Vyacheslav
13.8K posts
Vyacheslav
@thought_sync
Weaponized curiosity. CTO @ https://t.co/ZQBl40UE5h
Riga, Latvia Katılım Mart 2010
366 Takip Edilen1.2K Takipçiler
DeepSeek v4 small KV cache + MacBook fast SSD disks = the idea that the disk is not a good target for KV cache is, in this context, totally obsolete. It works *great*. The session you see is opencode using my inference engine for DS4, saving, loading sessions from disk.
English
Vyacheslav retweetledi
Add a 7-day dependency cooldown.
uv's `exclude-newer` refuses any version published inside a rolling window. With 7 days set, today's malicious uploads would not be considered for resolution at all.
Most malicious uploads are caught within that window.
English
@antirez Doesn’t mean Europe should stop investing in LLMs even though weak ones
English
Europe AI strategy should be to specialize on AI inference and improvement of large open weight models, while we try to recover the GPU / companies gap to have a viable internal path. A large Chinese open weight model that works is only better than an European-trained weak one.
English
@paulg Wow, US airlines must suck so bad that traveling 15 hours is better than 2 hour flight
English
Whoah, self-driving cars compete with airlines. I never considered that till now.
Nahuel Hilal - TattooGuy@nahuelhilal
Yesterday I drove my @tesla 900 miles on FSD from Miami to Nashville and I realized it’s genuinely the better option. I fly that route 2 to 3 times a month. Flights are never under $400. Most times $600. Sometimes $800. Add Uber to and from both airports, or parking garage fees. Then factor in the delays, the cancellations, the security theater, the chaos, the guy next to you who hasn’t met deodorant yet. On the other hand: I pack healthy snacks, press one button, and the car just goes. I took calls. Replied to emails. FaceTimed my family. Ate without pulling over. Did everything I normally do on a travel day, except none of the stuff that makes travel days miserable. My biggest concern going in was range and charging. Here’s what actually happened: My bladder needed one extra stop the car didn’t even suggest. Most charging stops were under five minutes. Total cost for the whole trip was less than just the uber to the airport. And this was the base model Y. Now I’m thinking I should get something comfier and just make this the default.
English
Vyacheslav retweetledi
We got a lot of requests to bring this back to life, and as promised, it's live now! #nodecore" target="_blank" rel="nofollow noopener">drpc.org/docs/gettingst…
If you build a mission-critical dApp, or if part of your functionality is super fragile to RPC poisoning, please use the Verification feature from dRPC via NodeCloud or NodeCore; there is no excuse not to use it, and you can't say, after yet another hack, that you were not aware of this.
Constantine | dRPC.ORG@constantine_rm
In dRPC you can run a quorum of data providers, including internal nodes, with custom rules for quorum. We made it in 2023: #why-use-verification" target="_blank" rel="nofollow noopener">drpc.org/docs/gettingst…
. For a mission-critical application like a bridge or oracle, there's no excuse not to set it up. But they didn’t. The framing of the recent KelpDAO and LayerZero incidents as some novel attack vector, or the work of meaningfully smarter attackers, is mostly wrong. The actual failure mode - applications trusting a single RPC endpoint to return honest data - has been discussed openly for years, by @VitalikButerin, @lomashuk, @MicahZoltu, @wagmiAlexander, @ChainLinkGod, @banteg, and many others. It is neither new nor subtle. A closely related failure happened in 2022 with the Ankr DNS hijack on Polygon and Fantom: x.com/Mudit__Gupta/s… The point here isn't ideological. In a 24/7 market where automated systems act on RPC responses in real time, assuming one provider will always return correct data is a system-level risk. There is no T+2 window in which a human notices the error and reverses it. When we launched dRPC, cross-verification across a permissioned set of RPC providers was the core idea. The original repo and docs are still up (although outdated since then): -#why-use-verification" target="_blank" rel="nofollow noopener">drpc.org/docs/gettingst… - github.com/drpcorg/drpc-s… We used a simple quorum rather than zk-based verification, partly to test real demand before overbuilding. Two observations from that period: 1. The demand was not there. In public, everyone agreed with the thesis. In private, the responses were "we are not ready to pay more for quorum," or "yes, we could apply it to sensitive paths only, but it's not a priority." 2. The risk was real. The market is now discovering this at a cost of roughly $250M. Because full cross-verification on every request is overkill for most workloads, we eventually shifted toward shadow checks — randomized background comparisons across providers that detect and eject unhealthy nodes before they serve meaningful traffic. This is a reasonable compromise for general workloads. It is not a substitute for quorum on sensitive paths. So the practical rule, for anyone building infrastructure whose failure mode is user funds: 1. Use at least 3–5 independent, reliable RPC providers. 2. Do not build your load balancer on training wheels. Something like drpc.org/nodecore-open-… is open source, free, and almost certainly better than what you would build in-house. Contributing to it is a better use of time than reinventing it. You cannot defend against every possible attack. But this particular class is avoidable at low cost, if you are willing to treat RPC as a system-level dependency rather than a commodity input. That is a reasonable bar for anything meant to serve more than a narrow circle of users. We will update the dRPC NodeCore (drpc.org/nodecore-open-…) with strict rules for quorum on your side in the near future, stay tuned. If you have more sophisticated requirements for security, we are fully open for your requests - feel free to each me our via DM here or by email kz@drpc.org English
@banteg Well if they had quorum 2 of 3 and all others were DDoSed quorum wouldn't help, but I think it's easy to have 3/4 etc, which would prevent it. We actually built PoC years ago, but 0 intereset from clients #why-use-verification" target="_blank" rel="nofollow noopener">drpc.org/docs/gettingst…
English
the most concerning thing about layer zero is that it doesn't check cryptographic proofs at all.
events generate receipts which get merklized. you can get a proof and check it against the merkle root. even if a node is compromised or even a sequencer, it can't generate a root that injects a fake receipt, because the execution is gated by the state transitions the contracts allow.
another thing is a quorum with even a few public nodes would've saved the day here, because they would disagree on the state.
English
@0xngmi 3. For a lot of methods (e.g, eth_getLogs, which is very widely used for bridges) its impossible to have locally verified data due to the fact that you can prove inclusion, but not omission.
4. Its REALLY slow, that's why almost nobody uses it in production
English
@0xngmi Unfortunately, reality is far more complicated.
1. Ethereum itself has pretty nice light client support (could be improved further though), however most of L2s have almost none.
2. eth_getProof method on most of the clients is almost broken, unfortunately nobody talks about it.
English
Btw ethereum has a very simple solution to faulty rpcs, rpc nodes maintain state tries to the block header
RPCs can use that to craft a cryptographic proof that its response is correct
That way even if rpc provider is hacked you’re safe, a much better solution than high quorum
English
Vyacheslav retweetledi
In dRPC you can run a quorum of data providers, including internal nodes, with custom rules for quorum. We made it in 2023: #why-use-verification" target="_blank" rel="nofollow noopener">drpc.org/docs/gettingst…. For a mission-critical application like a bridge or oracle, there's no excuse not to set it up. But they didn’t.
The framing of the recent KelpDAO and LayerZero incidents as some novel attack vector, or the work of meaningfully smarter attackers, is mostly wrong. The actual failure mode - applications trusting a single RPC endpoint to return honest data - has been discussed openly for years, by @VitalikButerin, @lomashuk, @MicahZoltu, @wagmiAlexander, @ChainLinkGod, @banteg, and many others. It is neither new nor subtle. A closely related failure happened in 2022 with the Ankr DNS hijack on Polygon and Fantom: x.com/Mudit__Gupta/s…
The point here isn't ideological. In a 24/7 market where automated systems act on RPC responses in real time, assuming one provider will always return correct data is a system-level risk. There is no T+2 window in which a human notices the error and reverses it.
When we launched dRPC, cross-verification across a permissioned set of RPC providers was the core idea. The original repo and docs are still up (although outdated since then):
-#why-use-verification" target="_blank" rel="nofollow noopener">drpc.org/docs/gettingst…
- github.com/drpcorg/drpc-s…
We used a simple quorum rather than zk-based verification, partly to test real demand before overbuilding. Two observations from that period:
1. The demand was not there. In public, everyone agreed with the thesis. In private, the responses were "we are not ready to pay more for quorum," or "yes, we could apply it to sensitive paths only, but it's not a priority."
2. The risk was real. The market is now discovering this at a cost of roughly $250M.
Because full cross-verification on every request is overkill for most workloads, we eventually shifted toward shadow checks — randomized background comparisons across providers that detect and eject unhealthy nodes before they serve meaningful traffic. This is a reasonable compromise for general workloads. It is not a substitute for quorum on sensitive paths.
So the practical rule, for anyone building infrastructure whose failure mode is user funds:
1. Use at least 3–5 independent, reliable RPC providers.
2. Do not build your load balancer on training wheels. Something like drpc.org/nodecore-open-… is open source, free, and almost certainly better than what you would build in-house. Contributing to it is a better use of time than reinventing it.
You cannot defend against every possible attack. But this particular class is avoidable at low cost, if you are willing to treat RPC as a system-level dependency rather than a commodity input. That is a reasonable bar for anything meant to serve more than a narrow circle of users.
We will update the dRPC NodeCore (drpc.org/nodecore-open-…) with strict rules for quorum on your side in the near future, stay tuned. If you have more sophisticated requirements for security, we are fully open for your requests - feel free to each me our via DM here or by email kz@drpc.org
LayerZero@LayerZero_Core
English
@kellabyte @ashoKumar89 My first thought would be how to do it without interruptions, and it required scaling past 1 server
English
You need to handle 10,000+ requests per second.
Most engineers jump to scaling infrastructure. That’s usually the wrong first move.
What are the first 3 things you would design or optimize?
English
For years my journalist friends complaint that everybody taught them what is journalism, because everyone consider themselves “some kind of journalist” and because “everyone can write text”. Now when everyone is a coder I finally understand how that feels.
English
Canceled ChatGPT subscription. Kudos to Anthropic for standing for at least some of our freedoms. I’ll be using it more.
English
@SatiataOff @brain_slug Так что если поставить себе цель в жизни как разнообразие разных позитивных эмоций и опытов, то дети явно должны быть где-то в списке.
Русский
@SatiataOff @brain_slug Ну если все это рационализировать, то ситуация простая:
1. Жизнь бессмысленна
2. Есть набор ощущений и чувств, которые ты можешь получить только каким-то уникальным образом и никак иначе. И мне кажется, что дети это один из таких примеров. Но как и у всего есть негатив.
Русский
Могу ошибаться, потому что у меня нет детей, но для меня родительство выглядит как бесконечное обслуживание другого человека. Без права отказаться. Я пока не придумала себе причину, почему я должна заниматься подобными вещами.
Русский
Vyacheslav retweetledi
If you build a public goods like @DappRadar @DefiLlama @l2beat and you can’t handle your unit economy, please don’t close your services.
Reach me out, we will help you with RPC and I personally will help you to optimize other spending where it’s possible.
English
@headinthebox But if it makes us 20% slower should we work more?
English
If AI coding is speeding up work by 10x, shouldn’t we work less?
English
Woke up to my Revolut account being closed at 3:53 am in the morning after receiving email to update my residence permit info at 3:53 am.
And now I can’t update my KYC info, because my account is in the process of closure.
And our course my “premium support” is silent (Saturday obviously). This is going great!
English
@ilyagrshn Ну я дискутировать на эту тему не буду, но я скорее отреагировал на твой твитт! Ты назвал акциями, а это не акции, так что посыл был в том, что ты акции в воллете купить не сможешь.
Русский
Мог ли я три года назад представить, что смогу в Wallet в Telegram купить Nvidia, и даже скинуть друзьям акций на ДР? А теперь мне и представлять этого не надо.
Русский
@ilyagrshn Ну вот по-моему называть это акциями неправильно, потому что это вводит людей в заблуждение, и по-моему это не очень честно. Потому что акциями владеешь, к здесь акциями владеет посредник, а ты владеешь токеном и если завтра посредник соскамится, то ты все потеряешь.
Русский