Jannik Schmiedl
340 posts
@skinnaj
Co-Founder & CTO @StakingRewards. Sending @looping_col to the 🌕
Hamburg, Germany · Joined January 2012
1.3K Following · 453 Followers
Staking Rewards@StakingRewards·
Euro-denominated DeFi is quietly becoming real enough to rate. 4 Euro products rated in one week:
· @aave EURC: A- ($69M)
· @aave EURe Gnosis: BB+ ($23M)
· @Morpho EURCV: BB- ($35M)
· @Morpho EURC Core: BB- ($4M)
Small TVL. But a year ago this list didn't exist. 👇 stakingrewards.com/defi
Sam MacPherson@hexonaut·
DeFi needs an open-source and collaborative risk framework. Major protocols with centralized control must use best practices for OpSec, and the risk framework should reflect this in the underwriting process. Most want this from my discussions at @EthCC. Let's make it happen.
Jannik Schmiedl@skinnaj·
@hasufl @seanlippel Our rating monitoring picked up some protocols updating their signing thresholds post-Drift. Some even updated timelock delays. Fingers crossed that trend accelerates.
Jannik Schmiedl reposted
Digital Asset Yield Summit@Yield_Summit·
Last Chance to Speak at Digital Asset Yield Summit Miami! The Miami agenda is nearly set. A few speaker slots remain for industry leaders with a genuine perspective on digital asset yield. If you've been meaning to apply, this is the moment. The Digital Asset Yield Summit is an invite-only forum for institutional capital allocators and the firms that serve them. 300 attendees. Every attendee is reviewed. Every session is relevant. Every introduction is intentional. We want to hear from you if you have something insightful to say about digital asset yield, staking, tokenisation, credit markets, fixed income, stablecoins, Bitcoin yield, custody, compliance, or regulation. Speaker applications are now open for all cities in the 2026 DAYS series:
· Miami, May 4 (closing soon!)
· New York, 11 June
· Singapore, 5-6 October
· Abu Dhabi, December 2026
· Zurich, January 2027
🔗 Apply to speak ↓
Keone Hon@keoneHD·
Admin Audit: a new kind of audit that only audits protocols from the perspective of multisig configuration, presence of timelocks on dangerous functions, use of cold devices for signing, multisig signing procedure, etc. Smart contract audits tend to focus on contract logic while treating admin roles as trusted. They might flag suboptimal configurations, but ultimately the pass/fail is based on presence of logic bugs. An Admin Audit would be the exact opposite - only focused on asking the question "what happens if multisig members get compromised" and "does the team follow best practices that substantially reduce the odds of compromise". Protocols would need to get both a smart contract audit and an admin audit - users would demand both. The admin audit would be substantially cheaper than the smart contract audit since the best practice is well-defined and issues are obvious, whereas smart contract audits are looking for needles in haystacks. Ecosystem foundations could subsidize these - for example, if a reputable firm offered these, we at the Monad Foundation would be happy to subsidize. Admin audits would capture a lot of the low-hanging fruit. Realistically, many of the huge hacks in the history of DeFi have been admin compromise rather than logical bugs. If you are building this, please reach out.
binji@binji_x·
This is a good idea. If anyone is building this, please reach out. Ideally make it a part of the “@l2beat of DeFi.” I am sure multiple ecosystems can come together to fund this. If not, and it happens in a siloed fashion, that would be really lame.
(quoting Keone Hon@keoneHD's post above)
donnoh.eth 💗@donnoh_eth·
i’ve seen many people asking for a @l2beat for DeFi, which i completely agree should exist. but i very much warn you against trusting any quickly vibecoded project like the one below as they are trivial to exploit and actually dangerous. assessing the counterparty risk of a project is a majorly complex task that requires much more thought and tooling than just looking at surface-level proxy upgradability. goodhart’s law is real and we see it all the time. you want to look good in the dashboard below with no meaningful change? just add dummy addresses in your multisig, all saved on your laptop. 10/12? easy. the website starts to track timelocks too? easy, add a 30d timelock but also add a function to pause the protocol so that no one can exit anyway. there’s some standard way to detect pause capabilities? there are a million ways to effectively but subtly implement a pause through param tweaks. anything that looks at less than the entirety of the codebase is simply not good enough and actually dangerous, as it gives people a false sense of security. there is a reason why at @l2beat we are a team of *19 people*, with the research team being 5 people and the rest being mostly engineers building sophisticated tools for internal use and the public to self-assess the risk if you don’t trust us. we have years of experience doing this job and we’ve seen them all. if you are *actually* serious about building this, DM me and we’ll be happy to help. but please don’t build things that put users more at risk than they already are.
Emilio^@The3D_·
@hasufl When we introduced all of this, we got the worst pushback saying that’s not DeFi. Guess we weren’t wrong, huh?
Hasu⚡️🤖@hasufl·
Every DeFi protocol should have:
1. Circuit breakers for deposits and withdrawals, and possibly other internal operations as well
2. Timelocks for any change
3. Security councils that can shut down protocols immediately
We don't need insurance, we need to start doing the ffcking basics correctly. It's too early for this space to drive without any training wheels. I beg you, sacrifice a tiny bit of UX to gain a lot of peace of mind. The worst possible UX is losing your users' money.
Jannik Schmiedl@skinnaj·
@zacxbt The majority of hacks are not code exploits but operational failures or setup mistakes. The auditor does not check if the protocol uses a 2/5 or a 5/8 admin multisig.
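The admin-audit checklist Keone Hon sketches above (multisig quorum, timelocks on dangerous functions, cold signing devices), Hasu's three basics (circuit breakers, timelocks, a pause-only security council), the 2/5 vs 5/8 comparison in the post just above, and donnoh's warning that a naive dashboard is gamed by dummy signers and a timelock-skipping pause can all be expressed as concrete checks. The following Python checker is an added example written for this page; it is not code from any of the posters, from Staking Rewards, or from L2BEAT. Every field name, the 24-hour minimum delay, the "minority quorum" rule, and the three sample configurations are assumptions constructed for illustration, not any rating firm's actual methodology.

```python
from __future__ import annotations
from dataclasses import dataclass

# Constructed example: a minimal "admin audit" checker. All names, thresholds and
# sample configurations below are assumptions for illustration, not a published method.


@dataclass(frozen=True)
class Signer:
    label: str          # constructed label, not a real on-chain address
    cold_device: bool   # signs from a hardware / cold device
    independent: bool   # distinct operator, not a spare key on the same laptop


@dataclass(frozen=True)
class AdminConfig:
    protocol: str
    signers: tuple[Signer, ...]
    threshold: int                    # k in a k-of-n multisig
    timelock_delay_s: int             # delay before a queued admin action executes
    timelock_bypass: tuple[str, ...]  # privileged functions that execute without the delay
    circuit_breakers: bool            # limits on deposits / withdrawals
    guardian_pause_only: bool         # security council can halt, but not move funds


SEVERITY_RANK = {"critical": 3, "high": 2, "medium": 1}
MIN_DELAY_S = 24 * 3600  # assumed minimum acceptable timelock delay


def audit(cfg: AdminConfig) -> list[tuple[str, str]]:
    """Return (severity, message) findings for one admin configuration."""
    findings: list[tuple[str, str]] = []
    n, k = len(cfg.signers), cfg.threshold
    if not 1 <= k <= n:
        return [("critical", f"threshold {k} of {n} signers is not satisfiable")]

    # Dummy signers do not count: the quorum must be reachable by independent operators.
    independent = sum(s.independent for s in cfg.signers)
    if independent < k:
        findings.append(("critical", f"only {independent} independent signers for a {k}-of-{n} quorum"))

    if k == 1:
        findings.append(("critical", "a single key controls the admin role"))
    elif 2 * k <= n:  # e.g. 2-of-5 is flagged, 5-of-8 is not
        findings.append(("high", f"{k}-of-{n} quorum: a minority of signers can act"))

    hot = sum(not s.cold_device for s in cfg.signers)
    if hot >= k:
        findings.append(("critical", f"{hot} hot-wallet signers can reach the {k}-of-{n} quorum alone"))
    elif hot:
        findings.append(("medium", f"{hot} signer(s) do not use cold devices"))

    if cfg.timelock_delay_s < MIN_DELAY_S:
        findings.append(("high", f"timelock delay {cfg.timelock_delay_s}s is below {MIN_DELAY_S}s"))
    if cfg.timelock_bypass:
        findings.append(("high", "functions bypass the timelock: " + ", ".join(cfg.timelock_bypass)))
    if not cfg.circuit_breakers:
        findings.append(("high", "no circuit breakers on deposits / withdrawals"))
    if not cfg.guardian_pause_only:
        findings.append(("high", "guardian / security council can do more than pause"))
    return findings


def worst(findings: list[tuple[str, str]]) -> str:
    """Highest severity present, or 'none' when there are no findings."""
    return max((sev for sev, _ in findings), key=SEVERITY_RANK.__getitem__, default="none")


# Constructed sample configurations (labels are placeholders, not real protocols).
WEAK = AdminConfig(
    protocol="constructed-weak",
    signers=tuple(Signer(f"w{i}", cold_device=i < 2, independent=i < 3) for i in range(5)),
    threshold=2, timelock_delay_s=0, timelock_bypass=("setOracle",),
    circuit_breakers=False, guardian_pause_only=True,
)
STRONG = AdminConfig(
    protocol="constructed-strong",
    signers=tuple(Signer(f"s{i}", cold_device=True, independent=True) for i in range(8)),
    threshold=5, timelock_delay_s=48 * 3600, timelock_bypass=(),
    circuit_breakers=True, guardian_pause_only=True,
)
# The dashboard-gaming case: 10-of-12 with dummy keys, plus a pause that skips the timelock.
GAMED = AdminConfig(
    protocol="constructed-gamed",
    signers=tuple(Signer(f"g{i}", cold_device=True, independent=i < 3) for i in range(12)),
    threshold=10, timelock_delay_s=30 * 24 * 3600, timelock_bypass=("pause",),
    circuit_breakers=True, guardian_pause_only=True,
)

if __name__ == "__main__":
    for cfg in (WEAK, STRONG, GAMED):
        print(cfg.protocol, "->", worst(audit(cfg)))
        for sev, msg in audit(cfg):
            print("   ", sev, msg)
```

The point of the `independent` flag and the `timelock_bypass` list is that a raw "10/12 with a 30-day timelock" looks good on a dashboard yet still scores critical here; any real checker would need the per-signer and per-function evidence those fields stand in for, which is exactly the work the posters say cannot be automated away.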
GEE-yohm LAMB-bear@guil_lambert·
We need an L2BEAT for DeFi
Quoting chainyoda@chainyoda:
Is there a @Blockworks DeFi transparency framework that would allow users to check that @DriftProtocol had over half a billion sitting on a 2/5 multisig with no delay? DeFi’s primary value proposition is pitched as transparency by advocates who don’t use DeFi at all.
chainyoda@chainyoda·
(the post quoted above)
Omer Goldberg
Omer Goldberg@omeragoldberg·
1/ Drift's admin key was compromised. $213M+ drained from @solana's largest DEX in under 10 seconds. Unfortunately, we've seen similar patterns before: - fake collateral market - a manipulated oracle - disabled circuit breakers Let's break it down 👇 written w/ Chaos AI
Jannik Schmiedl@skinnaj·
ECDSA (public keys) and BLS12-381 (ETH PoS consensus) are cooked - ~10% chance of breakage by 2032. Even RSA (HTTPS) is rekt, but needs significantly more compute so it buys time. SHA (hashing) and AES (encryption) are essentially unaffected. This puts massive pressure on crypto specifically, as the argument that “when quantum breaks crypto, the rest of the internet is at risk too” no longer holds.
Quoting Justin Drake@drakefjustin:

Today is a momentous day for quantum computing and cryptography. Two breakthrough papers just landed (links in next tweet). Both papers improve Shor's algorithm, infamous for cracking RSA and elliptic curve cryptography. The two results compound, optimising separate layers of the quantum stack. The results are shocking. I expect a narrative shift and a further R&D boost toward post-quantum cryptography.

The first paper is by Google Quantum AI. They tackle the (logical) Shor algorithm, tailoring it to crack Bitcoin and Ethereum signatures. The algorithm runs on ~1K logical qubits for the 256-bit elliptic curve secp256k1. Due to the low circuit depth, a fast superconducting computer would recover private keys in minutes. I'm grateful to have joined as a late paper co-author, in large part for the chance to interact with experts and the alpha gleaned from internal discussions.

The second paper is by a stealthy startup called Oratomic, with ex-Google and prominent Caltech faculty. Their starting point is Google's improvements to the logical quantum circuit. They then apply improvements at the physical layer, with tricks specific to neutral atom quantum computers. The result estimates that 26,000 atomic qubits are sufficient to break 256-bit elliptic curve signatures. This would be roughly a 40x improvement in physical qubit count over previous state-of-the-art. On the flip side, a single Shor run would take ~10 days due to the relatively slow speed of neutral atoms.

Below are my key takeaways. As a disclaimer, I am not a quantum expert. Time is needed for the results to be properly vetted. Based on my interactions with the team, I have faith the Google Quantum AI results are conservative. The Oratomic paper is much harder for me to assess, especially because of the use of more exotic qLDPC codes. I will take it with a grain of salt until the dust settles.

→ q-day: My confidence in q-day by 2032 has shot up significantly. IMO there's at least a 10% chance that by 2032 a quantum computer recovers a secp256k1 ECDSA private key from an exposed public key. While a cryptographically-relevant quantum computer (CRQC) before 2030 still feels unlikely, now is undoubtedly the time to start preparing.

→ censorship: The Google paper uses a zero-knowledge (ZK) proof to demonstrate the algorithm's existence without leaking actual optimisations. From now on, assume state-of-the-art algorithms will be censored. There may be self-censorship for moral or commercial reasons, or because of government pressure. A blackout in academic publications would be a tell-tale sign.

→ cracking time: A superconducting quantum computer, the type Google is building, could crack keys in minutes. This is because the optimised quantum circuit is just 100M Toffoli gates, which is surprisingly shallow. (Toffoli gates are hard because they require production of so-called "magic states".) Toffoli gates would consume ~10 microseconds on a superconducting platform, totalling ~1,000 sec of Shor runtime.

→ latency optimisations: Two latency optimisations bring key cracking time to single-digit minutes. The first parallelises computation across quantum devices. The second involves feeding the pubkey to the quantum computer mid-flight, after a generic setup phase.

→ fast- and slow-clock: At first approximation there are two families of quantum computers. The fast-clock flavour, which includes superconducting and photonic architectures, runs at roughly 100 kHz. The slow-clock flavour, which includes trapped ion and neutral atom architectures, runs roughly 1,000x slower (~100 Hz, or ~1 week to crack a single key).

→ qubit count: The size-optimised variant of the algorithm runs on 1,200 logical qubits. On a superconducting computer with surface code error correction that's roughly 500K physical qubits, a 400:1 physical-to-logical ratio. The surface code is conservative, assuming only four-way nearest-neighbour grid connectivity. It was demonstrated last year by Google on a real quantum computer.

→ future gains: Low-hanging fruit is still being picked, with at least one of the Google optimisations resulting from a surprisingly simple observation. Interestingly, AI was not (yet!) tasked to find optimisations. This was also the first time authors such as Craig Gidney attacked elliptic curves (as opposed to RSA). Shor logical qubit count could plausibly go under 1K soonish.

→ error correction: The physical-to-logical ratio for superconducting computers could go under 100:1. For superconducting computers that would mean ~100K physical qubits for a CRQC, two orders of magnitude away from state of the art. Neutral atom quantum computers are amenable to error correcting codes other than the surface code. While much slower to run, they can bring down the physical-to-logical qubit ratio closer to 10:1.

→ Bitcoin PoW: Commercially-viable Bitcoin PoW via Grover's algorithm is not happening any time soon. We're talking decades, possibly centuries away. This observation should help focus the discussion on ECDSA and Schnorr. (Side note: as an unofficial Bitcoin security researcher, I still believe Bitcoin PoW is cooked due to the dwindling security budget.)

→ team quality: The folks at Google Quantum AI are the real deal. Craig Gidney (@CraigGidney) is arguably the world's top quantum circuit optimisooor. Just last year he squeezed 10x out of Shor for RSA, bringing the physical qubit count down from 10M to 1M. Special thanks to the Google team for patiently answering all my newb questions with detailed, fact-based answers. I was expecting some hype, but found none.
Jannik Schmiedl@skinnaj·
This is exactly right – DeFi lending has a measurement problem, not a bad debt problem. The Resolv cascade was textbook structural failure and your six failure modes are the language the industry’s been missing. At @StakingRewards we’re building precisely this: a DeFi-native risk framework. Our Ratings model decomposes protocols across Security, Strategy & Operations using 84 questions at three risk levels. It shows exactly where the credit risk lives and how much. We treat oracle divergence, liquidation endogeneity, governance windows and execution risk as first-class variables. Excited for your Vault Summit presentation. Would love to push the measurement layer forward together. Methodology: docs.stakingrewards.com/defi-ratings/r…
Jannik Schmiedl@skinnaj·
Last week we publicly launched DeFi Ratings at @StakingRewards — a systematic risk framework scoring protocols across 84 questions covering smart contract security, key management, collateral, oracles, governance, and more. Since then: an oracle misconfiguration on Aave wrongly liquidated 34 healthy positions — $27.8M wiped because the protocol was fed the wrong price. Days later, a single compromised private key minted 80M unbacked USR, crashed the token 95% in 17 minutes, and created $6.2M in bad debt across 11 Morpho vaults. Our framework already flagged the core risks on the affected vaults — single immutable oracles, no circuit breakers, exotic collateral with no stress history, no safety modules. The timing is coincidence. The need is not. Digital asset yield products are becoming institutional infrastructure. But right now, most capital flows into DeFi vaults without any standardized risk assessment. No one checks whether the collateral issuer uses a multisig. No one asks if a permissionless function can auto-allocate capital into a broken market. We're building the missing layer. 84 questions. AAA to D grades. Evidence-backed. Protocol-specific. This is going to change how capital allocators evaluate on-chain yield. We're just getting started. stakingrewards.com/defi docs.stakingrewards.com/defi-ratings
Jannik Schmiedl reposted
Staking Rewards@StakingRewards·
The Institutional Digital Asset Yield Ecosystem Map is live.