Michael (@mullaneym6)
1.1K posts

Head of BD @octane_security

Joined November 2012
549 Following · 663 Followers
Octane Security (@octane_security)
Octane is looking for elite security researchers. We’re launching new initiatives and want to collaborate with SRs who have a proven track record in bug bounties, audit competitions, or high-impact vulnerability research. DM us with your best work if interested.
Michael reposted
intern (@intern)
thanks for giving us Opus 4.7 with Mythos mogging it ur actually goated for that. it’s probably the coolest thing ive seen in my life, you released an AI model to AI users but you put Mythos there so we know it's the mid version. heroic. i love worse models thats fire bro thanks
Travessia Credit (@TravessiaCredit)
Travessia Credit is live. Today we’re launching our first vault in partnership with @AccountableData and @withAUSD, bringing Brazilian grain trade finance onchain.

This isn’t another yield product. It’s infrastructure. Capital flows into essential commodity trade. Operators execute real transactions. Cash flows are generated in the real world. And now — they’re verifiable.

Powered by Accountable’s Data Verification Network, this vault introduces real-time, cryptographic proof of assets and liabilities without exposing sensitive data. No black boxes. No blind trust. Just continuously verifiable credit.

Built on AUSD, Agora’s stablecoin, enabling seamless, stable capital deployment into high-velocity trade flows.

What this unlocks:
• Real-world yield backed by essential industries
• Continuous verification of underlying flows
• Onchain credit that institutions can actually trust
• A new standard for how capital moves globally

This is the first step toward a fully programmable financial stack for operators. All onchain. All verifiable. We’re not tokenizing assets. We’re rebuilding the system that finances them. Welcome to Travessia Credit.
Michael reposted
Gwart (@GwartyGwart)
There’s not even going to be any money left for quantum computers to steal
Michael reposted
Octane Security (@octane_security)
We recently partnered with the Arbitrum DAO through the Questbook Grants Program to provide AI-native security tooling to @ArbitrumDevs. Here’s a highlight of our March results.
Michael (@mullaneym6)
👀
The Deal Director (@thedealdirector)

Looking for an SDR who wants to make it in AI-native security. @octane_security What you'll do: Own business development with startups and companies bringing secure code review into their workflows. Hit your numbers and you'll start leading full sales cycles fast, on a direct path to promotion. What we're looking for: You've worked with developers. You understand security, and you see what AI is doing for teams that move early on the right tools. You know nothing gets handed to you. You show up, you build, you rise to the occasion every day. Location: NY or SF preferred. Remote considered if you have the track record and the habits to back it up. Think that's you? DM me.

Michael reposted
Nikita Bier (@nikitabier)
@notthreadguy I think when we removed the crypto bots, there were only 2000 people rugging each other back and forth, forever
Alex (@AlexOnchain)
anti social social media manager
Groom Lake (@0xGroomLake)
Wrench attacks are still climbing in 2026 and they have nothing to do with your keys. Criminals skip the technical side entirely and go straight for the person, with threats, coercion, physical force until you hand over access yourself. Analysts found roughly 45% of reported attack frequency tracks directly with market cap, so as prices rise, so does the violence. Reduce your exposure: keep your public identity separate from your holdings, split day-to-day funds from long-term storage, and audit what's out there with your name attached to it.
Michael (@mullaneym6)
Hmu if you wanna see what Octane can do first hand 🤝
Gio (@giovignone)

My thoughts on Anthropic’s Mythos and some interesting takes on AI codegen vs. AI security from the @nytimes… First, agentic workflows are clearly increasing software output much faster than anyone can review it. More code, more complexity, more edge cases, and more risk. And there just aren’t enough application security engineers in the world to absorb that increase on their own. Second, AI is compressing the time and skill required to find and exploit vulnerabilities. To stay anywhere near the edge of the curve, “you have to fight A.I. with A.I.” as @fdesouza puts it. Anthropic’s release today of Mythos takes us even further into this future. Anthropic says Mythos is its most capable frontier model to date, with major jumps over Opus 4.6 on coding and reasoning benchmarks. It says Mythos has already identified zero-days in major operating systems and browsers, and has the ability to exploit them too. Put all this together and the conclusion is pretty straightforward: The old approach to security no longer matches the new reality of software. Agentic workflows easily lead to exponentially larger and faster-moving attack surfaces. Every code change carries more complexity and risk that even the engineer who pushed it probably doesn’t understand. This is why I think the market is going to separate pretty quickly between companies that treat AI as a quick and easy growth hack, and those that understand it as a full-stack operational change. The challenge for security providers will be in offering a genuinely different vision of what full-stack operational security (systems, people, and processes) looks like, rather than just building harnesses around whichever LLM is leading the benchmarks that week. We need systems that can reason about code at the same speed it executes, operate continuously inside the development loop, and actually help teams find meaningful risk before it reaches production. 
Systems that increase the bandwidth of talented security engineers rather than just generating more noise for them to wade through. The deeper bottleneck here is verification. A paper titled “Some Simple Economics of AGI” makes the point clearly: as the cost to automate falls, the cost to verify does not fall nearly as fast. Human oversight is still constrained by time, context, judgment, and hard-won experience. In security, that means the real scarcity is no longer just people who can review alerts by hand. It’s security talent and engineering talent that can configure these systems around a team’s actual codebase and threat model, and step in to triage the ambiguous or high-stakes cases with automation. That’s especially true in domain-specific systems like blockchain infrastructure, payment rails, and other high-stakes software. The most important bugs there are often niche, contextual, and system-wide vulnerabilities. They sit in assumptions, state transitions, edge-case logic, and system interactions that require unique context and domain-specific models to identify and verify. There will be room for multiple platforms in AI security. But the most valuable ones will be those built by people with deep understanding of specific domains, who can integrate tightly with customer workflows, and who help teams separate theoretical noise from actual risk with unique or proprietary data that helps the model detect high-signal, domain-specific findings. But early frontier model access is not a durable edge. Competitive pressure will push frontier capabilities outward over time, whether through APIs, cloud partnerships, managed access, or even industrial espionage that makes its way into open-source models. What creates a truly durable advantage is having the security research talent, experience, domain-specific data and customer context required to make those models produce unique, expert-level findings that others cannot. 
These general models do not perform at maximum capability out of the box, they require expert inputs to produce their best outputs. This is what we do at Octane. We combine the best frontier models optimized for security use cases and our own domain-specific models together with high-end security research. Our researchers configure and instrument the system to get the most optimal findings, then provide continued support as the platform surfaces bugs autonomously. This is how we see security scaling to meet the threats we all now face.

Michael (@mullaneym6)
@octane_security ARE delivers researcher-directed security analysis at scale.
Armani Ferrante (@armaniferrante)
I'll probably get attacked for saying this, but every team in crypto should use this as an opportunity to slow down and focus on security. If possible, dedicate an entire team to it. I know how hard it is. There's an enormous amount of pressure to grow at all costs. Your runway will pressure you. Your investors will pressure you. Your token holders will pressure you. But you can't grow if you're hacked. Take time to stop what you're doing, stop stressing about growth, and audit your whole stack. Custody. Risk. Dependencies. Access control. Everything. The world will still be here when you get back. Focus on the safety of your users' funds above all else. In the long term, this is the most important requirement to grow.
Drift (@DriftProtocol)

x.com/i/article/2040…

John Mullaney (@JohnMullaney15)
@elonmusk got my Tesla in Nov ‘25. Absolutely love. That said I’m a persuasive guy and have prob sold about 10 of these bad boys for you with how much I talk Tesla up at this point. How about throwing your #1 fan some free supercharger credits?☝️🤩
Squads (@multisig)
Our investigation into the @DriftProtocol incident remains ongoing. Early evidence points to two compromised signers on Drift's admin multisig, which were used to execute a transaction modifying Drift's program configuration. Squads programs were not compromised. We have also found no evidence of compromise to Squads infrastructure, though we are actively investigating to confirm this with full confidence. We will share further findings as they become available.

Best Practices for Operationally Critical Multisigs

Thresholds: Any multisig with operational or administrative control over a program should have a signing threshold of 3 or above. This requires an attacker to concurrently compromise multiple independent signers, significantly raising the difficulty of this type of attack. Where possible, signers should also be geographically and organizationally dispersed. Signers sharing the same location, devices, or org structure introduce correlated risk.

Timelocks: Multisigs with program-level control should implement a timelock (can be set up in Settings of your Squads multisig). It won't prevent a malicious transaction from being proposed, but it creates a window to detect and reject it before execution. The tradeoff: timelocks also slow down legitimate emergency responses to bugs or active exploits, so teams should factor this into their operational setup.

Alerts & Monitoring: We encourage all operationally critical multisigs to set up monitoring and alerts through our security partner @RangeSecurity. Range provides two key things: an alternative interface for independently verifying transaction content outside of the Squads UI, and proactive Slack alerts so signers are notified before a proposal moves forward. If you want help getting set up, reach out and we'll connect you directly.

A high threshold, a timelock, and monitoring are the foundation for any multisig with program-level control.

Signing Process: Signers should use dedicated devices and hardware wallets, never a general-purpose machine. Additionally, signatures are only valid for approximately 2 minutes each, so introduce at least a 2 minute delay between each signer taking actions to ensure signatures cannot be collected & bundled by an attacker. Always verify transaction content independently across all three available sources: the Squads UI, Range's alternative interface, and Solana Explorer or Solscan.

On Durable Nonces

The Drift attack exploited durable nonces to collect signatures without time pressure, bypassing the 2-minute transaction expiry that would otherwise limit this type of attack. We are actively exploring ways to block durable nonce usage across all of our programs, both at the program level and through other enforcement mechanisms, to ensure this protection extends to our immutable programs V3, V4, and our current Smart Account Program. Beyond this, the broader Solana ecosystem is taking steps to address this at the protocol level, with a new transaction format that drops durable nonces as a feature entirely. We will follow up with more information on this soon.

Beyond Multisig, Operational Security

Technical controls only go so far. Most high-profile compromises lately have been social engineering attacks targeting the people behind the keys, not the contracts themselves. If you are running mission-critical protocol operations, invest in your internal opsec processes and team culture accordingly, how proposals are initiated, communicated, and approved all matter. We recommend engaging dedicated security advisors. @zeroshadow_io and @0xGroomLake are trusted starting points, and we are happy to connect you directly.
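A pre-signing check for the durable-nonce issue described in the Squads post above, as an added example that is not Squads' or Drift's code: it parses a serialized Solana message and flags one whose first instruction is the System Program's AdvanceNonceAccount, which is what marks a durable-nonce transaction. The function names and the sample keys and messages are constructed for illustration; the parser reads only the fields up to the first instruction.

```python
import struct

SYSTEM_PROGRAM_ID = bytes(32)   # System Program: base58 is thirty-two "1" characters
ADVANCE_NONCE_ACCOUNT = 4       # SystemInstruction enum index, encoded as u32 LE

def _shortvec(buf, off):
    """Decode a compact-u16 length prefix; return (value, next_offset)."""
    val = shift = 0
    while True:
        b = buf[off]
        off += 1
        val |= (b & 0x7F) << shift
        if not b & 0x80:
            return val, off
        shift += 7

def uses_durable_nonce(msg: bytes) -> bool:
    """True if instruction 0 of a serialized message is AdvanceNonceAccount."""
    off = 1 if msg[0] & 0x80 else 0          # versioned messages carry a prefix byte
    off += 3                                  # 3-byte message header
    nkeys, off = _shortvec(msg, off)
    keys = [msg[off + 32 * i: off + 32 * (i + 1)] for i in range(nkeys)]
    off += 32 * nkeys + 32                    # static keys, then blockhash/nonce field
    ninstr, off = _shortvec(msg, off)
    if ninstr == 0:
        return False
    prog_idx = msg[off]
    nacct, off = _shortvec(msg, off + 1)
    dlen, off = _shortvec(msg, off + nacct)   # skip the account index bytes
    data = msg[off:off + dlen]
    return (prog_idx < nkeys and keys[prog_idx] == SYSTEM_PROGRAM_ID
            and data[:4] == struct.pack("<I", ADVANCE_NONCE_ACCOUNT))

def _build(instrs, keys):
    # Serialize a legacy message from constructed parts (all lengths < 128).
    out = bytes([1, 0, 2, len(keys)]) + b"".join(keys) + bytes([0xAB]) * 32
    out += bytes([len(instrs)])
    for prog, accts, data in instrs:
        out += bytes([prog, len(accts), *accts, len(data)]) + data
    return out

# Constructed sample keys: signer, nonce account, sysvar stand-in, System Program.
KEYS = [bytes([1]) * 32, bytes([2]) * 32, bytes([3]) * 32, SYSTEM_PROGRAM_ID]
TRANSFER = (3, [0, 1], struct.pack("<IQ", 2, 1000))
ADVANCE = (3, [1, 2, 0], struct.pack("<I", ADVANCE_NONCE_ACCOUNT))
SAMPLE_NONCE = _build([ADVANCE, TRANSFER], KEYS)
SAMPLE_PLAIN = _build([TRANSFER], KEYS)

if __name__ == "__main__":
    for name, m in (("nonce", SAMPLE_NONCE), ("plain", SAMPLE_PLAIN)):
        print(name, "REJECT: durable nonce" if uses_durable_nonce(m) else "ok")
```

A signing tool that uses a check like this should treat a message that fails to parse as a rejection, not as a pass.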