zkCross Network

@Surf_Liquid just published their biggest ecosystem update. The entire execution stack powering it runs on zkCross Network. Every vault deployment, every AI agent action, every Guardian Layer rule enforcement, every circuit breaker trigger, every cross-chain capital route. All of it executes through the zkCross infrastructure. → The Guardian Layer that held every vault safe during the recent wave of DeFi exploits is the zkCross architecture. → The MPC signing that secures every transaction is the zkCross infrastructure. → The cross-chain settlement rails that move capital across Base, Polygon, and the upcoming Ethereum mainnet deployment are zkCross rails. → The isolated vault contracts that keep each user's capital separate from everyone else's deploy via zkCross. $107M+ in on-chain volume. 194K+ transactions processed. When Surf scales to @arbitrum, @avax, @BNBCHAIN, @solana, @StellarOrg and @HyperliquidX, the same zkCross rails handle every chain. Surf is the product users see. zkCross is the infrastructure that makes it all work.

@pashov Motivation over credential rings true in audit work. The contributor who reads the spec line by line and asks the awkward question catches the issue the team kept walking past. Selection by curiosity is the lever, not headcount.

I've worked with 150+ security researchers - from top tier experts to promising newbies You'd be surprised how many times the "newbies" contribute things no one else does. Motivation makes all the difference. Now looking to make the number 1000. Scaling the fuck up. Stay close.

Scaling got easier because compute and consensus did. Security stayed hard because policy never got moved on-chain. Every bridge that got drained had a signer who could be talked into producing a valid signature for an invalid intent. On zkCross every signing path runs through a policy contract first. Source state has to match before any signer touches a key.

Another bridge exploit. The Verus-Ethereum bridge exploit estimated losses reaching roughly $11.6M. Crypto keeps proving interoperability is one of the most dangerous attack surfaces in the industry. Scaling got easier. Security didn’t.

@Fairu_90 @PushChain Chain-as-context-switch is the friction users actually feel. The chain belongs behind the action the user wanted, not in front of it. The cross-chain story lands at the UX layer or the infra story stays invisible.

People still juggle ETH on Ethereum, SOL on Solana, MATIC on Polygon, and dozens of gas tokens just to use crypto. That’s not mass adoption. That’s friction. $PC is trying to change that. The vision behind @PushChain is simple: Make crypto feel chainless. No more thinking: “Wait… do I have the right gas token?” With Universal Gas Abstraction, users can transact across chains without constantly managing multiple gas assets. One seamless experience. Here’s why that matters: Right now, liquidity is fragmented. Users are fragmented. Apps are fragmented. Every chain feels like its own island. Push Chain wants to unify that experience through $PC. The “Holy Trinity” of $PC utility: 1️⃣ Universal Gas Abstraction No more hoarding different gas tokens for every network. 2️⃣ Transaction Fees $PC powers the Push network as its native currency. 3️⃣ Universal Staking Secure the network while empowering the community. But this gets bigger than simple payments. The real vision is a universal coordination layer for: • DeFi • RWAs • AI Agents • Cross-chain liquidity Imagine RWAs moving freely across ecosystems instead of being trapped on isolated chains. Imagine DeFi liquidity no longer split across dozens of networks. Imagine autonomous AI agents interacting cross-chain without barriers. That’s the direction Push Chain is building toward. And honestly, crypto needs this. Users don’t care about bridges, gas fragmentation, or chain complexity. They want: • fast UX • simple UX • unified UX Infrastructure that removes friction wins. One more important thing: ⚠️ $PC is currently on TESTNET ONLY. Ignore fake mainnet contracts and stay safe. If someone is pushing a “live” token address right now, it’s likely a scam. The chain abstraction era is coming. And $PC is positioning itself at the center of: → cross-chain execution → unified liquidity → borderless AI economies Keep watching 👀 Season 3 invite codes below 👇 PC-89PFP4EF PC-9SERDJYS PC-6TB433ZW PC-EA6AU98M #airdrop

Moving disputed funds into another lending market mid-court fight turns the protocol into both venue and party. That kind of role overlap is the reason on-chain disputes still end up in off-chain courts. The cleaner design choice has to happen years before the lawsuit, not during it.

I’m watching the Arbitrum governance process closely. Moving disputed exploit funds to Aave sounds simple on paper, but the court fight makes this much more complicated.

@Diphunter18 @0xPolygon Enterprise payments only work when the rail agrees on a state across hops. The Polygon side of this got measurably tighter in the last six months. Cross-chain settlement that does not drift is the precondition for B2B commerce on crypto rails.

Polygon just pushed the internet payments standard to a completely new level. And most people haven't noticed yet. @0xPolygon is building a high class payment suite: real global payment infrastructure for enterprises (internet-native finance) Imagine you're a business in Brazil. You need to pay suppliers in Europe. Until now: 3–5 banking days, high fees, exchange rate losses, paperwork. With Polygon: settlement in seconds, sub-cent fees, 24/7, no banking hours, no correspondent banks. This isn't a concept. It's already in production. But this requires infrastructure. And right now, something came together that the world hasn't seen before. Four OG DeFI protocols formed a deliberate partnership, each solving a piece that none of the others could solve alone: • @0xPolygon — the settlement rail. Sub-cent fees, sub-5s finality, 3200+ TPS. The highway everything runs on. • @fraxfinance — the dollar anchor and FX layer. $frxUSD is Treasury-backed and becomes the shared denominator across every currency corridor. Every non-USD stablecoin on this stack routes through frxUSD by design. That's not a paper partnership, i see frxUSD as the safest base dollar you can get. • @CurveFinance — the liquidity layer. Curve built a new pool type specifically for this stack, optimized for stablecoin-to-stablecoin FX swaps with minimal slippage. Without deep, reliable liquidity routing, i think no FX market works at scale. • @DFB_DeFi — active market-making. Real FX venues need active participants, not seed liquidity that disappears after week two. DFB keeps spreads tight and the corridors actually functional. None of these pieces existed together two years ago. All of them exist now, and they plug into each other. The numbers speak for themselves: • Payments apps on Polygon: +51% QoQ ($5.8B volume) • Stablecoin supply: +21% QoQ ($3.5B) • APAC non-USD stablecoins: +187% QoQ • #1 in active USDC addresses globally And the Polygon chain just got faster: • hitting 3200+ TPS (1.75s block times Sub-5s finality) • +14% more payments per second This is not a roadmap. This is live. And then Visa showed up. @Visa integrated Polygon into its global stablecoin settlement program ,running at a multi-billion dollar annualized run rate. Why does this matter so much? Visa doesn't pick a chain because it sounds cool. Visa picks infrastructure because it opens new markets. Think about it: a small business in Southeast Asia or sub-Saharan Africa that previously had no access to global payments, too expensive, too slow, too complicated for traditional correspondent banking. With Polygon as the rail, Visa can serve exactly those customers. Fast. Cheap. Global. Without a new banking license in every country. This isn't Visa vs. Crypto. This is Visa using crypto rails to reach markets that were previously cut off entirely. And then there's privacy. Every stablecoin transfer on a public chain broadcasts: who sent it, who received it, how much moved. For a business moving millions daily, that's simply not acceptable. Competitors can read treasury strategies. Business relationships become visible. Contract volumes go public. Polygon solved this: private payments via zk-technology built with @hinkal_protocol. Stablecoins move on-chain, without sender, receiver or amount being publicly visible. Compliance capabilities remain fully intact. This is the unlock for: -Enterprise treasury operations -Institutional settlement -Payroll systems -Large B2B payments -Cross-border commerce Privacy isn't a nice-to-have for institutions. It's a prerequisite. The bigger picture for me: DeFi. Stablecoins. Payment APIs. zk-tech. Institutional settlement. Global payment providers. What looked like separate worlds is converging into the same stack. Polygon isn't building to replace Visa. Polygon is becoming the infrastructure layer underneath modern finance, the part nobody sees but everything depends on.

@an420eth Where you place your trust is encoded in the contract that releases the funds. The closer the trust assumption sits to the signing layer, with policy gating each call, the harder it becomes to keep the assumption hidden.

1/7 I’ve read too many DeFi exploit post-mortems. The pattern: Nobody expected the failure, but the hidden trust assumption was there from day one-just undocumented. DeFi security isn't about removing trust. It’s a question of where you place it. 🧵

@wiseadvicesumit Exposure for restaked-collateral holders is mostly downstream of bridge configuration. If the wrapper relies on a single verifier, it inherits that single point of failure. Multi-party signing on the mint path closes the gap.

🚨 KelpDAO just got exploited for $292M. Here's what happened, what it means, and what to do if you're exposed. First: how it happened: KelpDAO's rsETH runs on a LayerZero cross-chain bridge. The bridge had a critical weakness a single verifier setup instead of multiple. The attacker found it and exploited it. • Minted 116,500 fake unbacked $rsETH, about 18% of total supply out of thin air • Deposited that fake rsETH as collateral into $Aave, Compound, Euler and others • Borrowed real $ETH against fake collateral • Swapped everything through $Uni and disappeared across 20 chains • Left $292M in bad debt behind Two follow-up attempts of $100M each were blocked after KelpDAO hit the emergency pause. What it means for Aave: Aave is the biggest casualty here. Around $177-200M in bad debt sitting in WETH pools on V3 and V4. Aave's own contracts are fine. This is not an Aave exploit. But Aave accepted rsETH as collateral and now holds the bag. Token is down 16% as markets price in the Safety Module risk. If bad debt cannot be recovered, staked AAVE in the Safety Module could get slashed to cover it. If you are exposed right now: • Monitor closely, some analysts are recommending withdrawal before any settlement kicks in • Holding rsETH anywhere, your positions are frozen, check official KelpDAO channels • Using rsETH as collateral, frozen, do not ignore this • stETH or wstETH, $Lido confirmed unaffected • Aave on Base or isolated pools generally safe This is the largest DeFi exploit of 2026. It follows the $285M Drift hack just 18 days ago. The pattern is the same every time, bridges are the weakest link. Not the smart contracts. Not the protocols. The bridges connecting them. A single verifier. That is all it took to drain $292M. 💀

@CryptoLady_M Idle stablecoins on a money market are the symptom of risk caps doing their job. The architectural question is whether credit lines can be issued from the same liquidity hub while keeping the riskiest collateral type's tail isolated. Spokes are how that scales.

Aave currently has $6 billion in stablecoins lying completely idle. That accounts for nearly 30% of its total deposits. The upcoming Aave V4 aims to fix this capital efficiency pain point by introducing a Reinvestment Module. Take 1 minute for an objective breakdown of V4’s core mechanics and industry impact.👇 ✅What exactly does V4 update? It automatically deploys idle, unborrowed liquidity from the pools into ultra-low-risk strategies, such as short-term Treasury RWA or delta-neutral trading. The key premise: no liquidity is sacrificed, and users can still withdraw at any time. ✅Structural shift in yield expectations Currently, risk-free stablecoin yields on major DeFi protocols like Compound and Maker hover around 3%–8%. To chase yields above 12%, users typically have to turn to CeFi platforms, which means accepting the risks of centralized custody and locked capital. According to Aave’s simulation tests, the V4 module could boost base APY by up to 25% while maintaining zero lock-up and self-custody. On Polymarket, markets are pricing in a 91% chance of its mainnet launch before June 30. If APY can really reach 25%, it’s definitely worth looking forward to 📊

@juliasaywhut @Fujina73 @RiverdotInc @River4fun @NomismaNetwork @sleepagotchi @wallchain Cross-chain depth quietly does more than cross-chain count. A protocol on five chains with shallow pools sits worse off than one on two with deep ones. The fragmentation problem is depth-shaped before it is chain-shaped.

@Fujina73 @RiverdotInc @River4fun @NomismaNetwork @sleepagotchi @wallchain cross chain depth is probably gonna matter a lot more once liquidity fragmentation gets worse

Chillin' with @RiverdotInc, @River4fun, @NomismaNetwork, @sleepagotchi , and @wallchain got me thinkin’ these folks are seriously making web3 feel user-friendly. Crazy, right? Gone are the days of tech overload; it’s all about keeping it simple. A lot of investors still see $RIVER as just a content mining play, but they’re missing the bigger picture. It’s about liquidity infrastructure, man! While everyone's busy racking up points, those cross-chain protocols are quietly transforming the flow of assets. Is this just a tech upgrade, or are we witnessing the dawn of something much larger? 🌊 Backed by StargateFinance, $RIVER's asset swaps between Ethereum, Base, and BNB Chain are smashing liquidity barriers. The dev team is hustling hard capital retention and cross-chain depth are their jam. And the incentive model? Just scratching the surface with @River4fun. The true value lies in their ability to forge partnerships and expand networks. But what’s the ultimate goal here? And don’t sleep on @NomismaNetwork’s season 3. This isn’t your typical flash-in-the-pan project. They’re in it for the long haul, ditching the usual quick-farming nonsense. What’s the catch? A 91-day cycle, a $100k USDC pool (that could balloon to $500k), and their ImpactShare rewards real contributions. It’s a breath of fresh air, right? That dual reward system? Absolutely brilliant. Instant CPA rewards for real actions + long-term ImpactShare based on authenticity. Consistency over fleeting viral moments? Heck yes. Then there’s @wallchain, flipping the script by focusing on quality engagement instead of chasing numbers. It feels like a narrative shift. But are we just going in circles? And @sleepagotchi? The chillest project yet. Turning sleep habits into a web3 experience? Sounds quirky, but it’s intriguing. Just waiting to see which projects can turn that hype into lasting habits...

The coordination across six deployments is the underrated part of this. Parameter changes applied identically across chains come from contract logic at the policy layer. That consistency is the same property cross-chain calls need to stay safe. Same architectural muscle we built zkCross around.

In accordance with the rsETH technical recovery plan, WETH LTVs on Aave V3 Ethereum Core, Ethereum Prime, Arbitrum, Base, Mantle, and Linea have been restored to their pre-incident values. WETH now operates as normal across all affected V3 deployments.

@StaniKulechov The recovery itself has been impressive. The architectural lesson sitting behind it is the one most builders still skip: validity has to live in the execution path, not in a downstream check. Pre-conditions on the lockbox itself are the cheapest defence and the least built one.

The attacker’s rsETH on Arbitrum has been burned. As the last step is to refill the rsETH bridge lockbox. Meanwhile withdrawals for rsETH into ETH will start within the next 24 hours to normalize the markets. The past few weeks, including weekends, have been incredibly intense. None of this would have been possible without the entire team working around the clock on this recovery effort. We're building a new level of resiliency and a post mortem will follow with new learnings.

The cleanest part of this is the parameter layer being the lever for both pause and recovery. Risk lives at the policy layer where contracts decide what is in scope. That consistency is what makes incidents recoverable rather than catastrophic. The same architectural muscle sits underneath zkCross.

The next step in the rsETH technical recovery plan has been completed with the restoration of WETH LTVs to their pre-incident levels across all affected networks. Users can now once again borrow against WETH on Aave, including through collateral and debt swaps.

@turtledotxyz @chainlink The shift institutional capital is making is to deterministic settlement. Configurable bridging defers the security decision to whoever sets the config that day. Cross-chain that scales needs the rules baked into the contract before the transfer leaves the origin chain.

Following the $292M LayerZero exploit, Turtle has updated its due diligence framework: • Assets relying on configurable, ad-hoc bridging are priced with a haircut • Cross-chain tokens integrated with @Chainlink CCIP are preferred The haircut accounts for the additional monitoring burden capital allocators carry when verifier configurations can shift ad hoc. CCIP's secure-by-default cross-chain infrastructure is the gold standard for institutional liquidity in internet capital markets. It lets allocators quantify and price risk with precision, and is the recommended solution for issuers. When issuers ship on secure-by-default infrastructure, Turtle can: • Eliminate single points of failure • Price risk without constant manual review • Compress time-to-deal • Quote on the most favorable terms Read the full updated framework:

The 'who can verify messages, who can pause, who decides after a break' framing is the part most projects skip when they ship. Bridge validity belongs inside the execution path, not in the asset's downstream assumptions. Once that constraint runs before settlement, the inherited risk stack shrinks fast.

DeFi risk used to look simpler to me. A few weeks have passed since the KelpDAO / LayerZero incident. So this is probably a better time to look back at it without the noise, and ask what the market should actually learn from it. You check the smart contracts. You check the audits. You check the TVL. You check whether the protocol survived past stress events. That was the mental model. But the KelpDAO / LayerZero incident made that model feel incomplete. Galaxy described it as a roughly $290M exploit. The attacker caused 116,500 rsETH to be released from the Ethereum-side bridge adapter through a forged cross-chain message, then used that collateral across lending markets. Aave’s estimated bad debt was framed between $123.7M and $230.1M depending on how losses are handled. The part that stands out to me is not only the size. It is where the risk came from. Not a simple contract bug. Not a normal oracle failure either. Not a “protocol got hacked” story in the clean way people usually imagine. It came from the assumptions around the asset. → bridge verification → RPC infrastructure → cross-chain messaging → collateral listings → emergency governance This is the uncomfortable part. A lending protocol can do many things right and still inherit risk from an asset it accepts as collateral. A token is not just a token anymore. It is a stack of assumptions. Who can mint it? Who can pause it? Who verifies messages? Who can freeze funds? Who decides what happens after something breaks? I used to think DeFi risk was mostly about code quality. And thanks to AI, the industry is probably going to get faster at writing, reviewing, and improving code. But that does not remove risk. It just pushes the question one layer deeper. Now I think the more important question is becoming: how many hidden committees, bridges, signers, guardians, and offchain processes are inside the thing people call decentralized? That does not mean these systems are useless. In some cases, emergency controls probably prevent worse outcomes. But it does mean the market has to stop pricing “DeFi” as one category. There is a big difference between trust-minimized finance and finance that works because a small group can react fast when something goes wrong. Both can be useful. But they are not the same product. And after enough nine-figure incidents, I think users will start caring less about the label and more about the actual control surface.

@PatrickAlphaC Clear signing is one half. The other half is what the signature is allowed to do. Model proposes. Contract validates. MPC signs only if policy holds. Audited execution as the boundary between reasoning and risk.

1 year ago, I made a video about how blind signing would cause massive pain. Since then, we've seen hack after hack (recently, Drift protocol for almost $300M), where clear signing could have helped mitigate. Today, we finally have a systemic upgrade to wallet UX 👇

Almost $100M across three protocols in four days. The pattern is consistent. Bridges and minting paths that assume collapse under a single attacker call. Cross-chain work is signature scoping, not just contract audits. zkCross is built so that every move sits within a Guardian rule, and every signature within an MPC quorum. The infrastructure has held.

This is what gets built on zkCross infrastructure. Per-user proxy wallets via CREATE2. Scoped MPC signing. Atomic on-chain settlement. 34 versions shipped The base architecture never changed. The vault contracts stayed boring. The trading layer did the work. Full breakdown from our founder below. 👇

Reasoning is half of it. The agent stack also needs an execution layer that prevents reasoning from leaking past policy. Computing and reasoning both improve faster than the contracts they act on. The constraint that scales agent autonomy in production is the policy gate at execution time, the on-chain rules that decide which moves the model can even propose to a signer. Strong reasoning, plus a deterministic gate, is the shape that ends up being trustworthy for value-bearing actions.

The identity layer is the right starting point and the authorisation layer is where the next problem lives. An agent identity that proves who is acting still leaves the question of what the agent is allowed to do, under what conditions, and with whose ratification. A signer with policy bounds and an off-the-shelf rule contract closes that loop. The two together are what make agent participation production-grade.

Autonomous payments are settled on @0xPolygon. Cross-chain settlement is settled on zkCross. Every vault deployment, AI agent action and Guardian rule enforcement powering Surf runs on the same execution stack, with deterministic policy contracts and multi-party authorisation behind every move. Production-grade abstraction, audited by Halborn, working under live consumer products on Polygon. The more autonomous activity Polygon settles, the more proven the abstraction layer underneath becomes.