Harsh Vardhan Roy

3.7K posts


@TheFiatBubble

Cross-chain infra, BFT Consensus Clients, EVM, ZK Proofs, Relayers & Solvers | rust/solidity/ts

Kolkata, India · Joined July 2014
2.2K Following · 4.2K Followers
Harsh Vardhan Roy reposted
Web3 Philosopher
Web3 Philosopher@seunlanlege·
Over the past few weeks we have re-audited every cryptographic dependency Hyperbridge relies on. This has led to the discovery of even more critical vulnerabilities in our code, third-party libraries and even Polkadot itself. All have been responsibly disclosed and patched. We’ll be publishing a detailed write-up shortly on all our findings. The root cause of the original incident was a missing single line of code that permitted proof forgery. The vulnerable code in question dates to early Polytope Labs days and predates our current review & testing standards, which is why the re-audit was warranted and why it’s ongoing. Alongside this, we’re launching a bug bounty which will help us work with whitehats on the continued security of the protocol.
Harsh Vardhan Roy reposted
zkSecurity
zkSecurity@zksecurityXYZ·
Groth16 is still the GOAT of zero-knowledge proof. Why can't anyone understand how it works then? Don't worry, we got you :) blog.zksecurity.xyz/posts/groth16/
Harsh Vardhan Roy reposted
Web3 Philosopher
Web3 Philosopher@seunlanlege·
The security landscape in crypto has drastically changed these past few months. The protocols that come out on the other side will have been battle-tested in every sense of the word. We are working to safely relaunch a more robust version of hyperbridge. More updates soon.
Harsh Vardhan Roy
Harsh Vardhan Roy@TheFiatBubble·
If life humbles you, that means God loves you. You are destined to reach new heights.
Harsh Vardhan Roy reposted
Dacian
Dacian@DevDacian·
I'm glad NK was deprived of ~$70m they stole from honest users. But I'm also glad we can finally stop pretending L2s inherit L1 security model. L2 ETH != L1 ETH. L2s are not an appropriate store of value for entities seeking permissionless self-sovereign "hard money"; that distinction belongs to L1 & Bitcoin. L2s are walled-garden permissioned accounts with crypto rails, where 12 people can rugpull your funds removing your ability to transact at any time. If you think L2s will never rugpull you because you aren't a "bad person", you simply haven't lived long enough to see how quickly the definition of "bad person" can change. Are they still useful? Of course, just like bank accounts and many TradFi systems are useful. But they aren't decentralized & they don't inherit Ethereum's security model. Let's stop pretending otherwise.
Harsh Vardhan Roy reposted
Will
Will@willreil·
@yacineMTB Everything is easy when you’re having fun
Harsh Vardhan Roy reposted
Zach Rynes | CLG
Zach Rynes | CLG@ChainLinkGod·
Look guys, it's actually really straightforward, a bunch of people staked their ETH on the Ethereum blockchain to earn yield, except they didn't want their capital to be locked up, so they actually staked with a liquid staking protocol called Lido who provided them a liquid staking receipt token called stETH, except they decided to juice their yield further by depositing their stETH receipt tokens into a restaking protocol called Eigenlayer, except they didn't want to lock up their capital, so they actually restaked with a liquid restaking protocol called KelpDAO who provided them with a liquid restaking receipt token called rsETH, except they decided to juice their yield further by depositing their rsETH tokens into a lending protocol called Aave so that they could open a leveraged looping position that borrows ETH against the rsETH collateral and restakes the ETH into rsETH which is then deposited as collateral, except it turns out rsETH used a cross-chain bridge called LayerZero that was hacked by north koreans causing rsETH to become undercollateralized and now these looping positions are stuck and unprofitable, and everyone is pointing fingers at each other, and also DeFi is a very serious industry
Harsh Vardhan Roy reposted
Constantine | dRPC.ORG
Constantine | dRPC.ORG@constantine_rm·
In dRPC you can run a quorum of data providers, including internal nodes, with custom rules for quorum. We made it in 2023: drpc.org/docs/gettingst… (section #why-use-verification). For a mission-critical application like a bridge or oracle, there's no excuse not to set it up. But they didn’t.

The framing of the recent KelpDAO and LayerZero incidents as some novel attack vector, or the work of meaningfully smarter attackers, is mostly wrong. The actual failure mode - applications trusting a single RPC endpoint to return honest data - has been discussed openly for years, by @VitalikButerin, @lomashuk, @MicahZoltu, @wagmiAlexander, @ChainLinkGod, @banteg, and many others. It is neither new nor subtle. A closely related failure happened in 2022 with the Ankr DNS hijack on Polygon and Fantom: x.com/Mudit__Gupta/s…

The point here isn't ideological. In a 24/7 market where automated systems act on RPC responses in real time, assuming one provider will always return correct data is a system-level risk. There is no T+2 window in which a human notices the error and reverses it.

When we launched dRPC, cross-verification across a permissioned set of RPC providers was the core idea. The original repo and docs are still up (although outdated since then):
- drpc.org/docs/gettingst… (section #why-use-verification)
- github.com/drpcorg/drpc-s…

We used a simple quorum rather than zk-based verification, partly to test real demand before overbuilding. Two observations from that period:
1. The demand was not there. In public, everyone agreed with the thesis. In private, the responses were "we are not ready to pay more for quorum," or "yes, we could apply it to sensitive paths only, but it's not a priority."
2. The risk was real. The market is now discovering this at a cost of roughly $250M.

Because full cross-verification on every request is overkill for most workloads, we eventually shifted toward shadow checks — randomized background comparisons across providers that detect and eject unhealthy nodes before they serve meaningful traffic. This is a reasonable compromise for general workloads. It is not a substitute for quorum on sensitive paths.

So the practical rule, for anyone building infrastructure whose failure mode is user funds:
1. Use at least 3–5 independent, reliable RPC providers.
2. Do not build your load balancer on training wheels. Something like drpc.org/nodecore-open-… is open source, free, and almost certainly better than what you would build in-house. Contributing to it is a better use of time than reinventing it.

You cannot defend against every possible attack. But this particular class is avoidable at low cost, if you are willing to treat RPC as a system-level dependency rather than a commodity input. That is a reasonable bar for anything meant to serve more than a narrow circle of users.

We will update dRPC NodeCore (drpc.org/nodecore-open-…) with strict rules for quorum on your side in the near future; stay tuned. If you have more sophisticated requirements for security, we are fully open to your requests - feel free to reach out to me via DM here or by email at kz@drpc.org
LayerZero@LayerZero_Core

x.com/i/article/2046…

Harsh Vardhan Roy reposted
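The quorum rule the post above describes (accept an RPC answer only when enough independent providers return the same thing, and treat timeouts as non-votes), as an added TypeScript example; this is not dRPC's or NodeCore's code, and the provider names, the block-header payloads and the `minAgree` threshold are constructed assumptions.

```typescript
// Added example, not dRPC's or NodeCore's code: a majority-quorum gate over
// answers from several RPC providers. Provider names and payloads are constructed.
type ProviderAnswer = { provider: string; ok: boolean; value?: unknown }; // ok=false: timeout or transport error
type Decision = { accepted: boolean; value?: unknown; agreeing: string[]; dissenting: string[]; failed: string[] };

// Canonical encoding so JSON key order and hex casing do not split equal answers into different buckets.
function canonical(v: unknown): string {
  if (typeof v === "string") return JSON.stringify(/^0x[0-9a-f]+$/i.test(v) ? v.toLowerCase() : v);
  if (Array.isArray(v)) return "[" + v.map(canonical).join(",") + "]";
  if (v !== null && typeof v === "object") {
    const o = v as Record<string, unknown>;
    return "{" + Object.keys(o).sort().map(k => JSON.stringify(k) + ":" + canonical(o[k])).join(",") + "}";
  }
  return JSON.stringify(v);
}

// Accept the most common answer only if at least minAgree providers returned it; failed providers never count.
function quorumDecide(answers: ProviderAnswer[], minAgree: number): Decision {
  const buckets = new Map<string, { value: unknown; providers: string[] }>();
  const failed: string[] = [];
  for (const a of answers) {
    if (!a.ok) { failed.push(a.provider); continue; }
    const key = canonical(a.value);
    const b = buckets.get(key) ?? { value: a.value, providers: [] };
    b.providers.push(a.provider);
    buckets.set(key, b);
  }
  let best: { value: unknown; providers: string[] } | undefined;
  for (const b of buckets.values()) if (!best || b.providers.length > best.providers.length) best = b;
  const winners = best?.providers ?? [];
  const dissenting = answers.filter(a => a.ok && !winners.includes(a.provider)).map(a => a.provider);
  if (!best || winners.length < minAgree) return { accepted: false, agreeing: winners, dissenting, failed };
  return { accepted: true, value: best.value, agreeing: winners, dissenting, failed };
}

// Constructed sample: four providers asked for the same block header; rpc-d returns a different
// hash, as a stale or dishonest endpoint would. With minAgree=3 the answer is accepted and rpc-d flagged.
const SAMPLE: ProviderAnswer[] = [
  { provider: "rpc-a", ok: true, value: { number: "0x1a4", hash: "0xABC1" } },
  { provider: "rpc-b", ok: true, value: { hash: "0xabc1", number: "0x1a4" } },
  { provider: "rpc-c", ok: true, value: { number: "0x1a4", hash: "0xabc1" } },
  { provider: "rpc-d", ok: true, value: { number: "0x1a4", hash: "0xdead" } },
];
console.log(quorumDecide(SAMPLE, 3));
```

A dissenting provider on a sensitive path is a signal to eject it and alert, not just to retry.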
Smit
Smit@0xSmit·
End of the day, no matter who says what, it is LayerZero's mistake: they got hacked, and the hacker was able to find out what backup nodes they used and their IPs as well. Blaming this on Kelp is retarded, but Kelp is also retarded for blindly trusting LayerZero.
Harsh Vardhan Roy reposted
Sam Lambert
Sam Lambert@samlambert·
there is no better life for me than solving difficult problems with people that are smart, direct, kind, and funny.
Harsh Vardhan Roy reposted
Web3 Philosopher
Web3 Philosopher@seunlanlege·
Currently investigating this exploit. Our initial diagnosis is the attacker constructed a sophisticated malicious proof to fool our merkle tree verifier. Damage is so far limited to just the DOT token. Other applications unaffected. Bridge has been paused pending the upgrade.
Vladimir S. | Officer's Notes@officer_secret

It looks like bridged $DOT by @Polkadot has just been exploited on Ethereum! Admin changed to the attacker's contract, 1 BILLION DOT minted and immediately dumped. Price went from $1.22 to almost zero. And it looks like the bridge is just allowing infinite minting now. Spotted by @0xZilayo 👀

Harsh Vardhan Roy reposted
Aporia
Aporia@0xaporia·
Scrolling is pure evil. An hour of brainrot doesn’t just leave a hole where something meaningful could have been but also actively degrades the machinery you’d need to fill that hole. It corrupts your capacity for sustained attention. Books become harder, conversations feel slower, your own thoughts start to bore you. Over time, the range of things that can hold your interest narrows until you’re left with a shrinking circle of stimulation that only the algorithm can satisfy. It erodes your relationship to yourself. Curiosity fades. Compassion requires a kind of patient attention that atrophies. You stop wondering what you care about because the question itself feels effortful. What’s left is a stable, “comfortable” numbness. Not only five years subtracted from your life, but a slow hollowing out of the person who would have lived them.
Justin Skycak@justinskycak

You have to understand. Spending 1 hour per day on brainrot is insane. That's about 6% of your waking day. About 5 years of your waking life. Half a decade. On brainrot. Just gone. Zero return. Zero fulfillment. Zero meaning. Zero contribution to the other parts of your life.

Harsh Vardhan Roy
Harsh Vardhan Roy@TheFiatBubble·
@gaxrav Incorrect. The world that we experience is highly abstracted away through our five senses.
gaurav
gaurav@gaxrav·
speed of light is the refresh rate of reality.
Web3 Philosopher
Web3 Philosopher@seunlanlege·
Just swapped USDC to cNGN in 63 seconds with @hyperbridge ⚡️ Fast, secure, and seamless. Then used @useazza's cNGN autowithdrawal feature to directly offramp to Naira in my bank account.