American Express is leading the agentic commerce race
“Amex answered the three hardest questions in agentic commerce: identity, mandate, and accountability. When the agent screws up, who pays? This is the one that matters most, and crypto has obviously not figured it out. Amex says we will pay if you use our rails and the agent screws up. That is what is going to unlock adoption for agentic commerce, the liability and the accountability, especially because the laws in this space are so uncertain and current laws are built for humans swiping cards rather than AI agents.”
Aave users track on-chain deposits to escape bank runs
“People right now are actually utilizing Arca monitoring these contracts on these different platforms, such as Aave, in order to then withdraw as soon as they receive an alert on chain that somebody's looking to deposit or has deposited... If you wanna mechanistically try to get your money out, you set an alert for any time a single dollar comes into the protocol so that you can be first in line to try to withdraw it.”
Default configurations are becoming DeFi's single point of failure
“If you have a large portion of the ecosystem, in this case, all of LayerZero's users, if you have something like 47% of them going with this one-of-one verifier setup, it starts to look less like an individualized choice, and more like actually standard architecture, or even the industry norm. I think what courts will eventually have to wrestle with is, when is it not enough to say, oh, we just provided the options, or we provided the tools? Defaults matter, and the options you give actually shape user behavior.”
DeFi security requires social consensus over pure code law
“This is a core tenet of blockchain technology that we just don't talk about. Blockchain technology is open, modifiable. It's just code, right, running on servers and social consensus. And that social consensus piece is the thing that destroys the idea of immutability. It destroys the idea of, like, you know, complete agency. I mean, it does have agency, but it's like, it can be persuaded.”
Risk management must look beyond simple contract audits
“It's not even about smart contract exploits anymore; you can have a million audits and that wasn't the cause of any of these recent attacks. Now it's about all the dependencies around oracles and bridges and collateral and multi-sig configurations or operational security practices. It sort of feels like you're just playing whack-a-mole. North Korea and other illicit actors are just going to keep coming up with new ways, probably greatly aided by AI, to exploit vulnerabilities in the systems surrounding the core code.”
“We have to ask ourselves if we should start thinking more carefully about constraints. I think one thing that we conflate a lot in crypto is decentralization and permissionlessness, because they're not the same thing. Even just talking about permissionlessness, people usually assume you mean KYC, but a protocol can restrict what kinds of assets or collateral it will allow, or it can impose rate limits. If we even want to survive as an industry and a technology, we need to really seriously think about the trade-offs between crypto's core values and keeping users safe.”
Arbitrum froze $71 million using Layer 1 forced inclusion
“We were able to use that same tactic, and actually, because if we wanted to give ourselves new rules or upgrade the software of the Nord, we could do that... we can actually make a transaction on Ethereum. We have to wait fifteen minutes, and since the hacker wasn't able to move their funds in that fifteen minutes, that transaction went in, and it actually was able to send their funds from the address they control to an address that no one controls.”
Lazarus Group creates bad debt by borrowing on Aave
“The Lazarus Group deposited 228, or sorry, $270,000,000 worth of this wrapped, restaked ETH onto the Aave protocol. They get to withdraw $228,000,000 of wrapped ETH. And now all of a sudden, you have a bunch of bad debt because there's a bunch of tokens that don't actually exist that have been deposited and a bunch of real money that does exist, which has been taken out by a bad actor.”
Lazarus Group typically uses Thorchain for fast money laundering
“After this was actually withdrawn, and it started getting moved by what we later discovered was the Lazarus Group, all of those tokens then moved onto Thorchain, or at least a significant portion of it, once it was actually taken out from Aave. It was then taken and sort of laundered using Thorchain. And so when you get very large Thorchain deposits like that, it's very typical that these are proceeds of a crime.”
SEAL 911 serves as the industry's emergency response team
“The second this hack happened, behind the scenes, they're coordinating with law enforcement. They're coordinating with all the bridges, all the people that they could. They're blocking UIs, this address from UIs. They're putting this address on all these lists. And, like, the infrastructure of SEAL 911 is really the hero here. Like, I feel like the security council is getting a lot of credit for executing, but the real execution happened to layer up, and it's SEAL 911.”
North Korea exploited LayerZero to mint fake RSETH tokens
“In this case, using the restaked ETH token via KelpDAO, essentially, LayerZero accused the Lazarus Group of exploiting their decentralized verifier network, with the way of essentially faking withdrawals of restaked ETH on Ethereum, which then caused restaked ETH to become undercollateralized. Obviously, then you have a bunch of this token that doesn't actually necessarily even exist. But according to this bridge, it does.”
Redistributing rescued funds is harder than freezing them
“I'll tell you. Rescuing funds is way easier than redistributing them. That is always the hardest part. ... I'm gonna be very interested in watching this conversation unfold because, yeah, we'll see what happens. ... the devil's really in the details of these things.”
Exploits highlight DeFi's critical liability and accountability gaps
“I think accountability is really important and we can't have that unless we're allowed to ask questions. And so we shouldn't be silencing each other every time something like this happens. What about the victims, right? They deserve to know what happened and why and what these teams are going to do about it, what the industry is going to do about it to make sure that it doesn't happen again. We can't just give thoughts and prayers; we need to improve things and ensure accountability for those who lose funds.”
Prediction market litigation is fast-tracking to Supreme Court
“The Ninth Circuit heard this, and the other interesting thing is all three judges on this three-judge panel were actually appointed by Trump, but they sounded openly skeptical of the CFTC's federal preemption argument. If we have the Ninth Circuit rule against the prediction markets, and another circuit rule for them, that makes it way more likely that the Supreme Court is going to take on this issue. We're likely looking at a 2027 or 2028 timeline before we have a final answer on whether these are considered gambling or legal contracts.”