Jim Borrowinson 🍚 ⛓

14K posts

@jimborrowinson

Giacomino, guardian of the galaxy and of hyperspace 🐈

Lisbon, Portugal · Joined January 2009
816 Following · 1.7K Followers
pedro ribeiro (@pedro____world)
I'll bet €1000 right now that this project doesn't stop at 800 million.
Jim Borrowinson 🍚 ⛓ retweeted
Julien B. (@bneiluj)
I built @RektHQ 6 years ago because crypto needed a place that says what really happened when things go wrong. I never accepted funding, so Rekt could stay agnostic and say whatever the fuck needed to be said. Now you can help keep it that way. Support Rekt in the Ethereum Security QF round. WE ARE ALL REKT 🐸 qf.giveth.io/project/rekt-n…
tether wallet (@tetherwallet)
The @btc Faucet is officially LIVE! 🚰⚡️ We want to help everyone experience self-custodial Bitcoin. Claiming your free Sats is easy: Download the tether.me app, then reply to this tweet, making sure to tag @btc AND include your @tether.me username. We will instantly drop a lightning-fast fraction of Bitcoin straight to your Tether Wallet. Stack 'em while the faucet is running! 👇
0xngmi (@0xngmi)
We've launched Risk metrics in DefiLlama! The best metrics come with real money on the line, so we devised a new one: how much $ would be lost across lending markets if a token got hacked. This aggregates trust and willingness to extend credit to a token across risk managers.
Jim Borrowinson 🍚 ⛓ retweeted
Charles Guillemet (@P3b7_)
Two days ago, Kelp DAO suffered a $292 million exploit, the largest DeFi hack of 2026. The attack is elegant in its simplicity, terrifying in its implications, and a case study in how a single misconfiguration can cascade through the entire DeFi stack.

▶ The Setup
Kelp is a liquid restaking protocol. It creates rsETH -- a liquid token representing ETH restaked on EigenLayer. DeFi being DeFi, users want these tokens available across multiple chains. So Kelp uses LayerZero, a cross-chain messaging protocol, to bridge rsETH between networks.

The core idea behind any cross-chain bridge is straightforward:
- A user locks (or burns) tokens on Chain A
- An oracle observes and verifies that transaction
- The bridge mints an equivalent amount of tokens on Chain B

LayerZero's oracle mechanism is its Decentralized Verifier Network (DVN), a set of independent verifiers that must agree a cross-chain message is legitimate before it is executed. The critical word here is "independent." And that's where things went wrong.

▶ The Vulnerability
For reasons that remain unclear, Kelp had configured a 1-of-1 DVN setup. One verifier. No redundancy. No independent confirmation. LayerZero had explicitly warned against this configuration. Kelp ignored the warning. A single point of failure in a system securing hundreds of millions of dollars.

▶ The Attack
The attackers, preliminarily attributed to North Korea's Lazarus Group, didn't need to break any smart contract. They went after the infrastructure layer. To verify blockchain state, a DVN relies on RPC nodes, the servers that synchronize and serve blockchain data. The attackers compromised two RPC nodes used by Kelp's lone DVN, then launched a DDoS attack against the remaining healthy nodes, forcing failover to the poisoned ones. From there, it was trivial.

The compromised RPC nodes presented a fabricated blockchain state to the DVN, pretending that 116,500 rsETH (~18% of total circulating supply) had been legitimately deposited on the source chain. The DVN, seeing no contradicting signal from any other verifier, approved the message. The attacker retrieved 116,500 rsETH freshly minted on the destination chain.

▶ The Liquidation
The attacker deposited the stolen rsETH as collateral on Aave V3 and Compound V3, then borrowed approximately $236 million in (W)ETH against it. By the time lending protocols reacted (freezing rsETH markets, halting new deposits, restricting withdrawals), the damage was done. Aave now carries an estimated $177-196 million in bad debt. Its TVL plunged from ~$26.4 billion to ~$17.7 billion as panic withdrawals exceeded $5.4 billion. Whether Aave's safety module can fully absorb the loss remains an open question. Not the decentralized and trustless ideal we went for...

▶ The Deeper Problem
Poisoning a handful of RPC nodes and DDoS'ing a few others was enough to fabricate $292 million out of thin air and erode trust across the entire DeFi ecosystem. No smart contract exploit. No zero-day. Just a misconfigured verifier and an infrastructure-level attack on the nodes it relied on.

But the root cause runs deeper than Kelp's configuration. The fundamental problem is the trust model. Kelp's bridge, like most bridges and many Layer 2 rollups, relies on oracles reading blockchain state from RPC nodes and attesting that "this thing happened." The security of the entire system reduces to one question: can you trust the nodes feeding data to your verifier? The Kelp hack proves the answer is no. Not the decentralized and trustless ideal we went for...

There is a fundamentally different approach: validity proofs. Instead of trusting oracles to honestly report what happened on another chain, you require a cryptographic proof, a zero-knowledge proof, that the state transition actually occurred according to the protocol's rules. The verifier on the destination chain doesn't trust any RPC node, any oracle, or any DVN. It checks the math. Either the proof is valid or it isn't. This is exactly the model ZK rollups use to settle on Ethereum. The L1 doesn't ask an oracle "did these transactions happen?" It verifies a succinct proof that they did.

▶ The Goose That Lays the Golden Eggs
One could argue the attacker showed restraint. With a 1-of-1 DVN, they could have minted any amount, $292 BILLION, if they wanted. There are liquidity arguments (you can only extract what lending markets will let you borrow against) and detection arguments (the larger the mint, the faster the response). But there's a more cynical reading. The Lazarus Group and similar state-sponsored actors are in a peculiar position. They could mint an amount large enough to collapse the entire DeFi ecosystem. But doing so would kill the very system they profit from. So they calibrate: enough to fund their operations, not so much that the ecosystem loses confidence and collapses. The goose must keep laying.

The DeFi ecosystem likes to talk about trustlessness and decentralization. But when a handful of poisoned RPC servers can drain nine figures and trigger a systemic crisis, we should be honest about where we actually are, and serious about the cryptographic tools that can actually get us there. Stay safe.
0xngmi (@0xngmi)
The attack was:
1. North Korea figured out which RPC providers LZ was using
2. They compromised two of the providers to make them return fake data
3. DDoSed other providers to shut them down, forcing LZ to use the bad ones
AFAIK I was the only one who actually called it.
Quoting LayerZero (@LayerZero_Core): x.com/i/article/2046…
Crypto Patel (@CryptoPatel)
LayerZero Design Under Scrutiny
The ~$290M rsETH exploit is raising questions around LayerZero's design. Apps can choose their own verifier setup (DVN), with no minimum security requirement. In this case, KelpDAO reportedly used a 1-of-1 verifier, creating a potential single point of failure. ⚠️ If that verifier is compromised, attackers can validate fake messages and drain funds. Not just a hack, possibly a design tradeoff between flexibility and security.
Jim Borrowinson 🍚 ⛓ retweeted
cryptogoblin (@Crypto_Goblinz)
The KelpDAO exploit (~$290M) is NOT a LayerZero protocol bug. It's a configuration issue and a case study every project with a cross-chain token needs to look at today.

KelpDAO shipped their rsETH OFT with a 1/1 DVN security stack. One required verifier. Zero optional. Threshold 0. Straight from LayerZero Scan's ReceiverOAppConfig on the rsETH bridge pathway:
• requiredDVNCount: 1
• requiredDVNNames: [LayerZero Labs]
• optionalDVNCount: 0
• optionalDVNThreshold: 0

Source and Destination OApp both labeled "Kelp DAO." Destination is the rsETH OFT Adapter on Ethereum: 0x85d456B2DfF1fd8245387C0BfB64Dfb700e98Ef3.

How the attack worked: the forged message's source packet was never actually emitted on the source chain (Unichain). The single required DVN signed an attestation for something that didn't exist, and because it was the ONLY required DVN, there was no independent verifier to contradict it. Everything downstream then executed exactly as designed: commitVerification → lzReceive → peer check → OFT decode → rsETH mint. The contracts weren't broken. The verification layer was. One signature and 116,500 rsETH materialized out of thin air on Ethereum.

To be clear: LayerZero V2 is modular by design. Apps pick their own security stack: X-of-Y-of-N, multiple independent DVNs, thresholds, block confirmations. No one is forced into any configuration. The protocol gave projects the full toolkit. KelpDAO chose 1/1.

Even reputable DVNs can have a bad day: key compromise, infra failure, bad actor, whatever. That's exactly why you want multiple independent verifiers. Redundancy is the whole point. A 1/1 DVN is the cross-chain equivalent of a 1-of-1 multisig on a treasury.

Baseline for any OFT/OApp with serious TVL:
• Multiple required DVNs (3–4+)
• Independent providers (don't stack correlated risk); use canary DVN as it's also its own independent client.
• Optional DVNs + threshold on top
• Sane block confirmations

If you're a founder or dev with an OFT live in production, pull your Send/Receive ULN config today. Call getConfig() on the endpoint. If requiredDVNCount is 1 and optionalDVNCount is 0, reconfigure before the market does it for you. Anyone can verify any OApp's config on layerzeroscan.com right now.

Security is the application's responsibility. LayerZero hands every project a powerful, modular security stack; it's on the project to actually use it. Kelp's full RCA is still coming, but the root enabler is already onchain and visible to anyone who looks. Check your configs. Stay safe out there.
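Added example, not code from any of the posts above and not LayerZero's or Kelp's own code: an offline Python model of the X-of-Y-of-N DVN rule that Charles Guillemet's post describes (all required verifiers plus a threshold of optional ones must attest) and of the configuration baseline in cryptogoblin's checklist. The `Dvn` and `UlnConfig` classes, the `provider` field, the `min_confirmations` default and the two sample configurations are assumptions made for the example; the field names follow the ones quoted from LayerZero Scan, but the real struct returned by `getConfig()` is not reproduced, so this is for reasoning about a config you have already pulled, not a substitute for reading it on-chain.

```python
from dataclasses import dataclass

# Offline model of a ULN receive config. Field names follow the post's quote
# from LayerZero Scan (requiredDVNCount, optionalDVNCount, optionalDVNThreshold,
# block confirmations); the exact on-chain layout is NOT reproduced (assumption).


@dataclass(frozen=True)
class Dvn:
    name: str       # verifier label as shown on LayerZero Scan
    provider: str   # operator behind it (assumed field, used for the correlation check)


@dataclass(frozen=True)
class UlnConfig:
    confirmations: int                  # source-chain block confirmations before attesting
    required_dvns: tuple[Dvn, ...]      # every one of these must attest
    optional_dvns: tuple[Dvn, ...] = ()
    optional_dvn_threshold: int = 0     # how many optional DVNs must also attest

    @property
    def required_dvn_count(self) -> int:
        return len(self.required_dvns)

    @property
    def optional_dvn_count(self) -> int:
        return len(self.optional_dvns)


def is_verified(cfg: UlnConfig, attested: set[str]) -> bool:
    """X-of-Y-of-N rule as the posts describe it: a packet is committed only when
    all required DVNs have attested AND at least optional_dvn_threshold of the
    optional DVNs have attested."""
    if any(d.name not in attested for d in cfg.required_dvns):
        return False
    optional_hits = sum(1 for d in cfg.optional_dvns if d.name in attested)
    return optional_hits >= cfg.optional_dvn_threshold


def attestations_needed(cfg: UlnConfig) -> int:
    """Smallest number of distinct verifiers whose agreement executes a packet.
    A value of 1 means a single faulty or compromised DVN is decisive on its own."""
    return cfg.required_dvn_count + cfg.optional_dvn_threshold


def audit(cfg: UlnConfig, min_required: int = 3, min_confirmations: int = 15) -> list[str]:
    """Posture check against the baseline listed in the post. min_required follows
    the post's '3-4+' guidance; min_confirmations is a constructed placeholder,
    not a LayerZero recommendation."""
    findings: list[str] = []
    if cfg.required_dvn_count == 1 and cfg.optional_dvn_count == 0:
        findings.append("1-of-1 DVN: a single verifier is a single point of failure")
    if cfg.required_dvn_count < min_required:
        findings.append(f"requiredDVNCount={cfg.required_dvn_count} is below baseline {min_required}")
    if cfg.optional_dvn_count and cfg.optional_dvn_threshold == 0:
        findings.append("optional DVNs configured but optionalDVNThreshold=0: they add no security")
    if cfg.optional_dvn_threshold > cfg.optional_dvn_count:
        findings.append("optionalDVNThreshold exceeds optionalDVNCount: packets can never verify")
    providers = [d.provider for d in cfg.required_dvns + cfg.optional_dvns]
    shared = sorted({p for p in providers if providers.count(p) > 1})
    if shared:
        findings.append("correlated risk: several DVNs run by the same provider: " + ", ".join(shared))
    if cfg.confirmations < min_confirmations:
        findings.append(f"confirmations={cfg.confirmations} is below {min_confirmations}")
    return findings


# Constructed sample with the shape quoted in the post: requiredDVNCount 1,
# requiredDVNNames [LayerZero Labs], no optional DVNs. The confirmations value is made up.
ONE_OF_ONE = UlnConfig(
    confirmations=20,
    required_dvns=(Dvn("LayerZero Labs", "LayerZero Labs"),),
)

# Constructed hardened config; operator names are placeholders, not real DVN providers.
HARDENED = UlnConfig(
    confirmations=20,
    required_dvns=(
        Dvn("LayerZero Labs", "LayerZero Labs"),
        Dvn("DVN-B", "Operator B"),
        Dvn("DVN-C", "Operator C"),
    ),
    optional_dvns=(Dvn("DVN-D", "Operator D"), Dvn("DVN-E", "Operator E")),
    optional_dvn_threshold=1,
)

if __name__ == "__main__":
    for label, cfg in (("1-of-1", ONE_OF_ONE), ("hardened", HARDENED)):
        print(f"{label}: attestations needed = {attestations_needed(cfg)}")
        # A lone attestation from one verifier is enough only under the 1-of-1 config.
        print(f"  single attestation executes: {is_verified(cfg, {'LayerZero Labs'})}")
        for f in audit(cfg) or ["no findings"]:
            print(f"  - {f}")
```

The point of `attestations_needed` is the comparison the posts make with a 1-of-1 multisig: under the first config one attestation executes a packet, under the second it takes all three required verifiers plus one optional, so a single compromised DVN, or a single DVN fed a poisoned chain view, is no longer sufficient. The provider check catches the "correlated risk" item in the checklist, where four DVN labels that all run on the same operator's infrastructure give a 4-of-4 threshold with 1-of-1 resilience.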
Jim Borrowinson 🍚 ⛓ retweeted
edwin (@edwinarbus)
Café Cursor Lisboa is open!
Jim Borrowinson 🍚 ⛓ retweeted
Pedro Oliveira (@pcbo)
Check out the @cursor_ai cafe Lisbon vibes. Unleash the agents 🤝
Jim Borrowinson 🍚 ⛓ retweeted
StarPlatinum (@StarPlatinum_)
- immigrant background
- raised by a single mother after divorce
- self-taught physics at 16
- wins gold at the International Physics Olympiad
- starts trading crypto in 2019 with $10K from a living room in Puerto Rico
- builds Chameleon, one of the largest crypto trading firms
- shuts it down voluntarily
- sees crypto drifting away from decentralization (FTX)
- decides to build something new
- co-founds Hyperliquid
- team of just 11 people
- no VC funding, no investors, no MMs
- rejects $100M at a $1B valuation
- processes over $4 trillion in volume
- generates ~$900M in profit in a single year
- core philosophy: neutrality and integrity
- fees automatically burned on-chain
- becomes one of the most profitable protocols in DeFi
- Jeff Yan
SKYLINE🥷 (@SkylineETH)
HYPE is just a 30% move away from flipping SOL. No offense to HYPE bulls, but SOL is seriously undervalued at this point.
Jim Borrowinson 🍚 ⛓ retweeted
Steakhouse Financial (@SteakhouseFi)
🚨🚨 Do not interact with the Steakhouse app until further notice. Our team has identified a phishing attack on the Steakhouse domain (both app and website). No deposits are at risk. No contracts are affected. All Steakhouse depositors are safe. The issue may impact new users interacting with the malicious website served by the attacker. We are working to restore the frontend as soon as possible. We will communicate all updates asap.
Catia Insights | Macro & Geopolitics
If the United States invades Iran by land (we all agree they will, right?), how will the markets behave?