1. The demand was not there. In public, everyone agreed with the thesis. In private, the responses were "we are not ready to pay more for quorum," or "yes, we could apply it to sensitive paths only, but it's not a priority."
2. The risk was real. The market is now discovering this at a cost of roughly $250M.

Because full cross-verification on every request is overkill for most workloads, we eventually shifted toward shadow checks — randomized background comparisons across providers that detect and eject unhealthy nodes before they serve meaningful traffic. This is a reasonable compromise for general workloads. It is not a substitute for quorum on sensitive paths.

So the practical rule, for anyone building infrastructure whose failure mode is user funds:
1. Use at least 3–5 independent, reliable RPC providers.
2. Do not build your load balancer on training wheels. Something like drpc.org/nodecore-open-… is open source, free, and almost certainly better than what you would build in-house. Contributing to it is a better use of time than reinventing it.

You cannot defend against every possible attack. But this particular class is avoidable at low cost, if you are willing to treat RPC as a system-level dependency rather than a commodity input. That is a reasonable bar for anything meant to serve more than a narrow circle of users.

We will update the dRPC NodeCore (drpc.org/nodecore-open-…) with strict rules for quorum on your side in the near future, stay tuned. If you have more sophisticated requirements for security, we are fully open for your requests - feel free to reach out to me via DM here or by email kz@drpc.org
LayerZero (@LayerZero_Core)
x.com/i/article/2046…
3 · 17 · 65 · 35.6K
Constantine | dRPC.ORG (@constantine_rm)
Well said. The whole world is pretty "patterned". Rivers find the easiest way to flow; likewise, money finds the easiest way to grow. People can help to find these ways and adapt, or spend their lives trying to change the direction of the flow because "that's right" in their mind.
Brivael Le Pogam (@brivael)

Elon Musk once said something about resource allocation that stuck with me. In substance: past a certain level of wealth, money is no longer consumption, it is capital allocation. That sentence changes everything. The economy, at bottom, is just an allocation problem. You have finite resources and infinite uses. Who decides what goes where? Imagine a school playground. 100 children, packs of Pokémon cards handed out at random. You let things run. Very quickly, an order emerges. The good players accumulate the rare cards, the collectors sort, the negotiators find deals. Nobody planned it. And yet every card ends up in the hands of whoever gets the most value out of it. The system maximizes the total happiness of the playground. That is the invisible hand. Now bring in the teacher. She finds it unfair. Léo has 50 cards, Tom has 3. She confiscates, redistributes, imposes equality. Three immediate effects. The good players stop playing, what's the point. The bad ones no longer have any reason to improve, they will get their share. Trading collapses. The playground is equal, and dead. She maximized equality, she destroyed happiness. The teacher's problem is that she cannot have the information the playground had collectively. That is Mises's economic calculation problem, formulated in 1920. The USSR tried to solve it for 70 years with Gosplan. Result: shortages, queues, collapse. Not because the Soviets were stupid, but because the problem is mathematically unsolvable in centralized mode. When Musk has 200 billion, he does not consume it, he allocates it. SpaceX, Starlink, Neuralink, xAI. Every dollar is a bet on the future. And he has a track record. PayPal, Tesla, SpaceX. He has shown that he knows how to identify immense problems and allocate resources to them with spectacular returns. The State also has a track record.

Hospitals collapsing, education declining, debt exploding, public services deteriorating despite constantly rising budgets. The market identifies good allocators, politics identifies good communicators. Profit is not an end, it is a signal. It says: you allocated scarce resources to a use that people value enough to pay for. The bigger the profit, the greater the value creation. When Starlink is profitable, it means millions of people in rural areas finally have internet. When a ministry runs a deficit, it means it consumes more than it produces. One creates, the other destroys, and we call that redistribution. In our societies there are two categories of actors. Entrepreneurs and bureaucrats. The entrepreneur takes a personal risk to identify a problem, mobilize resources, create a solution. If he is wrong, he loses. If he is right, his customers win, his employees win, his suppliers win, the State collects taxes. He is the basic cell of human progress. The bureaucrat takes no personal risk. His salary is guaranteed. At best he maintains an existing rent. At worst he destroys it through excessive regulation, forced misallocation, perverse incentives that discourage those who produce. But in no case does he create. Look at the last 50 years. iPhone, civilian internet, SpaceX, Tesla, Google, Amazon, Stripe, mRNA, ChatGPT. All private inventions, carried by entrepreneurs, financed by venture capital. Not a single ministry has invented anything that changed your daily life. France has become the world's laboratory of bureaucratic drift. 57% of GDP in public spending, an absolute record. A sprawling administration, a tax system that penalizes wealth creation. Result: falling behind the United States, Germany, Switzerland. Brain drain. Deindustrialization.

Exploding debt. And the worst part is that the misallocation reinforces itself. The more the State takes, the less entrepreneurs create. The less they create, the smaller the tax base. The more the State borrows and taxes. A perfect negative feedback loop. The teacher thinks she is helping, and every year the playground produces less. In our societies it is always the entrepreneurs who move civilization forward. Bureaucrats at best maintain a rent, at worst destroy it. No society has ever progressed by taxing its creators to subsidize its managers. The question is never who has how much. It is who best allocates the next unit of resource to maximize humanity's future. The answer has not changed in 200 years. It is not the civil servants.

0 · 0 · 0 · 89
Constantine | dRPC.ORG (@constantine_rm)
1. Yes, because it's just a default lb, where your local nodes are always better and prioritized.
2. If someone catches you with a gun on the street, your 16-symbol password will not help you save your money if the guy with the gun knows about it - correct. But LZ said that the balancer was not hacked, only the RPCs ;)
2.1. What is "popular"? dRPC is popular, we serve the majority of well-known web3 projects. If you are asking about Alchemy and QN in particular, because only those 2 are more "popular" now - we don't have them in the pool, so currently you can't use them for such a quorum. But I believe it's a good moment in time to discuss this with them as well. Eventually it's not about competition, but collaboration for the common good.
Btw, write me in DM, always happy to speak with fans 🫶
0 · 0 · 1 · 31
Nam Chu Hoai ⏩ (@nambrot)
1. Agree that more nodes would have been better, but does that invalidate their approach/architecture?
2. Can you share more? If the machine that runs the signature verification gets hacked (like in this case), this doesn't help you, no? Btw, can you share more here? I was not aware that popular RPC node providers provide signatures of their responses.
3. Agree, that's what I mean by pathological.
1 · 0 · 0 · 21
Constantine | dRPC.ORG (@constantine_rm)
We got a lot of requests to bring this back to life, and as promised, it's live now! drpc.org/docs/gettingst… If you build a mission-critical dApp, or if part of your functionality is super fragile to RPC poisoning, please use the Verification feature from dRPC via NodeCloud or NodeCore; there is no excuse not to use it, and you can't say, after yet another hack, that you were not aware of this.
0 · 3 · 23 · 6.5K
Constantine | dRPC.ORG (@constantine_rm)
It's a good question, and we can't say "use dRPC's NodeCloud or NodeCore, and you will be 100% SAFU", I'm not "that" CZ :D But the possibility of such an attack will be much lower. Based on their message, they used 2 self-hosted RPCs (poisoned) and 1 3rd-party RPC (DDoSed). With this feature, as I mentioned, drpc.org/docs/gettingst…, it will be impossible to hack. Why:
1. not only 3 nodes, 2 of them under the control of 1 DevOps.
2. each response is signed by the provider with a key on the provider side.
3. if quorum isn't reached (let's imagine some node was poisoned or DDoSed) you will get an error, not a wrong response
1 · 0 · 0 · 56
Nam Chu Hoai ⏩ (@nambrot)
Long time fan of drpc, I'm curious how you assess the specific situation here? My understanding is that even if L0 would have used NodeCore (which it sounds like they had their own version), this compromise would have likely happened since the machine running nodecore could have just been swapped out? And then with NodeCloud, the trust of "properly running quorums" would have moved from their infra to your infra? From what I can tell, there was a pathological case with the quorum logic which excluded "down" nodes from quorum?
1 · 0 · 1 · 41
Constantine | dRPC.ORG (@constantine_rm)
@toxzique @banteg @Quicknode "Send enough traffic" via eth_call? And block not the particular requests that hit the limit, but the entire account? God bless the users of this service in that case :)
1 · 0 · 0 · 58
Constantine | dRPC.ORG (@constantine_rm)
Not really, I don't even know how KelpDAO is exactly related here. This post is about a technical design issue, based on the official message from LayerZero. And this kind of issue is not something unique. It's not pointing at someone in particular for poor design, it's a highlight of a generally poor approach, where for years people refused to spend time and money on RPC reliability.
1 · 0 · 8 · 312
Jonny Dee (@0xJonnyDee)
@constantine_rm Feels like it's a bit of a blame game going on right now. Let's see what KelpDAO says. Regardless, DeFi is currently in shambles.
1 · 0 · 1 · 342
Constantine | dRPC.ORG (@constantine_rm)
I'm not really understanding how "other providers" were DDoSed by <20M eth_calls during a couple of hours, based on the provided screenshot. And as @ChainLinkGod mentioned below, there are no clear statements on who was compromised. I believe most likely it was in-house nodes. Because it's quite logical from a typical lb logic perspective:
1. lb estimates the fastest nodes
2. lb sends requests to them
So you don't need to DDoS anybody, you can just compromise the in-house nodes which are closest to the Gateway and considered "fastest" - profit. We initially built our system to cover such issues with RPC centralization, because such a vector of attack is not new at all, and it was just a question of time until it would hit. Will make a post with my thoughts on all of this today.
1 · 0 · 8 · 1.6K
0xngmi (@0xngmi)
The attack was
1. North Korea figured out which RPC providers LZ was using
2. They compromised two of the providers to make them return fake data
3. DDoSed other providers to shut them down, forcing LZ to use the bad ones
AFAIK I was the only one who actually called it
LayerZero (@LayerZero_Core)
x.com/i/article/2046…
78 · 101 · 1.4K · 148.9K
banteg (@banteg)
went through layerzero gasolina aws deployment repo + extracted app source. tl;dr concerning: the reference deployment is public by design. and the sample providers.json ships with rpc quorum: 1 on every mainnet chain.
1. the recommended cdk stack puts a public api gateway in front of a private alb in front of fargate in private subnets. publicLoadBalancer: false, taskSubnets: PRIVATE_WITH_NAT, and an HttpApi with HttpAlbIntegration. the readme literally tells operators to send the resulting ApiGatewayUrl to layerzero labs.
2. no authorizer, no iam auth mode, no ip allowlist, no waf, no route-level policy anywhere in the repo. the app itself (bootstrap.ts) registers /provider-health, which leaks configured rpcs. server.listen(port) without host arg binds to public ip.
3. cdk/gasolina/config/providers/mainnet/providers.json sets quorum: 1 for ethereum, bsc, polygon, arbitrum, optimism, fantom, and the rest. multiple rpc urls are configured as failover, not consensus. the multiprovider code only enforces quorum when quorum > 1 and explicitly bypasses the wrapper when it's 1. rpcs are mostly public endpoints (llamarpc, publicnode, ankr).
4. provider config lives in an s3 bucket that the cdk stack creates, uploads to, and passes via env vars (PROVIDER_CONFIG_TYPE, CONFIG_BUCKET_NAME). so the trust boundary is the app + the mutable config plane + the upstream rpc tier + whatever's in front of api gateway.
5. operators are told to validate by curling the public url for /available-chains, /signer-info?chainName=ethereum, /provider-health (again, leaks rpc). external reachability is an encouraged documented requirement.
caveats: this is the public repo and extracted non-public source. it doesn't prove the config they had for kelp bridge. but the public info and the defaults the operators are pointed at look concerning. read more here: gist.github.com/banteg/2fde29d…
18 · 34 · 355 · 44.6K
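The three quorum policies argued over in this thread, side by side: the pinned post's cross-verification with "error, not a wrong response" when quorum fails, Nam's question about a quorum that drops "down" nodes from the count, and banteg's observation that quorum: 1 turns multiple RPC URLs into mere failover. This is an added illustration, not dRPC NodeCore or Gasolina code; every provider name, latency and eth_call result in it is constructed.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class Provider:
    """One configured RPC upstream (constructed sample, not a real endpoint)."""
    name: str
    latency_ms: int
    result: Optional[str]  # eth_call result; None = unreachable (timed out / DDoSed)


class QuorumError(Exception):
    """Raised instead of returning data when agreement is insufficient."""


def _agreeing(live: List[Provider], need: int) -> str:
    """Return the most common result if at least `need` live providers agree."""
    counts = Counter(p.result for p in live)
    if not counts:
        raise QuorumError("no provider reachable")
    value, n = counts.most_common(1)[0]
    if n < need:
        raise QuorumError(f"{n} matching responses, need {need}")
    return value


def failover(providers: List[Provider]) -> str:
    """quorum: 1. Extra URLs are only failover: the fastest reachable provider's
    answer is served unverified, which is what a latency-based balancer does."""
    for p in sorted(providers, key=lambda p: p.latency_ms):
        if p.result is not None:
            return p.result
    raise QuorumError("no provider reachable")


def lenient_quorum(providers: List[Provider], quorum: int) -> str:
    """Quorum counted over *reachable* providers only: unreachable nodes are
    dropped from the set, so the required count shrinks as nodes go down."""
    live = [p for p in providers if p.result is not None]
    return _agreeing(live, min(quorum, len(live)))


def strict_quorum(providers: List[Provider], quorum: int) -> str:
    """Quorum counted over the *configured* set: an unreachable node is a
    missing vote, never a smaller denominator. Fails closed."""
    live = [p for p in providers if p.result is not None]
    return _agreeing(live, quorum)


def outcome(policy: Callable[..., str], *args) -> str:
    """Run a policy and report either the value served or the error raised."""
    try:
        return policy(*args)
    except QuorumError as exc:
        return f"ERROR: {exc}"


HONEST, FORGED = "0x01", "0xbad"  # constructed eth_call results
# Constructed scenario matching the thread: two self-hosted nodes (fastest,
# so preferred by the balancer) return forged data, the third-party node is down.
INCIDENT = [
    Provider("inhouse-1", 5, FORGED),
    Provider("inhouse-2", 6, FORGED),
    Provider("thirdparty-1", 40, None),
]
# The same incident against the recommended 3-5 independent providers.
WIDER_SET = INCIDENT + [
    Provider("thirdparty-2", 45, HONEST),
    Provider("thirdparty-3", 60, HONEST),
]
# A normal day on the wider set: everyone honest, thirdparty-1 still down.
HEALTHY = [Provider(p.name, p.latency_ms, HONEST if p.result else None) for p in WIDER_SET]


def run_scenarios() -> Dict[str, str]:
    return {
        "failover":       outcome(failover, INCIDENT),
        "lenient_q3":     outcome(lenient_quorum, INCIDENT, 3),
        "strict_q3":      outcome(strict_quorum, INCIDENT, 3),
        "strict_q3_wide": outcome(strict_quorum, WIDER_SET, 3),
        "healthy_q3":     outcome(strict_quorum, HEALTHY, 3),
    }


if __name__ == "__main__":
    for name, res in run_scenarios().items():
        print(f"{name:15s} {res}")
```

Only the strict policy turns the poisoned-plus-DDoSed combination into an error; both failover and the lenient count serve the forged value, and the wider provider set only helps once the quorum is counted against the configured set.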
Duca (@big_duca)
Anyone know someone from @Quicknode? We are burning through credits and need to upgrade to a higher plan asap.
11 · 0 · 19 · 3K
Constantine | dRPC.ORG retweeted
Aerodrome (@AerodromeFi)
3 rounds of audits, starting this month. Then a bug bounty. Then Mainnet. See you in July.
63 · 85 · 712 · 101.3K
Vasily Sumanov (@vasily_sumanov)
@wagmiAlexander @wmougayar Whoever made this dashboard has wrong numbers in it. Revenue for @aerodrome, @CurveFinance and some other projects is much bigger. This data is wrong, and whoever built this dashboard isn't deep in what he did and didn't even verify his numbers.
0 · 0 · 0 · 65
alexander (@wagmiAlexander)
In almost every conversation with funds and institutions at DAS they expressed: "we need better tokens". The last year proved the market is no longer willing to tolerate tokens that don't have a reason to exist. This year let's put the "fun" back into fundamentals.
15 · 6 · 95 · 3.5K
Constantine | dRPC.ORG retweeted
P2P.org (@P2Pvalidator)
Most Solana infra promises speed. Few explain where it comes from. Speed is not just about sending. It is about landing, and that is a product of routing. Let us break it down ↓
2 · 4 · 11 · 528