punk3959.eth 🦇🔊

1.6K posts

@punk3959_eth

believe in somΞTHing

Ethereum
Joined September 2024
240 Following, 67 Followers
Pinned Tweet
punk3959.eth 🦇🔊 @punk3959_eth ·
Eventually focus will shift to fundamentals.
0
1
5
1.6K
punk3959.eth 🦇🔊 @punk3959_eth ·
@aave @MikeSilagadze @LlamaRisk There is a third scenario to consider: Do not wait for scenario 1 or 2 to get decided by a third party. Change the oracle to a USD based one and let the market decide the value on L1 and L2s. Then you do not need to pause Umbrella and will be able to fix this mess more timely.
0
0
2
734
Aave @aave ·
Update on rsETH incident: @LlamaRisk has published a report outlining the rsETH incident, the immediate actions taken, its impact on Aave, and potential paths forward. All service providers have been working to assess the two potential bad debt scenarios on the Aave protocol. Aave DAO service providers are also leading an effort with ecosystem participants to address any bad debt. This effort already has several indicative commitments from various parties and we are grateful for the strong support we have received so far. We will share further updates as we have them. In the meantime, the full report can be read here: governance.aave.com/t/rseth-incide…
203
226
1.1K
251.3K
punk3959.eth 🦇🔊 retweeted
William Mougayar @wmougayar ·
The Ethereum "receipt". (past month snapshot)
10
19
144
4.5K
punk3959.eth 🦇🔊 retweeted
1inch @1inch ·
Calling all ETH lenders locked on Aave. We have built a way to exit to any token. While Fluid provides redemption to wstETH/weETH, via our Pathfinder algorithm, you can swap aEthWETH directly into the asset of your choice. aWETH → any token on t.co/Ww06FSqqd4 in one click if you're still stuck.
34
31
222
39.4K
punk3959.eth 🦇🔊 retweeted
Prince @0xPrince ·
What likely happened: attacker got deep access to LayerZero's RPC nodes. Planted fake data that only the DVN could see while everything else looked normal. Knocked out the honest RPCs with DDoS so the DVN had no choice but to read from the poisoned ones. DVN saw a fake transaction, verified it, bridge released the rsETH. What LZ still hasn't explained is how the attacker got deep enough into their RPC nodes to replace binaries and delete logs. That's root level access. The entry point is the real story here and the post skips it entirely. Now the big question, would 2/2 DVN have prevented this? If the second DVN runs on completely different infra and different RPC providers, yes. Attacker would need to compromise two separate systems independently. Much harder. If the second DVN uses similar infra or same RPC providers, no. Same attack just needs to be done twice. More DVNs alone doesn't fix anything if they all run on similar infrastructure.
LayerZero @LayerZero_Core

x.com/i/article/2046…

10
7
118
13.3K
punk3959.eth 🦇🔊 retweeted
donnoh.eth 💗 @donnoh_eth ·
i wish that @aave deployments on L2s, going forward, will decide to only accept native or canonical bridged assets and avoid third party bridged assets entirely

“but muh ux, 7d withdrawals bad”

yes but -100% overnight more bad
9
12
142
7.1K
punk3959.eth 🦇🔊 retweeted
Rocket Pool @Rocket_Pool ·
Rocket Pool has not been impacted by the recent Kelp rsETH incident. rETH continues to be fully backed by staked ETH and has no LayerZero bridging exposure.
8
8
46
1.4K
punk3959.eth 🦇🔊 retweeted
Omid Malekan @malekanoms ·
Despite everything that's happened in recent days I'm as bullish on the idea of decentralized finance as ever.

That's not cope or me making light of current events, this KelpDAO exploit is ugly and still ongoing. It calls into question a lot of the core designs of DeFi, starting with how protocols appraise the risk of derivative and bridged assets.

But if "shit blowing up in a crisis" was reason enough to abandon a financial primitive then there'd be no banking system. There'd also be no debt, equity, derivatives, or insurance. And there definitely wouldn't be any money, seeing how most of the currencies that have ever existed "blew up in a crisis".

My bullishness on DeFi stems from a core belief that handing important decisions to code, cryptography, and consensus leads to a safer financial system than handing it over to blokes, bankers, and bureaucrats.

But we need to be a lot better and a hell of a lot more prudent to achieve that vision.
10
11
75
3.4K
Mike Silagadze🛡 @MikeSilagadze ·
When we designed the cross chain system for @ether_fi we spent a lot of time to ensure the core asset doesn’t get rekt in case of L2 or bridge issues. Rate limits everywhere. Multiple DVNs. Hypernative active monitoring. Seeing these kinds of hacks really pisses me off.
24
16
421
28.6K
punk3959.eth 🦇🔊 retweeted
⟠ @ryanberckmans ·
the great news is that pretty much all of this is totally preventable

ethereum and ETH are rapidly growing to global ubiquity. this doesn't change that one bit

future defi solutions won't make these amateur errors (they'll eventually seem like amateur errors... already do to many experts)

attacker supremacy from AI won't last, it's working through a backlog of exploits. the limit result will be much permanently more secure protocols and eth's neutrality and capital gravity well will be more valuable than ever

if you have ETH lent in aave, imo you should get out right now by using onchain limit orders to sell to whale loopers who are actively buying aETH unwind leverage. you can take as little as a 1.1% haircut based on ongoing txns in mid 6-figs, which is much lower than some estimates of final socialized losses.

why can ETH lenders take only a 1.1% haircut now? because loopers want to avoid liquidation from high rates caused by 100% utilization. on the bad debt side, loopers actually win from socialized losses because their debt token (aETH) is the one taking the haircut, so they'd owe less in ETH terms.

the most remarkable thing in this crisis is clearly that billions of dollars in backbone eth lending on aave were in fact exposed to signer risk in a 3rd party bridge... effectively some random downstream fellow was actually an aave admin.

aave additionally has negligently low borrow rates during 100% utilization, leading to extremely dangerous illiquidity. what if ethusd crashed for any reason... eg. if stocks were open and a politician said the wrong thing, btc goes down 5%, eth goes down 8%... this can lead to broader contagion and bad debt.

protocols and their teams like fluid (who've had low level dynamic withdrawal rate limits in protocol from day 1 so can't be insta drained) and spark (who seem to have excellent scientific gov and no exposure for eth lenders to 3rd party bridge admins) deserve respect and attention for doing what they knew was right and possible even before the ecosystem had a forcing function to care about it. same goes with other kinds of security practices that are still fringe, maybe including formal verification and ipfs hashes for frontends

nearly 24h since the attack, the lack of material updates from affected protocols, including kelp, layerzero, and aave, suggests to me the ongoing severity of the situation. many factors are in play, there's probably no great solution, somebody is going to lose big

is just the bridged rsETH (that arguably took bridge risk intentionally) fully on the hook for the bridge failure, and L1 rsETH should be unaffected? however L1 rsETH *was* affected due to gov choices in aave.

does aave's junior debt program, umbrella, take the full wipeout? however umbrella's terms & conditions say they have no bridge risk, which aave gov effectively violated without umbrella holders realizing it.

does layerzero bear responsibility for allowing their users to be subject to terrible admin config in one of their ecosystem bridges?

i'm probably missing aspects here, it's very messy.

Just Use Aave is dead... nobody is going to Just Use Anything anymore

the future of this industry is to do the smart obvious stuff even when it's unpopular, like withdrawal rate limits, better interest rate gov, avoiding toxic market share steroids like degen bridge looping affordances. and for 10x better user recognition and higher standards around protocol hygiene and security differentiation.

degen stuff is fun and amazing but only when you understand the true risks

in sum, if you are lending ETH in aave, get out now at a ~1.1-1.5% haircut by selling to loopers actively unwinding because when the dust settles, a material haircut for Aave v3 ETH lenders is a possibility

ethereum and ETH are growing well to global ubiquity and will be massive net beneficiaries of our industry successfully navigating this crisis season of backlogs of exploits discovered by AI and preventably poor practices in defi architecture/gov. trillions await
22
27
235
16.3K
punk3959.eth 🦇🔊 retweeted
Michael Egorov @newmichwill ·
Those who say "crypto is dead" or "DeFi is dead" don't know what they are talking about. Banks never operated in such harsh conditions, and they always get saved by the Big Printer. As a result, their infra is horrifically bad. In DeFi, we have to make sure that our stuff is solid, and only the fittest survives
105
180
1.4K
126.4K
punk3959.eth 🦇🔊 @punk3959_eth ·
.@ether_fi please act accordingly to this bridge hack

Make sure that weETH on mainnet will never ever be at risk again cause of third party bridges. Canonical bridges are the only way to go

You should submit a proposal as soon as possible to avoid capital flight @MikeSilagadze
0
0
0
213
punk3959.eth 🦇🔊 retweeted
Sergej Kunz @deacix ·
I'm a WETH provider on @aave watching my position go negative after the @KelpDAOxyz rsETH exploit. Can't withdraw — 100% utilization.

Every failure here is a feature of shared-pool variable-rate lending:
• One bad collateral listing impairs the whole WETH reserve
• Slope2 punishes borrowers trapped when whales exit first
• DAO votes move slower than collateral can lose its backing
• First-come-first-served exits reward informed capital
• Umbrella socializes losses onto suppliers who never approved the listing

The architecture that fixes all of this already has its primitives deployed: Event-driven intent-based lending with fixed rates and P2P matching.

Lenders sign intents specifying collateral, LTV, rate, duration, and event triggers. Borrowers sign symmetric intents. Solvers match. Custody stays with the user until atomic settlement.

No shared pool. No slope2. No slow governance. No socialized loss. Each loan is a discrete contract.

We solved this pattern for spot trading with 1inch Fusion. Lending is next.
28
23
325
107K
punk3959.eth 🦇🔊 retweeted
Zach Rynes | CLG @ChainLinkGod ·
I think people vastly underestimate just how centralized most token bridges built on LayerZero are

The most common config is a 2 DVN validator minimum threshold, with LayerZero Labs’ DVN often being one of them

That’s just two entities required to sign off on a cross-chain transfer

Stargate, the liquidity bridge built on LayerZero, is one such example of a 2-of-2 threshold config

The second most common config is a 1 DVN minimum threshold (like Kelp $rsETH)

That’s literally just one entity required to sign off on a cross-chain transfer

The number of configs requiring more than 3 DVN validators to sign off on a transfer is basically a rounding error

And as I’ve noted before, most DVNs (including the most commonly used) are not actually decentralized despite the name

“Decentralized Verifier Network” is marketing psyops, they’re typically a single validator operated by a single company

This is what systemic risk in DeFi looks like
Lodzhal @Lodzhal

🧵 Let's look at how many DVNs are required for your stablecoins or liquid restaked ETH assets that bridge using LayerZero. We learned Kelp only used LayerZero Labs as their 1/1 required DVN. It would also be relevant who the DVNs used are but we'll focus on just count for now.

36
50
504
70.8K
punk3959.eth 🦇🔊 retweeted
deKirill @kir_varlamov ·
@banteg the formula: list a cross-chain token as collateral, and you're listing the bridge's trust assumptions as collateral
1
4
48
8.6K
punk3959.eth 🦇🔊 retweeted
suppression @suppression___ ·
I will continue to store my wealth in $ETH
12
14
138
2.2K
punk3959.eth 🦇🔊 retweeted
Liquity @LiquityProtocol ·
The 'risk-free' rate in DeFi is T-Bills wrapped in centralized risk.

Yet, yield-bearing BOLD yields 2.5% higher. With none of the tradeoffs.

- No admin keys.
- No counterparties.
- No freezability.
- No governance

All onchain on a decentralized dollar.

link to deposit 👇
14
8
38
1.6K
punk3959.eth 🦇🔊 @punk3959_eth ·
@solana @eigencloud .@eigencloud retweeting scamlana tweets and @gajesh mentioning soylana as single payments layer in his docs. Hm perhaps my trust and faith the past years wasn’t worth it. To be clear there is no reason to support anything outside the EVM. Did these bastards buy you?
0
0
0
48
Gajesh @gajesh ·
@LeanKinPrazli experience for most ppl have been stable. we have a coordinator which finds providers and if someone drops in the middle - we find a new one. it can work with openclaw— any OpenAI compatible endpoint
2
0
3
85
punk3959.eth 🦇🔊 retweeted
Superset @SupersetFinance ·
Introducing @Arbitrum as the Superset hub chain. This is the logical choice to align security, speed, cost and liquidity, and ensure unified stablecoin execution infrastructure works. It's time FX came onchain 🤝
9
12
68
13.7K