Unchained - The Chopping Block: How This DeFi Hack Negotiator Gets Hackers to Return Stolen Money Ep. 577
Episode Date: December 1, 2023

Welcome to The Chopping Block, where crypto insiders Haseeb Qureshi, Tom Schmidt, Tarun Chitra, and Robert Leshner chop it up about the latest news. This week, the gang sits down with Ogle Crypto, a veteran negotiator in crypto hacks, to discuss the recent KyberSwap exploit, which involved an almost $50 million loss across various chains. Ogle shares how he initially became a negotiator, including his first case, in which he tracked down a group of hackers from Hong Kong when they fled to Great Britain after stealing $24 million in funds. Ogle also shares his negotiation tactics, the typical profile of hackers he encounters today, and his empathetic approach towards these often young and financially struggling individuals. Then the group raises concerns around the hype and marketing strategies of Blast, a new Layer 2 on Ethereum offering "native yields" that achieved $620 million of TVL in less than two weeks.

Listen to the episode on Apple Podcasts, Spotify, Overcast, Podcast Addict, Pocket Casts, Pandora, Castbox, Google Podcasts, TuneIn, Amazon Music, or on your favorite podcast platform.

Show highlights:
- How KyberSwap's sophisticated security was breached, resulting in an almost $50 million loss across various blockchain networks.
- Why Tarun suspects the behind-the-scenes workings of an organized group, rather than a lone attacker, in the KyberSwap incident.
- The evolution of crypto hacks towards more systematic and professional negotiations with hackers.
- Ogle's journey into the world of crypto hack negotiations, highlighted by a fascinating case of pinpointing hackers who had fled Hong Kong.
- Ogle's strategic approach to negotiating with hackers, balancing empathy and tactical communication.
- Profiling the typical hackers in these scenarios, focusing on their youth, origins, and backgrounds.
- Ogle's perspective on why he often finds a sense of understanding towards these young, misguided hackers.
- Assessing the crypto industry's response to white hat hackers: are they adequately rewarded for safeguarding the digital frontier?
- The curious surge of investments into Blast, Ethereum's new Layer 2 contender, amidst swirling concerns and skepticism.
- Robert's take on why the Blast phenomenon could signal a troubling trend, surpassing the chaos of 2017, paralleled by Tarun's analogy to a "decentralized Herbalife."
- Were Blast's marketing tactics misleading or merely overly optimistic?

Hosts:
- Haseeb Qureshi, managing partner at Dragonfly
- Robert Leshner, founder of Compound
- Tom Schmidt, general partner at Dragonfly
- Tarun Chitra, managing partner at Robot Ventures

Guest:
- Ogle Crypto, crypto sleuth and negotiator

Links:
Hacks
- Unchained: $48 Million Drained from KyberSwap in Hack
- KyberSwap's hacker latest message
- HackerNoon: Mark Cuban's Bane: How Iron Finance's $TITAN Crypto Crashed From $60 to $0
- Cointelegraph: KyberSwap hacker offers $4.6M bounty for return of $46M loot
Blast
- Unchained: Blast Surges to $300M TVL, Rapidly Gaining on Top Ethereum L2s Amid Concerns
- DefiLlama: Blast TVL
Transcript
Not a dividend.
It's a tale of two Kwan.
Now, your losses are on someone else's balance.
Generally speaking, air drops are kind of pointless anyways.
Unnamed to trading firms who are very involved.
D5.8 is the ultimate punks.
DeFi protocols are the antidote to this problem.
Hello, everybody. Welcome to the chopping block.
Every couple weeks, the four of us get together and give the industry insider's perspective on the crypto topics of the day.
So quick intros, first you got Tom, the DeFi Maven and Master of Memes.
Hello.
Next we've got Robert, the Cryptoenastor.
and Tsar of Superstate.
GM, everybody.
We've got Tarun, the Gigabrain, and Grand Poobah at Gauntlet.
Aloha.
And today we've got a special guest, Ogle Crypto, crypto sleuth and negotiator.
Hello, hello.
And finally, I'm Haseeb, the head hype man at Dragonfly.
So we are early-stage investors in crypto, but I want to caveat that nothing we say here
is investment advice, legal advice, or even life advice.
Please see choppingblock.xyz for more disclosures.
Before we even start, can I make one point?
Tom is on his like Steve Jobs era like in this episode.
He's like he's got the black turtleneck.
I feel like I feel like I'm ready to Steve Jobs doesn't have a monopoly on the black turtleneck.
Elizabeth Holmes.
It's Steve Jobs.
Yeah, it's pretty tainted.
Technically it's navy, but you know, the camera is not picking it up.
The white balance is off.
It doesn't look very navy.
It's like it looks.
Don't you guys, don't you guys think this is a different aesthetic for Tom?
I just am not a little bit.
It's a little bit different.
It's Tom's winter wardrobe.
Yeah.
It's cold in New York.
You know, I have to dress for the weather.
We got to warm that neck up.
Yeah, I got it.
We don't know each other, but I would say you've got the Iris Apfel look going on yourself.
I do.
I love Iris.
One of the best dressed women in history.
It is true.
Okay.
Well, so the reason why we brought Ogle on is that it's been a very crazy week for exploits
and specifically around an exploit in KyberSwap.
So KyberSwap, for those of you who don't know, it's a very OG DeFi protocol way, way back in
the day founded by Loi Luu and a couple other folks. And KyberSwap on November 22nd, so about a
week ago from today when we're recording this, so KyberSwap was attacked by what's been described
as an infinite money glitch. So essentially, there's a very, very subtle bug in the way that it was
essentially doing math to figure out the edge cases around how different parts of the liquidity
curve was being calculated. And based on a very, very tiny error in calculating some of these
liquidity boundaries, an attacker was able to drain almost all the money that was held inside
of KyberSwap. So about $50 million was stolen across Arbitrum, Optimism, and Ethereum.
The hacker themselves was a very colorful hacker. They left a lot of charming comments in the
process of the hack in the event logs, leaving comments such as step two, finding liquidity
required, is it enough and a much more salacious description of what they were doing to the
contract?
KyberSwap then advised everybody to withdraw their funds and they offered a 10% bounty for
the attacker to return their funds.
And it seems like this may have been connected to the Indexed Finance hack that occurred
two years ago, which was perpetrated by this guy Andean Medjedovic.
However, it could, apparently $2 million was sent to an address that was controlled by that
guy, but it may have been misdirection. Nobody really knows. It's hard to prove any of these things.
So two days later, after the hack, Kyberswap announces to the attacker, please return 90%
of the funds that you took from users by 6am UTC on November 25th. Otherwise, we are going to pursue you.
And the hacker responded, again, through on-chain mechanisms in the sort of memo field
of a transaction, negotiations will start in a few hours when I'm fully rested.
Essentially telling people, like, chill out. I'm not ready yet to have this conversation.
KyberSwap, then a couple days later,
they recovered about $4.7 million through front-running bots
that apparently some folks who were front-running
some of the attackers,
through generalized front-running,
they were able to front-run some of the attackers' attacks
and recover some of the money,
which were sent back to KyberSwap.
Then yesterday, the hacker sent another message to KyberSwap
saying the following.
I said I was willing to negotiate.
In return, I've received mostly threats,
deadlines, and general unfriendliness
from the executive team.
that's okay, I don't mind.
I have prepared a statement concerning our potential treaty.
I plan to release it on November 30th at noon UTC Sharp.
Under the assumption I'm treated with further hostility,
we can reschedule for a later date when we all feel more civil.
You need to only say the word.
If not, we proceed as planned on November 30th.
Thank you.
So this has been kind of a weirdly dramatic hack.
So the hacks in DeFi happen all the time,
but the nature of the attacker and their communication style
struck me as very strange.
And so I'm curious to get your guys' reactions
to this? This feels like a group of people instead of one because I feel like the change in tone
didn't feel like quite consistent. Usually I feel like the attackers are more consistent than this.
So the reason why I brought on Ogle to discuss this is that Ogle actually is involved in the
negotiations with the Kyber hacker. And Ogle has some experience working through a bunch
of these different hacker negotiations, which is honestly very new to me. I've not really seen
how these things play out. I always assumed they were somewhat ad hoc.
but it seems like actually there are a lot of repeat players.
I don't know if the hackers are repeat player,
you know, presumably perhaps,
but the negotiators and the people who are, you know,
kind of solving this on the protocol side
seem to be repeat players.
I don't know what you guys think of this phenomenon,
but it does seem to me, I wrote a tweet there about this earlier.
It seems to me like this whole dynamic
between protocols that are getting hacked
and the negotiations with the hackers
is becoming more and more professionalized
and more standardized.
Like in the past, it was quite chaotic.
It was very hard to find these people.
Nobody really knew how to reach them.
And people just assumed that the attackers run away with everything.
And now it's become standard to have this kind of negotiation.
You give back 10%.
Things seem to be a little bit more calm.
I don't know what you guys think of this and how this is affecting the dynamic in attacks on DeFi like this.
Well, as an outsider to this, I mean, the first hacks that I remember were really the bZx ones that kicked off sort of like the DeFi protocol trend of getting hacked.
And that was much more chaotic.
I mean, recoveries were zero.
I don't even think that there was the expectation that there would be recoveries.
I think it was like there's this common expectation like following the first hack of all time, really, The DAO, where it was like, okay, that's the end.
Once something is hacked, it's basically game over for that smart contract and for the expectation of the users that had assets inside of it.
And that's really changed.
I mean, at this point now, you know, there's starting to be playbooks that are being written and a lot of, you know,
standards that are starting to emerge. And I agree with you, Haseeb. It definitely feels like
we've come a long way over the past. I don't know what is this like three years, really,
of smart contract hacks. Yeah, I tend to agree. I think also just, you know, the story two,
three years ago even was it was much easier to anonymize assets and, you know, get them and
sort of desegregate them from the attacker address and then, you know, they're sort of gone. And that's
obviously harder to do now. But also, I think the flip side we've kind of seen is, you know,
in these negotiations, you know, it's always sort of this leverage point of, hey, you give us
most of the money back. You know, we won't bring in law enforcement and we'll sort of call it a
gentleman's agreement and go handshake. And I think there was just a charge like two months ago.
It was like the Southern District charged some engineer in New York with hacking some protocol,
even though he returned most of the funds and they sort of reached some, you know, negotiation.
And so it's like, it's actually, yeah, it was not Mango actually.
I think Mango didn't return the funds, right?
But it was something.
He did actually return some of the funds.
Okay, maybe it was Mango, but in any scenario, you know, it doesn't matter, right?
Because it's actually a criminal matter.
And so if the state is mad at you, they will go and arrest you.
And so it doesn't matter if you have this civil agreement or this handshake agreement with the protocol.
You can still be, you know, arrested and charged.
Yeah, on that one, Tom.
I mean, that one in particular was interesting because, you know, he did give back some of the money.
He kept loads of it, though.
But I think what screwed him and why he ended up getting charged is because he was
so bombastic. And he was, he taunted the regulators. He taunted the police over and over and over
again. And, you know, a lot of people who, who talked to him in some of the telegram groups and so
forth, including myself, were like, what is wrong with you? Like, you've, you've essentially
gotten away with the situation. You've gotten lots of money. Why would you then go and publicly
just be like, like, the Southern District could suck it, you know, and think, like, why would you
do that? Like, there's just nothing to gain from that. You know, I mean, I can't, I can't speak on
details, but I'm very confident that that was a big, big part of why he was still pursued.
It is the case in these situations where there's not a victim left anymore. If most of the
money's come back or all the money's come back, there's no victim. In my experience, working with
these agencies, they don't really care anymore at that point. They say, you know what?
Like, we're not going to have a participating victim that's going to help us along the path. We do
need their participation. We need them to give us logs. We need to give them. So if they're not
going to help us, we're not going to help them. Let's just do something else.
here. But yeah, with him, it was a little bit different. Interesting. I think I maybe just remembered it was actually
Shakeeb Ahmed, who hacked an exchange and then returned most of the funds and they still got
him anyway. And so I hear you. I think, hey, you know, the state is limited resources. They might not
pursue, you know, in this case, if no one's really cooperating or sort of helping them out. But, you know,
in this scenario, you know, in theory, the exchange agreed to this settlement and they went and got him
anyway. This is a centralized exchange that he hacked?
Yeah.
For some reason that does feel different to me, I don't know that like there's a good reason for that.
Maybe because there is, I don't know, like at terms of service and other elements that are more binding than just code as law.
Hey, you know, gentlemen's agreement.
But actually, no, sorry, it was a decentralized exchange.
I'm like, we were treating this.
Yeah, yeah, yeah, yeah.
But no, I hear you too.
Hacking a company is maybe different.
Yeah, and there's more legal precedent.
The legal precedent that is everywhere in the rest of the.
economy is theft is theft unless 100% is returned. You know, typically people are being pursued,
you know, by the long arm of the law. You know, what's amazing to me is that, you know,
there's this expectation still in crypto that it's like, you know, oh, just keep some of it,
you know, as long as you don't take it all. And I imagine over time that's going to converge with
other expectations outside of crypto. So you think this 10% thing is going to go away?
I mean, can you imagine if it's like, oh, just hack JPMorgan,
to keep 10% of whatever you hack as a white hat bounty and give back the rest.
Like it's, it's funny.
I mean, it's a sense to think that like that, like that is the standard.
And I don't think it'll hold.
I think it's a temporary standard.
I think it's like a, you know, I mean, I think the reason why, so it used to be.
So like three years ago, right, you hack a protocol and you steal $30 million.
You don't keep $3 million.
You keep $30, right?
Because back in the day, you know, there was much weaker AML.
rules of many fewer exchanges are actually enforcing these things. You could move it into
stables pretty easily. You could bridge it. There are a lot of ways to kind of make your getaway.
In a post-Tornado era, in an era where now, you know, Binance and, you know, all these big
exchanges are actually being pretty thoughtful about AML. It's much, much, much harder to actually
fence the stolen money. And there are many of more people who have eyes on it and who are more
capable of actually following the and tracing those funds. So it seems to me like the reason why we've
arrived at 10% and why not 5%? Why not 1%? Why not a fixed fee? And I think the answer is that
it has to do always with the balance of power, which is that the attacker, you know, if they want
to sell dirty money, if they want to fence dirty money, they can't get 50 cents on the dollar
on it. They can't get 30 cents on it. They can probably get something. I think there is some,
you know, market rate that they're basically getting of like, look, if you're, if you try to
sell a stolen Amazon gift card, you're going to get very good conversion ratio on that.
If you try to sell stolen TV, you're going to get a much worse ratio on that.
I mean, I can tell you for sure because I'm the one who did the 10% in the first case.
It was the message that I wrote about a year ago in a different case.
And that was the very first time.
And it was an attempt to see if we might be able to negotiate since finding someone didn't always result in them actually returning any cash.
And so I was thinking, you know, I have a traditional business background building tech businesses.
And there's a lot of negotiation that goes on.
And I like to negotiate.
And part of that is, okay, you got to figure out who are you dealing with.
Why did they do what they did? What's their motivation? And how do they get out of the situation if they're caught?
Right. And so depending upon that circumstance, I was thinking to myself exactly how you're saying. It was a calculation. I say, okay, look, so they get $100, you know, they get $100. Let's call it. They're going to have to go to the black market and try to get $50 back. If it's a lot of money, it's going to be hard to even get $50, though. It's hard to watch that through gift cards and things like that. So they're going to have to go to some kind of unscrupulous actor. There's a real danger in that. You go to an unscrupulous actor. You go to the mafia or whatever, you know, some underground.
why would they even give you 50?
They know you got 100.
They take out 100 of it.
You know, so you have real existential risk going through that process.
That's the first thing.
Second is the question was, I was thinking, okay, some of these hacks are pretty big.
It'll be 30 million, 50 million, $100 million hack and maybe even bigger.
A lot of the time, these guys are just opportunists, right?
It's not like they came into this, like really planning out.
You know, they've already got 20 in the bank and they want another 10 or whatever.
It's like they've got $600 in the bank and they're smart.
and they want a way to change their lives, right?
And so the approach with a 10% in this particular case,
the first case that I did on that was I was like,
I figured out who the guy was or I was pretty sure who it was.
And I'm like, this guy doesn't need all this money.
His life has changed with a fraction of this money.
And so that's where the negotiation came from.
So I said, look, man, we can both walk away.
Your life has changed.
You've just made a load of money overnight.
The protocol continues going on.
All these people's life savings don't disappear all of
sudden, all this work that's been gone into this protocol doesn't disappear all of a sudden.
Everyone walks away a little bit happy, right? And then you can disappear and not worry about having
to spend the rest of your life spending every dollar you just stole, making sure someone's not coming
after you because you don't know if the authorities are coming and you don't know who your victims are.
You've got to be careful with that. If you have a bad victim, that's not, you know, you really
need to consider that. There's cost that going to that. So that was kind of the approach was to try and
just put logic behind it to say, work with us here and we'll walk away.
everyone walks away a little bit happy, a little bit unhappy.
This is fascinating.
So, Ogle, I would love to hear, so I know you can't comment too much on Kyber specifically,
but I'd love to hear, walk us through the narrative of like, let's say not this hack,
what a previous hack you've been called into.
Tell us a story about what happened, who calls you, when do you enter, how do you find
the person, and how do you end up getting in contact and actually structuring that negotiation?
Yeah, I'm specifically curious about the origin story.
How do you become a negotiator?
like how do you become known as the guy?
Did you have some training in this?
Did you watch some like YouTube video?
I'm just curious.
Is it Liam Neeson-esque, you know?
Yeah.
So I'll answer that question first.
So about two and a quarter of years ago,
I've run a big online community with a bunch of folks.
And there was a project that came up during the Iron Finance collapse of their token
where Mark Cuban lost loads like, you know, tens of millions of dollars overnight.
It was a huge news story.
Suddenly, people had a lot of stables because they were trying to pull it out of that protocol,
and they needed somewhere to put their stables.
And so they put their money in different places.
But one of those places happened to be this thing called Stable Magnet.
It was a Binance Smart Chain thing.
It had just launched.
It was like basically a nothing protocol.
It was launched to be a rug.
That was the purpose.
But this crew had been rugging $200,000, $100,000 every few months here and there.
And suddenly they found themselves for $24 million in their bank, like overnight.
And so they were like, okay, let's go.
you know, so they rugged. And I was, I was walking through the city and a friend of mine called me and he said,
people just stole this, you know, stole a bunch of money from a lot of our members. A lot of people in our
community, a lot of them got screwed on this. And in fact, you had a little bit of money in there
too because it was a guy who managed some of my money. So I was like, okay. Okay. So looking back,
back in the day, the late 90s, early 2000s, I used to do like white hat hacking related stuff in the
web one era, let's call it. And so there are a lot of things that you can,
do with Web 1 and Web 2 techniques that Web 3 hackers don't have any idea about.
Like their OPSEC is usually pretty garbage, in fact.
Like they might really be good at smart contracts and so forth, but they have no clue
how to hide their tracks.
They drop them cookie crumbles everywhere.
And so I said, you know what?
Who knows?
Maybe let's try it out.
And so in this case, I went, looked at all their old channels, how their stuff does.
And they had left some EXIF data in one of their images, which gave away some information.
And from that point, it was like just boom, boom, boom, boom, the tiles started falling:
found the girlfriend, found the guy, found his GitHub, found his friends, saw that they forked, you know, found everything at that point.
And so the question was, all right, what do you do?
And so there was a victims' group with like 1,500 people in it.
And I said, well, let me just see if I can talk these guys into giving the money back.
I mean, who knows? Because, I mean, these are young, these are 20-something-year-old, you know, 21, 22-year-old guys.
I don't want to ruin their lives. You know, we all make mistakes.
And this is a serious problem. But if we can get the money back to the victims, maybe there's a way everyone walks away unscathed.
Where were these guys located?
Hong Kong. They were in Hong Kong.
And so I did a number of, I did a lot of research, got their Hong Kong ID numbers, you know, got everything on these people, found their, you know, the parents, everything about them.
And then came into one of the victims' groups. And I was like, I'm sure they're going to be in this victims' group monitoring, seeing what people are saying, right?
So I said, hey, folks, look, I'm going to help you find this stuff. I think I know who it is. And I just started to talk publicly as if they were listening because I knew they were. And so I'm like, okay, hackers, I know you're in here.
just so you don't think I'm bluffing.
This is the first initial and last initial of your names.
You know, and I listed them out.
You know, don't think I'm BSing here.
And so then what do they do?
At that point, I was tracking them in some other ways.
So what do they do?
They fled.
They left from Hong Kong.
And this was during the COVID time.
They left from Hong Kong and flew over to England,
which was one of the only places you could go easily at that point during COVID.
England had a 10-day quarantine period with a bunch of hotels that were set up for that process.
I speak Chinese.
And so I was having these conversations.
And I was like, you know what I can do?
I'm just going to call every effing hotel in these.
I was like, maybe London will be where they go because there's a big Chinatown there.
But I was like, no, probably it would be somewhere smaller because these aren't morons.
Let me try Manchester first and we'll work our way out.
So I tried Manchester.
I call it 140-some-odd hotels.
And I said, hey, look, I'm the brother of, and I gave the girlfriend's name.
And I'm just wondering if she's there.
I can't get in touch.
I've got a pretty important message.
every time they answer the phone.
You know, we don't have anybody by that name here.
We don't have anybody by that name here.
No one by that name here until eventually one of them said,
I'm not allowed to say if we have a guest by that name.
But if we do, I'll take the message and I'll give it to them.
And if they happen to be here, you know, they'll have the message.
I'm like, bingo, that's the folks.
And so I said, all right, here's the message.
I called back a few minutes later.
I said, you know what, don't worry about it.
She just called me back.
And the nice lady was like, I was just about to go upstairs and give her this letter.
I said, don't worry about it one bit.
So I let the authorities know at that point, the Manchester police, I already had the DHS,
the Department of Homeland Security and the U.S. side involved.
I said, look, I know where they're at.
I know what hotel they're in.
Go get them.
Right.
And so eventually a few days later, it was a longer story, but eventually they did go in there.
They got one of the guys, got the money.
Then those things started tumbling.
And we got all the money back.
It was the full recovery.
It was the first recovery ever in a DeFi hack.
And so I was really excited about that and got a little bit addicted to
to doing that. They kept nothing.
Holy shit. You actually are a reason. That's insane. That is insane. Wow.
It was so much fun. Now, so that wasn't like, I wasn't like, yeah, keep a few bucks.
You know, that wasn't the situation in that because, you know, I was just like,
guys, I've been cool with you. Like, you should have given the money, but you're being,
you know, you're being really stuck up about this. And you're not, you're not participating.
So fine, screw it. So they got arrested. You know, that process worked out how it did. But then I was
thinking this is something that over time, maybe I can start.
actually help out people with a little bit and see where it goes. And so fast forward about a
year, which would have been about a year ago. I can't remember which project it was, but I was introduced
to a project that had had money stolen, by a friend of mine at Stargate. And not stolen by a friend of
mine at Stargate, but I was introduced by a friend of mine at Stargate at LayerZero, who introduced me
to the team. And at that point, you know, I said, look, let's work on the messaging. Like,
finding the person on the chain is not where I think the resources need to be spent. And I'm
because we've been doing that for years and never results in anything,
I think communication is the key here.
Like,
let's talk to the person and see if we can convince them to do some stuff.
And that's where this,
that was kind of the genesis of this whole process.
And it worked out.
You know,
we start getting actual recoveries.
So then once that happens,
to answer your first question to see,
you know,
then,
well,
you know,
one company sees a recovery and other company sees a recovery.
Then you just start kind of being pulled into the groups,
you know,
off and on.
And,
you know,
eventually you become the person who writes,
who writes these messages.
And in the case, you know, the case where you guys are talking about now, Kyber, I'm advising them on the messaging, but I'm not writing their messaging.
And you can tell that in the way it's written versus the ones I have been involved, which is like 35, 36 of them in the past year.
You can pretty much tell it's me writing the messages.
And, you know, a really key part there is like, I'm not working with companies that are not going to live by what they say because the integrity of this negotiation is super important.
So I was working with a company a few months ago.
And they said, I was like, okay, this is the message you should send out.
I think we have a good profile on the hacker.
This is the way we should approach this to make sure everyone comes away on skates.
And they said, yeah, we're going to do this.
And then we're going to turn them into the FBI.
And I'm like, well, then I'm not going to work with you.
Then I'm not going to do it.
Because the moment that I'm putting my name there saying, look, I'm helping on this negotiation.
And then you go screw them.
No one's ever going to actually participate in these.
Like, we have to have, you know, honor amongst thieves here, right?
You know, there has to be at least a little bit of that.
And so, yeah, yeah.
So that's kind of how that process works.
Now I get thrown into these rooms, you know, once in a
while to help out. It's a very tiring process. It's frankly a thankless process because if I'm being
honest, you know, you're, you know, you're the Messiah for, you know, a couple of days and then
you never hear from anybody again. This is all pro bono work, you know, for the most part. And so it's
I was right about to ask that. Yeah. Yeah, yeah, it's mostly, I mean, you know, people are like,
yeah, we're going to give 10% of the recovered money for sure. And then they get the money back
and it's like, yeah, just kidding. I hope you have a good day. You know, we'll talk about it soon.
Well, whoa, whoa, whoa, whoa, whoa. The people that you recover money for,
ripped you off. Oh, dude, it's 50, 60% of them don't even say thank you. Literally. It's kind of
amazing. And it's not just, you know, I mean, these are teams of people. They're like, there are like a lot of
people who are in there. And I can throw some names that are really great. Like Alicia Katz is in a lot of
these groups. Tay and them, samczsun. You know, there's a, I really could list out, you know,
six, seven, eight people who do great work in their own ways. Like Alicia is good at organizing. Sam is
good at the security side. You know, all this kind of stuff. But honestly, like,
It's, I don't want to, like, be negative, you know, but it's kind of disgusting, to be honest,
you know, like the amount of, like, or the lack of the amount of even like, thank you,
appreciate it, guys. You know, here's a pizza that you get from, from these folks a lot of times.
I'm disgusted on your behalf. I mean, that's unfortunate. Like, you would think that a project
that you've saved would honor their commitments to you. I mean, even if there's not a commitment,
because, because you don't let, you know, you're not like explicitly saying, hey, look, give me, you know,
this, you know, a lot of times, some people do, but that's not the way I work. I'm always like,
look, I'll help you. I'm happy to help. And I am. I'm happy to help these people for free. It doesn't
matter to me. I just don't want to be told, hey, if this happens, this happens. And I'm like,
okay, great, I'm looking forward to that. That's going to be a good day. And then it just doesn't
happen. You know, that's a, it's a little bit frustrating, you know, that sort of thing.
I will say there are some, there are some outliers, though. Like, for example, Alchemix,
I worked on the Alchemix hack, which was part of the Curve hack, Alchemix couldn't have been cooler
about everything. I mean, they were perfect. Like they were from the get-go. They were so appreciative,
so thankful, giving all the access to the information you need at the end of it, worked with
their DAO to support the security work that I'm doing and the team that I've got to pay out of
my own pocket. They were super cool all the way through the whole process. And if that was the
case always, you would have a lot more people like me helping out these protocols. But as it is,
there's loads of time, loads of effort, and there's real risk involved in it, you know,
because people don't like you suddenly because you just screwed their theft up, right?
And to have that be a situation where, like, you know, you're not, you're not being taken care of at all,
even from like a psychological level.
It's not very motivating for other people to get involved and help out too.
What do you find to be the best tactic or tactics in negotiating with these hackers?
And maybe the flip side of that way, like, what are the big mistakes protocols make when they're trying to, like, get their money back?
The big mistake, I think, is not profiling who the hacker is.
And so, like, a lot of times the protocols are freaking out,
right? They have a lot of anxiety and they have a lot of pressure from their community to
like hurry up and get something done. And so one of the first things that myself or like Alicia,
for example, will say is take it easy. Step back. For now, tell your community, we got it under
control, we're sorting it out, but we're not going to talk about it until we have something
to say. And actually stick to it. This is a big mistake people make these protocols make
because they talk too much and they say things on accident that give away where they're at with
the, you know, with the search. Maybe they say, oh, we're not quite sure yet where he is,
but we think we found, that's not, don't say that. Even if it's true, you don't say it. You keep
everything to yourself, let it be a question. That's the first thing. Second, is not profiling
the hacker properly from like a technical point of view. Like, for example, the Kyber hack is
very well done. That's a complicated hack. Like, this person's an expert. And so when you're
negotiating with this person, you're not going to talk to them like they're an idiot because
they're not, right? It's just going to piss them off. Like, clearly they have an ego, so you're not
going to talk to them like that. You want to treat them with the respect that in a certain
sense they deserve, right? But you also want to make sure that everyone's aligned on getting
to the other side of this coming out not as harmed. And then third, I think that I'm not really
sure how to say it, but like, like, just keeping control of one's own, like making sure to get rest,
making sure to like act as a team, being organized, things like that is something that a lot of
these folks don't do and it and it screws things up because you have three people doing the same thing
overlapping jobs and this sort of thing and it creates it creates distrust sometimes it creates like you know
just like a waste of time and it's also like people get in the way of each other and fall over their feet right
and so being super organized shutting up for a while and then thinking through how can we get through
this situation in a way that's not vengeful it's not angry it's not sad it's just logical how can we
get through this in a way that's going to get us out of it smoothly and make sure that the other
person feels like they're getting a good, you know, good outcome too. Everyone needs to come
away a winner. You guys are negotiators, right? You don't ever walk away from negotiation saying,
I got everything and they got nothing. The cyber attacker has taken your advice about being well-rested
and that was so interesting, right? You know, again, I don't want to talk to me much about,
you know, about this one in particular, but this guy's approach is very different. And I think it is
an evolution in a certain way of how these are probably going to, you know, how these might get done in the future.
This is a really interesting modification to the normal. And I think it does say a lot of things about all
the topics that I'm happy to talk about, but I feel like I've been kind of monologuing for four minutes already,
so I'll be quiet.
Look, we brought you on here to hear your perspective, so we love the monologue.
I guess the other question I'd ask is you've been through, it sounds a lot of negotiations.
It sounds like three a month from what you're describing. What are you seeing in terms of
patterns? Like what's changed over the last couple of years in the profile of these attackers,
but also what do they tend to look like? Where do they tend to be from? What are their
skill levels, backgrounds, countries? Help us get a picture of what you're seeing when you're
interacting with these folks. Sure. Yeah. I mean, three out of four times, they're Asian folks,
I would say, maybe a little bit higher than that, coming out of Singapore, coming out of Hong Kong,
coming out of mainland China, sometimes Vietnam, places like that. But almost always, I would say
75% of the time it's coming out of Asia.
And you can tell this via
writing patterns and stuff a lot of times.
That's another thing you look for is like writing patterns.
You can tell where someone's at, you know, in that way.
But three quarters of them are that.
And almost everybody's very young.
Like these are kids.
Like how young is very young?
Like 20.
Like 19, 23.
You know, these are young folks who've gone through
engineering school potentially.
Or maybe they have just, you know, done hacking for the past six,
eight years on their own learning or whatever.
They're very skilled usually.
They usually don't have any money.
You know, they come from kind of tough backgrounds a lot of times.
I've actually become kind of friends.
I know it sounds weird, but I've become what I might call like social friends in a certain sense with a few of these people.
Because, you know, they are, I'm the only person that a lot of them have ever talked to about this stuff.
Their family doesn't know.
Their friends don't know what's happened, but I do.
Right.
And so I can talk to them and say, hey, how's everything going?
Are you cool now?
Is everything all right?
And they'll talk to me about what music they're listening to.
And these are okay people sometimes who just saw an opportunity and took it.
They saw 500 bucks on the ground and picked it up.
And I think that that's an important thing here too is keeping in mind, these are mostly young people.
And my goal is not to destroy a young person's life no matter what they did.
You know, like it's your brain, your prefrontal cortex is not quite developed at that point yet.
You're making stupid decisions.
You know, we're all driving too fast.
Right. And just guiding them in the right direction and trying to keep it where their life
isn't ruined, but they're also not ruining anyone else's life, is usually the goal that I come
into it with.
And what have you seen change over the last couple of years as you've been interacting with
some of these incidents?
Well, the frequency has certainly changed as in it's gone up a lot.
The ability to get away, technically speaking, has gone down a lot.
Like you guys were speaking about earlier, you know, it's a lot harder
to wash through online platforms.
I mean, there's ways of doing it, but it's much harder.
The sleuths have gotten way better at finding, at just tracing down these people.
So even if they're using something like Tornado, like, you're not, you're not good.
Like, there's, there's ways to figure out with high probability who you are,
especially if you're working with big amounts of money.
And so I would say, yeah, the frequency has gone up a lot, but also the ability to capture
them has gone up a lot. And therefore, the entrance of negotiations, I think, is appropriate.
It's like the right time for that kind of thing in the past couple of years. I will say, too,
that on the, on like the, say, the white hat bounty side of things, they have not caught up on this at
all. So companies are paying garbage rates for really important bounties. And they're not
incentivizing these people to actually give them the information. So like, you're sort of asking for it
in a certain way. I don't want to blame the victims, really. But if you're saying,
I mean, I, for example, found an exploit recently in a popular place where people publish their posts.
Okay, let's call it that.
And I wrote to them on the bug bounty program.
I don't need the money, but I wrote to them on the bug bounty program.
And I said, hey, look, this is the thing.
And how do you feel about this?
And didn't even get a response.
And so I followed up two weeks later.
And I said, look, I'm going to publish this exploit like existence on Twitter if you don't respond to me at least because this is still existent two weeks later.
They respond back.
Okay, sorry.
Yeah, we didn't respond.
We'll fix it soon.
I respond back, okay, what level of bug bounty is this qualified for?
Ghosted again.
Right.
So that's my experience going through this in like a really low level.
I could have just deployed the exploit, screwed people out of, you know, a couple hundred thousand dollars before it was caught and walked away.
And so the incentive, if your goal is to actually make money here, is so skewed toward being bad because the good side like supports it so little that the industry is like it's like it's just asking for
these problems, I think. That is very true. It does seem almost impossible to really fully remedy
that imbalance, right? Because it's always going to be the case that protocols can't afford to pay
a 10% bug bounty of the amount of money that would have been attacked because at a certain point,
those losses have to get socialized among their users, right? They can't absorb that off their own
balance sheets. And so in order for the protocols to assume that they're default alive, they have to be
able to say, look, well, you know, I only have so much money that I can really devote
towards security audits and bug bounties. Otherwise, you know, users wouldn't tolerate it, right?
If a user, if somebody tells their user, hey, guess what, a white hat showed up and they found
some great hack, so 10% of your funds is going bye-bye.
Yeah, yeah.
Like, there would be a mutiny, right? So it's never, it's never going to be as advantageous
to be a white hat as to be a black hat. But you're right, the imbalance is so severe
that a lot of white hats can't make a living being a white hat. Like, they have to find
other sorts of work unless they're really, really, really good.
These are two different dollars. These are two different dollars, right? I mean, $10 of dirty money
is the same as, you know, 50 cents of clean or a dollar of clean. Like, you don't need to have
10% of the stuff going out. That's okay. The dirty money, nobody wants that crap. Like if,
if these people, these skilled folks could reliably say, look, if I find a problem in a protocol
where I could have stolen $250 million, I could black hat it and keep $25, or I can white hat it
and you'll give me a million dollars. Like, I bet you
almost everyone's going to say, screw it. I'm white-hatting this thing. It's clean. It's above the
board. And I can do it all day long. I can spend my life doing this. I can get a team of people.
I can build a business on this, you know, whatever. But right now, it's like, you know,
a clean hack. You come to someone. There's $250 million on the line. And if they respond to you,
which a lot of times they don't, they'll give you 10 grand. You know, 20 grand. It's just,
it's just so far off, you know. Just to flip this on its head a little bit, you know, we've spent a lot of
time talking about, you know, the process of resolving a hack after it's occurred.
From your vantage point, is there anything that projects can do before an incident to prepare
for the possibility of an incident ahead of time?
Or there are things that you would tell any protocols out there today that they should, like,
think about, like, how do you think about, you know, the preemptive approach to this?
Yeah, sure.
So, I mean, besides, like, penetration testing and audits and, you know, that sort of thing,
just the disaster response part I think is really important, Robert.
And like, you know, the part about organizing yourself and, you know, being chill and that kind of thing.
And so to that end, so I have done a little bit of that for some for some different protocols that have asked me for it.
And that's something that through a small security company I've got like, they'll say, hey, look, can you, can you put us through like a drill kind of a thing?
samczsun started up a group called SEAL Team 6.
And I think they're doing this kind of stuff soon or they might already be doing it.
I'm involved in that only in the sense that I'm like helping a little bit with like a guide
they're writing, but I'm not actually on the SEAL team thing, just to be clear.
But yeah, so I think those kind of things would be really useful.
It costs so little, you know, but then your team gets, your team's already ready.
They've got a Notion ready where all the data is going into.
They've got the Google Docs ready.
They've got the drive ready for sharing the files.
They've got the Telegram war room already set up for everyone to be joining in there.
They know the list of people they're going to be calling in in the case of an attack.
It's a day of prevention that might save the entire company later on down the road.
That makes sense.
And last question I ask you, Ogle, what would you like to see change in the industry or in the kind of security practices going forward?
Oh, gosh.
I think, I mean, well, first off, I think the imbalance we were talking about earlier needs to be fixed.
Second, I think that projects paying for their own audits and deciding if it gets
published or not needs to be fixed.
Like I find like audits as marketing to be kind of disgusting and really, really, you know,
the incentives are really misaligned there for the public versus versus what's supposed
to be happening.
I think there's solutions for this.
Like actually having proper code review, like writing tests, like actually having like reasonable,
you know, like having reasonable coding practices.
That'd be a good improvement.
You know, just catching up to Web 2, really.
You know, I mean, in a lot of ways, like, I love Web3 stuff.
I've been in this essentially since the beginning, been in crypto since 2012 or before, you know, a long time ago.
But Web 2 just does it better on a lot of the stuff.
It's had the time to screw up and it's matured.
But a lot of the people in Web 3 are like, screw Web 2.
Everything about Web 2 sucks.
It's the old way of thinking.
Okay, sure.
But like, you know, sprints in development are useful.
QA is actually a good thing to do.
You know, like these are important parts of the process that you should be doing before you
deploy a contract out there that people are putting their hard-earned money into.
It's even more important in these cases because in traditional Web 2 stuff, you're not holding
people's money, right?
But now you are.
Like you have a responsibility, in my opinion to really, really, really get this stuff
right.
And it goes the opposite way where people just don't pay any attention at all.
That is terrifying that there are people out there who are writing smart contracts without tests.
Some of those things I'm like, okay.
Yeah, it happens.
It should embarrass the entire industry when it does happen.
Okay.
Well, Ogle, I want to thank you so much for coming on and sharing your wisdom with us.
You're doing the Lord's work.
Please let us know what's the closest pizza shop so we can buy you several pizzas.
Also, if you're looking for, how can people find you if they want to get in touch with you
or if they're looking for some security assistance?
Yeah, sure.
So my Twitter is @cryptoogle, C-R-Y-P-T-O-O-G-L-E.
Same thing on Telegram.
People could hit me up if there's like an emergency at that same username.
Oglesecurity.com is where I do some stuff.
But I'm really,
I'm not leaning into that,
to be honest with you.
It's just like,
it's just kind of there in case someone needs,
you know,
an insurance or they want to do some philanthropy and be nice to me.
You know,
it's very rarely used.
Just Twitter is kind of,
it's probably the best place to chat.
And,
and yeah,
I mean,
you know,
just between us,
you know,
you can edit this part out if you want to.
But I'm building,
I told you I'm building an L1,
been building it for about a year and a half now.
And it's very,
very heavily focused on security user experience, things like that, to try and solve some of
these problems that do exist. And I think we're going to, including like the audit problem,
like we're going to be doing all the audits and stuff, you know. And so, so I think that just
a little bit of time down the road, again, you can edit all this crap out, but I'm just telling you
guys, down the road, I think we're going to be in a situation that's, that's a lot better
than how it is now. Like, I'm going to bring in some of those Web 2 old school, you know,
like geezerly ways into, you know, the chains and actually make it safe for users, I hope.
That's great to hear.
Well, you're doing the Lord's work, and anybody who's listening, please buy this man
a pizza because he deserves some thanks for all of it.
Thank you.
And I'm so hungry, too.
I'm so hungry.
All right.
Take care, fellas.
Thanks for joining us, man.
Absolutely.
Good to meet you.
That was hardcore.
I was not expecting it to be quite.
I was not expecting that to end with the I'm making an L1.
Well, good for him.
Good for him.
I mean, it just was like.
It was like so focused on application level and higher.
And then it was like, nope, making an L1.
Look, only infrastructure gets funded in this industry.
You know that.
Come on.
Yeah, yeah, yeah.
I don't know if I'm part of the problem, part of the solution.
You're mostly the problem.
I mean, I think all four of us are part of the problem.
Yeah.
Oh, well.
All right, cool.
So I think we probably have time for just one more story.
So one of the big stories, just one.
I think. Well, so one of the big dramas that's been taking place, aside from hacks,
has been a new L2 called Blast, speaking of infrastructure. So Blast is launched by Pac-Man,
who is the founder of Blur, the NFT Exchange, in which we are investors, full disclosure.
So Blast was described as being a layer two that is going to have what's called Native Yield.
And so native yield basically means you deposit assets into the L2 bridge.
So you're moving some ETH, you're moving some USDC or whatever.
And Blast will take that ETH or that USDC and it will deposit it, the ETH into Lido, the stables into Maker, in order to give you yield that rebases on the L2.
The idea is people are on these L2s.
They have capital just sitting around there doing nothing in the bridge.
Why not make sure that you get some extra yield for just sitting around there doing whatever you're doing?
And eventually Blur can also be, you know, built on top of Blast or can move on to Blast,
something along those lines.
So he raised about $20 million for Blast from Paradigm, Standard Crypto, and a bunch of crypto
and it turns out that this project, which was announced, you know, a little bit over a week
ago now, is already ready for deposits.
So you can deposit money into Blast nominally and start getting some yield as well as
getting points that will presumably result in an airdrop.
The problem is that Blast does not exist.
So there is no L2, there is no platform, there is no smart contract, there's nothing.
There's just a multi-sig right now.
And this multi-sig, as of today, about a little bit over a week, is currently holding
$620 million in deposits that have been deposited into this more or less multi-sig.
Over 50,000 users have deposited funds into this thing.
There's a three-month period during which nobody can
withdraw. So this money is just going to sit in that multi-sig for three months. And this has made a lot
of people very upset. This contract, the multi-sig, has five signers on the multi-sig. But it has not
been revealed who the signers are. So normally when there's a signer, you know, if you look at,
you know, Polygon has a multi-sig, a bunch of, you know, a bunch of these protocols, a bunch
of L2s have multisigs, Arbitrum, Optimism, et cetera. They all have multisigs. But usually the signers of
the multisigs are known entities. There are people in the
community who are, you know, already doxxed.
And so people know, okay, I can trust this set of five community leaders or whatever.
You also have the ability to withdraw.
I think that's the just.
Yes, also you have a, you have the ability to withdraw as well.
I think, I think that's the, that's the part where it feels like we went back to 2017,
right?
No withdrawal.
Worse than 2017.
I mean, it's a loot box.
It's a lot.
But here's the thing, in the old school lock drops, it was literally like, hey, this is programmatically
locked and we can't steal your money lock drop.
Like I remember those lock drops and they weren't put $620 million in a multi-sig that
doesn't belong to you.
The original lock drops were at least contractually enforced that said you're going to
be able to get your money out in 90 days, period, full stop.
Yeah.
So the story is that there's been a lot of criticism about the security of the multi-sig, the withdrawal
policy, the referral scheme, there's like a referral program where if you bring more people in,
you get more points.
So questionable marketing tactics.
The sort of yield on yield promises
and the endorsement by all these VCs
and crypto influencers.
Pac-Man, the founder of Blur and the founder of Blast,
came out and defended the project
and made clear that Paradigm, who was a lead investor,
did not necessarily agree with all their tactics,
but they decided to go through with it anyway.
And then a few days ago, Paradigm came out
and publicly criticized Blast's launch
because I think Paradigm was facing a lot of heat
for their involvement with Blast.
And Paradigm basically said,
look, we talked to the Blast team.
We don't agree with the way you're doing this.
We think it cheapens the project.
But, you know, they're great guys and something, something, something.
So it seems like a lot of people are upset,
but not quite, you know,
so to be clear, we are not investors into Blast.
But it seems like the people who are investors into Blast
are kind of saying like,
oh, we don't like that people seem to be upset.
and somehow they're directing this anger at us.
So we will kind of disaffiliate ourselves publicly from this,
but of course they already own the tokens and they're left with the rights, I suppose.
Or the future rights to tokens, I should say, yes.
The tokens don't exist yet.
For Blast, I mean, a few things.
I think there's a few lines of criticism, as you've said.
One, people don't like the way the yield is being phrased saying, hey, you know,
this is not, you know, risk-free yield.
there is risk associated with these sorts of yield.
People don't like the multi-sig.
And people don't like the marketing around it, right?
There's a kind of cute diagram where they show one person referring many people,
and those people referring many people that looks suspiciously like a sideways pyramid.
Look, look, look, look.
This is just decentralized Herbalife.
And we've decentralized Bill Ackman by the crypto-Twitter people.
Bill Ackman lost the Herbalife thing, by the way.
So, you know, I don't know if that's the best conflict.
No, no, I think my hot take on this is this is a little bit like the genie's out of the bottle about like, hey, people actually, you know, want this. $600 million went into this and like my ZK rollup that I worked really hard on for three years has like $30 million.
So like I guess we all have to offer a yield.
I think it's going to become this arms race.
And it's like I agree the marketing was distasteful and whatever.
but if we look back on this in six months, I'll make the prediction now,
we're going to be like, oh, okay, I guess every L2 is offering this.
You know, it's like it does feel like it's a one-way function in that.
Totally.
I think the product is great, actually, right?
The trend in DeFi has been moving towards more sort of base yield rebasing products
and then nesting those in those things, like stETH is larger than ETH in Aave,
stETH is larger than ETH in MakerDAO.
It makes it better for protocols, because you don't have to compete
with sort of this risk-free rate that people are comfortable taking the risk on,
you know.
I prefer calling it a risk-neutral rate.
You are taking risk-neutral rates.
Yeah, there's a little bit.
But, you know, certainly it's sort of broadly accepted that, hey, we were comfortable
with these levels of risk is the way the market is moving and the market is sort of speaking.
And unfortunately, if you want to use stETH, the way you would normally use ETH in
DeFi or other, you know, applications on Ethereum, it's kind of a pain in the ass because
it's this weird ERC rebasing token that you can't use
like normal native ETH, you can't pay for gas with it necessarily. And so I think enshrining it and
sort of making a first-party product that is doing what people already want to do makes a ton of sense
to me. And obviously, you know, again, the market is sort of speaking to it. The multi-sig thing,
I also agree was kind of goofy. You should probably have at least a time lock on it or have some
sort of like, you know, base. I mean, if it's an OP Stack fork effectively, like have sort of a,
you know, verifier contract. Wait, but it's an OP Stack fork, but not Superchain apparently, right?
It's like not going to enjoy this.
I think it's forked from, from OP Stack with their whole rebasing thing.
So it's a little different.
So that was a little goofy.
But yeah, I think the flip side here is, hey, they've created an immense amount of, you know,
hype around the product.
They front run all these other roll-ups that have basically been sleeping.
Like their go-to market has been total shit, which is, you know, why no one actually
wants to use these like random, you know, long-tail L2s.
And now, you know, Blast basically invented this idea.
and they had the momentum.
Was that a Freudian slip?
Was that?
Yeah, I wanted to should unscroll, but they kind of came to mind when I'm like, what the
fuck are they doing?
Hey, hey, hey.
As a Scroll investor, I will stand up for them.
I think that they actually went the right way.
Go to market bad.
You know, you can fix it.
But I think it reminds me a lot of Blur where there's like there's these invisible
lines in crypto that people don't want to touch, right?
Of, oh, we have to pay royalties to artists or, oh, you know, NFTs are about
the art. It's not about trading. And I think Pac-Man is actually a great founder in being able to
violate those lines and say, no, actually, this is wrong. This is what the market wants. And the
market speaks and, you know, says, yeah, that's correct. Yes, I take your points that clearly
this is something the market is speaking that it wants. Although, to be clear, it doesn't actually
have this yet. So I don't think people actually can say with certainty that, yes, this is the thing
that's going to get traction. I can see just as much that a lot of that capital leaves the moment
the airdrop hits.
Just because like, okay, do people really want like an L2 with rebasing?
I think what people want are applications on L2s and what do devs want?
They want TVL.
They want, you know, the capital that's there that's ready to deploy that's ready to use
their applications.
So I actually can see this being very popular with devs as well.
It's not, we're not turning back from this.
This is like, it's like restaking.
Like all of the things where everyone is going to be very angry about the rehypothecation
implied, the sort of like implied leverage,
the market always wants that in this industry way more than anything else.
And like the moment someone offers it even the tiny bit, there'll be like a ton of capital
that chases it.
I think there's no way back.
I bet you we will see every other L2 do the same thing.
There's this kind of, it's just like unfortunate.
In some ways there will be some extra systemic risk, unfortunately.
But like the point is like it's definitely going to, there's no way everyone doesn't copy it.
I think this is way too strong of a claim.
Like these are airdrop farmers.
Everyone here is literally, they're not.
Using the product, there's no product.
So if they launch the L2 and the L2 gets developers and applications, then yes, maybe there's a ghost of an argument there.
But this is like the airdrop to end all air drops.
That's why people are here.
And every marginal dollar that gets contributed, like, you know, right now there's a futures market for Blast on Aevo, very, very low liquidity.
But it's being priced at like north of a billion FDV.
So clearly the market expects that this is going to be a massive fucking airdrop.
And that's why they're putting all this money in a one-way multi-sig with no product.
So it's possible.
It's possible that yes, this takes over the world.
No, no, no, no.
But the reason I say this is like, again, from the perspective of a layer two developer,
there's a million of them now, right?
Because there's all these stacks, all these software kits to make it like,
I can do it on a weekend as a hobby project.
I'm not thinking those ones will be successful.
I'm just saying it.
The tech barrier has gone down enough that there's inevitably a lot of people who look at the
$600 million in Blast and are like, I can do it better.
And that just starts the foot race.
I think don't underestimate that part of the market.
The foot race will happen now.
I agree.
Not to use the wrong word, but I think it is a paradigm shift in how people think about L2s.
I mean, truly, because you might say we're shifting to a different standard.
Oh.
Even better, even better.
But I do, I agree with Tarun.
I think that over time other L2s are going to figure out how to have a,
neutral yield to it.
And I do think it's actually a really elegant solution to call it restaking, call it,
whatever, where you don't have to worry about losing the yield inherent in your
ether when you bridge it over to an L2.
And I think that is fundamentally incredibly powerful.
And I think, you know, I don't know if Blast is going to be the one that actually achieves
adoption on top of this, but I do agree with Tarun.
I think most L2s over time are going to find a way for you not to have this opportunity
cost loss of the ether staking yield when your ether is bridged to that L2.
And I think they've stumbled on a very natural economic principle here.
And I think there's massive risks.
I think like Tarun's underselling the risks.
I'm not, I'm not trying to say there's no risk.
I'm just saying that like, you know, everyone is going to close their eyes and pretend they're
not there because they see the TVL.
Of course there's tons of risk.
Yeah, this is going to, an L2 or multiple L2s, including potentially Blast,
are going to implode in a spectacular shit show of duration mismatch at some point.
SVB on chain.
It's going to be SVB on chain.
Without a doubt, it might not be Blast.
It might be some copycat who makes this.
The knowledge of these systems decreases with every fork from the original.
But one of these L2s is going to implode at some point because
you know, taking all the ether, turning it into staked ether, you know, works great on the
way up. There's no slippage. But the withdrawal queue might be six months and everyone is suddenly
rushing to that. That's why I don't think you can abstract that much over the details about this.
Like, it's not like just being in the money market. My point is I'm not saying, like, I'm the one,
I would be, I'm the first one to tell you. There's a ton of fucking risk here. There's a reason I said
we have, we can't, we have to stop fucking calling it risk free. That's the most,
infuriating part about most of the advertising to me is like everyone just talked about being
fucking risk free, which is absolutely not true. It's actually risk neutral because you're not
even, like, you don't even care about the variance because you're using it all the time, right?
I just think there's kind of this thing of like inevitably there's just the foot race, right?
It's like the foot race downhill and like I don't, I just don't see the, like, people are going to
look at that TVL and they're like, why did I spend so much time building a really elegant L2
but this thing that's a multisig has 20x the TVL,
that incentive, that type of like forcing function
inevitably causes people to copy.
Like I just, how could that not happen?
Look, I think that's definitely true
for a lot of emerging L2s, right?
I think some of them are going to say,
hey, this is a strategy
to juice the yield and get me some extra money, right?
In the same way that J.P. Morgan pays you almost nothing
on your deposits and small regional banks pay you like almost 5%,
right?
Because they really desperately want their deposit.
What else is the roll-up revolution other than unbundling the main bank Ethereum?
Look, I think when people realize that like, okay, now I have to figure out the taxes on my auto rebasing currency.
Now I have to figure out like, oh, I wanted to withdraw my money to like go hedge something.
And I can't because it's stuck in a withdrawal queue.
And like there's all this complexity that is going to show up in places where people don't expect that complexity.
And they're going to realize this is not a free lunch.
They realize too late.
They realize too late.
They realize too late.
That's, they're real, like, but it's not going to be like Arbitrum and OP Mainnet and all these things start doing this.
But the problem is, no, no, the problem is these SDKs for doing your own roll-up. OP Stack, you know, Orbit.
Yeah, people may fork Blast.
People may fork Blast.
My point is like, they make it so that every single one of these side rollups is, why would they not do that, right?
Like, it's just, it's such an easy thing.
Also, account abstraction actually makes it much easier to make this a native gas model for a lot of while.
And you're actually outsourcing how that conversion gets done to the Paymaster.
So I actually think some of the technological changes make this even easier to just copy
pasta everywhere.
Sure.
But the withdrawals, like, I would bet a lot of money that this is going to be done manually
at first, right?
To actually get the money withdrawn from Lido and get the stuff with Maker and not end up
paying too much slippage or whatever, that stuff is going to be done manually.
in the beginning because it's just the fastest way to get things off the ground,
in which case, at some point someone's going to fuck up.
At some point, something's going to go down.
At some point, something is going to go wrong and people realize,
oh, we don't have everything quite in place yet for this to feel seamless.
Maybe someday it will.
I agree.
I agree with you, but I don't think that means that people aren't going to just copy even
a half-assed type of thing.
Totally they will.
Totally they will.
But it sounds like what you guys are describing is a kind of maximalism that this is,
or almost accelerationism, right?
This is inevitable.
All roll-ups are going in this direction, and this is what the future of roll-ups will all look like.
It'll all be rebasing Lido-based, maker-based, blah, blah, blah.
Which, by the way, if you believe that, you should be super bullish, long Lido and Maker.
I know you want the EA version of fucking safety, like roll-up safety.
Do we move from AI safety to roll-up safety?
I think there is a truth to this, though.
I think, frankly, you see, what you sound like a little bit is like Bitcoin Maxis in, like, 2013.
I think there will be a tipping point
if they can actually attract the best devs
to the platform, then it's kind of game over.
But I think to that point, you're right, we'll see.
But I think it's hard to say that,
oh, they don't, you know, enshrine
or believe in certain principles that we believe in
and therefore, like, it's not going to work
or there's this technical complication they can't overcome.
Like, you know, I think history has shown that,
hey, at a certain point, this stuff can be figured out
and, you know, these things can just build massive flywheels
that are just, like, very difficult to break.
Yeah, look, my heuristic is that simplicity wins.
This is so, to do this is so complex
and has so many pointy edges that everybody now has to think about.
If you have your money in a roll-up that's doing this shit,
you have to think about it.
And that is the reason why I think it's going to,
it's not going to be the default.
Some people may choose to do this, especially if you're trading on Blur,
I think this is great because Blur, you know, whatever.
You have some passive liquidity sitting there.
You want some extra yield.
Fine.
If you use Blur, this is part of the equation.
But are people going to do everything in environments that are built up like this?
I think the answer is no because it's too complex.
People will certainly try for a while, though, before they realize.
That's, I think, more the fundamental thing.
Right.
Anyway, all right.
We got to wrap.
Thank you, everybody for listening.
We'll be back next week.
See y'all.
