Daniel Von Fange

3.6K posts

@danielvf

Skilled Professional (most days). Defends against the bad guys.

East Coast. Joined September 2006
1.2K Following, 12.2K Followers
Pinned Tweet
Daniel Von Fange@danielvf·
This exact string of bytecode has been deployed more than 40 million times, averaging more than 25 times per unique contract on ethereum. It makes up 8.16% of all code on Ethereum. What is up with this? Thread... 1/4
elyx0@elyx0·
@danielvf Depends if the 10% reqs assembly{} shenanigans no one will grasp
Daniel Von Fange@danielvf·
If you had the option of making all new solidity contracts 10% smaller, but cost 15 gas more to call, would you do it?
Daniel Von Fange@danielvf·
@sferik @nikitabier In a non-gamed case, it's because you're both adding value (your own opinion), and it's higher signal (you are putting in some work in response). Elon is basically gaming it though. Things that work on average can be gamed.
Erik Berlin@sferik·
@nikitabier Why does Elon always repost with a “comment” (typically a single word or emoji) versus just reposting. Presumably the algorithm rewards the former, but he/you could change the algorithm. The comments don’t add value; they’re just noise.
Daniel Von Fange@danielvf·
@puntium Also, you can completely remove a lot of risks at the architecture stage, before any code gets written.
Daniel Von Fange@danielvf·
@puntium Internal code review, both early/informal, and full/deep before code goes to external parties for review.
Ken Deeter (puntium.eth) 🦇🔊
The 2026 DeFi security stack:
- Audits (human, agentic)
- Formal Verification
- Guarded Launches
- Rate limits, settlement gates with emergency overrides
- Bug bounties
- First loss junior capital tranches
- Multisig opsec review
- Gsuite/slack/telegram/X opsec review
- DNS / package dependencies / Web2 stack security audit
- Collateral asset review and disclosure (market, operational, oracle)
- Infra dependency risk (bridges, pools, oracles, etc.)
- Realtime monitoring
- Incident response run-books
- Periodic reviews to catch drift in any of the above
- Review depth and sophistication that scales with value at risk

What am I missing?
Mitchell Amador@MitchellAmador·
You would be surprised to understand which ecosystems are really the safest, and what drives that. It's not what you think.
pashov@pashov·
The reasonable man adapts himself to the world, while the unreasonable man persists in adapting the world to himself. Therefore all progress depends on the unreasonable man. Have a beautiful Saturday🌸
Daniel Von Fange@danielvf·
@functi0nZer0 I just learned that if someone is behaving super badly in UK parliament they kick them out for a few days as punishment.... ..... by saying their full name
Daniel Von Fange@danielvf·
The lesson from this weekend is:
1. Do not build a system like this
2. If you have built a system like this, fix it
3. If you depend on someone who depends on something like this, be scared, don't trust as much.
Daniel Von Fange@danielvf·
@hrkrshnn Some of the happiest days in my life have been when I no longer needed to do a thing, for the thing to be done.
Hari@hrkrshnn·
If you spent 10 years of your life becoming a cancer specialist and all of a sudden a pharma company is going to drop a cancer vaccine that cures 90% of cancer, how will you react?
Tay 💖@tayvano_·
Yeah, they will do whatever and learn whatever to execute a hack. They're very good at learning. But I guess sitting there and trying to find a vulnerability is just not something they spend their time on. It might also be the sheer number of people, especially ones who aren't necessarily the best devs but who can send messages and socially engineer the fuck out of any company in the space.
Daniel Von Fange@danielvf·
They used to be clueless on the smart contract side, but that's not the case any more. The big hacks were not because of smart contract vulnerabilities, but often employ contracts to do some clever things. Bybit for example, upgraded a gnosis safe to a custom dprk implementation, and stole with it.
MilliΞ@llamaonthebrink·
@tayvano_ @wagmiAlexander Yeah I personally think because they don’t have the savvy
They repurpose spy tools for nation state cyber war to target low hanging opsec marks
fofr@fofrAI·
gpt-image-2 is pretty good. > show me a screenshot of a mac desktop, large terminal window visible, doing something in the terminal with an expressive TUI layout related to a world sim
Daniel Von Fange@danielvf·
A scary amount of people do use that phrase to mean "an Act of God beyond the control of mortals". Compromising infra and replacing geth so it faked information to a particular IP, is both
1. A sophisticated attack
2. Something that you should have designed your system to handle.
WhiteHatMage@WhiteHatMage·
In the shadowed veils of antiquity, such world-shaking calamities were simply called ~magic~. Yet in this flickering age, mortals name them ~sophisticated attacks~. Both spring from the same ancient root: the ever-hungry void of knowledge.
Daniel Von Fange@danielvf·
I think many non-pure onchain projects may have something like this buried inside. For example, a large restaking protocol might build a cron job that loads in the total amount staked over RPC, and then updates the onchain token's assets and distributes yield with the results.
Daniel Von Fange@danielvf·
To add nuance, there's some aspect of this in any bridge. But trust should not be binary - you can't build a system like this on pure trust of the component before it.