SECURE ORACLES

“It is a tragedy in a sense, though, that Sam really was a generational investor. Right place, right time, right access—deep in the EA community, that's where a lot of this AI stuff came out of. And I think his portfolio would have been worth something like $120 billion. I think it does reflect badly on the trustees; they sold these things at fire sale prices.”

“The board's view is straightforward: the time to start preparing is now, not when it's urgent. They completely understand the point that me and many others have been making. You don't have the luxury of waiting until one of these things is imminent because the transition takes a long time. I thought this was really the most thoughtful paper on this that I've read so far.”

“So created a token, spun up a fake oracle, or like a real oracle that was pointing to the fake pool, pumped the price, and then they had all of this kind of credit in the system that they could use to withdraw and drain Drift from all of the blue chip protocols. So this is again why I say it's sophisticated because this attacker was preparing. He spun up the feed, he was running fake volumes in the AMM where the CVT pool is being traded and the oracle read the price from. And then also created a fake market on Drift with max risk parameters.”

“And the attacker waited. I think some of the speculation was that they waited until April 1st, for April Fool's Day, so that when messages of the hack were being dispatched, there would be confusion about whether or not it was real or a prank. And pretty swiftly, within seconds, at least for the first batch, the attacker executed a series of transactions that effectively enabled them to deposit and manipulate the price of the collateral into the drift vaults and extract all of the blue chip assets.”

“Arbitrum was able to freeze about 70 million worth of ETH here and rescue it, causing people to yell at them for not being decentralized. And DeFi as a whole has taken a massive hit. People are basically deciding that the tail risks here are so material that the rates they're being paid to lock on DeFi are not worth it. Huge mess.”

“Notably, it had zero time lock on any of the functions it could execute. And for listeners, what time lock means is, even though certain privileges in an application need to be signed by white listed addresses, a time lock basically says after they sign it, there's a gap between when it actually executes. And this is typically an additional security precaution to make sure that what was signed and the change enacted is indeed what you want it to be.”

“MicroStrategy had another big week. $2.5 billion worth of Bitcoin purchases since the last time we recorded this podcast. This STRC product is just on fire for these guys. This is the largest preferred out there, period, in all of capital markets. If the price of Bitcoin goes up, they're going to be in a lot better spot.”

“Are these yields that are attracting people to DeFi actually worth it? Are you getting paid enough for the risk? I think very clearly the answer is no. The vulnerabilities here would warrant you getting compensated a lot more than what you're getting compensated. When you can have a socialized loss on Aave due to no fault of your own, that's a bad position to be in.”

“The combo is something I'd never thought of before, but it is very compelling. Satoshi did have this unusual combination of certainly academic chops plus the engineering chops, which it's kind of like very rare that one person would have that. The case for Len is very good; he cited a very rare symposium paper from a conference in Belgium that was not distributed online.”

“There was an oracle attack where they were using a single sensor near the Charles de Gaulle Airport. The guy bought the 22 degree option, which was trading at basically zero, took a hair dryer, heated it up, the sensor triggers, the market closes, he wins, and then gets arrested. Kind of makes the case that these markets need to be a little better designed.”

“In contrast to last week, we were talking about the Resolv hack... Here, it wasn't a single key. It was a multi-sig. However, it was a two of five multi-sigs. So this is like the minimum amount of signatures that you would need in a multi-sig. So it's one step above a single key. We're still waiting for an official, I think, post-mortem... but it looks like this was a planned event, and I think that the hacker had some type of access that the team didn't know about.”

“If you can actually receive control on one of these packages, you just make a tiny modification where you can add a piece of code that effectively once run on any developer's machine gives you root access to the machine. So you can read and write whatever you want. And the second, something like that happens, which we've seen with Axios last week with Light LLM, one of the biggest AI packages, but there have been hundreds of packages that have been infected in this manner. You can do whatever you want on the machine.”