Ologai | Umbrella Finance ☂️

3K posts

@ologai

Scrolling down the world of economics, finance and crypto. Founder of Umbrella Finance: @umbrella_fi

Joined September 2020
443 Following · 1.9K Followers
Pinned Tweet
Ologai | Umbrella Finance ☂️
Hi folks. I'm the founder of an innovative protocol built on Monad testnet. In Umbrella Finance, you can swap, lend and borrow any token, where your LPs work twice (for trading and for lending) effectively boosting your yield. Come and give it a go. Feedback is appreciated.
Umbrella Finance @umbrella_fi

What if your next DeFi protocol wasn't built with duct tape and vibes? Introducing Umbrella Finance ☂️ Swap. Lend. Borrow. Yield. No oracles. No BS. Here’s what makes us different (and dangerously good): 👇

Ologai | Umbrella Finance ☂️ retweeted
curb @CryptoCurb
"so you staked your ETH on the Ethereum blockchain to earn yield?"
"yes, Dave"
"except you didn't want your capital to be locked up so you actually staked it with a liquid staking protocol called Lido?"
"that's correct, Dave"
"and Lido gave you a liquid staking receipt token called stETH in return?"
"yes, Dave"
"and then you didn't think that was enough, so you juiced the yield even further by depositing your stETH receipt tokens into a restaking protocol called Eigenlayer?"
"you are correct, Dave"
"and now you didn't want to lock up your capital, so you actually restaked with a liquid restaking protocol called KelpDAO who provided you with a liquid restaking receipt token called rsETH?"
"you got it, Dave"
"and then that was surely not enough juice, so you then deposited your rsETH tokens into a lending protocol called AAVE so that you could open a leveraged looping position that borrows ETH against the rsETH collateral and restakes the ETH into rsETH which is then deposited as collateral, except it turns out rsETH used a cross-chain bridge called LayerZero whose security is held together by a 1/1 toothpick, which was obviously hacked by north koreans causing rsETH to become undercollateralized and now these looping positions are stuck and unprofitable, and everyone is pointing fingers at each other, and also DeFi is a very serious industry"
"you are 100% correct, dave"
jfc.
Ologai | Umbrella Finance ☂️ retweeted
Michael Egorov @newmichwill
So let me start. DeFi is the future of the World Financial System. That's my belief, and this is why we are here.

This amount of absolutely preventable hacks we see in DeFi (with root causes attributable to CENTRALIZED points of failure) is enormous recently. This damages our industry, and I build for this industry. So I cannot remain silent.

Imagine an average grandma (mass adoption is here?) putting her life savings on Aave. And then BOOM, she cannot withdraw her funds on Monday. Aave (the biggest DeFi protocol btw) said it's operating as intended - just rsETH got exploited. rsETH said that all code is safu - just LayerZero bridge got hacked. LayerZero (the biggest bridge securing quarter of a trillion $) said that everything operating as intended. Yet, she cannot withdraw her funds. WTF? Are we industry of clowns?

But here's the thing. All issues like this should be prevented BEFORE they happen, not AFTER. Number of single points of failure should be reduced, not increased. When these points of failure are unavoidable - trust should be split. If there's a reliance on infrastructure - we should share best practices how to configure it. Not to mention that code should be very well checked - everyone gets that already.

We should probably come together and develop safety standards for DeFi. How to build safely, and how to verify safety. Probably everyone should bring their best practices, and the projects, auditors and risk assessment groups should know them. Maybe we need @ethereumfndn and @SolanaFndn bringing all the ecosystem projects to participate and come up with principles, rules and recommendations of safe building. And, perhaps, we can even learn something about protecting the few remaining centralized points of failure from traditional finance who have many more of those.

DeFi will win
Patrick Scott @patfscott
What do you guys think is behind the sudden surge in crypto hacks? A few possibilities:
- AI is advancing hacking capabilities faster than security. Not just identifying exploits, but social engineering through deepfakes. I know people that have been targeted.
- Groups using all their known exploits before Mythos drops.
- Engineers in crypto no longer see a legal path to making money.
Jeremy @Jeremybtc

Kelp DAO appears to have been exploited for $293 MILLION in the last hour, making it the biggest DeFi hack of 2026. And it's far from being the only one this month. Over $600M stolen from DeFi in the last 2 weeks across over 10 different protocols, and AI is only making it easier for hackers.
> Kelp DAO: attacker exploited the LayerZero bridge to drain 116,500 rsETH ($293M), then used it as collateral on Aave to borrow ETH, leaving Aave with bad debt as $AAVE dumps.
> Drift Protocol: $285M drained by North Korean hackers using AI powered social engineering, they spent months building trust with insiders before executing in 12 minutes.
> Rhea Finance: $18M stolen through fake token pools that tricked the protocol's oracle into approving withdrawals.
> Grinex: $15M stolen, sanctioned Russian exchange suspended all operations and blamed "Western intelligence".
> Hyperbridge: attacker minted 1 billion fake bridged DOT with a notional value over $1B, but only extracted about $237K because liquidity was thin.
> BSC TMM pool: $1.67M drained through reserve manipulation.
> Aethir: $423K lost in an access control exploit on their GPU network.
> Dango: $410K stolen through a smart contract bug in their bridge aggregator.
> Silo Finance: $392K gone from a misconfigured oracle.
> CoW Swap: frontend hijacked through DNS attack, site redirected to a phishing page.
> Zerion: hit by North Korean social engineering, credentials stolen.
The attack surface is expanding faster than the defenses. This is only going to get worse.

Ologai | Umbrella Finance ☂️
I'm at the point where I prefer to have AI review my code (yes, I went old school and still wrote my code) rather than a human. Some false positives, but also many true positives.
Ologai | Umbrella Finance ☂️
@DefiIgnas What are the centralized oracles you mention? Chainlink is decentralized afaik. There are some lending protocols out there that do not rely on external oracles, including my own. Can I DM you?
Ignas | DeFi @DefiIgnas
Crypto gave up building real DeFi years ago. What we have now is onchain finance. For me real DeFi means:
- no admin keys that can modify or upgrade contracts (most are upgradable projects)
- no multisig that can pause withdrawals, block addresses (like Hyperliquid)
- no centralized oracle feed or offchain dependencies that a single provider can manipulate (Aave falls here)
And no governance token concentration that lets one entity do whatever it wants.
In this sense only Uniswap falls under pure DeFi. Perhaps Curve too. Even OG MakerDAO had dependency on oracles but pivoted to pure onchain finance protocol. Or Reflexer's RAI that didn't target direct $1USD peg needed oracle. Liquity V1 was a good try but still needed oracles.
a16z vision of 'progressive decentralization' was a right one, but we gave up on it. So blaming Drift for not being DeFi is true, but basically nothing is.
Ologai | Umbrella Finance ☂️
@Only1temmy From the user perspective, safety is better of course. But from the protocol perspective, it needs to keep adding features to remain competitive. How to balance that? Creating new contracts and asking everyone to migrate from old to new contracts is not great either.
𝕋𝕖𝕞𝕞𝕪🦇🔊
i can't stop thinking about the drift protocol hack. not because of the $280m. we've seen big numbers before. i can't stop thinking about how it happened. and what it says about everything we're building. on april 1st, while people were posting jokes, an attacker drained $280 million from drift protocol in minutes. the team had to literally tweet "this is not an april fools joke." but this didn't start on april 1st. it started on march 23rd. that's when the attacker created four durable nonce accounts. two tied to drift's own security council multisig members. two controlled by the attacker. quietly. no alarms. no flags. on march 27th, drift migrated their security council due to a routine member change. by march 30th, the attacker had already compromised a signer on the new multisig too. then on april 1st, they executed. a test transaction first. then one minute later, two pre-signed transactions fired four slots apart. admin takeover. withdrawal limits removed. a malicious asset introduced. every vault drained. jlp. sol. btc. usdc. over 15 tokens gone. the entire thing took minutes. this wasn't a bug. this wasn't a smart contract exploit. this wasn't a flash loan or an oracle manipulation. drift's own report confirms it (you can check @DriftProtocol's latest to confirm). no compromised seed phrases. no code vulnerability. this was social engineering. the attacker got 2 out of 5 multisig signers to approve transactions they didn't fully understand. used durable nonces to pre-sign them. then waited. patiently. for over a week. two signatures out of five. that was the security standing between users and $280 million. two out of five. i keep coming back to that number because this is the part that should make everyone uncomfortable. not the hack itself. the architecture that made it possible. we've seen this before. we've seen this so many times. bybit. $1.4 billion. 
the attacker compromised the signing infrastructure and tricked signers into authorizing malicious transactions. same concept. social engineering. not code. ronin bridge. $625 million. compromised validator keys. same story. cetus protocol. $223 million. different method but same result. hundreds of millions gone. in 2025 alone, $3.4 billion was stolen in crypto. and the pattern is almost always the same. not brilliant code exploits. not zero-day vulnerabilities. someone was tricked. a key was exposed. a human made a mistake. only 19% of hacked protocols even used multi-sig wallets. and the ones that did, like drift, got beaten anyway. because the weakest link was never the code. it was always the person holding the key. now here's what makes me angry. i've seen people dunking on solana over this. blaming svm. questioning the entire chain. the same thing happened after bybit when people started questioning evm and ethereum's security model. this is not a solana problem. this is not an ethereum problem. this is not chain-specific at all. drift's own report says it clearly. the programs and smart contracts worked exactly as designed. the chain did what it was supposed to do. a human was tricked into signing something they shouldn't have. that can happen on any chain. any protocol. any ecosystem. pointing fingers at solana is a deflection. and it's net negative for the entire space because it distracts from the real conversation we need to have. which brings me to circle. nine days before the drift hack, circle froze 16 business wallets overnight. legitimate companies. crypto exchanges. forex platforms. payment processors. no criminal charges. a sealed civil lawsuit that nobody could even read. no advance warning. businesses woke up and couldn't process payments, couldn't settle trades, couldn't serve their customers. zachxbt called it "potentially the single most incompetent freeze" he'd seen in over five years of investigations. 
one of the frozen wallets wasn't even a business. it was a dfinity bridge contract used by thousands of users who had nothing to do with the case. then nine days later, $280 million is being drained from drift in real time. the attacker is converting stolen tokens through jupiter, bridging them to ethereum, moving funds through circle's own cross-chain transfer protocol. and the freeze didn't come fast enough. so circle can shut down 16 legitimate businesses overnight for a civil case. but a quarter billion being actively stolen through their own infrastructure? different speed. i'm not saying circle is the villain here. i'm saying the system is broken in ways that should concern everyone. now think about who's actually affected by drift. it's not just traders. protocols are built on top of drift. neobanks integrate with defi infrastructure. real customers with no idea what a multisig even is woke up and saw they couldn't access their money. some platforms said user funds are safe. but nobody could withdraw. your money is "safe" but you can't touch it. think about what that feels like for someone who just wanted a better savings rate. i know what it feels like on a smaller scale. i lost $5,000 to social engineering. it's nothing compared to $280 million. but the feeling is the same. that moment when you realize the funds are gone and there's nothing you can do. it doesn't scale with the dollar amount. it's the same pit in your stomach whether it's $5k or $280m. and here's the question i keep circling back to. we say defi is the future. we say we're going to onboard the next billion users. we say this technology will replace traditional finance and bank the unbanked and give people financial sovereignty. but how do we onboard millions of people into a system where a social engineering attack can drain a quarter billion dollars in minutes? where 2 out of 5 signatures is considered security for $280m? 
where the attacker sets up wallets two weeks early, runs a test transaction, and nobody notices? where circle can freeze legitimate businesses overnight but can't stop a live heist fast enough? where the same attack, the same playbook, the same human error keeps happening year after year after year? ronin. bybit. cetus. now drift. same cause. different name. different chain. same result. defi doesn't have a code problem. it has a people problem. and we keep solving for the code. i haven't interacted with a protocol in a while. i like money. but i love safety more. and right now this space is asking me to choose between the two. security can't keep being the last conversation. it can't keep being the thing we talk about after the hack and forget about before the next one. it has to be the first priority. not the last. because right now we're not ready for the next billion users. we're barely keeping the ones we have safe.
Ologai | Umbrella Finance ☂️
Great stuff. Just search Google to find the url.
aaaaaaaaaaway @3pa15

Inspired by @cartoonitunes' work with @EthereumHistory, I've been digging into contracts from the 2015-2019 era to find ETH that's still withdrawable but has no active frontend and isn't tracked by Debank or other portfolio trackers. 116 contracts, 76,000+ ETH, 516k depositors with claimable balance. Built Forgotten ETH to help people recover it 👇

Ologai | Umbrella Finance ☂️ retweeted
Curiosity @CuriosityonX
This Man Trusted Physics By Being Ejected At 80 Km/h From A Riding Truck Running At 80 Km/h 🤯
Ologai | Umbrella Finance ☂️ retweeted
D2 Finance @D2_Finance
🚨 @ResolvLabs USR just got exploited: here's the full on-chain breakdown
h/t @yieldsandmore who flagged this first | data via @ArkhamIntel

An attacker deposited 100K USDC into Resolv's USR Counter contract via requestSwap and received 49,950,000 USR back (~$39M). That's a 500× overcredit on a $100K deposit. The minting function is broken.

On-chain receipts:
→ 100,000 USDC sent to Resolv: USR Counter (0xa27a...5861)
→ 50,000,000 USR minted from null address to Counter
→ 49,950,000 USR forwarded to attacker (0x04A288a7...caEd)
→ 100,000 USDC sent to intermediary (0xacB7027f...2b8e)

The _targetAmount in the input data reads: 50,000,000,000,000,000,000,000,000 (50M × 10^18)

The requestSwap → completeSwap is a 2-step async process. Either the oracle was gamed, the off-chain signer was compromised, or the amount validation between request and completion is simply missing.

The attacker's exit playbook is textbook DeFi hack cashout running at full speed:

Step 1 — Wrap USR → wstUSR to access deeper DEX liquidity
20M USR → 17.65M wstUSR
15M USR → 13.24M wstUSR

Step 2 — Dump wstUSR across every available venue
8.77M wstUSR → 9.7M USDT (KyberSwap)
2M wstUSR → 2.01M USDC (direct contract 0x04a2...caed)
1.31M wstUSR → 655K USDT (KyberSwap)
1.31M wstUSR → 148K USDT (KyberSwap — slippage getting brutal)
604K wstUSR → 568K USDT
300K wstUSR → 277K USDC (Velora)
300K wstUSR → 303K USDC (Velora)
Dozens of 100K-150K wstUSR clips through Velora at varying slippage

Step 3 — Convert stables → ETH aggressively
4.85M USDT → 2,297 ETH (contract 0xbeef...c555)
1.66M USDT → 789 ETH (Uniswap V4)
2.02M USDC → 948 ETH (MetaMask Swaps)
1.5M USDT → 703 ETH (MetaMask Swaps)
2M USDT → 938 ETH (MetaMask Swaps)
808K USDT → 384 ETH
760K USDT → 362 ETH
656K USDT → 312 ETH
370K USDT → 174 ETH

Yes @MetaMask Swaps for multi-million dollar legs 😅

wstUSR selling at $0.50-$0.88 on the dollar across different trades, with slippage worsening as liquidity drains. Multiple failed transactions visible on-chain showing the urgency.

Estimated total extraction: $25M+ and counting. The attacker is still actively dumping remaining wstUSR positions as of this post.

For context Resolv had ~$500M+ TVL, an @immunefi bug bounty of $500K, Fireblocks custody integration, and multiple audits including a Sherlock competition. Audits ≠ security. Monitoring partnerships ≠ prevention.

The core question: how did a 100K USDC requestSwap get authorized as a 50M USR completeSwap? Someone needs to explain what happened between those two steps.

@PeckShieldAlert @peckshield @SlowMist_Team @hypaboreal you may want to take a look 👀
Ologai | Umbrella Finance ☂️ retweeted
Peter Girnus 🦅 @gothburz
My net worth peaked at $1.2 million. None of it was real. I don't mean that philosophically. I mean it was located on servers that have since been turned off. I own eleven properties in the metaverse. Three in Decentraland. Four in The Sandbox. Two in Voxels. One in Otherside. And a beachfront villa in Horizon Worlds that I bought for $214,000 because Mark Zuckerberg called it "the next frontier." The frontier closed last week. It's a mobile app now. Last year I mass DM'd 340 people the phrase "you don't understand how early we are." I have since stopped doing that. Not because I was wrong. Because most of them blocked me. I got into metaverse real estate in November 2021. Everyone was buying. Someone paid $450,000 to be Snoop Dogg's neighbor. In a video game. With no legs. The avatars didn't have legs. I thought that was bullish. "The legs are coming," I told my Discord. "Legs are a roadmap item." Three hundred people reacted with rocket emojis. I called myself a "digital land baron." I put it in my Twitter bio. I put it in my LinkedIn headline. I said it on a podcast that had eleven listeners. Three of them were bots. The rest were my alts. My virtual property has more square footage than my actual apartment. My actual apartment has furniture. Location, location, location. My most valuable asset was a plot next to a virtual Gucci store. Gucci left in 2023. The store is still there. Nobody's in it. It's like a mall in Ohio but with worse graphics and no food court. I held. Diamond hands. That's what we said. "Diamond hands." It means refusing to sell while your investment loses 94% of its value. We turned financial paralysis into a personality trait. A guy in my Discord paid $2.4 million for a 618-parcel estate in Decentraland. Prime district. High foot traffic. I asked him what "foot traffic" meant when the platform had 38 daily active users. He said I didn't understand the technology. I didn't. I still bought more. We had a DAO. 
A decentralized autonomous organization. That means we voted on decisions. There were nine of us. Three never showed up. Two voted on everything without reading it. The other four were me and my alts. We voted to "acquire strategic parcels." The vote passed unanimously. I voted four times. My portfolio peaked at $1.2 million. I told everyone. I made a spreadsheet. I projected 40x returns by 2025. I made a pitch deck. The pitch deck had a slide that said "WE ARE BUILDING THE DIGITAL ECONOMY." The slide had a rocket emoji. That was my entire financial model. In 2023 I bought a Bored Ape for $189,000. It's worth $14,000 now. I don't talk about the Ape. I still use it as my profile picture. People ask me about it. I say "I'm long-term bullish." Long-term bullish means I can't sell it without crying in a Panera. My mom asked me what a Bored Ape was. I said "digital art on the blockchain." She asked why it cost more than her car. I said "you don't understand Web3." She said "I understand you live in a studio apartment." She's not in my Discord. Justin Bieber bought one for $1.3 million. It's worth about $90,000 now. I felt better about mine after I heard that. That's community. WAGMI. We're All Gonna Make It. We said that every day. In the group chat. While the floor dropped. While the volume dried up. While 95% of all NFT collections went to zero. We're all gonna make it. None of us made it. But we said it with conviction and a laser-eye profile picture. That counts for something. It doesn't. But we said it did. That's decentralized consensus. Meta spent $84 billion on the metaverse. I need to say that again. $84 billion. More than the GDP of Luxembourg. More than the GDP of Iceland, Luxembourg, and Malta combined. They spent it on a platform where the avatars had no legs, the graphics looked like a 2006 Wii game, and the peak user count was lower than the lunch rush at a Chipotle in Des Moines. They just pulled Horizon Worlds from VR headsets. 
It lives on as a mobile app. My beachfront villa is now a mobile app. Location, location, location. Zuckerberg renamed the entire company for this. Facebook became Meta. A $900 billion company changed its legal name because the CEO watched Ready Player One and said "I want that." Reality Labs lost $10 billion in 2021. $14 billion in 2022. $16 billion in 2023. $18 billion in 2024. $19 billion in 2025. That's not a strategy. That's a speedrun. They laid off 1,500 Reality Labs employees this year. Shut down three VR studios. Killed Supernatural. Put the entire VR social vision in a casket and said "we're pivoting to AI and wearables." The pivot took four years and $84 billion. I pivoted too. I'm an AI real estate investor now. I bought a virtual plot in an AI-generated world that doesn't exist yet. The founder said it was "the intersection of spatial computing and large language models." I don't know what that means. I gave him $40,000. He has a whitepaper. It's 47 pages. I read the title and the tokenomics section. The tokenomics section is a pie chart. I love pie charts. They make everything look like a plan. The project has a roadmap. Q1: "Build community." Q2: "Launch beta." Q3: "Scale ecosystem." Q4 is blank. Q4 is always blank. That's where the exit scam goes. My accountant asked me to value my metaverse portfolio for tax purposes. I said $1.2 million. He said "current market value." I said $6,400. He stared at me for eleven seconds. I know because I counted. He asked if I had any other investments. I showed him my NFTs. He stared for longer. I told him they were "cultural artifacts with long-term provenance." He asked if I'd considered a 401k. I told him a 401k was "legacy finance." He told me to leave his office. The metaverse is dead. I don't accept that. I am a digital land baron. I own eleven properties across four platforms. 
I have a beachfront villa in a mobile app, a plot next to an empty Gucci store, and a cartoon monkey that cost me more than my actual car. Location, location, location. The location is nowhere. But I'm early. I'm always early. That's the same as being wrong except you get to say it with confidence.
Ologai | Umbrella Finance ☂️ retweeted
Stani @StaniKulechov
Earlier today, a user attempted to buy AAVE using $50M USDT through the Aave interface. Given the unusually large size of the single order, the Aave interface, like most trading interfaces, warned the user about extraordinary slippage and required confirmation via a checkbox. The user confirmed the warning on their mobile device and proceeded with the swap, accepting the high slippage, which ultimately resulted in receiving only 324 AAVE in return. The transaction could not be moved forward without the user explicitly accepting the risk through the confirmation checkbox. The CoW Swap routers functioned as intended, and the integration followed standard industry practices. However, while the user was able to proceed with the swap, the final outcome was clearly far from optimal. Events like this do occur in DeFi, but the scale of this transaction was significantly larger than what is typically seen in the space. We sympathize with the user and will try to make contact with the user and we will return $600K in fees collected from the transaction. The key takeaway is that while DeFi should remain open and permissionless, allowing users to perform transactions freely, there are additional guardrails the industry can build to better protect users. Our team will be investigating ways to improve these safeguards going forward.
Ologai | Umbrella Finance ☂️ retweeted
Nebraskangooner @Nebraskangooner
This video really puts life into perspective. Don't take time with your loved ones for granted. Don't look at charts 24/7. Balance is key.
Ologai | Umbrella Finance ☂️
Another oracle related incident, this time on Aave. $27M worth of wstETH wrongly liquidated due to a safeguard configuration problem. It's a lesson that even guardrails can be a problem, with the inconvenience that they are seldom tested in prod. More info below...
Ologai | Umbrella Finance ☂️ retweeted
tedfrank @tedfrank
So the reason this Polymarket “prediction market” is performing so insanely high is because there’s a second market asking if this market will go above 5%. People in the derivative market are manipulating this market. Which defeats the public policy case for prediction markets…
Michael Egorov @newmichwill
Hacks by spot price manipulations are the Web3 analog of SQL injections in Web2. Constructing your own oracle may look simple but it is not. We at @CurveFinance will publish a small piece on how to avoid common errors when rolling your own oracle. This is not something to do "real quick". Ask your auditor or contact @CurveFinance when in doubt if your integration code is safe
Makina @makinafi

x.com/i/article/2014…
