ltkhehe

@sandmanarc @LayerZero_Fndn @hyperlane @ether_fi Legend !

Why is Everyone Quiet about the Cross-Chain Honey Pots? $10B+ at risk? This post will cover: 1. DVNs on @LayerZero_Fndn 2. ISMs on @hyperlane 3. OFTs & Warp Assets 4. Non-dormant addresses on @ether_fi and @renzoai multisigs "Decentralised Verifier Network" aka DVNs by LayerZero LayerZero Labs DVN: 2/3 multisig Nethermind DVN: 1/1 multisig Stargate DVN: 1/1 Google Cloud DVN: 2/3 Horizen DVN: 2/2 Source: You gotta go to Etherscan and call the signerSize and quorum functions. Here are the contracts: Link [1] (in the reply) Note: There is no guarantee that these multisigs are actually distributed and not maintained by a single person like in the case of Multichain. The name "DVN" itself is misleading. It certainly mislead me into trusting them more. A DVN is a modular validator entity inside LayerZero. That means, if you choose a single DVN set-up, your cross chain messages will be solely validated by this DVN. You can choose multiple DVNs or m out n DVNs to secure your setup. Most protocols (clients using LZ) have 2 DVN setups at max. I had to create this Dune dashboard myself to look into what's happening on-chain. For instance, Stargate has 2 DVNs. Stargate DVN and Nethermind DVN. Both are 1/1 multisigs. Securing, checks notes, $442.84m. Dune is doing a terrible job here, here's how the distribution of various configurations looks like. Look at the numbers that start tapering off as we go down the list. Dashboard link [2]. So, most protocols (clients using LZ) simply trust this one entity, LayerZero Labs, a 2/3 multisig. It's baffling to me that we're all fine with this and nobody is talking about it. We gotta push these teams towards more secure systems, rather push protocols that are using LayerZero to demand for more security. Let's look at Hyperlane, LayerZero's biggest competitor at the moment. First of all, thank God they call their default setup "Multisig ISM", ISM = "Interchain Security Module". They are at least honest about it. It is a multisig. Period. Hyperlane has setup their default ISM to be a distributed set of validators with different quorums for different chains. Each of these validators in this multisig setups are different entities, like various DVNs on LayerZero. Here's how their default setup looks like: Arbitrum: 3/5 multisig Base: 2/5 Blast: 2/3 BNB: 2/4 Ethereum: 3/7 Optimism: 2/5 (source: Link [3], note: they said this post prompted them to up their numbers, so this may have been updated) It is not very far off from the LayerZero DVN setups. But atleast you can be sure that 3-7 of these entites are actively validating in the system. It also seems better than using a single LayerZero Labs DVN setup. By the way, in a m/n multisig setup, if n is >> m, you are compromised if ANY of the m keys are compromised. In their BNB setup, 2/4, if any of the 2 validators out of 4 are compromised, you are compromised. If you compare these with Wormhole's default 13/19 setup, Wormhole looks a lot better. But I've heard it is upgradable. Do they need 13/19 signers to upgrade? I don't know. There are two main arguments by the GMPs (General Messaging Protocols, LZ & HL in this case) defending the lack of security of individual setups at the moment. 1. You can make it as secure as you want by adding as many DVNs/ISMs as possible. This is a marketplace and the market isn't choosing their security right. 2. You can upgrade to a more secure setup when they are available. Choosing your own security In fact, I'm writing about this after I had to choose my own setup for my protocol built on LayerZero. I had no idea what to choose. LayerZero does not provide any information on the current usage distribution of DVNs, nor do they advice you on a secure setup as they want to be agnostic. Layerzeroscan only provides data on the distribution of messages by different protocols using LZ. But that is not useful to me at all. They don't even tell us what DVNs these protocols are using. That's why I built my own Dune dashboard. Here are the most used DVNs across major EVM chains: Outside of the top 6 DVNs I mentioned at the top of this post, none of the DVNs are getting any volume. Why would a protocol choose to even trust DVNs other than the active ones? What guarantee is there that they are active and will be active in the future? What if you brick your system by choosing a dying DVN? If a DVN is not getting any volume, they would rather turn off their nodes as it costs to run a DVN. It's the same with complex DVNs or ISMs. If there is an ISM that is not being used, that means, it is not battle tested. If it is not securing any value, why would you trust it to secure your protocol? So the argument that these GMPs are agnostic marketplaces does not hold true at all. Someone has to help the crypto protocols choose the right setups. It is as if Amazon offered a default product for all of your searches and gave you a list of other options without product availability, reviews or even a description. In my experience, Hyperlane is more eager to engage their clients with education than LayerZero. It should be easier for more DVNs to start competing in the GMP marketplaces. In reality, there is no way for them to market themselves to the protocols using Hyperlane/LayerZero outside of shouting into the void on Twitter. Apparently the teams(LZ said so) are currently working on dashboards to showcase more data about individual DVNs/ISMs. Maybe this post pushed them to do so. The second main argument is that, protocols should use this trusted setup now, so that they can upgrade to a ZK bridge or a restaked security setup later down the line. The Upgradability of Your Setup First of all, I want to highlight that this is so far from the crypto ethos that got me into this space. Mutability, smh. Let's compare an ERC20 with an omnichain token. An ERC20 1. Has a fixed supply that nobody can change (most of em) 2. Exists on a blockchain where nobody, including the team itself, can mint extra ERC20s An OFT or A Warp Asset 1. Has a fixed supply in theory, but an unlimited number of tokens can be minted if the interop setup is compromised, unless there is a rate limit. 2. Has its interop setup managed by a multisig controlled by the token issuer (protocol). This multisig can change the rate limit as well (lol?). 3. Exists on multiple blockchains where if one of the chains is malicious, they might be able to mint as many tokens as possible, unless there is a rate limit, which can be changed. Let's look at team multisigs for a second. At least they are dormant addresses locked up in a basement, right? Right? @ether_fi is a protocol with $5.5B+ in TVL. Here is the multisig (Link[4]) securing their weETH OFT. 5 out of these 6 wallets have been active in the last 2 months. That means a higher likelihood of getting their private keys stolen.. For context, Ronin ($600m) and Harmony Bridge ($100m) hacks were due to comprises of multisigs. @renzoai is a protocol with $1.5B in TVL. And their ezETH is an xERC20. It is also secured by a 3/5 (multisig Link [5]). All 5 of these addresses have been active recently. And they all seem to be kinda interlinked. But I am not an expert on-chain sleuth to comment on that though. Will Ethena's USDe ever depeg? Perhaps not due to their stablecoin design, but rather because of their interop setup (LayerZero Labs DVN + Horizen DVN, basically a 4/5). At least 7 of their 9 multisig addresses are dormant. So, can we say a total of around $10B+ is at risk here? I am not blaming these GMPs. They are simply selling a setup. I am pushing the community to demand enough security from the protocols that are using these setups. Did we all forget that the bridge hacks have accounted for >50% of all funds we have lost? Now we are offering billions more on a platter to the hackers around the world. Kim Jong-Un is probably rubbing his hands right now. Native Bridges, Ignored, And Left for Dead It is easy to point out problems than to offer solutions. What is the best security for cross-chain messaging/tokens right now then? I would suggest studying wstETH by Lido. It uses native bridges to bridge and also to control the upgradable token setups on L2s. The upgradability is controlled by the Lido DAO on L1. Except the upgradability aspect of this, I have no issues with this setup. There is no way an unlimited amount of wstETH can be minted in this case. There will be solutions based on restaking in the future, hopefully they will offer a much better security than what we have today. Closing Thoughts I used to think very highly of LayerZero as a protocol. A protocol that is marketed x.com/mark_murdock3/… as a peer next to Bitcoin and Ethereum. Bitcoin, Ethereum, LayerZero. But I do not feel strongly about it anymore. I don't think it's even close. Bitcoiners chose the smaller blocks chain, Ethereans still care about the solo stakers, but the protocols using LayerZero are fine with one or two DVN setups. This is not a post targeted towards any of the GMPs/protocols mentioned here. I wanted to voice out my concern because I hold a lot more ETH than I hold ZRO (I do hold some ZRO, sandmanarc.eth). I have also integrated LayerZero into the protocol I am currently building. Although I am having second thoughts about it now. Let's demand better standards from our industry. - A humble community member, Sand

the great news is that pretty much all of this is totally preventable ethereum and ETH are rapidly growing to global ubiquity. this doesn't change that one bit future defi solutions won't make these amateur errors (they'll eventually seem like amateur errors... already do to many experts) attacker supremacy from AI won't last, it's working through a backlog of exploits. the limit result will be much permanently more secure protocols and eth's neutrality and capital gravity well will be more valuable than ever if you have ETH lent in aave, imo you should get out right now by using onchain limit orders to sell to whale loopers who are actively buying aETH unwind leverage. you can take as little as a 1.1% haircut based on ongoing txns in mid 6-figs, which is much lower than some estimates of final socialized losses. why can ETH lenders take only a 1.1% haircut now? because loopers want to avoid liquidation from high rates caused by 100% utilization. on the bad debt side, loopers actually win from socialized losses because their debt token (aETH) is the one taking the haircut, so they'd owe less in ETH terms. the most remarkable thing in this crisis is clearly that billions of dollars in backbone eth lending on aave were in fact exposed to signer risk in a 3rd party bridge... effectively some random downstream fellow was actually an aave admin. aave additionally has negligently low borrow rates during 100% utilization, leading to extremely dangerous illiquidity. what if ethusd crashed for any reason... eg. if stocks were open and a politician said the wrong thing, btc goes down 5%, eth goes down 8%... this can lead to broader contagion and bad debt. protocols and their teams like fluid (who've had low level dynamic withdrawal rate limits in protocol from day 1 so can't be insta drained) and spark (who seem to have excellent scientific gov and no exposure for eth lenders to 3rd party bridge admins) deserve respect and attention for doing what they knew was right and possible even before the ecosystem had a forcing function to care about it. same goes with other kinds of security practices that are still fringe, maybe including formal verification and ipfs hashes for frontends nearly 24h since the attack, the lack of material updates from affected protocols, including kelp, layerzero, and aave, suggests to me the ongoing severity of the situation. many factors are in play, there's probably no great solution, somebody is going to lose big is just the bridged rsETH (that argubly took bridge risk intentionally) fully on the hook for the bridge failure, and L1 rsETH should be unaffected? however L1 rsETH *was* affected due to gov choices in aave. does aave's junior debt program, umbrella, take the full wipeout? however umbrella's terms & conditions say they have no bridge risk, which aave gov effectively violated without umbrella holders realizing it. does layerzero bear responsibility for allowing their users to be subject to terrible admin config in one of their ecosystem bridges? i'm probably missing aspects here, it's very messy. Just Use Aave is dead... nobody is going to Just Use Anything anymore the future of this industry is to do the smart obvious stuff even when it's unpopular, like withdrawal rate limits, better interest rate gov, avoiding toxic market share steroids like degen bridge looping affordances. and for 10x better user recognition and higher standards around protocol hygiene and security differentiation. degen stuff is fun and amazing but only when you understand the true risks in sum, if you are lending ETH in aave, get out now at a ~1.1-1.5% haircut by selling to loopers actively unwinding because when the dust settles, a material haircut for Aave v3 ETH lenders is a possibility ethereum and ETH are growing well to global ubiquity and will be massive net beneficiaries of our industry successfully navigating this crisis season of backlogs of exploits discovered by AI and preventably poor practices in defi architecture/gov. trillions await

@frizzaud Turn out Kyle still saying the truth

@CarOnPolymarket No it not i'm alien

Have $1M lying around? You can make $156,353.74 by predicting that aliens will not be confirmed to exist this year. Sounds like a good investment

@atalantis7 The most importain that is signal US want to stop ( or they must stop cos consequences )

No real US-Iran negotiaton w/o GCC participation

This is the new EF Mandate. For many of you, the contents should be no surprise, and a clarification along the lines that we have been going and thinking for the past few months. But the clarification is nevertheless worth making. Ethereum is a unique object and has a unique role in the world. Its role is to be a sanctuary technology, to preserve technological self-sovereignty, to enable cooperation without coercion, domination or rugpulling, and to provide an escape hatch, to ensure that no single person, organization or ideology's victory in cyberspace can be total. The Ethereum Foundation is a steward of Ethereum - the original steward, and today, the steward specifically dedicated to preserving and expanding the above aspects of Ethereum. This means a heavy emphasis on CROPS (censorship and capture resistance, open source, privacy, security), both at the protocol layer, and at the access layer, user-facing applications and tools that we create or contribute to. There are things that we do in Ethereum because we believe that they are valuable for the underlying goals that we have for Ethereum. There are things that we do not do because from the perspective of our values we find them uninteresting (or worse, harmful). But there are also things that we do not do because while they are useful, they are not our role. At the Ethereum protocol layer, we focus on decentralization, verifiability, inclusion guarantees, protocol liveness, security and privacy first and foremost. We also value capabilities (eg. L1 scale, account abstraction, perhaps some forms of in-protocol aggregation), particularly because improvements in these capabilities better enable users to properly benefit from Ethereum's CROPS properties and displace the need for higher-layer intermediaries that might weaken the extent to which Ethereum's properties carry over into the full stack. We also believe that the Ethereum protocol must strive to pass the walkaway test. "We do X to specialize to serve the use cases of today, if more use cases appear later, we will continue to keep adding more EIPs for them later" is logic fit for many other blockchains whose names you hear often on this forum, but we do not believe it is logic fit for a decentralization-first blockchain like Ethereum. At the application layer, we focus on making "the zero option" - user experience that goes hard on ensuring security and privacy, avoiding dependence on intermediaries, and respecting the user's agency - as high quality as possible. We see this as complementary to work in the Ethereum ecosystem that "goes broad", starting from the world that it exists, and brings it onchain and improves its properties over time. Such work has its natural home outside the EF. We intend to be supportive of such efforts. We believe that the two are complementary: tools that are developed within the EF can be adopted by anyone, including partially, and even partial adoption that improves people's security, privacy and agency is a good thing. But the form of user experience that is more heavily insistent on CROPS properties is where we want the EF to develop its center of expertise. This does not mean shrinking from the hard questions. We believe in a vision of self-sovereignty that protects users, and does not leave users in the cold to face environments where they lose their life savings if they make a mistake, and click "yes" on a confirmation screen by accident two seconds after. But such protection must be designed based on a philosophical baseline of empowering the user, not empowering centralized organizations that claim to act in the user's name. This quadrant of design space - caring about users' (including non-experts') well-being and safety, and yet insistent on doing this in a way compatible with their agency and freedom, is underserved (not just in crypto, but in the world). We wish to use Ethereum as a platform to build out and showcase this quadrant, and ideally work with others to expand its reach over time. This is also a new chapter in how we see our position in the world. We must see ourselves not just as the Ethereum community, but also as maintainers of the Ethereum tool within what you might call the CROPS community or the sanctuary tech community, or a dozen of other words that have for a long time been used by people with similar values to us but far outside Ethereum. This means open-mindedness to new conceptions of what things in the world are our natural allies. Ethereum is not the world. Ethereum is a specific object in the world that is here to have specific properties. The Ethereum Foundation is a specific organization within Ethereum - one steward, not the sole one. I encourage all to read the mandate in detail; it includes concrete examples of how we intend to deal with the challenges and nuances of these ideas. We are doubling down on Ethereum and are excited about its next chapter.

I am working on agentic systems now, and having access to truly private and permissionless compute, along with reliable independent infrastructure like Ethereum, will be very important. My message was that this is available for institutions, and that sooner or later large organizations will not have much choice and will need to adopt Ethereum’s guarantees to stay competitive. That is also where the store of value comes from. It is important to keep delivering censorship-resistant, privacy-oriented, secure, open-source solutions. The only part I am unhappy about is where the EF believes that it can move slowly. The world is not moving slowly. Defense is not about staying in place but about hectic preparation without losing a single second when the threat is imminent.

I actually do the whole new year's resolutions thing, and it actually works. The key thing to understand is that humans are creatures of habit. Doing the same action you've already done regularly takes very little mental effort, whereas inserting a new one-time task takes much more. And so if you want yourself to do certain things more, you need to make it a habit. The year boundary is as good a place as any to evaluate the habits that you're chosen to impose on yourself, and see whether they are effective and sustainable, and adjust, add or remove any. My style is to make them measurable, trackable, and targeted to exactly the level of effort that I know will not make me want to abandon them, even during my months of busiest work, most intensive travel schedule or call schedule, etc. Examples I've done: * Walk an average of >= 6km/day each month * Run >= 50km each month * Write >= 1 blog post each month * Study some language for 30 min each week * Do >= 2 major cryptography programming projects each year At every year boundary, re-evaluate your old list, and decide on your new list. And yeah I have txt files for tracking this (sorry, not gonna use some corposlop app that makes me dependent on third-party servers) You actually want each one to be relatively trivial, so that you can stack multiple, and because the benefits of maximizing are less important than the risk that you will give up on the whole thing. This has worked well for me and I recommend it.

@VitalikButerin @RyanSAdams ETH is a store of value and one of the most important apps on ethereum.

@RyanSAdams ETH is a store of value and one of the most important apps on ethereum.

the last "say the quiet thing out loud" things i'd like to hear from vitalik is that ETH is a store of value and one of the most important apps on ethereum

@BTCdayu Pessimist sound smart but in the end only optimist can win

乐观主义者即使错了， 也比正确的悲观主义者过得更开心。 ——马斯克

10 Lessons that improved my trading 1) Embrace uncertainty Markets don’t reward certainty. They reward those who can operate comfortably within uncertainty and let probability play out 2) Know your limits By oversizing a position, a trade stops being about the market and starts being about fear and hope. Even correct ideas can fail when position size forces irrational decisions. Know your limits and find the right balance 3) Less is more No trade is still a trade, and often the optimal one. Quality over quantity consistently leads to better results. Trading is mostly a waiting game, and recognizing when not to act is part of the process 4) Consistency beats talent A bad trade can be profitable, and a good trade can turn into a loss. Short term results can be misleading, what matters is consistency over a prolonged period of time. 5) Find balance Trading requires focus and patience. If you’re sleep deprived or external factors are negatively affecting your state of mind, it’s better to avoid trading that day. We all have bad days, recognize them before the market does for you 6) Narrow your focus This industry can be overwhelming, and noise can cloud judgment. Clean your timeline, narrow your ticker selection, and focus only on what’s essential. Simple systems tend to outperform complex ones 7) Live in the present Never let past losses or wins influence your next move. Each trade is a separate event. Avoid revenge trading or acting out of fear of missing the next move, there will always be other opportunities. 8) Be objective Never marry your positions and never rationalize your losses. Stay neutral. You’re an observer, never take sides. 9) The market doesn’t care about you It’s human nature to want to feel special or contrarian. But the market is the ultimate truth. Don’t fight the trend, and stay flexible enough to adjust your bias. 10) Survive I’ve seen countless traders, including very talented ones, give back all their gains. Surviving to fight another day matters more than anything else in this space. I’ve made a lot of mistakes along my journey, and I’ll most likely continue to make some. Trading isn’t always fun, it can be very lonely and emotionally draining. But in retrospect, it was all worth it. The view from the top is priceless.

@AltcoinSherpa We are all waiting for this time to come

Love seeing this move, I want to see strong continuation here for $BTC.

@inversebrah We are so back LFG

>_<

New year New resolutions But without a change in mentality and lifestyle, the outcome will be the same. A few lessons from someone who has lost and made life changing money - Money won’t fix your problems, it amplifies them. Live in the present, not in a future that might never exist. Take action today to improve your life. Success is the result of countless small daily victories - Don’t overtrade. Don’t over size. Stop comparing yourself to others. Find your own path and your own peace. Each year there are 3 or 5 big opportunities in the market, be present in that moment and spend the rest of the time learning new skills - If you’re so smart, why aren’t you rich? Take responsibility. Don’t blame others or hide behind excuses. Accept and admit your current situation. If you are not able to admit your own mistakes, you will never move forward - Mens sana in corpore sano, a Latin phrase meaning “a sound mind in a sound body”. Take care of yourself, take care of your body and your state of mind. Trading is a race against the world, but more importantly, against yourself - “Be water, my friend” - be adaptable, flow around obstacles, take different shapes. Never let your bias or fears take over, be always objective. Your only goal is to make money, not to be right nor to become a community member. Never let the echo chamber cloud your judgment - Become bulletproof. This game isn’t fair, and no matter how prepared you are, life will find ways to put you on your knees time and time again. You need to become obsessed, find a way to harden yourself, and always survive. If you can’t be the smartest person in the room, become the most resilient. If you made it this far, thank you for your time. As for me, I have no intention of slowing down. If anything, I’ve barely started. I will win. Losing was never an option.

@bitfalls Wow your size is perfect

@SolarEtherPunk Clown talking about ETH is dead, but if ETH is dead so all of crypto is nonsense ag

If $ETH is overvalued. Your coin is worth nothing.

@donalt u a fkin braindead when can think about this shjt

I'm really surprised how stupid the ETH reply guys are Always thought SOL fans were the most braindead, turns out ETH might be even worse ETH has underperformed for 5 years now, have some humility And this is coming from someone that likes ETH

@elonmusk Cycle is continue

Europe is sleep-walking into oblivion

@TaikiMaeda2 @ryanberckmans Bullish signal for ETH

hey ryan, I have a lot of respect for you and understand the frustration I do want to separate the fact that I am bearish ETH price but love ETH as a product. I have most of my portfolio on mainnet/L2 and use the chain more often than 99% of ETH maxis. I even max participated in MegaETH sale and avoided Monad. So I'm mostly talking "shit" from the pov that ETH is a great product but a terrible investment, as things stand now. I just happen to believe that ETH is a great short (from a trade pov) since my view is Tom Lee pumped it too much too fast buying 3% of supply, and now I expect that to retrace. I try my best to share trades (as a trader/investor) and share my reasons. You may disagree, but I have been posting my ideas to try to help people take profits before the market crash. I think I've been a bit too harsh on ETH but it's one way to deliver a message that is more nuanced. At the end of the day, price/valuation matters since most people aren't rich eth whales whose lives aren't affected even if eth goes -50% from here. I wish someone told me to sell crypto in 2022 instead of listening to people saying ETH was going to 10k. I'm just trying to be that person, and maybe I'm taking the ETH shorting thing too far but it's just a way to express a particular market view. And I'm usually a dumb person but I'm not hating on ETH the asset because I hate ETH, but more from a pov of trying to help people preserve capital so they weren't rekt like me in the 2022 bear holding eth from 5k to 800. There's a parallel universe in which I'm wrong and got clowned on. But we're living in the now and we have to do what's best for our financial situation. And I feel like I have a responsibility to try to help, though in most cases I get things wrong (which is why people often call me a midcurve countersignal).

Taiki calls ETH a "hot stove" that ppl keep touching and get repeatedly burned. He shorts ETH, makes money when BTCUSD crashes and ETHUSD with it. But ETHBTC is doing well rn (~3.5x better than in spring dump) Don't talk shit about eth unless you're willing to short the ratio