0xBLC
@lapdecab
2.7K posts
Joined December 2019
107 Following, 200 Followers
0xBLC reposted
Simon Dedic (@sjdedic)
It’s almost funny how obvious this $LAB scam is, yet nobody seems to be doing anything about it. The token is up another 2x this week and is now trading at an $8.6 BILLION FDV. It’s pretty clear that shady market makers are painting the chart to lure in retail traders and then extract liquidity from them. The sad part is that something like this is only possible with the support of CEXs, since you’d need fee-exempt accounts to pull it off at scale. Otherwise, the costs would be far too high. For example, if you look at DEXs like PancakeSwap, there’s so little liquidity for a token supposedly worth nearly 11-digits that a $10,000 buy order would move the price by more than 70%. That’s absurd. One thing is certain: there will always be shady founders trying to get rich through scams. That’s just the unfortunate reality of human nature, and it’s a problem that exists in every industry. What I find even more disappointing is that major industry players like @Gate, @kucoincom, and @bitget are willing to facilitate this kind of activity just to make a quick buck, even though it damages the very industry they operate in. It shows how short-term and purely profit-driven their thinking is without any moral. Use DEXs or you’re part of the problem.
0xBLC reposted
indra (@indrawxyz)
@DriftProtocol Maybe you can also include why this was changed last week:
> migrated to a 2/5 multisig (1 old + 4 new signers)
> no timelock
just to reduce further fud
0xBLC reposted
tobi (@tobific)
@DriftProtocol @solana there it is, there’s the culprit. 2/5 multisig for a 500M TVL with no time lock is crazy. you’d think it’s 4/5 multisig but nah man these teams are crazy and then they’ll come up with a highly technical bs to explain why after users' funds are gone
0xBLC reposted
Are U Serious (@AreUSeriousC)
Actually what's the point of using such decentralized protocols like Drift or maybe even HyperLiquid if admins can withdraw the entire liquidity whenever they want? It should work in such a way that nobody can move funds deposited by users, even the owner of the protocol. Otherwise it's even worse than CEX - much worse.
0xBLC reposted
wave (returning to the bay arc)
I have sympathy for every drift user and 0 for the team
With what happened to bybit + every other admin key compromise, you have a duty to handle admin keys way more seriously
With $200MM at stake I expect institutional grade safety around upgradability/keys
It is their failure
0xBLC reposted
jbjbjb (@bryptobricks)
Although 95% of what happened with Drift today was gross negligence by the team, @circle has a duty and a responsibility to not facilitate native bridging of stolen funds:
• 3+ hours after the exploit was publicly flagged
• During normal US business hours
• While the attacker was actively using CCTP
• One week after Circle froze 16 innocent business wallets within hours over a civil lawsuit filled w errors
Why does Circle not have a full time response team dedicated for events like this? Do better.
0xBLC reposted
Hasu⚡️🤖 (@hasufl)
Every Defi protocol should have:
1. Circuit breakers for deposit and withdrawals, and possibly other internal operations as well
2. Timelocks for any change
3. Security councils that can shut down protocols immediately
We don't need insurance, we need to start doing the ffcking basics correctly. It's too early for this space to drive without any training wheels. I beg you, sacrifice a tiny bit of UX to gain a lot of peace of mind. The worst possible UX is losing your user's money.
0xBLC reposted
Teddy (@TeddyRoosevalt)
Two things stand out to me about the Drift hack today:
1) The Drift team is so unbelievably stupid to have set up their multi-sig with a 2/5 threshold and a 0 sec timelock
2) The hack lasted multiple hours and Circle did nothing to freeze the USDC
Utter incompetence everywhere
0xBLC reposted
Suhail Kakar (@SuhailKakar)
defi is fucked lol
drift just got drained for $200M+ and here's how:
- attacker minted 750M fake tokens
- made a raydium pool with $500 liquidity, priced at ~$1/token
- compromised admin key listed the fake token on drift
- disabled all withdrawal guards in one tx
- deposited $785M of fake "collateral" and drained every vault in 31 txs over 12 minutes
- nobody noticed for an hour
- attacker came back 2hrs later to grab a few more million
the multisig was 2/5 with a 0-second timelock. $200M+ protected by two signatures and zero delay.
and people wonder why nobody takes this industry seriously
0xBLC reposted
ZachXBT (@zachxbt)
Update: $230M+ USDC bridged via CCTP from Solana to Ethereum across 100+ txns. 6 hours is how long Circle had to freeze stolen funds from the $280M+ Drift hack. Circle is a centralized stablecoin issuer headquartered in New York and the attack began around 12 pm ET. Why does our industry allow them to stay silent? @jerallaire @circle @usdc
0xBLC reposted
𝕋𝕖𝕞𝕞𝕪🦇🔊
i can't stop thinking about the drift protocol hack. not because of the $280m. we've seen big numbers before. i can't stop thinking about how it happened. and what it says about everything we're building.

on april 1st, while people were posting jokes, an attacker drained $280 million from drift protocol in minutes. the team had to literally tweet "this is not an april fools joke."

but this didn't start on april 1st. it started on march 23rd. that's when the attacker created four durable nonce accounts. two tied to drift's own security council multisig members. two controlled by the attacker. quietly. no alarms. no flags.

on march 27th, drift migrated their security council due to a routine member change. by march 30th, the attacker had already compromised a signer on the new multisig too.

then on april 1st, they executed. a test transaction first. then one minute later, two pre-signed transactions fired four slots apart. admin takeover. withdrawal limits removed. a malicious asset introduced. every vault drained. jlp. sol. btc. usdc. over 15 tokens gone. the entire thing took minutes.

this wasn't a bug. this wasn't a smart contract exploit. this wasn't a flash loan or an oracle manipulation. drift's own report confirms it (you can check @DriftProtocol's latest to confirm). no compromised seed phrases. no code vulnerability.

this was social engineering. the attacker got 2 out of 5 multisig signers to approve transactions they didn't fully understand. used durable nonces to pre-sign them. then waited. patiently. for over a week.

two signatures out of five. that was the security standing between users and $280 million. two out of five. i keep coming back to that number because this is the part that should make everyone uncomfortable. not the hack itself. the architecture that made it possible.

we've seen this before. we've seen this so many times. bybit. $1.4 billion. the attacker compromised the signing infrastructure and tricked signers into authorizing malicious transactions. same concept. social engineering. not code. ronin bridge. $625 million. compromised validator keys. same story. cetus protocol. $223 million. different method but same result. hundreds of millions gone.

in 2025 alone, $3.4 billion was stolen in crypto. and the pattern is almost always the same. not brilliant code exploits. not zero-day vulnerabilities. someone was tricked. a key was exposed. a human made a mistake. only 19% of hacked protocols even used multi-sig wallets. and the ones that did, like drift, got beaten anyway. because the weakest link was never the code. it was always the person holding the key.

now here's what makes me angry. i've seen people dunking on solana over this. blaming svm. questioning the entire chain. the same thing happened after bybit when people started questioning evm and ethereum's security model. this is not a solana problem. this is not an ethereum problem. this is not chain-specific at all. drift's own report says it clearly. the programs and smart contracts worked exactly as designed. the chain did what it was supposed to do. a human was tricked into signing something they shouldn't have. that can happen on any chain. any protocol. any ecosystem. pointing fingers at solana is a deflection. and it's net negative for the entire space because it distracts from the real conversation we need to have.

which brings me to circle. nine days before the drift hack, circle froze 16 business wallets overnight. legitimate companies. crypto exchanges. forex platforms. payment processors. no criminal charges. a sealed civil lawsuit that nobody could even read. no advance warning. businesses woke up and couldn't process payments, couldn't settle trades, couldn't serve their customers. zachxbt called it "potentially the single most incompetent freeze" he'd seen in over five years of investigations. one of the frozen wallets wasn't even a business. it was a dfinity bridge contract used by thousands of users who had nothing to do with the case.

then nine days later, $280 million is being drained from drift in real time. the attacker is converting stolen tokens through jupiter, bridging them to ethereum, moving funds through circle's own cross-chain transfer protocol. and the freeze didn't come fast enough. so circle can shut down 16 legitimate businesses overnight for a civil case. but a quarter billion being actively stolen through their own infrastructure? different speed. i'm not saying circle is the villain here. i'm saying the system is broken in ways that should concern everyone.

now think about who's actually affected by drift. it's not just traders. protocols are built on top of drift. neobanks integrate with defi infrastructure. real customers with no idea what a multisig even is woke up and saw they couldn't access their money. some platforms said user funds are safe. but nobody could withdraw. your money is "safe" but you can't touch it. think about what that feels like for someone who just wanted a better savings rate.

i know what it feels like on a smaller scale. i lost $5,000 to social engineering. it's nothing compared to $280 million. but the feeling is the same. that moment when you realize the funds are gone and there's nothing you can do. it doesn't scale with the dollar amount. it's the same pit in your stomach whether it's $5k or $280m.

and here's the question i keep circling back to. we say defi is the future. we say we're going to onboard the next billion users. we say this technology will replace traditional finance and bank the unbanked and give people financial sovereignty. but how do we onboard millions of people into a system where a social engineering attack can drain a quarter billion dollars in minutes? where 2 out of 5 signatures is considered security for $280m? where the attacker sets up wallets two weeks early, runs a test transaction, and nobody notices? where circle can freeze legitimate businesses overnight but can't stop a live heist fast enough? where the same attack, the same playbook, the same human error keeps happening year after year after year?

ronin. bybit. cetus. now drift. same cause. different name. different chain. same result. defi doesn't have a code problem. it has a people problem. and we keep solving for the code.

i haven't interacted with a protocol in a while. i like money. but i love safety more. and right now this space is asking me to choose between the two. security can't keep being the last conversation. it can't keep being the thing we talk about after the hack and forget about before the next one. it has to be the first priority. not the last. because right now we're not ready for the next billion users. we're barely keeping the ones we have safe.
0xBLC reposted
ZachXBT (@zachxbt)
All valid points. As a reporter here’s my perspective: Only flagging activity / asking for a freeze when I have certainty of illicit activity. CryptoForensic (Josh) and ZeroShadow (Julia/Tanuki), Tayvano, 3-5 others are the only sources I can listen to blindly. Other individuals / firms do not have the same competence which leads to false positives due to weak quality controls. Leads to frustrated users which is simply unacceptable when you’re a business. It annoys me because others' incompetence can indirectly make my job more difficult. Yes Protocols/Companies subscribe to these services however customers have different settings so when addresses get flagged nothing generally happens and attribution is not updated quickly. Also the analytics firms do not communicate with each other so you have to flag at each one individually. None of the analytics firms pay you as a provider for flagging data so there’s less incentive. Thus I end up flagging illicit activity directly to teams with the goal of being as high signal as possible. Trusted individuals should be whitelisted since tools do not replace manual review (however I recognize it creates an issue of who is trusted). There’s what works in theory vs reality (govt, regulators, LE, Circle, etc are years behind). I say it as someone who has frozen multiple 9 figs from incidents at a variety of services. I am skeptical of people who propose AI / automated solutions for complex analysis.
0xBLC reposted
Specter (@SpecterAnalyst)
It was just a crazy day, and anyone wondering why Zachxbt and others were so pissed it’s because Circle allowed this and never cared. They would rather sit on the fence while a whole house is burning than do anything to stop the fire. Anyone monitoring the funds movement yesterday will definitely be so angry at Circle, because what exactly are you a centralized entity for when this kind of issue would take seconds to handle, yet you ignore it? Wallets held millions for 3-6 hours post-bridge before swapping to ETH. Just for example:
0x586d353D718B168C3891c9a8162dD2b523bEd741
0xAD383d6b3886b598F48c625437ccB4f8E84dBB48
Circle is a bad actor for the industry.
Quoted post from ZachXBT (@zachxbt): Update: $230M+ USDC bridged via CCTP from Solana to Ethereum across 100+ txns. 6 hours is how long Circle had to freeze stolen funds from the $280M+ Drift hack. Circle is a centralized stablecoin issuer headquartered in New York and the attack began around 12 pm ET. Why does our industry allow them to stay silent? @jerallaire @circle @usdc
0xBLC reposted
Omer Goldberg (@omeragoldberg)
17/ Timelocks, multisigs, parameter bounds, admin action rate limits; these aren't nice-to-haves. They're the difference between a close call and a $200M+ loss.
0xBLC reposted
Omer Goldberg (@omeragoldberg)
15/ The DeFi ecosystem continues to grow in scale, but not in operational security. Protocols now have custody of hundreds of millions in user funds while depending on admin key setups that would be considered unacceptable in TradFi for a fraction of that AUM.
0xBLC reposted
Omer Goldberg (@omeragoldberg)
14/ With Drift, we observed:
- No timelock
- No multisig
- No governance delay
- No circuit breaker on the admin operations themselves
0xBLC reposted
Omer Goldberg (@omeragoldberg)
13/ The Structural Problem
@DriftProtocol's admin key could, in a single transaction:
- Create a new collateral market with arbitrary parameters
- Set the oracle to an attacker-controlled account
- Disable withdrawal guards on every major vault
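Hasu's list (circuit breakers, timelocks, security councils) and Omer Goldberg's thread (threshold, timelock, parameter bounds, admin action rate limits) describe layered controls on the admin path. The following is an added toy model written for this page, not Drift's program, any post author's code, or a real governance framework; signer names, oracle names, thresholds and delays are constructed. It replays the attack shape the posts describe (create a collateral market on an attacker-controlled oracle, then switch off withdrawal guards) against a 2-of-5, zero-delay configuration and against a hardened one, and shows which layer stops each step:

```python
# Added example, not Drift's code or any post author's: a toy model of the admin-action
# controls the posts above call for. Signers, oracles, thresholds and delays are constructed.
from __future__ import annotations
from dataclasses import dataclass, field

HOUR = 3600

@dataclass
class Proposal:
    action: str        # e.g. "create_collateral_market", "disable_withdrawal_guards"
    params: dict
    created_at: int    # unix seconds when queued; the timelock counts from here
    approvals: set = field(default_factory=set)
    cancelled: bool = False
    executed: bool = False

@dataclass
class AdminGuard:
    signers: frozenset                          # multisig members
    threshold: int                              # approvals required (the "2" in 2-of-5)
    delay: int                                  # timelock in seconds; 0 = none
    guardians: frozenset                        # security council able to veto a queued proposal
    oracle_allowlist: frozenset | None = None   # None = unbounded (the weak setup)
    max_initial_weight: float | None = None     # None = unbounded
    max_actions_per_window: int | None = None   # None = no admin rate limit
    window: int = 24 * HOUR
    _executed_at: list = field(default_factory=list)

    def approve(self, p: Proposal, signer: str) -> None:
        if signer not in self.signers:
            raise PermissionError(f"{signer} is not a signer")
        p.approvals.add(signer)

    def veto(self, p: Proposal, guardian: str) -> None:
        if guardian not in self.guardians:
            raise PermissionError(f"{guardian} is not a guardian")
        p.cancelled = True

    def _out_of_bounds(self, p: Proposal) -> str | None:
        # Parameter bounds: a new market may only use a known oracle, never at full weight on day one.
        if p.action == "create_collateral_market":
            if self.oracle_allowlist is not None and p.params.get("oracle") not in self.oracle_allowlist:
                return "oracle not on allowlist"
            if self.max_initial_weight is not None and p.params.get("initial_weight", 1.0) > self.max_initial_weight:
                return "initial collateral weight exceeds bound"
        return None

    def execute(self, p: Proposal, now: int) -> tuple[bool, str]:
        # Every layer is checked at execution time, so a compromised quorum alone is not enough.
        if p.cancelled:
            return False, "vetoed by guardian"
        if p.executed:
            return False, "already executed"
        if len(p.approvals) < self.threshold:
            return False, f"{len(p.approvals)}/{self.threshold} approvals"
        if now < p.created_at + self.delay:
            return False, f"timelock: {p.created_at + self.delay - now}s remaining"
        if (reason := self._out_of_bounds(p)):
            return False, reason
        recent = [t for t in self._executed_at if now - t < self.window]
        if self.max_actions_per_window is not None and len(recent) >= self.max_actions_per_window:
            return False, "admin action rate limit hit"
        p.executed = True
        self._executed_at.append(now)
        return True, "executed"

SIGNERS = frozenset({"s1", "s2", "s3", "s4", "s5"})

def weak_config() -> AdminGuard:
    # The setup described in the posts: 2-of-5, zero delay, no bounds, no rate limit.
    return AdminGuard(SIGNERS, threshold=2, delay=0, guardians=frozenset())

def hardened_config() -> AdminGuard:
    # 4-of-5, 48 h timelock, council veto, oracle allowlist, bounded weight, 2 admin actions/day.
    return AdminGuard(SIGNERS, threshold=4, delay=48 * HOUR, guardians=frozenset({"council"}),
                      oracle_allowlist=frozenset({"known_oracle"}), max_initial_weight=0.9,
                      max_actions_per_window=2)

def replay_attack(guard: AdminGuard, compromised: set, t0: int = 0) -> dict:
    """Replay the attack shape from the posts with only the compromised signers approving."""
    market = Proposal("create_collateral_market", {"oracle": "attacker_oracle", "initial_weight": 1.0}, t0)
    guards_off = Proposal("disable_withdrawal_guards", {}, t0)
    for p in (market, guards_off):
        for s in compromised:
            guard.approve(p, s)
    out = {"market_t0": guard.execute(market, t0), "guards_off_t0": guard.execute(guards_off, t0)}
    if guard.delay and guard.guardians:   # a queued proposal is public; the council vetoes it
        guard.veto(guards_off, next(iter(guard.guardians)))
    later = t0 + guard.delay
    out["market_later"], out["guards_off_later"] = guard.execute(market, later), guard.execute(guards_off, later)
    return out

def legitimate_path(guard: AdminGuard, t0: int = 0) -> list:
    """Three in-bounds proposals by four honest signers: the delay passes, the rate limit stops the third."""
    results = []
    for _ in range(3):
        p = Proposal("create_collateral_market", {"oracle": "known_oracle", "initial_weight": 0.8}, t0)
        for s in ("s1", "s2", "s3", "s4"):
            guard.approve(p, s)
        results.append(guard.execute(p, t0 + guard.delay))
    return results
```

Calling `replay_attack(weak_config(), {"s1", "s2"})` executes both malicious steps at t0 with two approvals and no wait. Against `hardened_config()`, even four compromised signers only manage to queue the proposals; the timelock holds them for 48 hours, the guardian vetoes the withdrawal-guard change while it is visible, and the market creation is rejected at execution because the oracle is not on the allowlist. `legitimate_path(hardened_config())` shows the operator's side: in-bounds changes go through after the delay, and the per-day admin rate limit refuses the third.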