Unchained - Strategy's Preferred Stock Is Now a Stablecoin. And DeFi Has a Security Problem.

Episode Date: April 22, 2026

The $290 million Kelp DAO hack, attributed to North Korea's Lazarus Group, has DeFi TVL down $13 billion in 48 hours. Do DeFi's foundational assumptions need to change?

DeFi TVL fell from $99.5 to $86.3 billion in 48 hours after the $290 million Kelp DAO exploit — the latest nine-figure attack attributed to North Korea's Lazarus Group, this time via a compromised Layer Zero bridge.

Meanwhile, a new class of yield-bearing instrument is staking a claim on capital fleeing private credit: Apyx's APY USD, backed by Strategy's STRC preferred stock, launched on Kraken this week with a 12% yield target and $180 million in supply after just seven weeks. Is STRC-backed yield a legitimate financial primitive, or a Bitcoin derivative with extra steps?

And as DeFi absorbs yet another devastating security failure, is the industry's core assumption — that incoming transactions should be treated as legitimate — finally due for an overhaul? Austin Campbell, Ram Ahluwalia, and Chris Perkins dig in with Parker White of Apyx and Michael Bentley of Euler.

Hosts:
Austin Campbell, Host of Bits + Bips, Zero Knowledge Consulting
Ram Ahluwalia, Co-Host, CEO of Lumida
Chris Perkins, Co-Host, CEO of 250 Digital Asset Management

Guests:
Parker White — @TheOtherParker_ — Founding Contributor, Apyx
Michael Bentley — @euler_mab — Former CEO, Euler Labs

Transcript
Starting point is 00:00:01 Hey, everybody. Welcome to Bits and Bips, where we explore how crypto and macro collide one basis point at a time. We're here to discuss the latest stories in the worlds of crypto and macro and today, one or two interesting new developments and products. But before we begin, first, a word from our sponsors. If you've been loving Bits and Bips, don't forget that the show is transitioning to its own feeds on X, YouTube, and your favorite podcast player. If you're not already subscribed to Bits and Bips on its own channels, go there now and hit that subscribe button so you can keep up with our twice weekly live streams and macro meets crypto breakdowns. Bits and Bips will only be on the Unchained feed for a few more weeks. So subscribe today to be ready for launch. You can get all the links at Unchained Crypto.com slash bits and bips. All right. Today is Monday, April 20th. And I am your host, Austin Campbell, High Scholar of Zero Knowledge Group, here with my co-hosts, Ram Ahluwalia, Maester of Weld, the leader of Lumida, Chris Perkins, CEO of 250 Digital Asset Management.
Starting point is 00:01:07 And today we're going to be joined by multiple guests, but starting with Parker White, founding contributor to Apyx. So let's start with that one, which is Apyx. We've seen a significant set of products launch over the past few years, attempting to capitalize on blockchain rails, developments around crypto, and call it alternative means of creating, I guess in this case, stablecoins. So Apyx, Parker, I'm going to let you give us the download on this first to describe as our foundation here.
Starting point is 00:01:46 What is it? How does this work? Sure. So the general idea is to create a stablecoin or a stable-like asset backed by digital credit. And digital credit is what Michael Saylor is calling their preferred equity instrument issued by Strategy, STRC. So if anyone's been paying attention, I believe it was last week they bought about $2.5 billion worth of Bitcoin.
Starting point is 00:02:15 They are raising capital at a pretty astonishing pace. MicroStrategy's STRC or Stretch instrument, as they call it, is the most traded, most liquid and largest preferred stock ever in history. Preferred stocks are kind of a somewhat niche area of the market. But interestingly, and many people don't know this, Stretch's IPO was actually the largest IPO of 2025, full stop, larger than Circle, larger than any other asset, you know, IPO. And so it has really been catching on now. And, but, you know, it's NASDAQ listed.
Starting point is 00:02:56 It's not really accessible into the DeFi world. And so essentially what we did was, we created a stablecoin backed by this instrument, some cash in there as well, a little bit of SATA, but we think a whole bunch of other DATs are going to be issuing very similar variable rate non-convertible preferreds as well. And so this basically ports that yield from the NASDAQ
Starting point is 00:03:20 into the on-chain world. So right now APYUSD, the staked version, is paying about 12%. We target about 13th. And so it's, you know, good double-digit yield on chain, and it's super transparent backing. There's no like trading strategies or borrowing and lending across Aave and centralized exchanges. It's just people give us cash. We send it to the brokerage account.
Starting point is 00:03:47 We buy the Stretch. That's that. Now we, of course, are listed on Pendle and we, you know, have the points farm and all of that, which helps to boost the yield a little bit, but the underlying collateral base is, you know, itself yielding about 12% because we've got, you know, Stretch in there, which is 11.5 and then we've also got SATA. So pretty straightforward, pretty simple product, but over the last seven and a half weeks, we've been growing pretty significantly. We've hit about 180 million in supply.
Starting point is 00:04:20 We announced, I guess it was a week or so ago, crossing the million share, so 100 million dollars worth of Stretch on the balance sheet. So we're one of the largest holders of Stretch at this point. And today, actually, the stablecoin was just listed on Kraken, which is pretty wild for a stablecoin pre-TGE to be listed on Kraken. Obviously, the entire team is ex-Kraken, so that certainly helped. But there's a lot of steam being built here around this narrative of kind of digital credit on chain. Excellent. So looking at this, as we look at, call it press commentary out in the world. One, bull case. So if we look at Joseph Onorati, the CEO at DeFi Development Corp, it's: Apyx creates a feedback mechanism that bridges between publicly listed balance sheets
Starting point is 00:05:16 and on-chain markets. Benchmark research was noting that Stretch is becoming the backbone of yield-backed stablecoin ecosystem. And Parker, you just gave us a good description of how to get this yield on chain. So bear case to go the other way, Alexander Blume, CEO of Two Prime, says a product that pays more than 6% over treasuries must come with additional risk. And Stephen Strong says ApexUSD is a BTC vol derivative dressed up as a dollar. If Stretch trades below par, the yield story will break. Now, JPMorgan research has pointed out that yield bearing stables are growing significantly faster than traditional stables, call it 15x faster right now, though, noting for everybody coming off a small denominator is much easier than coming off a large denominator. 15x size from current non-yield
Starting point is 00:06:10 bearing stablecoins would be a giant amount of money. And post-GENIUS, yield-bearing stablecoins are no longer, call it, stablecoins in the United States. So what I want to dig into, and actually I would like to start with Chris as a former investor and somebody who's managed a liquid fund and like currently looking at these strategies is where do you place this in the risk taxonomy in the world, right? As we look at an instrument like this and where is it going to be used on chain? So I think you nailed it. This is definitely not a GENIUS denominated standpoint, GENIUS regulated stablecoin, right? Like that's so so names matter. And I think if we're in United States, we have to call it something maybe differently. It's kind of a mix of an on-chain private credit. I guess I've got a couple questions if it's okay. What's the goal of having a, quote, yield-bearing stablecoin versus, it sounds like in this case it's to maximize yield.
Starting point is 00:07:15 But why call it a stablecoin? Is the end use case to have that stablecoin serve as collateral to back additional exposures? Why don't you just say, hey, this is a private credit exposure that's yielding 11 and 1%, 12%. Well, very importantly, it's not private credit, right? It's not backed by illiquid assets. It's not backed by Apollo funds. Backed by a preferred stock, trades on the NASDAQ. You can see it every day. It trades hundreds of millions, some days billions of dollars in volume.
Starting point is 00:07:46 And so that's actually kind of the interesting juxtaposition here is that you've seen a lot of these private credit instruments come on chain, whether it's straight private credit or it's the, you know, the reinsurance stuff. This is not that. This is kind of the opposite of those. It's just you can see the balance sheet. You can see the number of holdings. Got it. And then when you take something that's a security and you bring it on chain, isn't it still a security? So when you wrap it, it's part of a basket, right? So you've got a mix of some securities, some non-securities, some other stablecoins, that kind of thing. But, you know, the asset, or at least our front end, is not available to folks in the U.S. So that is important.
Starting point is 00:08:35 You know, you can't access it in the U.S. It's kind of geo-blocked to a number of jurisdictions. The Reg S exemption offered a foreign investor. So is there any additional value added? Sorry, just one quick clarification. Is there any additional value added versus owning STRC directly other than that's on-chain? Well, it's a couple of things. So you get the diversification of holding
Starting point is 00:09:01 a little bit of SATA as well. And then there will be others of these that will be launched, you know, one or two from the large Ethereum DATs, maybe one or two from some of the Solana DATs. And so you kind of get that diversification, that basket there. The other one is because we are over collateralized, and there's a mix of some cash in the pool as well as the preferreds, you get a little bit of reduced vol.
Starting point is 00:09:29 So if the vol on the prefs is say, you know, well, right now it's like 1%. But let's say it's like historically it's maybe like 5%. Then the vol here might be like 2.5% or something. So you get some of that reduction there. Those are like, I'd say the yield will be lower if it's over collateralized though because you're tying up more capital. But if I understand correctly, it matches the yield of STRC. It's a lower vol because it's over collateralized. I think we don't fully understand the question. Right. So it's over
Starting point is 00:10:04 collateralized, then that's consuming some capital. Right. So therefore, shouldn't have a lower yield versus investing STRC. Well, because of the diversified basket, right, some of these other prefs do pay a little bit more yield. You know, that generates some extra yield. And then, of course, because it's a crypto project, we've got the governance token. And so, you know, we can sell some that to kind of build the reserve. But then very importantly here is the two token stable model. So it's very similar to Ethena, where we've got APXUSD is the non-staked version. And then APY USD is the staked version. APYUSD is the only bucket that pays yield. And so right now we've got, let's just call it 50% of the balance sheet or 50% of the issued assets are staked.
Starting point is 00:11:00 So the whole collateral base is paying yield to just the 50%. So that's how you actually get some, you know, kind of yield leverage, if you will. So that kind of allows us to be a little bit lower vol and a little bit higher yield than just holding Stretch directly. So it's really kind of packaged to make it more accessible for set it and forget it investors. But then it also creates this ecosystem where you can have the active traders trading the non-staked version as well, and that all creates a liquidity flywheel such that, you know, our stock or our asset is much more liquid on chain than say like an STRCX, one of the, you know, xStocks tokenized versions.
Starting point is 00:11:44 So if we're thinking about the framework here, and it's going to be a Reg S issue and so it's going to non-U.S. persons, it sounds to me like the value prop is, I don't have a U.S. brokerage account. I can't buy this thing natively. I'm elsewhere in the world. would like to get my hands on this yield, I go into DeFi and buy that thing, a little bit like Ethena works, right, as you said, which is a packaged version of the basis trade. And then if we're thinking about the collateral pool that you have in there, the risk that these people are taking is basically a combination of Stretch continuing to work, because obviously impairments there just pass through. That is what it is. That is the nature of like the risk that you're taking. And then the second part of
Starting point is 00:12:28 that, I suppose, is all the usual, like, DeFi protocol risks, which, you know, you will try to manage as well as you can in a relatively linear way. But do I have the profile right of the investors that you're looking for and what the underlying risks are there? Yeah, I think you've nailed the risks really well. I think the other demand pool is going to be investors that want to use this as a, you know, a DeFi building block, a DeFi. Right. So right now, you've got it trading on Pendle, people can farm the YT, points on the YT, or they can do the PT. We're talking to a number of these tranching protocols where they, you know, take the yield version and split it into a senior and junior tranche.
Starting point is 00:13:12 So, you know, once it's kind of in that DeFi package, it can be used in all sorts of creative ways. And so investors that want exposure to, you know, Stretch in some of this other, you know, pool basket, but they want it in a unique way, maybe a higher yield junior tranche, maybe a senior tranche, maybe a points farm, whatever. They can access it here versus, you know, a Stretch shareholding in your Schwab account. Like, you can't use it in DeFi at all. It reminds me of some of the financial engineering that we saw, like in 2008, where you
Starting point is 00:13:49 had CDO. It's like, well, this product is so good. Let's just CDO to CBO. No. Let's take all the tranches and tranche it up again. You know, STRC is itself a financial engineering. It's creating yield on an underlying that has no yield, right? Now your product is a pass-through.
Starting point is 00:14:07 It improves portability and accessibility to non-U.S. investors. So, Austin is saying. And it creates more yield for the junior tranche through structural leverage. It's really, it's kind of fascinating. You know, humans love leverage, right? We'll find a way. Give me something with a stable yield.
Starting point is 00:14:24 We'll refine away more leverage. Juice it up, distribute it to the far corners of earth. No, Ram, humans love yield. They don't love leverage. They don't love leverage. They love yield. Yes, if it comes through leverage, that's in the fine print. Humans love yield.
Starting point is 00:14:41 That's right. With no drawdown risk. That just always pays 10%. That's what humans like, yes. Equity return with bond-like volatility. The thing that's got to be keeping you awake at night right now is kind of the stuff that we saw at Kelp DAO, right? Is it, if DeFi is the end utility use case here,
Starting point is 00:14:58 how do you get your head around that, you know, with what we continue to see over and over again? Yeah, it's, um, it's certainly, I think, slowing down our, um, you know, product roadmap and having it spend a lot more time on security, getting audits on lots of different areas. Um, you know, we, all of our minting and redeeming is done manually, We have a multi-sig that we do that, so that kind of would help us avoid the resolve issue.
Starting point is 00:15:31 We also have time locks on all of our contracts. Everything is manually reviewed, so that would help us avoid the drift issue. And then right now we use for our bridge to base. We have, you know, use Chainlink CCIP protocol and also have amounts, daily limits for the bridging there, which would help us have, you know, avoided the Kelp issue. But, yeah, I mean, look, these are all issues, and the next issue is probably not going to look like any of the last three or any of the last 20 that we've seen over the years. And so it's being, you know, it's all about being hypervigilant.
Starting point is 00:16:11 And, you know, the team here, ex-Kraken, going all the way back to 2013 at Kraken, we've got a pretty good upbringing and, you know, training in the security realm just having been at Kraken, and so applying all that knowledge here. Um, but yeah, it certainly makes things, you know, slower and more different. Yeah, it's, even if you have every, all your act together, it's like the third party dependence seems you can't control. It must keep you awake. Look, I'm a big buyer of DeFi. I think it's going to be, you know, one of the fundamental unlocks, you know, into the future. But gosh, we really got to navigate this, this real critical juncture. Yeah, absolutely.
Starting point is 00:16:51 So I'm going to go the other way as I think about this and say, I agree with Ram's commentary and Parker what you're saying that this is effective packaging to get these equities into the DeFi markets and distributed to people who cannot currently hold them. I think the risk profile of that becomes pretty clear, which is to say, if bad things happen to Strategy or Stretch, bad things will happen here and vice versa. That, to me, as long as that is fairly disclosed to people, I believe people should be able to evaluate, take risks with their money. That sounds fine. If I were the founder behind this thing, though, in a strange way, are you not long, call it U.S. regulatory stasis? That is to say, the worst nightmare in some ways would be Stretch being able to just trade in DeFi freely in the first place, because that reduces a lot of the value of the wrapper here.
Starting point is 00:17:46 So in a sense, are you guys kind of call it betting on more restrictive versions of clarity, less action from the SEC, or simply never finding a path to distribute U.S. equities effectively on chain to non-U.S. persons. Well, today you already have U.S. equities on chain via xStocks and some of these other, Superstate, Ondo, so on. So we're actually now the largest holder of STRCX on chain. So we just actually mint STRC into STRCX and then hold it ourselves. But there's no market for this stuff, right? It's not trading. It's not really being used in DeFi. It can be.
Starting point is 00:18:30 There's nothing preventing xStocks. But there's just not a lot of demand for it. We are already far more liquid than STRCX on chain and more liquid than I think all of the xStocks maybe combined at this point. And so the packaging, you know, as I mentioned, it's not just straight STRC pass through. It's a basket.
Starting point is 00:18:51 It's got some of those other things. Got the two token model. A couple different kind of crypto modifications, if you will, that really boost the liquidity. And ultimately, that is going to be the moat for just a straight STRC
Starting point is 00:19:07 on chain. Because again, it's not just non-U.S. investors that, like all non-U.S. investors that can't get access to Stretch, there's lots of brokers all over the world. People can buy this stuff directly in their brokerage accounts, you know, interactive brokers, all these different brokers around the world. But people want to buy this because of the way that it's packaged. It's maybe more similar to, you know, an ETF with some unique crypto features than it is just holding Stretch itself.
Starting point is 00:19:36 And I think that will become more clear over time as more of the DATs issue these instruments. And we can have a little more diversified base. Right now, it's just Stretch and SATA and mostly Stretch. But I think over time, you'll start to see that spread out. And, you know, that'll add some liquidity benefits as well. Let's want. How do you put it for scratch? Sorry, Chris.
Starting point is 00:19:55 I was just going to say, how do you get back on shore? I mean, you don't want to have an instrument that's only available to non-U.S. persons in the long term. You want to have, you know, maximum liquidity as possible, right? How do you do that? Yeah, it's a great question. You know, I think there's probably going to be, you know, assuming clarity does eventually pass.
Starting point is 00:20:17 There's probably going to be a lot of rulemaking around that. So it might take a little while, but we'd eventually need to see some type of regime for yield-bearing instruments, you know, not exactly stablecoins, but, you know, loosely stablecoins or just loosely stable in value. But some kind of regime to offer that to US users. You know, so we'll have to see what kind of developments come, but, you know, it might take a while. But interestingly, on a secondary market basis, so the primary issuer, us, you know, we can't kind of issue roughly or relatively speaking to US users.
Starting point is 00:20:59 But for example, APXUSD that just listed on Kraken, it is available to US users. So on a secondary basis, users can go out and trade it and, you know, we can't really do anything to control that. And so this is kind of the, you know, I wouldn't say loophole, but kind of the construct that even like an xStocks is using where xStocks is not formally issued to U.S. users, but if they happen to interact with it within DeFi, that's kind of like up to them. So I think over time, you know, it might just naturally get into the hands of folks. Again, we're not offering that or marketing that, but hopefully a sandbox does appear over time from the SEC and the CFTC to make this formally available to U.S. users. All right. So speaking of things available to U.S. users, Ram, stocks hit a record high. Bitcoin has been ripping and is up significantly right now back to things.
Starting point is 00:22:07 they're helping Stretch. I think it's at like 76K today, if I'm seeing this correctly. And yet the war in Iran continues. We don't yet have a ceasefire. And the markets appear to be shrugging. I mean, previously people used to think Trump would taco and back off when economic pain bites, but instead we're just not really having economic pain, as we can see through the lens of Bitcoin right now. What do you make of what is going on, right? if Trump, you know, as the Wall Street Journal earlier alleged, are, is in the process of putting up impulsive posts and yelling at people, but the markets are shrugging it off and moving onwards as though this will be, to quote you, a nothing burger. What's going on here?
Starting point is 00:22:55 Two topics. One is positioning and the second is Iran. So what happened is, and I mentioned this on Twitter, I think, on April 7th, is that the hedging, the shorting is so significant. People also exited the market. BlackRock took a neutral view on equities. That's the largest asset manager in the world, which many investment advisors follow. And they're themselves an asset manager, went to a neutral position. So they're off-sides. There's a lot of cash offsides. And they're trying to find a way to get back in. So that's one. The second thing that happened is Claude went from AI apocalypse to decimating whole categories when they had these product releases at a seemingly unstoppable frenetic pace of every two days, right,
Starting point is 00:23:49 hurting SaaS, hurting Wall Street names, trading names, Adobe, you name it. Now it is, hey, this AI stuff is real. The world is short data center compute. So semis have to go up, industrials have to go up, financial services see a productivity boom. That is the new thing. And people are scrambling to get in. This is very reminiscent of last year, actually. This is a non-consensus rally. So I'm excited.
Starting point is 00:24:19 I think you should be constructive. On the Iran piece, I think Iran is largely priced in now. The people that wanted to sell sold out, the U.S. economy can handle oil at 85, 90, 95. It can't handle 120, but it seems largely contained. There's been no further escalation. The US is blockading the Strait of Hormuz and tankers are lined up outside of Houston, then as well as increasing production. Not bad. So far, so good.
Starting point is 00:24:52 There was a fantastic Wall Street Journal article that came out this weekend. I don't know if you guys had a chance to look at it. It gave a lot of insight into Trump's decision-making. There's a behind-the-scenes view into what is happening. We can talk about that also. If you want to go there, I'll just kind of pause and give you the market view. Yeah, I know Parker has to depart momentarily. So Parker, I wanted to ask, do you want to throw anything in here on the global macro? Like how does this make you feel as somebody who's structurally long Bitcoin, shall we say? Sure. And, you know,
Starting point is 00:25:28 just I've been structurally long personally for quite a while. And basically in all the projects that I've worked on. I think it's really interesting seeing Bitcoin kind of decouple from equity markets during this crisis, started to move higher. That was a real interesting moment. But then I think as investors look at this catch-up trade, look how to, you know, get back on sides here. You've got to look across the risk spectrum, look at equities, and then you look at Bitcoin,
Starting point is 00:25:58 still well off all-time highs. you've got to think that there's going to be some type of catch-up trade here. I know we're in the throes of a bear market and all this DeFi stuff is going on, but Bitcoin's not impacted by that. And Strategy's buying billions of dollars of Bitcoin a week now. You know, I kind of like the setup from, you know, just a relative value perspective. How long do you think MicroStrategy continue to market Stretch and not run out of the marginal buyer? Isn't that what the Bitcoin complex depends on?
Starting point is 00:26:36 Yeah, so what's really interesting about Stretch is rather than having to pitch to people, do you want to buy Bitcoin? Here's the story about Bitcoin. It's, you know, here's the returns, volatility, whatever. You just go pitch, do you want to buy a one-vol asset that yields 11.5%. It's a much easier pitch. And as you see all the redemptions in private credit, where investors were just slinging tens of billions,
Starting point is 00:27:06 hundreds of billions of dollars in without fully understanding what was in there, right? Clearly, you've all these redemptions hitting all these gates. I think you're going to see a rotation. And private credit investors, they're used to double digit yields. They're not just going to say, well, I guess my mandate needs to change, and I'm going to go buy treasuries. No, they're going to go look for something else that is also yielding double digits,
Starting point is 00:27:27 but needs to solve the problems of the last, you know, area they were in. And the two problems of private credit are illiquidity and lack of transparency. Stretch is liquid and transparent. And so I think you're going to see people typically look at preferred stocks and be like, well, it's this tiny bit of the market and like the TAM's not really going to grow. But I think it's going to grow massively because you're going to see this huge wave of capital moving out of private credit into this. Investors can easily model it. You can short Bitcoin, you could short MicroStrategy common. There's lots of ways you could hedge it on the TradFi side if you wanted. And so I think
Starting point is 00:28:07 Stretch can grow quite a bit. Now, it'll start to be a little bit constrained by the MicroStrategy balance sheet and the leverage ratio that they take on. But as long as they can continue to run the common ATM as well, they should be able to balance that out. And then of course, you know, every move in Bitcoin to the upside also de-levers the balance sheet. So I think they've got quite a bit of runway here. It's only an eight and a half billion dollar instrument, which is a drop in the bucket from, you know, global financial products perspective. I think you hit the nail on the head with the ultimate thing this all hangs on is MicroStrategy's common and Bitcoin price, right? Like Bitcoin having another very significant leg down is a very different story here than
Starting point is 00:28:48 going back up towards the all-time highs. And so all roads, you know, Ram, you've said this before, but all roads ultimately just lead back to sentiment to markets overall. So I guess we'll pause there on this one. Parker, thank you very much for joining us. We appreciate the time today. Thanks. I'm on. See ya.
Starting point is 00:29:08 Absolutely. And for everybody else, we're going to take a quick commercial break before we're back with our next guest. If you've been loving Bits and Bips, don't forget that the show is transitioning to its own feeds on X, YouTube, and your favorite podcast player. If you're not already subscribed to Bits and Bips on its own channels, go there now and hit that subscribe button so you can keep up with our twice weekly live streams and macro meets crypto breakdowns.
Starting point is 00:29:31 Bits and Bips will only be on the Unchained Feed for a few more weeks. So subscribe today to be ready for launch. You can get all the links at Unchained Crypto.com slash bits and Bips. All right, everybody, welcome back. We are now joined by Michael Bentley, Lord Protector of Euler. And we're going to be talking about the Kelp DAO hack. So as an ongoing trend in DeFi, we've continued to have some security issues. Kelp DAO appears to have been about a $290 million hack where attackers, allegedly North Korea's Lazarus Group, drained 116,500 rsETH, valued at about $290 million from Kelp DAO via its Layer Zero bridge.
Starting point is 00:30:51 The attack mechanics are basically the attackers compromised two RPC nodes, feeding Layer Zero's single DVN, swapped the op-geth binary for a malicious one, and then the clean nodes were DDoSed to force a failover to what are essentially now poisoned nodes, which approved a fraudulent cross-chain mint. The malicious nodes straight up lied selectively, so the monitoring cues failed. This is Blockaid's analysis of what occurred. Perhaps unsurprisingly, Layer Zero and Kelp DAO are now fighting with each other. Layer Zero said Kelp DAO chose a one-of-one DVN configuration. A hardened setup requires consensus across multiple independent DVNs. Kelp DAO countered Layer Zero's own Quick Start and GitHub defaults point to the one-of-one structure and 40% of Layer Zero protocols use it.
Starting point is 00:31:49 Third party analysts are, to be honest, blaming largely more Layer Zero here. So Zach Rynes of Chainlink, 0xngmi, The Defiant and Dune analysis, and Euler have all said single verifier setups have always been centralized oracles. So I'm going to start right here before we get into some of the downstream economic implications of this, of what do people make of this specific attack, the sophistication, how the setup was done? Michael, I see you nodding. Do you want to start? Yeah, sure.
Starting point is 00:32:31 I mean, this is clearly a sophisticated attack. There's no doubt about that. I mean, yeah, changing the binaries, managing to carry out a DDoS at just the right time and being able to, yeah, then trick the RPC nodes into essentially providing a false view of the world. It's all quite sophisticated. and clearly, I think, yeah, it looks like a nation state level.
Starting point is 00:32:52 So I think the Las Recients, probably correct. Yeah, I think there's all sorts of, like, issues here with sort of, like, risk. And I wouldn't lay it all on Layer Zero, although I do agree that the default setup that's kind of out of the box for people to use is probably not great. And I think it's something like 40% of people do tend to use that setup. And so they're saying it's mainly the fault of Kelp DAO for not sort of modifying that and going further. But I think there's some truth in that. Obviously, there's 60% of people, including Euler and all these other projects, that decided to use more DVNs. But yeah, certainly there's some blame across all parties here, I would say.
Starting point is 00:33:40 Chris, you've been in this space for a while. You've both had to invest in projects, evaluate projects, invest in, like, trading setups, like, evaluate those. What do you make of this hack? What does this say to you about where DeFi is? Yeah, I think that we have a lot of challenges right now in the space. And again, what have we lost, like 600 million in this month alone? I'm not the type of guy who's going to point fingers at Layer Zero or Kelp DAO. Let's point fingers at the people that really deserve it, and that's the criminals that perpetrated this attack, right? And what have we done?
Starting point is 00:34:17 We continue to allow people to operate and attack our protocols without an all-government response. I think it's unacceptable. I've been talking about this forever. But like, why are we blaming the victims again? Yes, could they have been stronger? Absolutely. Yes, it's a very harsh environment. But when I'm walking down the street with my wallet and someone steals it from me, you know, those are the persons that need to be held accountable.
Starting point is 00:34:40 So like, I think it's, I think everyone's going to point fingers, this and that. But why are we letting these threat actors destroy and impede our protocols? I think it's unacceptable. I think we need a whole government response. I think we need to take action and clarity. It's completely, completely unacceptable. We cannot tolerate this.
Starting point is 00:34:58 We want innovation in this country. Then we need accountability when people try to attack it. We need to put them on defense. Anyway, that's a start. Sorry, go ahead. Well, look, Mythos is both an opportunity and a threat, right? There are, someone's cat is very excited right now. But look, as AI comes into effect, it's going to provide brand new threat factors,
Starting point is 00:35:23 ones we've never heard of. But we have to be in front of that as well. So look, I think it's going to take a while for confidence to be restored. What investors care about, investors will take market risk all day long. What they won't take is operational risk and cyber risk. And so we've got to be very, very careful. So, Chris, I'll ask you this as we look at clarity, and I know it's a topic that you've had things to think about before. And Ram, Michael, feel free to pile on here. One part of this is clearly, like, privateering in your case. That is to say, when these assets are stolen, deputizing people to go after them,
Starting point is 00:36:02 get them back and return them in a way that is now legal. But secondarily to that, what other fixes do we need in the ecosystem right now? And, you know, one of the things I observe is, security in spaces like this has been a traditional tragedy of the commons type problem. That is to say, it needs to be done for everybody, but individually many people don't have the incentive to spend on it if their competitors are not also spending on it. How do we get to a point where greatly hardening these systems and responding quickly is also the norm? Let me just add one other thing. The one thing that was pretty good here was that Kelp DAO was able to take action within 46 minutes. That's an eternity, actually. But what we talk about all the time here is latency matters. At least they were able to prevent incremental, other incremental $100 million of being stolen.
Starting point is 00:36:55 So I think that is a very thing. Everything when you're dealing with security comes down to latency. So to Ram's point, we need to be much more aggressive with agentic activity, agentic defense. And frankly, we need to be much more on offense. I've been talking about this from day one. We need to have our private sector supporting the security of our infrastructure.
Starting point is 00:37:16 Yeah, let me layer on here. Last week we talked about Mythos AI. I did some more homework on it. It is really quite remarkable. So Mythos from Anthropic was able to identify security vulnerabilities in BSD Linux, which has been battle tested out there for decades. And so a lot of these Fortune 50 companies are using Mythos to identify security vulnerabilities and protect against that.
Starting point is 00:37:42 The point is that these nation state capabilities will be in the hands of corporates and then individuals within one to two years because of the democratization of AI. So it's a significant thing. It's a disappointing setback. DeFi is what, like six, seven years old now? You're still getting these hacks? It's hard to have confidence in the system when that happens.
Starting point is 00:38:08 I think people are going to stick in the capital markets world and the ETF world because they value security first. I do think, you know, yes, like hold governments accountable, but what are we going to do in North Korea? They already have sanctions. They're already a pariah of the international system. It's hard to find what the marginal response is. Yeah, I think.
Starting point is 00:38:30 But this is not North Korea, right? This is not North Korea. It's Lazarus Group. Right? Why do I say that? It's a criminal organization. We wouldn't attack it's nation state. Are they directly connected to the DPRK though?
Starting point is 00:38:41 I know. Aren't they essentially an arm of the DPRK? Of course they are. But what I'm saying is the DPRK has to have plausible deniability because they're a nation state. We need to shut down Lazarus Group, bottom line. Part of it, I'll be real quick. One is fight AI with AI is one, like, of course, but we need this technology. We need it yesterday.
Starting point is 00:39:01 And it's not surety. The second is, how do you create surety can use other technologies and insurance and reserve pools? You know, an insurance market, we have reinsurance, for example. There's a Berkshire Hathaway, they would collect a fee from providing that insurance. How do they underwrite it? They perform their own security assessment. They're just like a ratings agency. They'd rate it.
Starting point is 00:39:21 They'd assess the protocol. They stand behind it, collect a fee for that. That's a free market response to this and that can instill confidence and trust. Michael, would you talk about this? So in derivatives, we have guarantee funds, right, where we have socialized losses in case of extreme tail risks. Maybe that's the solution. Maybe we should start having these pool type solutions, to your point.
Starting point is 00:39:43 It's a take on insurance, but it's a market-driven, socialized risk approach. So a few points just came back. I mean, I think the, you know, finding Lazarus is very, very difficult. You've got some fantastic people out there. I've worked with law enforcement before.
Starting point is 00:39:58 I mean, there are people out there really trying. It's just a really tough challenge. And the other thing is in DeFi, there's nowhere to hide, right? In the years gone by, it always used to be a smart contract exploit. You know, my early years in DeFi back in 2020 and sort of up to 2023, it was all smart contracts because throughout their public. And that's something to be celebrated because it means
Starting point is 00:40:18 that everybody can verify the code and exactly what it's doing. But it also leaves you with very little wiggle room. There's no margin for error. People are spending a tremendous amount of money. You know, Euler, we spent millions and millions of dollars on security. But there is really just no room for error whatsoever. You do tend to get, one of the arguments I used to make about DeFi was that you would get kind of anti-fragility emerging from protocols that had vulnerabilities would be exploited and would kind of fall away.
Starting point is 00:40:49 And the ones that remained would get this, you know, so-called Lindy effect. And they'd be the ones that you knew weren't exploitable because their code's right there, and they've held billions of dollars and you know they can't be exploited. I think this kind of attack was quite different. And the kinds of attacks that we're seeing now are quite different.
Starting point is 00:41:06 A lot of them are kind of key leaks, so people losing access to their private keys or sort of leaking infrastructure. And then this one was more sort of infrastructure level as well. It was a very, very, I would say an entirely different class. It's nothing too novel, but the way it's being carried out now, it's not all at the smart contract level. I think we're actually seeing quite a hardening of protocols. On AI, AI is a great tool, but it's an arms race, right?
Starting point is 00:41:34 It can be used by the good guys and the bad guys. I do think teams need to be using it much more on auditing end-to-end, absolutely everything using AI and getting their hands on the best possible tools. I think you see a lot of security firms are working to bring these tools out now and increasingly teams are using this, but it's also in the hands of the bad guys. And they're very, very effective operators and it's speeding up their ability to attack things as well. And then, yeah, the last point on the pooled model and the insurance and all the rest of it. One thing I said to somebody today on social media was a lot of the mechanisms we have in DeFi today are kind of legacy from a period where you weren't really allowed to introduce centralizing elements into the systems.
Starting point is 00:42:22 So people have been asking, you know, why are there not more monitoring systems and pause functionality and more control effectively? And part of that comes from this, you know, regulatory stance from the past where you had to be fully decentralized and zero control because any amount of control you did have would lead to persecution by the regulators. So as that stance has softened and changed, I do think we'll start to see quite a big difference in how protocols are built up now and the level of, you know, the kind of systems they have in place to firstly prevent attacks. And then once that, if an attack has happened, as you said, then, how do you actually go about the process of socializing that? How do you, who organizes that? Who's in charge? I think now it's hopefully going to be easier for teams to actually step up and say, no, here's the system. Here's how it will.
Starting point is 00:43:14 Here's how it will work. We're in charge. We'll do this. I mean, I think you could have decent. I'm going to jump in. I think you could have decentralized socialization of risk. I honestly do. And the way that it would work would be you create a pool.
Starting point is 00:43:28 And I think most of the perps DEXs should do this too, because I hate this concept of ADL at the beginning. It should be at the end. But essentially, you create a pool. And the pool members benefit from the yield of the protocol. They benefit from the revenue of the protocol, however that protocol may work. A pool is created. You can flex the pool. You can make it bigger with higher yield.
Starting point is 00:43:47 You can smaller with little yield. And if there are certain A equals B, if there is a hack, that's the pool that becomes at risk. And provided that that's fully transparent, I think theoretical, theoretically, it's very, very possible. But we just haven't seen that yet. We've seen nuances about it, but like not really anything codified or anything hardened. I mean, one of the things that's interesting here to me is people start speaking about insurance for these protocols is insurance comes along with underwriting and it comes along with restrictions. Right. And I'll tell you right in the current day, if you look at what most insurance or reinsurance companies would charge you for defy, you're not going to like the quotes.
Starting point is 00:44:27 And I think that is it. Yeah. I think that is a deal. I mean, there are people who will give them to you, but I've seen the prices and they're an accurate reflection of risk, right? Like, how do you feel about a 30% per annum premium, right? Like, oh, well, why are you even buying something at that point? But the reality is, Chris is an extension of what you were saying, whether it's decentralized or centralized. The nice part about insurance pricing is it's going to be pretty functional and experience rated.
Starting point is 00:44:55 There are structural upgrades we need to start making to crypto because we have to start, you know, and I think this feeds into the point that, Michael, you were making earlier about working in legacy frameworks. The belief that transactions are, call it optimistically correct, has to be discarded in this environment. We are clearly getting enough hacks that all large transactions should probably be viewed with some degree of skepticism. And I don't know if that means delays withdrawing the protocols, choke points on bridges, needing significantly larger shares of votes to move assets. Like there are many ways to do that. And not all of them are implicated by having one centralized party that controls things.
Starting point is 00:45:42 But I would say without a multiply redundant risk framework, I have a lot of doubts that we can solve that problem. And the reason I say that is as you look at the sophistication of some of these attacks. Again, we're talking about, like, poisoning a bunch of, like, RPC nodes. At the same time, we're doing a DDoS attack. At the same time, we've compromised, like, this is not trivial stuff to defend against. If we're saying it's nation-state actors with their tremendous resources against individual protocols, the protocols will lose with certainty. However, you can still flip that security framework on its head if we make it a chain of things that have to fail with a redundant response across the ecosystem.
Starting point is 00:46:28 Because for the Lazarus Group, breaking a single protocol is relatively easy, but breaking eight protocols simultaneously, all of which work differently, becomes so complex that if they're capable of doing that, essentially the chain is unusable at that point. And so I would say DeFi, if you're thinking about how to get insurance and how to build things,
Starting point is 00:46:52 has to stop operating from the framework of we assume transactions are legitimate. That has been my major takeaway of the past few hacks in a row of just, like, starting all the way back with Bybit and then another partial interdiction, which was the Cetus hack. We just had Kelp DAO here. We've had, like, attack after attack after attack. And to me, it raises the question. And I'm curious, you know, for the rest of the group, do we have to change our default, like, thought model of transactions are legitimate? It's a good question. But you risk giving up concepts like immutability and the concept of non-reports and finality.
Starting point is 00:47:32 Okay. So I will grant you that on finality. Yes, because if we slow down transactions processing, agreed. But immutability is just that we can't change the history of a chain. If there's like a 280 million exploit and it goes into a queue and everybody looks at it during the delay period and says, oh, that's not correct. And so a transaction spits out that then reverses it. You still have an immutable chain where the history is transparent and known and unalterable. It's just a question of under what terms do we let them sort of transact down the chain, right?
Starting point is 00:48:08 Yeah, it's interesting. I mean, you're asking all the correct questions. It's not in my head there. And you start to see how things naturally get centralized over time. It's like over time, people flow risk to trusted parties. They're trusted because they're regulated and capitalized and have, all sorts of oversight and auditing. We have to find a way to keep this going with code and technology,
Starting point is 00:48:31 not bring it back into the system. One would think that there's a way to transfer the risk of each transaction. Maybe it's not at the pool level, maybe it's at a transaction level. There's more work to be done. It's a major setback. This puts DeFi back a couple of years. Yeah, I think.
Starting point is 00:48:52 Go ahead, Bess. Oh, you do it. I was going to say, yeah, you can try to build these mechanisms. You know, I've thought deeply about this kind of stuff as a sort of mechanism builder myself. We used to try to think about how we could introduce these kind of mechanisms into our protocol. And it becomes quite difficult because there's all sorts of nuances here and sort of edge cases. When you think you fix one thing, it's like pushing a bubble under the carpet. You just sort of move it somewhere else, but the bubble's still there.
Starting point is 00:49:20 You know, if you want to do, you know, rate limiting, for instance, on protocols, you need to know what are you actually limiting? You know, what's the actual unit of limit there? Is it the underlying asset? Well, that the amount of asset in circulation can change. So that needs to sort of adapt over time. Its value could certainly change, you know, a lot. So then you need to start to bring in oracles and third parties and that introduces new dependencies and things. So adding these mechanisms in principle sounds like a great idea.
Starting point is 00:49:47 And people often ask builders like me, why aren't there more of these? And it does come down to it just being very, very difficult to do it without adding new trust assumptions into the mix. And that carries a cost ultimately. So I strongly agree that it carries a cost. But let's look at the counterfactual, which is that in 48 hours, DeFi TVL has gone from, what, 99.5 to 86.3 billion.
Starting point is 00:50:14 I think the market may be speaking that the cost is what is currently there is just rapidly becoming unused. Too high. Yeah. I agree. Yeah, I totally agree. So Michael, I would ask you, like, as a builder yourself, and I know some others that have been posing this question to people, I kind of see two paths here. Path number one is increasing, like, call it slowness, checkpoints, multiple redundancy in the system one way or another, because as Chris has said, the latency problem is real. And if we're going to be optimistic about transactions with zero latency, I don't see a pathway to interdicting these things. Caveat.
Starting point is 00:50:53 If we continue to build relatively complicated things, because as a counterpoint, let's look at a model that's largely been successful and stood the test of time, which is Uniswap, right? If all of our LP pools are segregated and unalterable into upgrade, we've got to, like, withdraw from V2 and go to V3, withdraw from V3 and go to V4, and all of these can sort of blow up in their own self-contained box. Yes, Uniswap is a very simple thing.
Starting point is 00:51:22 They are not building complex, like, layers upon layers upon layers. But is the future, I guess I would ask you as a builder, more likely to be: actually we need to simplify a lot of these things and remove the attack surface area, like go back to basics in DeFi? Or is it: if we want to retain this complexity, we need to think much harder about security, which may, as you noted, lead to certain forms of centralization? Yeah, this came up a lot through my time building a lending protocol. Ultimately an AMM or an exchange is very self-contained. It really doesn't care about the outside world. It just looks at what's inside, and it has to try to balance a single invariant in the pool. If you look at a credit market or lending market, there are all sorts of dependencies, and the credit markets really care about the outside environment that they
Starting point is 00:52:23 sit in. So they care about the volatility of the assets. They need to know the prices of those. The prices aren't intrinsic to the assets, so then you have to have some kind of third party report on those prices. Liquidity is a massive, massive issue. You know, a DEX doesn't care what the liquidity environment is outside of the DEX, right? It can operate with 10,000 or 10 billion dollars. It doesn't matter. But lending protocols, as we've seen, you know, with the liquidity crisis we're in now, are very, very heavily dependent on what else is going on. I think that's what makes it so difficult to build a, you know, fully, truly immutable Uniswap-like lending protocol. We've tried to get as close to that as possible,
Starting point is 00:53:05 you know, Morpho also building with a similar sort of mindset, trying to keep as much of that as you can while still offering a viable capital efficient lending market. It's just, I think, at this point, I'm resigned to say that it's just not possible for credit really. We've seen many teams come up with all sorts of interesting ideas on how to do this, and I just don't think it's possible. So then we have to accept this is the state of the world now, this is how it has to be. What's the minimum amount of centralizing force that we can add back to these systems to make them not collapse so spectacularly when they do,
Starting point is 00:53:44 while maintaining the corporate's possible to find disintermediation, composability and all the rest of it. I mean, if you, so we saw, go ahead, we saw Drift partner up with Tether. And I don't know,
Starting point is 00:53:57 is it a centralization force that's going to restore security? Or is it just the resourcing that you need to have just to go through, like, an inordinate amount of audits, bring in the AI. Like, clearly for this industry to move forward, we need to provide confidence in whatever protocol you design. So I guess is centralization the only option or can, you know, like you're seeing this partnership between Tether and Drift, don't know all the details yet, but is it more of a resourcing issue? It's really hard for a startup to compete.
Starting point is 00:54:26 I really don't think it is. I think, you know, we talked earlier about Mythos, like, finding bugs and flaws in 26-year-old operating systems. You know, the amount of man hours spent on that is just more than anybody could afford to ever spend building a DeFi protocol, and yet there were still bugs that could be, you know, teased out there. So I don't think it's purely a resource issue. Everybody's really, really cognizant of the importance of security and they really, really are trying. It's a very, very hard problem. I think it's unsolvable at the code level, so we need other failsafes, we need other mechanisms that are introduced, I
Starting point is 00:55:12 think at this point to help safeguard things a little bit more than just rely purely on code alone. So working backwards, right, like one of, this is me putting on my business school professor hat, but looking at some of the lessons from history, I feel like there are two paths that we can go down here. One is exactly what you said, which is looking at TradFi lending markets and starting to build in a lot of the failsafes in modern markets. It's like, great example. You know, if you have, call it $200 million of supply and somebody deposits $500 million, not making all of that available for borrow immediately, right? Like allowing that only to increase by call it 10% per day or something like that gives
Starting point is 00:55:58 you a very long runway to interdict these things. And yes, it obviously makes that protocol somewhat less efficient from like I can't take a $300 million flash loan or, you know, immediately. deposit something in size, but it might also be fair to say maybe that's a problem, not a feature. And why are you so intent on doing this like literally right now at 3 a.m. on a Sunday becomes a valid question, along with many of the other redundancies you build in. The other one, though, to go the other way on like a lending protocol is, I know this makes it less liquid, but there's no reason you can't structure it like an AMM of all of these are
Starting point is 00:56:39 essentially bilateral offers for lend and borrow. And then you don't have this contagion risk, right? Like, I will lend a hundred thousand dollars of USDT at this price and I will accept the following things as collateral. And that's that. You can have, like, these pre-packaged boxes where each person can do their own, like, lending and terms. The problem you run into there, which I think, you know, you've spoken to this in your earlier answer, is that's less efficient than it might otherwise be. Like, if I recall, I think there was an early version of, like, SushiSwap's lend protocol that was similar to that way back in the day. Exactly. It's now just being tried. Yeah, it just didn't attract enough users. It's so clunky,
Starting point is 00:57:23 sort of almost peer-to-peer-like. And when you're competing against a pool model, which is, you know, I can just deposit and withdraw whenever I like and there's so much liquidity. You know, people think it's about the technology. It's really not. What Aave and other, like, really large lending protocols are selling is liquidity. It's that ability to go in and take out those huge loans and repay them whenever you like. That's the main product. When you've got liquidity, that's king above all else. And so when you have these isolated, you know, almost P2P-like lending systems, much, much more secure, as you say, you don't need all these external dependencies and all the rest of it. You just need to trust that the code, a very simple
Starting point is 00:58:01 piece of code, works for that particular loan. But then it's just, how do people find each other? That's the problem that I think Compound originally solved and that Aave, you know, heavily modeled along the Compound system, you know, followed on with. And it worked so tremendously well that it's scaled up to billions and billions of dollars. But with it has come this, you know, other challenge, which is when things go wrong, they sort of tend to cause contagion in a way that those isolated models don't. So, yeah, we've experimented a lot in DeFi at this point. And I'm sort of resigned to the fact that maybe it's just not possible to get the best of all worlds and that we're going to have to
Starting point is 00:58:41 sacrifice something somewhere along the line. Well, I will say as a closing remark here as we are hitting time that I have resigned myself to the belief that I think you're probably correct about that, but we are not going to be able to have our cake and eat it too. And we're going to have to figure out, which, by the way, there are multiple paths to tradeoffs, but we're going to have to tolerate some of them because one thing I think all of us agree on is the current paradigm is not sustainable. I'll give you one other concluding thought. When the Pentagon finally releases information on non-human intelligence and UAPs,
Starting point is 00:59:18 we can encounter these. We're going to ask them, who is your leader? What are your intentions? And the third question will be, how do you manage money? Who do you trust? How do you exchange over vast distances? How do you represent value? Just give us the answer.
Starting point is 00:59:34 And is there quantum money? That's question number four. All right. On that note, thank you everyone for joining us for this episode of Bits and Bips. Next up, Laura moderates a debate slash alleged fistfight on Canton between Yuval, Haseeb of Dragonfly, and Alex Gluchowski of Matter Labs. It was pre-recorded, and I have been whispered to that it got quite heated, so be sure to stick around for that point. Thank you.
