Durian.hl
@eosdapper

1.7K posts
Joined May 2017
824 Following, 388 Followers

Durian.hl retweeted
Tay 💖 (@tayvano_)
I beg everyone in crypto to read this in full. I expected this to be another case of social engineering, likely some recruiter/job offer shit. I was very wrong. And the depth of the operation and personas makes me think they already have multiple other teams on lock. 😳
Drift (@DriftProtocol)

x.com/i/article/2040…


Cobie (@cobie)
but it is a good question. i thought maybe no guests but ledger has missed 3 yrs of crypto so nothing to talk about without guests lol
* jeff + shoku
* prediction mkts
* light if he will do it again
* maybe arthur hayes, never came on before
* maybe some recent founders of ok stuff
* errrrr who else fk

Rhino (@lBattleRhino)
Up only back is dope but who will they have on, we don’t have anywhere near the level of interesting main characters that we did last cycle

AJC (@AvgJoesCrypto)
$CARDS is perhaps the clearest example of the market's fixation on buybacks swinging too far. @Collector_Crypt has built a fantastic business, on pace for $77.4 million in annualized revenue. Yet CARDS is down 65% from its ATHs, trading at just 3.4x P/S, one of the lowest multiples among top revenue-generating tokens.
AJC (@AvgJoesCrypto)

I don't know who needs to hear this, but you should not be using revenues to buy back your token. I don't know why CT has become so fixated on buybacks, but in 99% of cases, they're a bad idea. Reinvesting revenues to grow the business > Distributing value to tokenholders


Durian.hl retweeted
PaperImperium (@ImperiumPaper)
I love Uniswap, but let’s be honest. UNI tokenholders are financing much of the volume. Zero revenue goes to those tokenholders. People aren’t bear posting Uniswap The Product. They’re bear posting Uniswap The Investment.
Hayden Adams 🦄 (@haydenzadams)

Always funny to see people bear post Uniswap Meanwhile volumes are at all time high exceeding $1T/year for the first time Reg env massively improved And many exciting things on the horizon :)


Durian.hl (@eosdapper)
@litocoen You can pay tax with card? Show me plz 🥺

lito (@litocoen)
just got $4k cashback in one tx paying a tax instalment with my etherfi card there was a 2% card processing fee on the government portal but given cashback is 4% on the tier i am was still worth it thx scroll

Durian.hl retweeted
Evanss6 (@Evan_ss6)
My friend mistakenly sent mid 6 figs of USDC (basically owned by @Coinbase) to his @CoinbaseInsto Prime deposit address on Base, a chain wholly controlled by Coinbase. They are claiming they can’t recover it. This is not a contract address that is chain specific, they obviously have the private key, but they only accept USDC deposits on mainnet. The fact that they don’t support their own chain on Prime is laughable; the kicker is they have a recovery service for retail but not for Prime. They obviously can and should recover it.

Durian.hl retweeted
Vladimir S. | Officer's Notes (@officer_secret)
Urgent: Update iOS Now — A Dangerous Vulnerability Found in Safari and Chrome Browsers. Apple has released an emergency update for iOS 18.6 to address a serious security vulnerability. Hackers are already exploiting it — simply visiting a website can trigger the malicious code. There's no need to download anything. What’s particularly concerning is that all iPhones starting from the XS model are at risk. Attackers can gain access to passwords, banking information, and even enable hidden surveillance.

Durian.hl retweeted
b✭bby (@serbobross)
are you guys ever gonna fix or deploy the old bridge contract ? (the one deployed on eth mainnet) i got 55 eth stuck on the arbitrum side. all it would take to get my eth back is for you guys to use the create2 function in your library with the original deployer address (your multisig), you deploy that bridge/smart contract on any chain (there's like 9 other chains with people's money stuck on it), and then you can finalize the stuck transactions/finish the deposits.. but instead you deleted every tweet that had any mention of that bridge, and then deprecated it.
Base (@base)

Meet the new Base.


Durian.hl retweeted
ogle (@cryptogle)
TLDR: Across Protocol/Bridge ($ACX) team used secret votes to extract ~$23m from the Across DAO’s treasury for their own private company's benefit.

Background: I’ve many times posted about DAOs that are DAOs “in name only” - that is, organizations that pretend to be run by “the people” but where in reality all decisions are made by a very few select insiders, often team members. Across Protocol - although a relatively well-respected entity in the crypto space, backed by true chads and OGs - appears to be one such faux DAO.

Across is a crypto bridge that ostensibly runs on a DAO structure. The token holders of $ACX are led to believe that they are the stewards of the destiny of the protocol, and that those leading the project are acting to the benefit of the $ACX holders. However, if you look more closely at the governance proposals (and who votes on them, and how), it becomes clear that the DAO serves more to benefit Risk Labs, a separate for-profit company by the same team as Across, than it does to serve the Across DAO members themselves.

On information and belief, it seems the Across/Risk co-founders and insiders orchestrated governance proposals that let them secretly subvert the “democratic” process of the DAO, and extract ~$23m (at today’s value) from the treasury they were meant to protect. In doing so, they directly harm the current and future $ACX holders by creating significant amounts of potential future token sell pressure.

FYI/disclosures/disclaimer: Over the past few months I have spoken at length with Kevin Chan (Treasurer of Risk Labs) and Hart Lambur (CEO) about this upcoming post, both of whom were very responsive. I also spoke briefly with the head of marketing, James Richard Fry, to try to help coordinate their disclosure of what has happened, but he was almost completely unhelpful and was (at best) dismissive of the issues. My hope was that what I’d found on-chain was incorrect, but unfortunately it doesn't seem it was.

I gave a lot of time to the Risk Labs / Across folks to let me know if any of my points were inaccurate and to let the public know about what they’d done themselves, but they decided not to do so, so unfortunately I’m having to spend my time writing this post. There is a non-zero chance that I've gotten something incorrect in this post - but I did as much due diligence as I reasonably could before going live with this information.

I currently hold a long position in $ACX, have done a very large OTC with the Across team before, and hold long positions in virtually all of Across’s competitors. So, in a sense, I’m “fudding my own bags.”

What Happened (Part 1): In October 2023, Across project lead Kevin Chan submitted a public proposal to the DAO requesting 100 million $ACX tokens, valued at around $15m at the time of this X post, to be transferred from the DAO to Risk Labs, the Across founders’ private, for-profit company. snapshot.org/#/acrossprotoc…

This proposal was framed as a strategic investment in the future of Across Protocol, and for those who worried what would happen with the massive amount of distributed tokens, the proposal explicitly stated that tokens won’t be sold for 2 years. The proposal did not guarantee the money would be used for Across, there were no formal agreements between the two companies, and in fact Risk Labs does or has worked on projects separate and apart from Across, such as Oval. But the Across DAO should pay for this work?

When the vote went live, it looked like it had a lot of DAO voter support - but this was illusory. On-chain analysis shows that the proposal was, in fact, being secretly pushed through by Kevin and his crew. While Kevin used his public “KevinChan.Lens” address to propose the grant itself, he cast a massive “yes” vote in secret from a separate wallet: maxodds.eth. The wallet was somewhat easily linked to his friendtech account, as well as to named addresses of family members of his.

Kevin didn’t act alone, though: it seems that several folks from the Risk Labs team worked together to vote this massive grant through. Another team member, Reinis FRP, also used millions of $ACX across several secret wallets to vote “yes” on the proposal. And the second largest voting wallet in the entire proposal, accounting for almost 14% of the total vote, was initially funded by Hart Lambur, who founded both Risk Labs and Across.

So, it seems the team made a proposal for a huge treasury grant “in the open,” then used a web of hidden, insider-controlled addresses to make it look like there was “community approval” for the vote to pass. It looks like a staged vote, orchestrated by insiders, to benefit their private business to the tune of tens of millions of dollars.

What Happened (Part 2): A little less than a year later, and after the first vote went through without consequence, the team came back for even more money. This time, they asked the DAO for “retroactive funding” of 50m $ACX, worth $7.5m at the time of this post. And once again, Kevin’s secret wallets did much of the heavy lifting: maxodds.eth and a new wallet funded by it contributed 44% of the total “yes” votes.

There was more to this second proposal that was problematic, though. In the discussion forums for the new grant, the team said they had been selling token options agreements (in simple terms: selling the rights to the tokens) from the first proposal to “strategic investors.” If you remember, the first proposal clearly said there would not be any selling done for 2 years - and it was on this basis that supposedly the community (although in reality the leadership) had made the initial grant.

And one more thing of note: had the team not voted on this proposal, it wouldn't have reached quorum - meaning that it wouldn't have had enough votes to pass at all.

Why It Matters: In any other industry - be it publicly traded companies, non-profits, governments, whatever - there are strict rules against what’s called “self-dealing,” and others that tell us how we should act to prevent other breaches of duty. These ethical and legal guidelines have been established for a few hundred years in order to prevent the erosion of trust in the entities that have outsize influence on our lives.

In government, politicians are supposed to not vote on laws they will personally benefit from, or if they do, they have to do full disclosure. In business, if an insider of a publicly traded company is selling their shares or there is an arms-length deal that will benefit them, this has to be disclosed to the public. Even in non-profits, there’s a concept called “private inurement” where a non-profit can lose its tax-exempt status if its board members use the funds of the non-profit to benefit insiders without disclosure.

The goal of a DAO is to mitigate principal-agent issues - so if one or a few voters who are also management are able to pass a proposal that benefits themselves elsewhere, then it goes against the principle of DAO governance in the first place. If they do it surreptitiously, secretly, in my view this shows us that the purpose was to mislead the public, which is a far worse violation of ethics, and maybe laws. Otherwise why not disclose the conflicts of interest, and/or use wallets everyone knows are yours to do the voting?

More directly, the extraction of these $ACX tokens directly harms the current and future holders by not only draining the treasury, but also creating significant future potential sell pressure during the “unlocks.”

Final Thoughts: If the team members of crypto protocols feel they absolutely must vote on their own proposals to siphon funds from the public to their own private businesses, at the very least they should provide clear disclosure statements saying so, such as: “the team will be voting for this, and they are benefited personally by the $x that is being asked for. There is no guarantee that the team will do anything at all on behalf of the DAO, there are no agreements in place saying so and won't be, and the team will be voting affirmatively for this proposal with their own personal wallets.” Then, at least, the public can know that there are conflicts of interest, and vote/sell/buy their tokens accordingly.

But really, team members just shouldn't be voting on their own DAO proposals, and should exercise good governance, as has been done across the world for hundreds of years, to eliminate even the perception of bad faith and/or self-dealing.

Almost all DAOs in crypto are total scams or at least facades. Frankly, I think that the “insider” threat to investors in crypto is quite a bit larger than the threat of the “outsiders” (hackers etc) who I usually work to recover money from. We can do better, and should, if we want to be taken seriously as an industry. Until then, if you yourself are running a project and thinking about doing some underhanded activities, remember: the blockchain is forever. 🙂

Durian.hl retweeted
lukasschor.eth (@SchorLukas)
100 ETH were assumed lost but could eventually be recovered. Here's what happened, how it became a happy ending and what's needed to prevent this from happening again.

Context

A user of Safe{Wallet} wanted to bridge 100 ETH from Mainnet to Base. But then they realized that they can't actually access the funds on Base. The Safe on Base had a different set of signers than their original Safe, meaning they had no control over it.

How can this happen?

Unlike EOAs (Externally Owned Accounts), smart accounts like Safe are governed by deployed smart contract code. It's technically possible to deploy a smart account with the same deployment config (same signers) on different chains at the same address (using counterfactual deployment). So normally bridging to a chain where the smart account is not deployed yet is merely an annoyance as the user first has to deploy the smart account before they can access the bridged funds.

But this case was different. The user used their @Safe smart account since 2020. The smart account version from back then (v1.1.1) was not yet written with multichain in mind, so it was possible for anyone to deploy a smart account on a different chain with a completely different config at the same address. Something that has been changed since the v1.2.0 version.

Rescue

Once the Safe team became aware of the incident, @tschubotz took immediate ownership. He examined the Safe on Base and noticed that the address had been deployed by an account that had preemptively deployed many other v1.1.1 Safes on Base. Through further onchain analysis, the trail led to @protofire. As it turns out, the Protofire team was aware of this edge case for older Safes and white-hat deployed Safes to frontrun a malicious hacker taking advantage of it.

So just two hours after the incident was reported, there was hope that the funds could indeed be recovered. And a few minutes later, a first test transaction and then a full transfer of the 100 ETH back to the user could be done. This is commendable anticipation of @protofire, strong leadership from @tschubotz and fantastic support by the wider @Safe team to get the funds safely back to the user. 💪

Learnings

The root cause was the use of an older Safe version (v1.1.1), which didn’t account for multichain deployments. Since version v1.2.0, Safe includes protections that prevent conflicting deployments across chains by modifying how the CREATE2 salt is constructed.

To bridge, the user chose the native bridge integration which is essentially a @lifiprotocol widget but with some optimizations for smart accounts. For example, the bridging feature warns users explicitly if there is NO code at the destination chain, meaning that no smart contract was deployed there. However, there was no warning in place for there being different code deployed on the destination chain. This additional layer of protection has now been introduced to cover the edge-case for old v1.1.1 accounts.

The deeper fix lies in improved keystore infrastructure (like keystore rollups) that can guarantee a consistent account config across chains. Until then, deployment behavior will remain difficult to reason about for developers and end-users.

Finally, we are still at a point where users are expected to do test transactions before moving bigger funds. This is not scalable and shouldn't be expected from users. There needs to be more innovation around hooks, guards, and other safety mechanisms that allow strong protections for users.

I'm glad this case could be resolved with a happy end and there are important learnings for wallet developers, especially ones using smart accounts. But it also clearly showed once again that a lot more work is ahead of us to truly make self-custody easy and secure for everyone.
khalo (@khalo_0x)

I lost my life savings in one click using @safe last night. That's after 8 years of holding ETH and avoiding scams. A UX bug within the official Bridge feature, implied the destination address was my Safe on Base. It wasn't. Essentially, due to the age of my Safe, a bad actor had exploited a window of time last year to deploy my Safe mainnet address on Base with a different owner address. Those bridged funds are now unrecoverable. I appreciate that Safe's staff have transparently explained to me that this was an extreme edge case and apologised. I'm in a lot of pain. I'm now praying that they can make me whole. cc: @koeppelmann @SchorLukas


Durian.hl retweeted
Patrick Collins (@PatrickAlphaC)
We need to talk about hardware wallets.
1. If you have one, you're probably signing transactions without checking calldata.
2. If you don't have one, you're more susceptible to hacks.
One of these needs to change.

bread.mega (@bread_)
Discovered a site that shows aggregate, active HYPE TWAPs on Hyperliquid. It is both soothing and informative for positioning.

Durian.hl retweeted
Flood (@ThinkingUSD)
@zqinfo Solana has zero value just like Ethereum. You're absolutely correct. Users will use applications that are agnostic to any chain and will only use whatever is cheapest/fastest and eventually internalize as much of the flow as possible.

Omnia.hl π (@0xOmnia)
Option 2: @deBridgeFinance directly into HyperCore / HyperEVM "Hyperliquid" = HyperCore "HyperEVM" = obviously HyperEVM

Omnia.hl π (@0xOmnia)
Seeing a lot of difficulty (somehow??) to bridge into HyperEVM, and it's way simpler than you think, please don't overcomplicate it for yourself and others. Quick ez mode guide on how to do it:

Durian.hl retweeted
ceteris (@ceterispar1bus)
coins i would suggest you not buy:
- coins launched by countries
- coins launched by presidents
- coins named after people's pets
- coins created by celebrities
- coins created based off of that funny thing that just happened

this is financial, legal, and mental health advice.

Durian.hl retweeted
Jordi Alexander (@gametheorizing)
Feel like some haven’t understood it yet so I’ll just spell it out- 1. Stop asking wen Alt season- alt seasons as you know them are no more. Just occasional dumb pockets of liquidity— like when the noob gets his monthly paycheck and goes to the casino or poker room to gamble against the odds and eventually lose it. 2. The 4 year btc cycle is also no more. Inflation halvings dont matter under 1% emissions as now, and macro cycles have been repressed by the US money printing. We will just get more random and unpredictable choppiness now. 3. The retarded ‘L1 premium’ is no more. It finally got saturated with all the chains. You want premium, go build smth that actually innovates and can get to sustainable revenue. Clear enough? Adapt or get chopped up. No pressure— just your whole future bloodline depending on you getting this right.