Trevor | BitBadges

407 posts

@trevormil23

Building @bitbadges_io

Joined July 2017
1.1K Following, 1.4K Followers
Trevor | BitBadges@trevormil23
Crypto needs to go cypherpunk again. Too many ideas are just going full circle reinventing Web2 as we knew it. I kinda hate to see it.
2021 vs Now
- New cryptocurrencies -> back to USDC
- Immutable code, no owner -> every protocol has centralized admin or freezing nowadays
- Self-custody -> embedded wallets
- Credible neutrality -> domain-specific zones, L2s, app chains
At what point are we going to draw the line? Crypto gets its value from its decentralization. If we are just digitizing money in a centralized manner, it’s already digitized on every bank account. If we are tokenizing stocks in a centralized manner, it’s already all digitized.
Trevor | BitBadges retweeted
BitBadges@bitbadges_io
The simplest fix to the rampant DeFi hacks. Add circuit breakers! This is no longer a defense-in-depth situation. It is negligent to deploy your protocol without them. Building in @cosmos? Everything is <5 min away. No code or complex Solidity contracts required. Reach out to us. Deploy guardrails, spend limits, wallet gating, freezability, removability, anything. PROTECT YOUR PROTOCOL!
Trevor | BitBadges@trevormil23
The whole point of immutable DeFi is to learn from mistakes. Use recent events as a wake up call. PROTECT YOUR PROTOCOL. Add circuit breakers. Add guardrails. Add spend limits. Add multi-sigs. Add auto-expiring short-lived 2FA. Add contact books. The defaults are no longer good enough. Building in @cosmos? Reach out. All of the below is available in <5 min setup.
Quoting: BitBadges@bitbadges_io
Trevor | BitBadges@trevormil23
Thanks for sharing. There are way too many DoS vulnerabilities in Cosmos and other blockchains. If an attacker really wanted to halt any blockchain network, I believe they could today. I wish they’d be taken more seriously, but many teams don’t see DoS as that important. Worst case? Some downtime and a temporary chain halt. This is kinda how teams see it.
Doyeon Park@ehdus829
I’m disclosing a 0-day vulnerability in the Cosmos consensus layer (CometBFT). This is a CVSS 7.1 (High) severity issue that can cause nodes in the Cosmos ecosystem—which secures over $8B+ in assets—to stall during the block synchronization phase. However, direct asset theft is not possible using this vulnerability. I made every effort to follow Coordinated Vulnerability Disclosure (CVD) for the safety of the ecosystem; however, due to the vendor’s lack of cooperation and irresponsible decisions, I have decided to proceed with disclosure. This action is taken in accordance with the vendor’s final decision. All resulting security risks are solely the responsibility of the vendor, and I will therefore disclose both the vendor’s irresponsible handling and the detailed vulnerability information in this thread.
Trevor | BitBadges@trevormil23
1) Volume won’t be net-new. Just a more agent-friendly way to pay for services. No API keys. No session management. No accounts. Pay per request. 2) Agreed that I think it’s vastly overrated right now for simple payments where you trust the provider. Really no need for a blockchain vs Stripe rails. Where I think it really adds value is the agent-to-agent protocol. Agents don’t trust each other. Blockchains help as the middleman.
Eridanus 🚢@eridanus_dev
I'm genuinely asking, what are all these agent micro transactions going to be? This seems to be the top crypto <> AI narrative right now, but I'm struggling to see what net-new volume will arise just from giving agents micro-tx payment rails
RoboMcGobo@RoboMcGobo
The uncertainty point definitely resonates. From what I understand, enterprise modules will be almost entirely net-new products that don't exist in the SDK today (e.g., PoA). The Group module is a bit of an exception to that. It was removed from the SDK because almost nobody uses it and it's a lot of overhead to maintain, but afterwards there were a few teams who told us that they would rather pay for the module than see it deprecated, so we brought it back as an enterprise module. As for what defines enterprise vs OSS for Group, any version that existed prior to this release (for SDK v0.54 and beyond) is still OSS.
Grey Ledger@Airdrops_one
For years, appchains said "$ATOM has no value accrual." Then the minute @cosmoslabs_io tries to put a toll booth on part of the stack, the reaction is “not like that.” They built one: enterprise licensing on premium modules. Open-core model - same playbook as Redis, MongoDB, Elastic. Base SDK stays Apache 2.0. @gregosuri you can dislike the rollout. But "no value accrual" and "don’t monetize the stack" cannot both be the answer. Yes, none of this routes to $ATOM yet. You have to start somewhere. 🫡
Trevor | BitBadges@trevormil23
1) What defines enterprise vs older OSS versions? This is unclear for builders currently and clarity would be appreciated. Just the moment the license was added? 2) This is a dangerous precedent to set. From a builder’s perspective, we can’t know which modules have long-term support vs not? At any moment, support can be rugged, and we have to fork and maintain it ourselves? If this is a trend, I think clarity / clear plans from Cosmos Labs would go a long way. What modules are untouchable? Could we get some guarantees for support / what is staying open-licensed?
RoboMcGobo@RoboMcGobo
@Airdrops_one @cosmoslabs_io The funniest thing about that tweet is that there are literally older OSS versions of the module they want to use that they can just fork if they wanted. But if they want the enterprise version, it's time to start giving back to the ecosystem that gave them everything.
Trevor | BitBadges@trevormil23
@gregosuri Yea, that one confused me. A simple multisig module that many Cosmos chains already use is gated to enterprises and needs a license (after formerly being marked as deprecated). They should at least do something retroactive to allow existing chains to still use it.
Greg Osuri 🇺🇸@gregosuri
Cosmos leadership changed their license of a critical component that will prevent Akash from:
- Deploying it in production
- Using it commercially in any way
- Offering it as a service to third parties
Meaning, we cannot use Cosmos without an enterprise license from Cosmos Labs. When we announced that Akash is moving to a shared security layer, we thought we would still keep some Cosmos integration (at least in terms of interoperability). These hostile licensing terms effectively make it impossible for Akash to stay in Cosmos -- one of the worst things that came out of the leadership team that will kill $ATOM.
Trevor | BitBadges retweeted
Keplr Wallet@keplrwallet
Introducing Keplr MCP: turn your wallet into a programmable interface. Agents can now send, stake, swap, and manage addresses across supported Cosmos chains.
Trevor | BitBadges@trevormil23
True. It’s technically possible. I just ultimately think that there are tons of blockers to Osmosis being a viable option on The Hub for compliant assets unless it is paired with EVM directly. 1) ERC-3643 is looking to be the dominant standard. Hacky ICS20 hooks and tokenfactory is a high barrier, and every compliant asset would need to support both. 2) The Hub doesn’t support EVM wallets (currently) meaning every EVM chain with EVM users needs to manage 2+ wallets just to swap. 3) It still doesn’t solve the chain-level issue. If I can IBC transfer to a non-compliant chain without hooks, it defeats the purpose. Issuers want complete control over the entire lifecycle everywhere. Hard to enforce without it being compliant in the SDK on every Cosmos chain. Not technically impossible but needs a clear commitment from the Hub in other areas to make feasible (EVM wallet support, tokenfactory hooks support, etc).
tøny@tonyler_
The choice for $ATOM stakers is simple: 1) A structured strategic path, led by a team that owns the outcome. First phase is tokenomics redesign. 2) A DEX with a founder already halfway out the door, accountable to no one if it fails to bring meaningful ROI.
Trevor | BitBadges@trevormil23
ICS20 can’t support compliance out of the box. Every ERC-3643 contract is a compliant siloed environment where you can enforce rules and compliance. With ICS20, you’d need to 1) enforce this on the SDK level in x/bank directly and 2) you’d need to gate it such that it can’t be transferred to a non-compliant IBC chain. Right now, ICS20 is all fully permissionless and no compliance.
Trevor | BitBadges@trevormil23
What is the plan long-term for growth? With everyone leaving, how does Osmosis plan to drive that value from enterprises? It’s just reliant on Cosmos Labs doing the enterprise work either way? Osmosis on The Hub largely won’t be able to support compliant tokenized assets (ERC-3643) with EVM on the Hub being abandoned. With the “old Cosmos” ecosystem / community largely being abandoned, the new Cosmos will be a few things: EVM-first and standalone enterprise chain first and many PoA chains (meaning lack of new ICS20 assets). How does Osmosis help in a Cosmos that looks like this? Genuinely curious. Is the vision simply trying to onboard enterprises to The Hub directly? And why would they choose The Hub over their own chains with complete control?
Sunny Aggarwal 🧪@sunnya97
@BPIV400 @zkDragon @tonyler_ OP was the one that framed this as an either or. Personally, I think for Cosmos to win here, we need Cosmos Labs to succeed on getting enterprise customers and for Osmosis to drive value from those enterprises to ATOM
Trevor | BitBadges@trevormil23
Blockchains stand to suffer the most from zero-day exploits. This will be interesting. Decentralization and credible neutrality will be tested.
Quoting: Haseeb >|<@hosseeb

This is terrifying. @AnthropicAI 's new unreleased Mythos model is so good at hacking, it found bugs in "every major operating system and web browser." 83.1% were exploited on first attempt. This thing is like COVID but for software. Actually apocalyptic in the wrong hands.

Trevor | BitBadges@trevormil23
@mcagney This overcomplicates it. No need for mint / burning tokens. This is a wallet / vault problem. Emergency migrations, dead man's switches (migratable after inactivity in wallet), and vaults should be the default in crypto. If we had these, that is a non-issue.
Mike Cagney 🇺🇸@mcagney
Question I am contemplating and could use input on. Let's say you own YLDS, a security, and receive it in your Metamask wallet via a p2p transfer, so the transfer agent only knows your wallet address, not your identity. Then let's say you forget your password and recovery phrase on the wallet. Is there any way you could go to the transfer agent to get new tokens? In theory, the transfer agent can burn the old ones and mint new ones (e.g., YLDS isn't a bearer asset), but how does it know you were the rightful owner? Generally this would be an edge case, as most YLDS holders would want to be identified to earn interest. So it's a circumstance where someone receives YLDS, chooses not to be identified (or hasn't yet) to receive interest, and then loses access to their wallet. But it's still a use case I'm trying to solve for. Thoughts?
Trevor | BitBadges@trevormil23
Doesn’t need to be chain-level. My vision: 1:1 backed smart token protocols / vaults (on-chain) should be the entry point for all assets at rest in wallets (vUSDC, vETH). Users customize their tolerances and criteria for assets at rest. Withdraw / unback as needed. Fully customizable for any criteria - multi-sigs, timelocks, spend limits, off-chain 2FA. Most users reuse the same config / rules. More advanced users can build their own.
Patrick Collins@PatrickAlphaC
@trevormil23 Chain-level guardrails are interesting; some projects have pushed for this. The lack of flexibility makes it hard.
Patrick Collins@PatrickAlphaC
Drift Protocol lost ~$280M in a sophisticated social engineering attack. The "root cause," though, was that a malicious transaction was sent, and the users were unable to verify the transaction intent. This is a combination of major issues:
Micro:
- Always verify your transaction data
- Running unknown code should be done in an isolated environment
- Your signing device should be different from your working device
Macro:
- Transactions are difficult to sign and understand
- Many of the tools we use today have backdoors that users don't know about (VSCode's hooks that run just by opening a folder)
- Meeting in person may not be the safety net it once was
youtu.be/qjJN5S7PSoE
Also, a lot of blogs will point to the "durable nonce" issue. Don't let that distract you. That was them popping the exploit into AI and asking what happened. It's part of the story, but like the smallest, tiniest side quest.
Trevor | BitBadges retweeted
Spreek@spreekaway
a lot of talk about how the hackers got malware onto the drift dev's machines, not a lot of talk about how said compromise was enough to drain the money innit
Trevor | BitBadges@trevormil23
We have neglected basic security principles in this industry for way too long. We need a paradigm shift. Defense in depth. There will always be exploits, social engineering, and malicious signatures. Every tech company or software is prone to zero-day exploits. We built the entire tech stack based on this principle which was never bound to hold. Don’t design assuming these things will never happen. Design assuming they will inevitably happen. This starts with:
- Basic rate limits for wallets
- Insurance protocols
- Hot wallets and multi-vault management
- Section everything into separate accounts
It is simply ridiculous the DEFAULT is that one malicious signature can drain your ENTIRE wallet to ANYONE.
Quoting: BitBadges@bitbadges_io

@DriftProtocol exploit not only reveals the need for better security primitives and practices on the wallet side but also better primitives ON-CHAIN.
- Why are entire treasuries stored where one transaction can wipe entire balances? And no limits on who to transfer to?
- Why are protocols not built with basic sanity checks in mind? Even a daily limit like 10M USD saves 190M in exploits.
The answer is simple: smart on-chain vaults 1:1 back USDC, ATOM or any currency and add your own custom rules (time-gating, rate limits, spend limits, anything, approved recipients). Think this is too complex to implement? Nope. Reach out to see how we can help you set this up with 0 lines of code and in less than 5 minutes.
