Unchained - The Chopping Block: How to Improve DeFi and Cross-Chain Bridge Security - Ep.343

Episode Date: April 21, 2022

Welcome to The Chopping Block! Crypto insiders Haseeb Qureshi, Tom Schmidt, and Tarun Chitra chop it up about the latest news in the digital asset industry. On this episode, Laura Shin, the host of Unchained and author of The Cryptopians, also joined the conversation.

Show topics:
- how people have responded to The Cryptopians
- why traditional publishers were reticent to publish the story revealing the alleged DAO attacker’s identity
- what lessons can be learned from North Korea’s alleged involvement in the Ronin bridge exploit
- how zero-knowledge proofs work and how a miscalculation in a whitepaper almost caused major issues in the crypto world this week
- how math proofs and reporting specifications work in the crypto space
- why security engineers, like samczsun, are so hard to come by
- how an attacker was able to steal ~$80 million from Beanstalk in a governance attack
- @hosseeb vs. @haseeb
- the difference between being in crypto and covering it as a journalist – and why Laura sees herself as more a “referee” than a participant in the crypto space
- whether DeFi hackers can actually cash out of their positions
- why Tarun is worried about Ethereum’s security in the wake of the merge being delayed even further
- what staking derivatives are, and how traditional are using Lido to lever up
- why traditional funds getting into crypto has Tarun worried about Anchor
- why the guys think Cosmos is more popular than Polkadot

Episode Links

Hosts
- Haseeb Qureshi, managing partner at Dragonfly Capital https://twitter.com/hosseeb
- Tom Schmidt, general partner at Dragonfly Capital https://twitter.com/tomhschmidt
- Tarun Chitra, managing partner at Robot Ventures https://twitter.com/tarunchitra
- Laura Shin, the crypto referee https://twitter.com/laurashin

Helpful Information
- North Korea’s interest in crypto: https://unchainedpodcast.com/why-north-korea-is-interested-in-cryptocurrency/
- The Merge delayed: https://unchainedpodcast.com/why-ethereums-merge-was-delayed-and-why-it-wont-reduce-gas-fees-much/ https://bitcoinist.com/ethereum-merge-headed-for-another-delay/ https://twitter.com/korpi87/status/1513459657381068812
- Beanstalk rekt for $180M: https://www.theblockcrypto.com/linked/142272/ethereum-based-stablecoin-protocol-beanstalk-loses-more-than-80-million-to-exploit
- Crazy attack using flash loans to insta-ship governance proposals: https://rekt.news/beanstalk-rekt/ https://twitter.com/kelvinfichter/status/1515735718840184835
- The Cryptopians: http://bit.ly/cryptopians
- UST and Anchor worries: https://unchainedpodcast.com/heres-why-usdn-de-pegged-from-the-dollar-and-why-ust-might-too/
- Lido and centralization: https://www.suresats.com/post/ethereum-s-centralization-dilemma-through-lido-staking
- Cosmos vs. Polkadot: https://medium.com/coinmonks/polkadot-vs-cosmos-which-one-is-the-best-246e67b25d6c
- MakerDAO technical docs: https://docs.makerdao.com/
- Zero-Knowledge explainer: https://www.notboring.co/p/zero-knowledge

Transcript
Starting point is 00:00:01 Hey, everybody. Welcome to The Chopping Block. Every four weeks, the few of us get together and give the industry insider's perspectives on the crypto topics of the day. So quick intros. First off, we have Tom, DeFi Maven, and Master of Memes. Next, we have Tarun, the Gigabrain, and Grand Poobah at Gauntlet. Then we have Laura, she is the CEO of the show. Is it how she asked me to intro her? Oh, please. You just called me that, and you said, I'm looking for you. I asked you how you wanted to be intro, and you said the CEO of the show. So I said, fine. No, I'm not at this one. Okay. He actually just called me that. And before you said, you were looking for a way to interview me, and I said, just call me that then. Fair enough.
Starting point is 00:00:37 Fair enough. Okay. So she is the CEO of the show, and she is chief journalist on The Chopping Block. And then you have myself, Haseeb, Head Hype Man at Dragonfly. So all four of us, or sorry, you should say, three of us are early stage investors in crypto. But I want to caveat that nothing we say here is investment advice, life advice, or legal advice, for that matter. So, this is our first show that we're doing in person. It's honestly kind of weird because every show in the past that we've done up till now has been over Zoom.
Starting point is 00:01:06 And now of a sudden we're sitting here in this like hot studio in Manhattan. And it's like it's suddenly breaking the fourth wall a little bit compared to how we usually do things. Yeah. And it's also weird because it's like so close. We're like still kind of in COVID. But like everybody's super sick of COVID. Yeah. They just lifted the mask mandates.
Starting point is 00:01:26 You know, now you don't have to wear a mask in Uber. You have to wear masks in a plane. Nobody in the subway is wearing masks. So it's very, very different environment. I just came from Singapore, which is the exact opposite, where people are still extremely, technically the mask mandate in Singapore is lifted,
Starting point is 00:01:40 but almost everyone there is still wearing masks, even outside. Oh my gosh. Which is bizarre because it's extremely hot in Singapore. It's like super humid. You're probably not going to catch COVID outside. I'm just going to tell you that. I know, I know, I know.
Starting point is 00:01:51 It's just, I think it's a cultural thing. If you go in Singapore and you're walking around outside, the only people you see not wearing masks are the white people. All of the locals? Not crypto libertarian. There aren't that many. There aren't that many.
Starting point is 00:02:05 And well, most of the crypto people in Singapore are Asian. And so they like bring the Asian energy of like, okay, follow the rules. Like, you know, at least within your normal day-to-day life and your alter ego, you break all the rules and then you, you know, run an unlicensed exchange or whatever. So, yeah, it's interesting.
Starting point is 00:02:23 How has been the book tour? Oh, my God, amazing. Yeah? You know, like I've been putting out these shows every week, twice a week, and doing it for years. And, you know, I don't get a lot of feedback. And so, like, doing these book events has been, like, just so lovely. Like, people come off to me and they're like, oh, I work in crypto because of you. Or, like, someone came up and was like, I'm your number one fan.
Starting point is 00:02:50 And then later his friend also saw me and his friend was like, he puts you up there with Vitalik. And I was like, oh, my gosh. Wow, wow. I had like a group of four college friends. They all listen to me. I've had like whole families. The whole family listens to me. You know, there was like a person that he was like, oh, I got my wife in your show.
Starting point is 00:03:07 And now she works with blockchain technology. Like she like added it to like what she was doing with government. And like, I don't just, there have been so many stories like that. I mean, there was somebody. She read my book so closely that she was asking me these like very detailed questions about the book. And I was like, whoa, like you like studied this thing, you know? So the whole thing, honestly, it's just been amazing. I sold out the first event to New York, which, like, they were turning people away. I
Starting point is 00:03:31 didn't expect that. I have a ton of fans in Utah. Big surprise to me. Wow. You're like a crypto rock star now. Yeah. There isn't so many, like, just delightful things. So, yeah, it's everybody who came. Thank you. Because it's just been like, yeah, so lovely, pretty much. And yeah, really, really unexpected. How do you feel about the reviews? How do you feel about the reception overall on the book? Really good. Yeah. I feel good. Yeah. I mean, you know, it's like, I've worked on this for years. And honestly, I'm just grateful that people are even reading it. You know what I mean? It's like people, you know, there's a lot of content out there now. Like a lot of things compete for people's attention.
Starting point is 00:04:13 And like the fact that people, I'm like taking the time to read my 400-page book, you know, all of its footnotes. By the way, if you're a crypto-O-G, you can totally geek out in the footnotes. They're very fun. Lots of blockchain transactions and like wayback machine and things. and social media posts, whatever. But yeah, like, the fact that they're doing that and, like, you know, sometimes they're, like, screenshoting things that they're just, like, interested or surprised by. And, yeah, I don't know, like, a lot of people have been buying, like, bulk orders as well,
Starting point is 00:04:45 like, you know, for their whole company or their whole DAO or, like, yeah. So I've been doing, like, a bunch of kind of events for companies where, like, if you buy a certain number, then, you know, I'll do a virtual event for you or even something in person. And so there's been a lot of dial. And yeah, like there was like, yeah, there was one last week where actually what happened was it was just a conference. I gave a speech.
Starting point is 00:05:08 And then one of the companies had bought the book to give away. And so there was like the signing line. And the signing line was huge. And like I had to see for two hours signing all these books. I like couldn't even finish because I had this other appointment. I did not imagine it was going to take that long. And people wanted selfies with me. And like, it was interesting because not.
Starting point is 00:05:26 Not like most of the events, everybody already knows me. It's already like a fan of my show or whatever. But here, a lot of people didn't know me already. But just from the one talk I gave, they like loved that talk. So they were like already fans from that. They were like, we loved your speech. And like sometimes, yeah. Anyway, I could go on and on and on.
Starting point is 00:05:44 But like the whole thing has just been like a dream and just so lovely. And yeah. So I'm like basically savoring every moment of it because I'm going to have to get back to work because I have like a lot of other projects coming. And so it's just like, I'm going to. enjoy this time because like pretty soon I'm going to be hitting the ground running again. Because I know you and you're a grinder, right? Like you just, you're a workhorse. Like you've been putting out content consistently for years. And I know you've been grinding on this book for a long
Starting point is 00:06:10 time. And so, you know, I know that feeling of like you're, you're just working, you're putting out stuff, you're being consistent. And then eventually you come up for air and you realize like, oh, wow, all this stuff like someone was actually consuming it all that time. And they really like me now. And like that doesn't, it's often. hard for that to land, especially in the era of post-COVID and, you know, living in crypto, which is all online all the time. And it's like, it's very, there's so many elements of it that feel impersonal until you finally make contact, you show up at an event and people are like, you change my life. And now I have a, you know, I went into the industry because of you.
Starting point is 00:06:45 And it's like, holy crap. Yes. I've had so many people say that to me over the years. Like, it's really surprising. I remember when it started happening, like back in, I guess it was 2017. and just being like, oh, weird. But now it's like having so much. I'm like, oh, it's kind of crazy. I'm just, yeah, putting stuff out there and like it gets people interested. And then they want to work in it. And it's cool.
Starting point is 00:07:06 You know. It's super cool. Yeah. Well, we are super proud of you. Thanks. And seeing all of the incredible reception that your book has gotten has been just awesome to see. And I'm glad that you're savoring it. Because I know it's hard sometimes to actually really feel the success that you've had.
Starting point is 00:07:22 And so it's awesome to go in person and feel that. Yeah, no, I know. I definitely did not expect like even a fraction of what it's been, frankly. So yeah, I'm very grateful for all of it. And honestly, I think the other thing I'm really glad about is, you know, we were a little bit nervous about the DAO attacker reveal. So the fact that that went so well and like nobody, because, you know, I, I, Forbes was not the first place I pitched it. I pitched it to multiple outlets. And some of the other outlets were like, oh, what if this is like when Newsweek tried to reveal who Satoshi Nakamoto was? And I was like, because it's like a weird thing when you pitch it. I couldn't reveal who it was because then if they wanted to, they could steal that. And then like, you know, front run me essentially because there's a long lead time between
Starting point is 00:08:05 when I had the information when the book was going to come out. And so like some places just backed off and they were like, you know, what if you're wrong? And it was like, but like because I couldn't reveal all the evidence, but I just knew, like, there's a difference between the kind of evidence I have and like what's previously been done around Satoshi. But anyway, so, you know, my Forbes editors, they know me and whatever. And like, we have a very good working relationship. And, you know, frankly, we just love working together.
Starting point is 00:08:32 So it all worked out super well. But, like, you know, it was definitely kind of like a dicey thing. And so the fact that that reveal went well and like people are accepting kind of like, I've literally not seen a single person been like, you were wrong. So yeah, it's definitely, you know, let's just put it to the thing. Journalists, when they're revealing that kind of thing in the crypto community, they don't generally get that reception. So I'm very, very glad that it worked out. It's like the Convex bug disclosure from last week, you know, and really the solution there is to have them add you as an editor to these publications.
Starting point is 00:09:07 And then you can reveal it yourself. I think that's the solution. Or we have zero-knowledge reveals. Yeah, that would be great. That's like, that's really more the, like, 10-year version of this journalist's revealed. I agree. Certainly. Well, so speaking of big reveals, actually one of the interesting stories of the week that kind of goes into, I guess it'll be the next chapter of the addendum to, or let's say the next version of the book.
Starting point is 00:09:31 So last week, or it's two weeks ago, last episode, we talked a lot about the Axie Infinity hack. And we talked a lot of shit about, you know, the, I just say I talked a lot of shit. I don't want to put it on you guys about the irresponsibility of the Sky Mavis team for their OPSEC and allowing this hack to take place. So in the last week, we've learned something about who the attacker was, and we learned it actually in a very indirect way. So what happened was, so the OFAC list, which is a list of basically sanctioned entities or in the case of crypto addresses that you're not allowed to send money to otherwise you're in violation of sanctions.
Starting point is 00:10:10 They added to this list for a group called the Lazarus Group, which is associated with North Korea. So it's a hacking group that basically is a part of the North Korean government or associated with the North Korean state. And they're very notorious. They've engaged in a lot of different attacks. And one of the addresses that was added to the sanctions for Lazarus Group was the one that was also used in the Axie Infinity hack, which implies that it was North Korea that
Starting point is 00:10:35 attacked Axie Infinity, which is kind of wild. Because if you look at the previous instances, I mean, we're looking at the 10T, or what's 10X? The 10X guy, most of the previous hacks that we've seen in crypto have been crypto insiders or like, you know, in my mind, I always imagine that it's like some Eastern European teenager living in their basement or just like, you know, just reads, you know, random transactions on Etherscan all day. But it turns out that like, okay, North Korea is getting in the game because of the amount
Starting point is 00:11:03 of money. I don't know if you know, like, pretty much all those South Korean exchange hacks, they were all like Lazarus. Right. Yeah, because I actually did an episode, I forget what year that was. Was it 2018 or something? But I had two North Korean experts that talked about why North Korea is interested in crypto and stuff.
Starting point is 00:11:20 So it's actually been going on for a while, but before it was, like I said, centralized exchanges in Korea, South Korea. That's scary. I mean... I mean, do you remember that around the time the Virgil Griffith thing first happened, there were these rumors that like the big LPs on Uniswap
Starting point is 00:11:38 were like Lazarus Group? I don't know. This was like a very popular conspiracy theory. So like who was minting most of the early DAI. Wow. And wait. So did, was that ever confirmed? No.
Starting point is 00:11:51 No, no, no. It was like there were some addresses that happened to be depositing into some of the South Korean exchanges around the time of the hacks. But that was like is very like circumstantial. Like it wasn't. It was a little bit too much of a just so story. But the, the North, what I meant by that is like saying North Koreans aren't crypto insiders might be the wrong. I feel like they actually have
Starting point is 00:12:14 been around. They've definitely been around. They've definitely been around. But I think the, to me, it's a good reminder. So one, it means that, at least for me, I, it makes me more inclined to back off a little bit from how much I was blaming, you know, Sky Mavis. Although, I mean, clearly they messed up in a pretty significant way. But it's pretty hard to defend against nation state level attackers. And obviously, the Lazarus Group is really, really good at what they do, and it just kind of means that everything in crypto now is under the same level of bombardment and attack as the most valuable kind of state level targets as well. And so it's scary.
Starting point is 00:12:53 It's a good thing to keep in mind that there's the standard of security that you need to have in order to withstand all the pressure that DeFi protocols and on-chain applications have today is orders of magnitude what it was just two or three years ago. Yeah, but I don't, well, I mean, not to, I'm not like, judgment on the Sky Mavis team, but I don't know if I'd back off on your judgment, frankly, I guess because the way that the security setup was, like, it wasn't, you know, truly decentralized. It wasn't, it wasn't. But, you know, to, Robert made the point in our last episode that, like, look, these were probably not all, like, these were probably all different servers that the
Starting point is 00:13:33 attack was able to move laterally through within their network. And then they were also able to find another bug, and sort of daisy chain this attack with this other thing that had the super, like, it was actually a pretty complicated attack. And I would assume that Rob was probably right that not all these, uh, you know, not all these addresses, or sorry, not all these, uh, private keys existed on a single machine. And so they probably infiltrated the entire network. Well, a lot of it was phishing, right? Uh, well, they got in initially through phishing, but we, we don't really know exactly what. By the, I think, I think probably everyone who is in crypto has received one of those. Last, I probably got like five a week of these, like, hey, like Chris at
Starting point is 00:14:10 a16z.com shared Docs, Google Doc with you, but then you like it. Something about stable coins? Yeah, yeah. Or like, we get that like twice a month. Is this like phishing attack related to stable coins? Yeah, yeah, yeah. Yeah, I get them too. The solution is just archive all your email every day.
Starting point is 00:14:24 You just get out clear out the inbox and that's one wants, you know, the message you on Telegram. And that's the solution. Yeah. The Telegram spam has been increasing too. I'm wondering if there's going to start being more like spear phishing type things in Telegram. So be careful. Yeah.
Starting point is 00:14:39 Yeah. But, but I just. I just wanted to say, like, I actually feel that this particular hack was like similar more to a centralized exchange because of the setup. Like it wasn't like a normal DeFi hack, you know, it wasn't like an economic hack. It wasn't, yeah, one that kind of like, you know, exploited a vulnerability in the smart contract. It was really more like a centralized setup that they were able to exploit similar to the way that they had done with the South Korean exchanges.
Starting point is 00:15:06 So anyway, so I don't know if that necessarily means that like North Korean hackers can hack DeFi contracts the way that you were kind of implying earlier. I just feel like, you know, it's what I was saying before. Like it's similar to a centralized exchange, but also the security setup for a centralized exchanges, like that's like pretty standard. I don't know it's about standard, but it's been around for a long time because centralized exchange hacks have happened for like years, right? So I feel like it's easier to do security for that kind of setup than it is for like
Starting point is 00:15:35 a DeFi smart contract. And that's why I feel like the Sky Mavis team kind of is. You know, they screwed up, you know, because this is something that probably, like, most people would know how to prevent. Whereas, like, a DeFi thing, I think is harder to prevent. One thing, though, is, like, they're kind of in this worst of both worlds scenario, because the centralized exchange at least benefits a little bit from security via obscurity. Like, everyone can't see the code for their actual internal processes and multisig and
Starting point is 00:16:05 manage key management. Whereas the Sky Mavis thing was almost like, over the... transparent in the sense that you could see it. Yes and no. I mean, the fact that four of the nine keys were held by them was actually not like, that's true. If you had known that, you would have been like, what the, what? But they obscured that, right?
Starting point is 00:16:24 Nobody knew until the actual compromise. Like when you had to explain, how did you guys get popped? And the answer was that, well, we actually had four of the nine keys. And it's like, what? That it's kind of the inverse of, it's like insecurity, which you obscured. Yeah, yeah, yeah. But I think, you know, to Laura's point, these are more sort of social engineering style attacks, which I think they probably have more experience with rather than exploiting, you know, super obscure,
Starting point is 00:16:46 you know, bugs and, you know, Solidity. Yes, clearly it was not like a super deep, you know, there's some corner case of Solidity or like some, you know, VM hack or something. But at the same time, like it's also pretty hard to defend against these at scale. Yeah. Right. Like eventually, if you're, you know, bridges are like exchanges because you have to have like a hot wallet. You have to continually be finding things and moving money around.
Starting point is 00:17:09 And so it is actually really hard to secure that. But, you know, look, I mean, I don't back off entirely from saying Sky Mavis screwed up. Like, obviously having four of the nine keys controlled by a single party is absolutely ridiculous. But, yeah, I don't know that anybody is able to fully resist. I mean, we just saw a recent hack of where was it, Okta that recently got hacked. Oh, yeah, yeah, yeah. Which is like an authentication company that, you know. You could basically think of them as like multi-sigs for normies.
Starting point is 00:17:39 Like that's what Okta's business is. It's like effectively I mean it is they just like do the office. That seems like that would be a big business. It is. I mean they are a business. They're a huge company. It's like a $30 billion company.
Starting point is 00:17:52 Yeah. They're big. Yeah. But like in a world with crypto actually succeeds basically like multisigs should basically replace Okta. Like there shouldn't actually you shouldn't. Okta as a company might be gone or like they'll just be a front end to a bunch of multi-sig.
Starting point is 00:18:06 That I'm saying like in the like I'm trying to like, give you like the idealistic future. I'm not saying it's likely. We should, oh, good. No, but actually, it's interesting that you mentioned that because when I was in Miami, somebody actually told me about their idea about this. And it was actually really, really interesting. But then I don't know, then I kind of was poking some holes at it.
Starting point is 00:18:25 But anyway, the point is, I think a lot of people are noodling on this. For sure, for sure. I mean, Gnosis obviously has the advantage. But I think on, especially on Solana, there's a lot of teams that are trying to like effectively do like treasury multi-sig type of stuff that will be kind of are out and out soon. So I think people want to really do it. I just don't, it's like hard for me to imagine like Fortune 500 buying this, whereas like Okta literally has like every Fortune 500 company using them.
Starting point is 00:18:55 So that's like sort of the difference. As a frame of reference, they're a Coinbase-sized company. Okay. That's. And like every big company uses them. So they are a single point of failure. Yeah. I think I'd use them at when I used to work at CBS.
Starting point is 00:19:08 I'm sure you have. A lot of places in the internet use Okta, you don't even know. Okay. Do you mind if we detour for a tiny second about the one other technical hack identified this week, which was actually quite scary, which is like for a certain particular zero-knowledge-proof implementation, almost all the implementations had this sort of one crucial piece implemented incorrectly. And there was this like 20-minute period where I was like trying to look through them in code to see if the Monero code did it the same way, because obviously live network, a lot of money, versus like most of the other ones are like layer twos or in testnet and not totally live. But effectively, like a very high level description of what this attack is, is... What, can you name the project? Oh, so, so Trail of Bits basically showed that PLONK, which is this zero knowledge proof algorithm, the paper for it actually had a bug in like what they wrote and
Starting point is 00:20:08 the algorithm, like in the math. But then everyone implementing it was just like basically implementing the paper directly. They like basically copied it line by line. And it turned out the piece that they used, they copied incorrectly from like the Bulletproofs implementation, which is in like partially in Monero and other places. So PLONK is implemented a bunch of places like Aztec.
Starting point is 00:20:33 I think maybe Loopring, not StarkWare, because StarkWare is at, it's completely different. And then a bunch of the snark implementations on different layer ones. So like what the one Tezos is using, yeah, the one, the Polygon ones. Yeah. So just to give a high level understanding of like what this bug is, it's like kind of a little bit, it's not super complicated when you describe it in terms of like sort of high level
Starting point is 00:21:00 description of zero knowledge. All right. You're on the spot now. Go. Highest level description of zero knowledge proof. I own some proper, some object, and you want to know if I have it. So what you do is you ask me a series of yes and no questions.
Starting point is 00:21:13 You say, hey, is it golden? And I say yes or no. You say, hey, is it spherical? And I say yes or no. And then you say, hey, is it bigger than this room? You say yes or no. And so after a sequence of those questions, you can be convinced I have it without actually knowing enough about the object.
Starting point is 00:21:30 That's like the very like five-year-old. I think that's five-year-old understandable explanation of zero-knowledge proof. Sure. And one, the problem with that is it's very interactive. So you have to communicate a lot. Like, I have to keep asking you these questions. I have to wait until you get a response. And so there's this thing called the Fiat-Shamir heuristic, which is basic.
Starting point is 00:21:48 Instead of me giving you this back and forth, which is hard to manipulate, but very slow, I actually give you a sequence of questions all at once, but they're randomized. And you have to prove that you answer them in a random order. And so I give you some random number. And then you give me back the answer in like the correct random order. And that's like as if that would be kind of the same as if I asked you those questions randomly. The problem is if you don't seed the randomness to that correctly, it becomes like this deterministic list and you get the same exact ordering every time. And that was basically at a very high level what the bug is.
Starting point is 00:22:25 So then people then can like memorize the answer and then always answer the same question back effectively. That was that was great. That was great. ELI5, 9 out of 10. Suddenly I understand zero knowledge proofs. It just, it all clicked from it right there.
Starting point is 00:22:40 But the idea of what that is like you only have to send all the questions at once, right? It's like I sent you the test. I don't, I'm not doing it like, you know, interactively. Yeah, yeah, yeah. So I think the takeaway from this was that actually, as you mentioned, it was a mistake in these papers that were all kind of copying each other. And nobody actually understood the particular mistake in the Fiat-Shamir part of the paper. And so they were kind of like, okay, well, you proved this part, you proved this part. you added this thing onto the end of it,
Starting point is 00:23:07 but like somewhere up the chain, somebody should have understood. They're like, hey, you have to be very, very careful in how you use the Fiat-Shamir heuristic. And that sort of got lost in translation. And then the engineers were actually implementing this stuff. They're not cryptographers for the most part. They're like security engineers or cryptographic engineers,
Starting point is 00:23:23 but they're not themselves, the people who are deriving this stuff in the first place. And so it's a good reminder that although, you know, we talk about this a lot with respect to layer twos, how layer two eventually is going to replace everything because it's so secure, it's got the same trust model as the layer one. That's only true if the engineering is like completely sound. And everything we know about engineering tells us that there is no engineering that is completely sound.
Starting point is 00:23:45 There will always be bugs. There will always be mistakes. And you see it even in the history of like Zcash, which has had a history of these kinds of cryptographic errors that were not even the original paper. Actually, the paper was sound. But somebody messed up somewhere down the road. There's like some basically the equivalent of like a transcription error that just gets amplified down the road. and then pretty soon it's like, hey, although the paper was right, because the paper can be proved in this closed form way, the stuff that we're doing that like kind of works around the paper
Starting point is 00:24:12 to make it implementable ends up having a bug in it. It is funny. I feel like when I first kind of crypto, people were obsessed with like consensus level attacks, like that was always a discussion of like, wow, is someone going to prevent a 51% attack on this network? And like, we basically never see 51% attacks, like only on kind of like the tiniest, shittiest network. And if anything, it's all these other types of attacks that really proliferated, which again
Starting point is 00:24:33 is not really solved with like a layer two necessarily. Yeah. Yeah, I mean, one thing I'd say is, you know, my co-author, Guillermo always likes to say, like, the only real proof is actually being implemented and, like, running and live. And like, and one of the other things about, you know, my personal distaste, I think, for a lot of the zero knowledge proof papers,
Starting point is 00:24:53 is they're written in this, this, like, the proofs and the algorithms are written in this way where it's like, here is a model of the adversary and here's a model of, like the user and like here's an algorithm of like how they interact with each other. But the way you analyze how they interact with each other is kind of like piecemeal. You kind of like are like this little way of like me sending you a challenge gives you, you report with like this type of reply. And when you when you prove things like that, instead of like trying to prove like broader properties, A, your proofs are all very case based.
Starting point is 00:25:28 So you have like 500 cases and like it's very it's very hard to actually check every single one. like as a reader. Like, as a reader, when you're reading a math paper, you should be, like, reading it. And when you get stuck, like, you go try to re-derive something and, like, verify the things. But the problem with these proofs that have a million subcases is, like, no one's going to verify the 128 subcases, right?
Starting point is 00:25:49 You try to, like, spot check. And, like, that's effectively, for better or worse, that's what peer review does, too, for these papers. So just so I understand what that is, that means, like, when you're creating it, people don't go through and test all the things. that have already been written about how to implement it. They're just like testing specific, like random,
Starting point is 00:26:08 like sort of like a random check at an airport. So like when you write like a math proof, you say like, okay, I'm assuming A and then there's some property A implies B and then B implies C and then C implies C. But the problem is you can also have not linear proofs where you say, I assume property A, property A implies properties B1, B2, B3, dot, dot, B128. And then you have to look through all those cases
Starting point is 00:26:33 separately. And the reader usually, that's not considered like an elegant math proof. It's usually considered like ugly when you have a lot of cases. And like aesthetic people just don't, won't read all 128 unless they're formally verified. It's kind of like, you know, imagine that you were proofreading someone else's book and they had like 500 citations. You're like, I'm not going to like if you have like one citation for like the core thing, if you have 500, I'll check a few of them. But like, I don't know, no matter how good of an editor you are unless you're like being, I don't you're working in a sweatshop. You're not literally going to check every single citation because you...
Starting point is 00:27:05 Yeah, that's not how it works in book publishing, but anyway. But this actually leads me to, you know, because the copy editor, proofreader, or whatever, they will read everything and, like, check everything. I mean, not that I've done this job before. I mean, well, no. They're much more rigorous than the mathematician. I mean, trust me, peer review is a very broken process. You don't have to tell me.
Starting point is 00:27:25 But I do have a question, because this is something that I was wondering about in general about, like, the DeFi hacks and everything. So do you remember back when, this was a long time ago, but was it called imBTC when they did that, like, ERC-777? Yeah. Yeah. Okay. So just to catch people up in case they didn't follow this, there was like this exploit
Starting point is 00:27:43 that happened and people were like, what were they thinking because the exploit was known already. It had been known for like a month or something and then they implemented it in this way where everybody knew that it would be vulnerable. And so it was just like, this is such a stupid mistake. But I did have a question because now that I'm seeing all these hacks, like, so for those of you who've been on my show, you might know that I have this just, just a checklist that I do before I record. And sometimes people are like, oh, it's like a really good list.
Starting point is 00:28:08 And I'm like, oh, you're listening to a list of all the mistakes I've ever made on the show. But it made me wonder, like, for DeFi and stuff, like, is there a place where people are kind of like, you know, collating all these different errors and where people can kind of like look up like, oh, okay, so I'm about to implement such and such, like, whether, what are the known vulnerabilities? Like, if I mistakenly implement it this way or that way, like, are people doing that? Because if not like... There are these collections of them, but the problem is that, you know, there's a lot of translation error that can happen.
Starting point is 00:28:37 Where, you know, you might write in your code base, you might write like A equals one, I equals seven, and you always use that convention. But in someone else's code, they write baby equals one and Iota equals seven. And then you have to like go through and translate and you rename the functions. Like no one is like consistently naming things, right? There's not like a single, the language is the same, but like the choice of sort of like, uh, dialect of like each programmer is actually quite different, which leads to these kind of like divergences between like a specification and the real thing. It's actually very hard to keep them like one to one. Okay. Also to Tarun's point about like, you know, nonlinear math
Starting point is 00:29:20 proofs and like these weird combinatorial kind of issues when like many different factors interact with many different factors. I remember in the imBTC thing. So imBTC is sort of like a competitor to WBTC that uses ERC-777, which is sort of a, you know, different version of ERC-20 that adds some extra functions and stuff like that. And then there was dForce. dForce was just like a pure fork of Compound V2, which is money market protocol. And so in isolation, these things are fine, right? Like a fork of Compound will be hit the same as Compound. There's nothing inherently wrong with 777 or the limitation. But when you put these two things together, well, it wasn't really built for this and that sort of introduced the bug. And so it's like,
Starting point is 00:29:55 if you're not thinking of all these different, you know, you have many, many different dimensions, that these things are intersecting on, and one bad intersection can sort of cause, you know, a terrible cascade. Right. And automatically checking these things may have more cases than the number of particles in the universe, so you're not going to be doing it.
Starting point is 00:30:13 Yeah, and that's the thing, right? We do have static analysis tools that will automatically run over codebases, but to your point, it's like backwards looking, right? It's like the last hack is the thing that you're able to check for. And the new hack or like the sort of the generative interaction of multiple different potential bugs.
Starting point is 00:30:30 Like, there's so many ways in which things can interact in a way you didn't predict before that if you deeply understand how all these things work and how they interconnect with each other, well, that's just being a super experienced security engineer. That's what a security engineer is for. Yeah, I have another idea. I think samczsun should, like,
Starting point is 00:30:47 kind of put his learnings into a course and then train people to do what he does. Is that like a crazy idea? Doesn't ConsenSys Diligence have like a big, is it ConsenSys Diligence that has like a big depository of all these like security and stuff? So there are things like that that do exist that people do learn from. And there's a, there's a,
Starting point is 00:31:04 Ethereum security boot camp, I think, called Secureum. Yes. Are they any good? I've heard they're pretty good. Oh, okay. But the reality is like learning to be a security engineer is just actually really hard. Because it's like learning to be a great editor, right? You can read a book on like, here are the big mistakes that previous books made.
Starting point is 00:31:22 I mean, a lot of it's just like sitting and monitoring things and finding stuff. And then like, you know, but also I think you have to like think very creatively. Like samczsun must have some like good imaginative tools in his brain to like combine all that to like see things that other people cannot see. Like he, I bet he has a very creative mind. Well, the other thing is that it's very different to be an attacker versus a defender, right? Like the kinds of people who are very good. It's called sort of Red team. Red team is like the people who go in and try to attack protocols and break them.
Starting point is 00:31:52 the kinds of people who do that are not necessarily the best security engineers. To be a security engineer, you also have to be thinking about how to solve application level problems and make sure that, okay, we're going to build this thing in a secure way, but we also got to make sure that it works, that it's performant, that the UX is good. And you have to balance all those things together in order to build a protocol well. And of course, like with most of these protocols, like, I mean, we see it because we're VCs and so we're backing a lot of these guys. You know, there are very few security engineers who have meaningful experience, you know,
Starting point is 00:32:22 doing security in Solidity. A maybe more kind of trite way of putting it is like, an attacker only needs a proof of existence. They need just like one counter example, right? But a builder and security engineer need to be for all. They need to like consider for all cases. Clearly one is like way less work than the other. Right.
Starting point is 00:32:41 And like that ends up being like the biggest problem. It's like the combinatorial search space for the builder is like just so much bigger than the attacker. The attacker just only needs like one entry point. There are so many more attackers than there are. Oh, totally, totally. Yeah. Like the attackers are better funded.
Starting point is 00:32:58 Yeah. Right. After they win, they are even better funded. Yeah, yeah, yeah. So I'd say, like, the way to imagine it is like if to be a security engineer in crypto is like you're a goalie, like, you know, sort of soccer slash football or what you know. I don't know where your audience is. Yeah, but you have to work 24-7, 365. Yeah, but everybody on the field is trying to get the ball.
Starting point is 00:33:17 And they all have their own balls, right? Right. All these different balls are all kicking in and you're constantly trying to catch things. Right. And if one person gets the ball in, the money's gone. Right. But I did see, like, I think this was about Beanstalk. Some security or auditing firm was like, perfect. Perfect. Perfect. Oh, yeah. Oh, what was that? You are the CEO. You are clearly to go on the shows. She's telling us, I was trying to move on. I was like, where did I read this? Okay. So you put it in the notes. Yeah. So I let me give the pre-degree refund on Beanstalk. So Beanstalk got hacked this week for
Starting point is 00:33:48 $180 million, which makes them the fifth largest DeFi hack in history. So it's been a pretty bad month for on-chain hacks. We had the number one hack with Axie Infinity and the number five with Beanstalk. So the attack was actually pretty wild. And so I was looking into this yesterday trying to understand exactly what happened. So the attacker made off with 80 million, meaning that $180 million of it was just, I guess, lost or unclear, just made an LP fees or something.
Starting point is 00:34:16 But also they donated it or something, right? No, that's not. That's not. Okay. So let me explain. Let me explain what happened. So the thing about Beanstalk, so Beanstalk is a stable coin. It was like getting a lot of hype on, you know, I remember you guys are talking about a while back.
Starting point is 00:34:29 So it's like a stable coin protocol. And the governance in Beanstalk was designed to be able to protect against drive-by governance attacks. And the way that it does that is every- Governance attack. Now that's the first time I've heard that, and I love that phrase. Well, so the idea is that when you put up a governance proposal, the governance proposal has to be live for at least 24 hours before it can be voted on. And then if you cross the threshold of voting, then it gets implemented. So what the attacker did, so they needed some lead time because this is a governance-based
Starting point is 00:34:57 attack, which is crazy. We haven't seen a lot of these. Right. So now, normally if you just put up a governance-based attack that says, send me all the money, and then you take a bunch of tokens and you vote on yourself getting all the money. Obviously, no one's going to vote on that. They were like, who the hell is this guy and they're going to get you out, right? So what they did, they did two things simultaneously.
Starting point is 00:35:14 So first is they put in two proposals, almost exactly the same time. So first they put in this thing that was like, you know, their, their governance proposals were called BIPs, like Bitcoin, but it's for Beanstalk. So they did BIP 18. BIP 18 was send all the money to the attacker. And then they sent in BIP 19, but they changed the name of it to BIP 18 to make it seem like it was a name collision. And that's what they put up on the governance forum. And BIP 19, which was, which they called BIP 18, was let's donate 250K to Ukraine. Because Ukraine's having a really tough time and like, it's so great, you know, we want to support Ukraine. And so both of these guys,
Starting point is 00:35:49 governance proposal was live for 24 hours, but no one noticed the real BIP 18, which was send all the money to the attacker. And after 24 hours passed, these things were up for a vote. And what the attacker did, so this was the big mistake that Beanstalk had in their governance, is that they did not make it resistant to flash loans. So somebody who flash loaned the token was able to vote in governance and use that to cross the threshold to implement a protocol change. So the attacker was able to flash loan a huge amount of the governance token, instantaneously vote on the proposal, pass it, receive the- Right before it ended. Right before the vote ended. Oh, wait, do they have the borrow live?
Starting point is 00:36:29 No, no, I think they put the proposal up and then the flash loan was later, right? Oh, I see, I see. Yeah, they took the flash loan and then voted. The flash loan was like right before it ended. I see, right before the period ended. Yeah, yeah. So they flash loaned a crap load of tokens, voted for their proposal right before the proposal window was about to end, which passed a proposal, transferred all the funds into the attacker's wallet, and they made off like thieves and, you know, dumped all the tokens and washed it into Tornado. The Ukraine wallet still got the two-teague. Also, also, there was some very clever low-level bit twiddling to make the payment to themselves not look like the payment to themselves.
Starting point is 00:37:05 They, like, routed it to another function call. So, like, if you wanted to inspect it, you would actually, like, have to, like, go through a few layers before you realize there was a transfer call. It was like they were, like, making it look like it was doing like some very kind of complicated, like, updating. What did it look like it was doing? Like, it looked like it was, like, doing some function to compute, like, what the new interest rate should be or something. And it was, like, named like that.
Starting point is 00:37:27 And then, like, at the bottom, like, this person was actually quite clever. It was a very sophisticated attack. I mean, the thing I personally enjoyed about it was I had a, there were, like, all these people who were just like, oh, yeah, like, I made, like, five million dollars in B. And I'm like, I can't read their paper without, like, even being. to like analyze it. Like, forget about their code. Like, their code reads like nonsense. Because, like, they just name everything, like, after a farm animal. And, like, as I'm
Starting point is 00:37:55 reading the code, it's like pig dot, pig dot herd. It's very reminiscent of Maker. I almost like Maker better. Because the problem is the Maker words. Very few of them were English words or like. Right, right, right. So for people who don't know, so this is a very famous thing that everybody in smart contract world picks on MakerDAO for. So MakerDAO has all these weird words that they invented for concepts inside of their smart contracts that nobody other than the Maker team understands. So there are things, there's vats and there's jars and there's tubs and there's... Yeah, but, you know, flap, flip, flop.
Starting point is 00:38:30 Yeah. They are real words. But... Yes, they are real words. The reasoning behind it, though, is it forces engineers to build to spec, right? When you have common English variable names, it's like, oh, well, this is the interest rate and this is whatever. and you sort of create, you know, shortcuts in your mind of, oh, that's what this variable means. That's what this function means as opposed to, you know, we're going to sort of create this
Starting point is 00:38:52 abstract, you know, spec for what the function, what the protocol is going to do, and you build it this way, and then we check to make sure it was built this way versus, like, you know, humans sort of playing tricks on themselves. I understand the logic, but it's still, it makes it. It is very annoying. It's incredibly impenetrable because of the fact that it's... Honestly, I actually think their design's way better than this. The Bean thing was like, I was like, I remember looking at it.
Starting point is 00:39:12 You know what? I'm not going to analyze. It is like a... It's like a seigniorage shares coin, but with like two extra coins. There's like multiple levels of like expansion and contract. It's very weird. But yeah, someone actually made like a translated version of the MakerDAO code base at some point. They actually had like the real variable names in.
Starting point is 00:39:29 Van de San. Yeah, yeah. He made it. I see. But but but I will say I just like enjoy the schadenfreude mainly because like the only other Tarun on Twitter who is in crypto Twitter was the biggest Bean shill, and like, now he hasn't tweeted for three days, and I'm like, yes. You need to tag him. We need to track him on this episode.
Starting point is 00:39:51 Wow. His name is Rune on Twitter. Oh, oh, oh. Yes, that Rune. He was really shilling. He's on crypto Twitter? Well, I feel like crypto Twitter people always. Yeah, I tweet him.
Starting point is 00:40:03 I see. The biggest Haseeb, actually, this is a related story. So the biggest Haseeb is the CEO of Ifani, which is like a phone porting. Oh, yeah. I know him. You know him. Yeah, yeah, yeah. So I remember I met him in a cafe a long time ago
Starting point is 00:40:16 because he was like, you're the other Haseeb. I need to meet you. And I'm like, okay, I don't have the same need, but it sounds like you really want. He's like, this is very important to you. And so we met up and he was working on Lendroid at that time, which was like a big ICO at that time. And he was like, I have the Twitter screen name Haseeb.
Starting point is 00:40:35 I'm like, I know, I know you do. He was like, yeah, it's really important to me. And I was like, I can tell. He's like, but I don't have Haseeb.com. it's like some doctor in the UK and I'm trying to get him to sell it to me can you help me? I'm like, no.
Starting point is 00:40:50 I don't know. I don't know. I don't know. I don't know. I feel no affiliation despite the real same name. I know, I know. But he's definitely,
Starting point is 00:40:58 he's crushing me right now. So I got to play catch up on the Haseeb game. He's crushing you? How so? I mean, he's got the Haseeb Twitter handle. I'm playing from behind. Well,
Starting point is 00:41:09 I think you have more followers. I don't think that's true. I don't think that's true. I think he has more followers than me. Oh, okay. Yeah, I'm eclipsed every way by the other Haseeb. It hurts. This other Tarun has been on a very fast growth path.
Starting point is 00:41:23 Has he? Because of the wordcel shape rotators. That's true. Yes, that's right. He's the inventor of the wordcel shape-rotator thing. I think that's so stupid. I agree. Do you think it's so stupid?
Starting point is 00:41:32 I do. Okay, let's talk about this. People love false dichotomies. Humans are just like easily bandied into just believing. It's not a false dichotomy. It's a, it's two axes. Yeah. Yeah.
Starting point is 00:41:42 A boolean predicate whose probability of success is one half plus epsilon, where epsilon is 10 to the minus 80th. It's not very useful. Okay. I didn't understand that, but whatever. I don't like simplistic things like that. Dumbed-down things like that. And I also don't like it that.
Starting point is 00:41:56 It like somehow like immediately portrayed journalists as like in some negative way. And I was just like, oh, this is like part of the whole whatever Silicon Valley like bashing of journalists. And I was like, oh, this is stupid. Okay. So you're in a very interesting position because you're like, you're obviously.
Starting point is 00:42:17 Okay, you are a journalist. You are a journalist. You are a journalist. Well, I mean, I think what you do now is like much more than just journalism. Oh, really? How so? Yeah. I mean, I think it's like you're, I mean, you, you're more like a commentator, you know?
Starting point is 00:42:30 Like, you've got to take it on a broader role. I think you have. Well, I mean, I get interviewed by the press, but like. Yeah. I mean, I still consider myself a reporter. Fair enough. Okay, okay. Well, you consider yourself.
Starting point is 00:42:41 I don't think of you as a reporter. I don't think of you as a reporter. I don't think of you as a reporter. But I think most people think of you as just like, you know, because you're not affiliated with the brand, I feel like it's very rare for reporters to not have their own. Like I feel like, you know, all these guys are going on the upside. You're kind of like crypto Louis Theroux.
Starting point is 00:42:57 You know, you're documenting all the weird shit that happens in crypto, but you're amongst us. Yeah, exactly. Exactly. You're one of the people. You're not like a, you're not like a, like, I'm from Forbes. Like, hello. Like, tell me all your secrets. And then I'll write about you.
Starting point is 00:43:08 Yeah. Hunter S. Thompson? Hunter S. Thompson. Well, it's like you're, yeah, it's a different, it's a different relationship. It's a different relationship with what you're covering than, then I think, for almost any reporter. Well, I mean, I feel like my understanding of crypto is probably beyond that of a normal reporter, but like the way I conducted my work, I still think of as journalism. And I'm not doing any differently from how I did it at Forbes, except that like, yeah,
Starting point is 00:43:34 I probably go deeper into it than you would for the Forbes audience. But people often do think of me as being in crypto. I do not think of myself as being in crypto. I think that I'm, like, as close to being in crypto as you can be without actually being in it. What does it mean to not be in crypto? Well, because I'm a journalist covering it. So there's, like, you know, I'm, like, if you guys are all, like, the players playing the game, I'm the referee where I'm, like, kind of in the game, but not in the game. Like, I'm not supposed to affect play.
Starting point is 00:44:02 I'm not, you know. But you did. You said people were convinced by you to, like, join and, you know, change their life. Oh, well, yeah. Yeah, you're playing the game. I mean, you might think. you're not playing the game, but you're part of the game. You're a referee wearing a...
Starting point is 00:44:16 Yeah, you're like... You're like in the WWE when the referee like tears a shirt off and like starts beating with people in the ring. Like you're in the game. Oh, my God. I don't think of myself that way. I mean, like, do you think that I'm like influencing events in crypto? Oh, 100%. I mean, the DAO
Starting point is 00:44:30 thing. Yeah, but what? We just influenced the game. That's a normal journalistic thing to do. Like you, you know, find out like who did this thing. That's what like... I mean, the people on crypto Twitter who are like calling each other out and getting into fights. I would say journalists in crypto have not had as much success at doing it, right? Like the Satoshi thing is a great example.
Starting point is 00:44:49 Yeah. So I don't know. Like if you're successful at it, I think it somehow does impact the market. Oh, interesting. But I don't think revealing who the DAO hacker was affected the market at all. Well, not in the sense that like it impacted prices immediately, but it impacted how people's perception of certain projects was, right? And certain people at different times and impacts, like, their future. I think maybe part of it too is, like, frankly, I feel like the bar is very low for cryptojournalism in general.
Starting point is 00:45:17 Like, there's maybe five cryptojournalists I think of who are, like, smart and competent at their jobs. And obviously, you are one of them. And so it's like, thank God we have Laura to actually, like, cover the industry well because that would be kind of screwed. So I'm serious. No, yeah. But I wouldn't be too hard on journalists, like, for getting things wrong because the, I mean, this is like the basic thing about journalists. I'm like, like, I've had people like my mom, for instance, she was a pharmacist. she's retired. And she, like, couldn't understand what I did because she learned this body of
Starting point is 00:45:49 knowledge and then she, like, applies it every day, right? And, like, my job is I'm supposed to take things I don't necessarily know and learn them fast and, like, learn them well enough to explain them to other people. And it's a skill. It's, like, not, like, having the knowledge. It's a skill. So it's more about, like, being able to learn quickly and then being able to, like, explain things well. Yeah, in that regard, like, I don't feel like I'm a crypto person. I, and, Anyway, whatever. Like, you get what I'm saying. Like, you guys have the knowledge. Like, I don't think of myself as a crypto person. Like, I can learn things and whatever, but like, I'm not in there doing it. Like, yeah, people often come to me and it is weird. Like, sometimes people act like, like, they think that I know like everything in crypto. And I'm like, no, no, no, no. I'm like behind all my sources. My sources are the people who really know what's going on in life to like do my best to like eke it all out of them. But like, you know, I basically harass them a lot to like get that information. But I don't. you know, like if you were to ask me right now to do something in DeFi or like on Ethereum or whatever, it would take me like, I don't know, like five hours. Like I would be like,
Starting point is 00:46:50 people would lose all respect for me. They would be like, oh, we thought she knew what she was doing in crypto, but clearly she doesn't. Because I, you know, I spent all my time like creating content. I don't spend all my time like actually using this stuff, whatever. I like call people up and I want them to tell me things. So it's just different. Yeah. You would also be surprised at how many professional investors in this industry have all themselves never used cryptocurrency. Oh, yeah. No, that actually doesn't surprise me. Because I actually think journalism and VC are like not that different. Yeah.
Starting point is 00:47:19 It is true that a lot of the early TechCrunch writers became like ventures. Exactly. It was like very like soon after. Yeah. But TechCrunch is like I think especially chummy with the industry it covers in a way that like the Wall Street Journal is not. You know, like TechCrunch is like a kind of a different animal than like other media. Yeah.
Starting point is 00:47:37 But anyway. Okay. But we didn't, we never got to my audit point about the Beanstalk thing. So can we talk about that? Oh, let's talk about it. Yeah, because like, so, you know, somebody tweeted about the Beanstalk thing, like, oh, and they were an auditing company. They were like, this is why we only pay ourselves by the number of vulnerabilities that we identify.
Starting point is 00:47:56 So they were saying, like, we get paid by, you know, every time we find a vulnerability when we audit something, we earn money from that. But like, they were saying that other companies just charged by project or whatever. And so there's no incentive for them to like actually find things that went wrong. because they're going to make the same amount of money no matter what. So this company was saying like we're incentivized.
Starting point is 00:48:17 I don't remember. Wasn't it you that put it in there? It was the other ones. Was it PeckShield? No. I don't think I don't think we linked to it. Okay. There's this other problem though that happens
Starting point is 00:48:29 because like if you actually look at different audit reports, different auditors will consider different types of things, vulnerabilities, and there's like a lot of standards. Yeah. For what a, just the basics, of like what a low, medium and high vulnerability are, every other makes ones that are different
Starting point is 00:48:47 and, like, obviously, biased towards the things they're better at. So, like, I'm not so... I feel like you're going to have this, like, Goodhart's law type of thing. Like, if you make that the thing, everyone's just going to optimize for, like, the low vulnerability ones that everyone has by accident, which are actually gas-saving things.
Starting point is 00:49:02 But, like, it'll have this Goodhart type of thing of, like, the metric you use will suddenly get, like... Well, there's never... I mean, that's true no matter what you do though. So like I can believe that it would be better. But at the same time, like, I mean, it's a good question of like, what are you actually buying when you buy an audit? And the reality is like, okay, one thing you're buying is like, okay, if there's an obvious vulnerability, we want you to write it up and explain it to us. But a lot of what you're buying
Starting point is 00:49:28 when you're buying an audit is you're buying like a stamp of approval of like basically a trusted third party saying like you are good and it is safe to use you. Right. Now the vulnerability here in Beanstalk, like the core of the vulnerability was really that you did not have to lock up funds in order to vote. Right? That was the core vulnerability. And that allowed a flash loan to go in and participate in this vote, which is like, you remember, MakerDA had the scare a long time ago.
Starting point is 00:49:51 Remember who it was who published a Peter? Brandon Curtis? Who was B protocol that did it? Just B protocol. Yeah. Has a vote. Everyone's like, what the fuck? They're like, yeah, yo, one thing to go through. And they're like, don't do you.
Starting point is 00:50:03 Oh, that's right. That's right. And so Maker had this big scare that, like, all of Maker could have been turned off or something, you know, some horrible thing could have happened through a flash loan, and so Maker was the first one to say, okay, we're going to make it so that you cannot flash loan governance. But this is a very basic vulnerability that Beanstalk could have done to mitigate the whole thing. The other very basic issue is they don't have a delay between when a proposal is passed and when it's actually implemented. So something like Compound, even if a malicious proposal goes through, there's a 48-hour delay between before it actually goes live and see one like zero X and most other protocols.
Starting point is 00:50:35 Well, they did have a time lock. The problem is their time lock had like some sort of like the two-proposal thing actually messed up their time lock execution. Oh, really? God. No, no, it's actually not so, it's a little bit more subtle, unfortunately, that, like, the person who did this did notice a lot of, like, kind of nuance about the time lock. I'm curious about that because I know there's like obviously delay between when a proposal
Starting point is 00:50:59 goes live when it can be voted, but even like, you know, again, for Compound, even something gets approved, like it doesn't actually go live for another 48 hours. Yeah, yeah, yeah, yeah. So the problem here is that when you have two proposals that are proposed, you know, at roughly the same time, you have this problem where like the time lock only really applies to one if you don't set it up correctly.
Starting point is 00:51:19 And so a lot of places will just be like you can only have one proposal a lot of at time or like, or they have to be staged in some way. Whereas the Beanstalk thing did not have that. I see. Did they roll their own governance? No, everyone just modifies Compound like pretty much. But they didn't include
Starting point is 00:51:35 those parts. Yeah. So in general, after these DeFi hacks, how did they get, but how did they turn it into real money. Do they? And because like a lot, well, we've seen that a lot of like exchanges or whatever will kind of blacklist the addresses, but like are people actually getting money out of it? Oh, yeah. It depends. Sometimes it is very hard to liquidate. Like, you know, if you have a stablecoin and you can't get across the bridge. But in this scenario, they just put a bunch of ETH in, like, Tornado Cash. And then depending on the size of the
Starting point is 00:52:02 anonymity pool for the asset also that you're hacking, you may or may not be able to anonymize it effectively. But I think for this amount, it should be like too difficult depending on how long they wait and how long they are, you know, it is significantly easier for Bitcoin, though, I will say. Oh, interesting. Just like the volume of just like. Using Wasabi, which now we all know you can demix that. Yeah.
Starting point is 00:52:24 Yeah, you can demix it with a lot of resources, right? So the question is like, is someone willing to pay that much to demix? And so for like an 80 million hack, it might actually not be like you might not get someone who's. Wait, hold on, hold on. Are we actually, do we all agree that you can, just demix Wasabi transactions now? Oh.
Starting point is 00:52:45 I, because I registered, I think when we originally talked about this, I was like, I'm skeptical of this. Yeah,
Starting point is 00:52:51 that reminds me, I know. We'll discuss this another time. There is, because there's a video. I will somehow have to find this
Starting point is 00:53:00 in my Twitter mentions that I did mean to watch where someone made some video where they analyzed kind of like what happened with the DAO hacker
Starting point is 00:53:10 and like what happened with that demixing. And it was like a Twitter handle where I was like, oh, this person would definitely know. And I meant to watch it. I never got to watch it. So let me do that. Okay. I've had like such a whirlwind two months or whatever. So to be continued. Yeah. But at least you know there's some partial information that's. Right. If you messed up, if you messed up kind of post mixing like, I can totally understand that they're. I just think the Bitcoin mixing services have way more liquidity. And also the Tornado
Starting point is 00:53:35 withdrawal sizes are like, they don't have enough. Yeah, they don't have enough. But this is like 10 a day. Yeah, yeah, yeah. That's what I'm saying. I agree that 80 mil could get out. But like if it was like the Ronin hacker would be. Yeah. I mean,
Starting point is 00:53:49 didn't they just like mass sell on Curve and just turn out of being into. Yeah. So then how much did they get? 80 million. Wow. Okay. Because, okay, so then that answers my question. Because the question I was going to ask is like, I thought that a lot of these people
Starting point is 00:54:03 couldn't even cash out because, you know. Cashing it, like turning it into a different asset is one thing. Cashing out is another thing. Yeah, do you mean like getting into dollars in a bank account? Well, just getting away with something where they can actually make money from it. However, we're defining that. I think was you get clean ETH, like, you know, you can sell it and report it as income. I think the IRS is very explicit that like, as you don't care if you're committing crimes as long as you declare income and pay taxes on it.
Starting point is 00:54:28 Oh, my God. Yeah. So do you think these hackers are paying money on their hacks? You could use there's like an other income. I mean, if they don't want to get caught by the IRS, they should be paying taxes. That's how they got Al Capone, right? Yeah. Wow. Yeah. It's fine to do crime as long as you pay your taxes. Okay. Okay. Well, but the reason I was asking was because I was wondering, you know, some of these bounties are like somewhat generous. I mean,
Starting point is 00:54:51 so one of the, I don't remember which one it was, but one of them was like roughly two million or something. And I was like, oh, well, if they can't really cash out, then like, it's better if they take the $2 million. They can cash out more than $2. Okay. Yeah. Well, yeah, clearly now. Beanstalk tried to renegotiate. And I said, hey, you know, send us back 70. You can keep eight for yourself. And we won't look at go after you want, like, after you, like, it'll be done. Right. They're gone. That does not sound like it would have to work.
Starting point is 00:55:15 That is not sound like what to work. I do think it's still a little hard to, like, sell all of it at once. Not at once. You know, I feel like usually what people do is they really use is collateral. And then they start just, like, collecting, you know, kind of like earning spread and via perps and things like. Like, like, Bybit used to be kind of the exchange that the hackers all go to because they never did KYC.
Starting point is 00:55:38 Yeah. Yeah, they used to just never KYC. Yeah, right. I mean, there's still a few non-KYC exchanges, but they don't, most of them don't do that much. They're just no volume, yeah. You can't really get out there. Yeah. Also, a lot of banks won't, like, ACH to, they won't wire to them and stuff.
Starting point is 00:55:53 So it's like, you kind of. Yeah. I mean, I have to assume most of these attackers are not American anyway. But they still may want to wire to a real bank account eventually. Yes, yes. Because, like, we're not in the world where everyone's using stablecoins, yeah, for everything. Yeah. Yeah.
Starting point is 00:56:08 Yeah, at that size, it becomes difficult. But look, if you're North Korea, then... If you're North Korea, it's fine, right? Yeah. Obviously, if you're North Korea, then, yeah. You're not going to pursue a bug bounty. Probably not. Probably not. Okay, the last piece of news that I want to discuss was so...
Starting point is 00:56:24 A lot of what I was... I feel like I was getting on Twitter and a lot of chatter from people was about the merge being delayed. And I feel like this is, like, the biggest non-story of all the stories this week that, like, somehow everybody was talking about this. And I was like, how on earth do you think that like the Ethereum Foundation was going to hit this deadline? Of all the deadlines they've missed in their entire lifetime, like, clearly they're awful at software estimation. And we should just like bake that in to the numbers they go.
Starting point is 00:56:51 But somehow, like, nobody was doing that. It's probably because there's been so many delays that like it just feels like at some point it's going to happen. And so, yeah, when people were saying June and they were saying it for kind of a long time. But you're right. I had some big on my show last Friday. I listened to it. Yeah. I thought it was like, again, like very non.
Starting point is 00:57:07 answer. It's like, oh, we're not good at estimating. I'm like, yeah, we know. We know you're not good estimating. But I can't remember if this was in the recording or not, if he just said it before. But he was just like, I'm surprised that people are all up in arms about this because he was like, I kind of offhandedly said June and, you know, it wasn't like a fixed thing.
Starting point is 00:57:22 But everybody had it, like, as a fixed deadline. I mean, it's exactly the problem with the Ethereum Foundation. They're like, well, we just say things. Why would anyone care what we say? Like, we're just a bunch of deeds. I also, I also think a good, if someone wants a little data science project to docks a lot of the development correlate the commit times to the hackathons. And you'll see this like, it looks like a heartbeat.
Starting point is 00:57:47 It's like, that's why they have to have a hackathon every month because otherwise nothing, like, really nothing gets up. I'm totally going to check that out. Yeah. There's like a lot of weird correlation with the hackathons. But one other, one thing I would say is like, I think the longer that's delayed, the weirder or worse it is for ETH security. because the sheer dominance of staking derivatives at this point and the percentage of the network that's like sitting waiting for like in the one-way contract and having like staked ETH being levered
Starting point is 00:58:17 kind of just like means that there's just going to be this huge amount of sell pressure as soon as the network goes live because there are all these people who've locked up capital for all yes sure they're earning some interest on their staked ETH somewhere but it's not like a lot and there's just an enormous amount of capital locked up that's just waiting for it to come out on the other side and like all those people have to sell at some point right like especially if they're funds they're going to get like capital calls etc right i don't know how many funds
Starting point is 00:58:47 are going to return staked ETH but we there's a delay mechanism i disagree with that because we don't know how much is going to come in the other way right once the opportunity cost of staking goes way down because of the fact that you can actually go two-way i think you'll see a lot of capital is like, look, I'm not going into proof of stake when like, I don't know that proof of stake will ever actually be that two-way street. And even when the proof of stake merge happens, it's what, like another upgrade until people can actually withdraw. But, but I just mean the people who are going into Lido, there are people raising funds that literally are just taking like 5% fees just to put you into Lido. Wait, what? What? Yeah, it's the same as these people raising funds to
Starting point is 00:59:24 go into Anchor. So there's these people who are raising funds where they're basically charging people 5% to take stablecoin to take dollars and they convert to UST and then they put it into Anchor, get 20%. Oh yeah. Yeah. There's a ton of people doing the same exact thing for Lido and they're all doing the levered Lido. So to give some context, if you have a bunch of ETH, you want to lock it into the bridge
Starting point is 00:59:47 contract so you're validating the beacon chain. You can earn interest on your Ethereum, but you can't really get it out. So you've locked it up and you're earning interest, but you can't actually remove it. Staking derivatives allow you to pool ETH with other people's ETH, and then there'll be validators that go earn that yield, and then there's sort of this IOU called staked ETH that you get, and staked ETH is extremely liquid, and in every DeFi protocol, so you could effectively treat it like ETH, and it stays pegged,
Starting point is 01:00:12 actually weirdly stays pegged, because theoretically it should actually be worth more, but everyone is discounting exactly by the rewards, which is like a very funny fact. It's sort of like a weird, weird anomaly in some ways. Like, other staking derivatives don't have this property. And so people have the staked ETH, but it's all an IOU for the real ETH, right? And they can't actually get back their real ETH. And if people are raising these funds where they're like,
Starting point is 01:00:35 hey, we'll earn, we'll go do the whole like staking thing for you. And it's like some institution that like bought a bunch of ETH. And they're like, we'll, you know, we'll take 5%. You get like the remaining. Those funds eventually have to close out, right? They have, and they're not, are they going to return staked ETH to the, if that happens, then everyone who gets the staked ETH is going to just sell for real ETH eventually, right?
Starting point is 01:00:58 So, like, there's some, some kind of, the longer this takes, the more the crazy levered behavior we're seeing. We're seeing people, like, lever up on staked ETH like crazy. Yeah. Actually, like Babylon Finance released something this week where, I mean, this is your whole thing around, basically automate the strategy of putting on staked ETH, borrowing ETH, turning into staked ETH, putting it back, and just like levering up. And, you know, they're estimating like 8, 10% using this strategy. But the question is just like, when do we see ETH interest rates go up to sort of compensate and, like, exactly. Yeah, pull in the market.
Starting point is 01:01:27 This whole ultrasound money thing only works when this type of levered game is not happening. Yeah, yeah. That is going everyone wants Anchor yields. Like, Do has basically made it so that everyone has to be chasing 20%. And, like, everyone in ETH land thinks that's not true. But when you look at what's happening with staked ETH, it's like, oh, yeah, everyone is literally just trying to chase dough. Yeah, this is why the Fed's hiking rates. They're like, we got to match Anchor right now.
Starting point is 01:01:51 It's been competitive out there. I just, yeah, I just wanted to point that out. There's like something weird on the financial side that I feel like the developers don't seem to give a shit about because everyone in ETH 2, every ETH developer I talk to is like, staking derivatives are dumb. Like they'll never survive. And it's like, well, actually, there's such a huge portion of ETH in there now that it's a little bit not true. That's fair. So I know this is like a slight detour and we don't have to address it right now, but I am curious what you think of the whole Anchor thing because like I had Kevin Zhou on my podcast. Oh, from Galois.
Starting point is 01:02:25 I love that clip you had. The Twitter clip of his thing was excellent for Anchor. Yeah, I mean, because, like, he thinks it's not going to, you know, it's not going to pan out. And it's definitely, you know, just going to go south at some point. So I was just curious, like, what you guys thought. Because, like, yeah, just if you follow that whole thing on Twitter, like, there's very polarized views on either side. Yes, yes. Well, first, caveat, we're investors in Anchor.
Starting point is 01:02:49 So we invested in early round. What's their view? I don't know. I guess I'd say that like, I mean, so Anchor did modify the protocol so that the interest rate can actually move over time. So it can now adjust compared to what it was before, which is like this flat 20%. But it's over a much, I think it's like once a month. It can calibrate by like a percent and a half or something like that. So it can't actually respond that quickly or in real time.
Starting point is 01:03:15 I guess it's like closer to the Fed, I guess, and then kind of very staggered moves. You know, by and large, I think the biggest risk is not actually to Anchor itself and more to Terra, although they're both. obviously very interlinked. At the end of the day, all these algorithmic stablecoins have to get exogenous usage. Otherwise, it just doesn't work. And so the question,
Starting point is 01:03:33 I mean, Kevin was sort of pointing, like, look, there's no exogenous usage for this stuff. Which is like, okay, I mean, I mostly agree. So the answer is that they got to get exogenous usage, otherwise the thing's going to break. I think another interesting thing that scares me more about it, and this is not necessarily a knock on UST. This is more a knock on the type of people
Starting point is 01:03:53 who are putting ridiculous amounts of money into Anchor is like a lot of the dumber TradFi people that I know who are like, probably couldn't tell you what a hash function is. They don't know what the address is. They're the ones who are really aping into this stuff and putting in like $100 million into like these Anchor funds.
Starting point is 01:04:14 And they don't know anything about crypto. They're just like someone told them 20% on cash. Wow. Oh my God. And so that scares me because I'm like, wow, these people, That, that, it's like, it's like, the psychologist, people who don't even know what they're investing in is always like the, that to me is like, feels very like big short. Yeah.
Starting point is 01:04:32 Something about that's like scary. Going back to the crypto journalism stuff, we were talking about earlier, there were like two profiles on Do Kwon this week. And Luna specifically, I think there was like one in Bloomberg and like one in the Journal. And I just feel like it's a testament to like crypto journalism like where have you been for the past year? Like, you know, this has been a thing for the past year. like the Luna UST rise and it's like, oh, now that it's at, you know, whatever, $10 billion or whatever, it's like, oh, what's going on with like Luna? What's going on with like Anchor?
Starting point is 01:05:00 I'm like, what? Like, it's like, yeah, just very. And anyway, there was a lot of concern and, yeah, about the whole Anchor UST situation. I will say. But I just have to say, like, that's the nature of our job is like news has to happen and then we like write about it. So it's like always like after the fact. But anyway, keep going.
Starting point is 01:05:17 I think the one thing I do really appreciate, I think, long term for UST, from a developer's standpoint, if they can get to it, is actually building good smart contracts on Cosmos that can interact with all the other Cosmos chains. And, like, if they do that, I think the usage will come. I actually am more bullish on the Cosmos, like, app chain world for certain types of applications. I mean, the problem is that UST supply is so big.
Starting point is 01:05:43 They have to, I mean... Right. Well, the UST supply is big because they're these random, like, private equity... Yeah, I agree. But, like, putting a $100 million. Unwinding that is going to be an absolute nightmare, right? So, like, they have to, I mean, it's kind of like they're at that size now. It's kind of like when you grow your government too big, you have to like find some use for them.
Starting point is 01:05:59 Otherwise, it's going to be extremely painful to get rid of people. And same thing for companies, right, but like governments is the most obvious example because they tend to, they tend to get bloated and then not like, not contract. Yeah, it's a one-way ratchet. Exactly. Exactly. And the problem with UST is kind of similar. It's very difficult to drain UST and say, okay, this thing got a little out of hand. Let's like kind of wind things down a little bit.
Starting point is 01:06:22 It's so sensitive to deleveraging that it's just very hard to do it. The answer has to be you have to find the growth to justify your current supply. Yeah. Then you do QT, you know, then you start winding it down. Yeah. And that's probably, well, so I didn't know that much about these hedge funds and these Anchor. Yeah, no, there's just people marketing these, like, vehicles. That's very, that's very scary.
Starting point is 01:06:46 You can't get 15% on anywhere else in your dollars. Just give us dollars. We're only putting in dollars. That's ridiculous. Yeah, no, that is scary. It's funny because, like, so many of the pitches that we get are like, oh, you can use Anchor to, like, bank the unbanked. You can go start a neobank in, like, you know, Africa or in Indonesia or whatever,
Starting point is 01:07:03 and you can give them 20% interest and it'll be so great. Everybody will sign up for this. And, like, the story from Anchor from the beginning has been like, anybody can go get interest on, get yield on stables. I mean, the difference between the outcomes, I think, for Terra and Celo are that, you know, Celo tried to go for the banking, the unbanked narrative. I mean, they're converging now. Terra went for the like, you know, people with money.
Starting point is 01:07:24 People with money and it like, clearly, you know, that did have a cycle. I mean, it's funny because, I mean, there were like so many of these like crypto-backed neobanks out there that are basically trying to do this. Right. Hey, give us dollars. You put it in a Compound or Aave or something else, like not necessarily Anchor specifically. And they had a lot of trouble growing and people have sort of thoughts as to, you know, why that is. Like, are they not spending enough on acquisition or whatever. But one of the theses and sort of what I've heard from some of these companies is like,
Starting point is 01:07:51 it's really hard to advertise we'll give you 8% on your dollars, like don't ask questions. And people think it's inherently a scam. So it's very funny to me that like, at least anecdotally from them, retail is like very skeptical of the 8% yield. Institutions are like, sign me up.
Starting point is 01:08:08 That sounds great. I'm sure there's not a... Take the bell curve meme. Yeah, I think that's what you need for this. Yeah. Oh, yeah. Yeah. Yeah.
Starting point is 01:08:16 Middle of the bell curve is where you die. It's unfortunate. Yeah. But... So I don't know if this is like taking us too far off topic, and also, I didn't know what the time is. But I feel like, just to go back to your Cosmos comment, I feel like I hear a lot of chatter about Cosmos, but not about Polkadot. And I just wondered. For a reason.
Starting point is 01:08:33 Yeah. So, yeah, explain that to me. Do you want to explain? I don't know if there's like a pretty strong reason other than like Cosmos was able to bootstrap a lot of liquidity. Like it's just easier to get started writing Cosmos app chains. And once Osmosis became kind of like the connector. So the Cosmos model, I would say the initial weak part, in my opinion, you know, obviously extreme Cosmos fans will probably maybe disagree, is that the ATOM coin has pretty
Starting point is 01:09:05 much no usage. There's no reason to actually go to the hub, which is like the main place that ATOM is staked. And instead, it would be much better if you had like something like a DEX that was sort of like secured a DEX chain that was secured because then everyone has to go through there. And it kind of like can kind of have this like, you know, virtuous cycle. And so Osmosis did that and that kind of bootstrapped everything in Cosmos. Because everyone in Cosmos land was running their own app chains.
Starting point is 01:09:33 Like no one was using IBC. But then you, the killer app for IBC was really DEXs. And like being able to go between these chains and like have liquidity on different chains. And I think the UX on Cosmos chains, the wallets, are really, really magnificent. I think probably the best acquisition in crypto in the last two years was the Osmosis team buying Keplr,
Starting point is 01:09:56 which is the main wallet, and is probably the best wallet in crypto. Better than Phantom, better than MetaMask, better than it is the best UX, period. Wow. I almost to try it. You should try it. Yeah, there's about to be a new record for best acquisition,
Starting point is 01:10:09 but that news will probably come out soon. Well, I still, I think that the price that the Osmos, that that was the best stack was like like they literally made the whole ecosystem it went from a billion dollars like 17 billion because of that wallet yeah yeah and they paid a very tiny amount relatively right and then what about Polkadot so i think the the thing about Polkadot the wallet the i don't think it's about wall i think it's a more fundamental strategic mistake Substrate is hard to use so there's a bunch of stuff about the actual tech stack and also about kind of how top
Starting point is 01:10:39 down uh Polkadot has always felt relative to Cosmos which has always been kind of more bottoms up It was also much older. I also caveat, we're early investors in Cosmos as well. But the big thing that I think Polkadot messed up is the parachain model and the parachain auctions. So like Polkadot decided that in order to use Polkadot, instead of like on Cosmos where you just, you kind of, you know, it's much more open-ended and you kind of, you know, you find your place in the Cosmos ecosystem and you carve out your own niche. The idea for Polkadot is like, hey, if you want to use Polkadot, you need to sign up for this auction and you need to pay a bunch of money or like, you know, stake a bunch of assets. and compete in this big pageant of, you know, who's going to win the next auction? Like, oh, it's going to be this guy or that guy.
Starting point is 01:11:21 And so projects have to raise a crap load of money to pay it to Polkadot and raise debt and wait a very, very long time until they get actually integrated and win the auction. Now, if you're an entrepreneur, you're like, okay, I could go to any chain. I can build anywhere because I'm an awesome entrepreneur and I'm in very low supply because there aren't a lot of great entrepreneurs. You say, okay, well, I could go to Solana where they'll pay me a lot of money. I could go to Avalanche where they'll pay me a lot of money I could go to Polygon where they'll pay me a lot of money
Starting point is 01:11:45 I could go to Cosmos where I could build bottoms up and do whatever where I'd go to Polkadot and pay them a lot of money. Right. Wait, what? Why are you asking people to pay you money when everyone else understands the transaction goes the other way?
Starting point is 01:11:59 You need to attract developers, not charge developers. Yeah. And Polkadot just has as well in order to be sustainable we got to charge people otherwise what's the point of DOT. Yeah, but...
Starting point is 01:12:09 It's great for DOT, bad for Polkadot and Cosmos is like, like great for Cosmos, but terrible for ATOM. ATOM is Dogecoin of layer. Honestly, like, it truly doesn't really have much of a purpose. They've tried to make, they basically try to copy
Starting point is 01:12:23 Osmosis, build a DEX, build a bridge, all this stuff. But like none of the, they're, they just kind of missed out in liquidity. I'm curious, actually, to get your thoughts on, no, there's a new Cosmos proposal right now to basically, like, allow people to use existing Cosmos validators. So, like, sort of bootstrap their own, like, validator set, which sort of more Polkadot-like,
Starting point is 01:12:40 like, what do you think of that? I think the liquid staking is effectively the easiest way to do that. And like, that's why I think you're seeing a lot of these chains have these staking derivatives, where basically like I can pay validators validating another chain in this other chains coin, which is basically a version of the Polkadot crowd loan, except because there's so much liquidity on Cosmos, it's like actually easier to bootstrap. Because it basically will feel like Lido to the end user. But I actually think the Polkadot crowd loan model is actually very elegant.
Starting point is 01:13:14 The problem is it's like impossible to bootstrap for this reason. Like who wants to pay to use it to start? And like they have this thing called a crowd loan where basically you pay some portion of your token supply up front and then people basically fund your Wii with dots. But then again, the dot holder base is not that diversified. So you don't really, it's like I think if there were like more dot holders who were like not super close to the original team. Like there you might see more,
Starting point is 01:13:41 you might have see more crowd loans. No, but the flaws that you're describing, now that I know more about Gavin from writing my book, they sort of make sense to me, actually. What do you mean? I was going to say, you're the Gavin expert here, so you should be telling us about Polkadot. Well, but from your read of the book,
Starting point is 01:13:58 like, do you agree that it sort of makes sense for his personality? Totally. Yeah, yeah, it's like kind of megalomaniac style. Like, everything has to go through me. Yeah. Like, Gavin. Yeah. Yeah, it was, so this is the Cryptopians. Yeah, it was pretty interesting. I think there's
Starting point is 01:14:12 always these, like, cult of personalities around early crypto people or crypto people in general. Like, I know a lot of people cite their investment thesis for Polkadot being, oh, well, Gavin Lerner is a CTO of Ethereum. I'm like, yeah, but like, what do you know about Gavin Bionni? What about Charles Hoskinson CEO? Oh my God, guys, today, I was at the dentist. And when he found out what I did, he engaged me in this kind of long conversation about crypto. And at a certain point, he was like, what about Cardano as he called it? And I was like, oh my God.
Starting point is 01:14:41 And then I said to him, I was like, you should read my book. I was like, if you're interested in this, you should read my book. But no, I mean, yeah. Sounds like the worst dentist appointment ever. If I, if I dentists started talking about Cardano, I would not come back. This is at the end. Dentists are exactly the demographics. Cardano is targeted.
Starting point is 01:14:58 100%. The average user of Cardano is a dentist. No, no, average owner. User. Sorry, user. Yeah. It's getting some stuff. It is.
Starting point is 01:15:08 It is the thing that Nomad is bridging to. They have an EVM chain, which is generating almost all the transactions. Oh, wow. It's like none of the Cardano native apps are running. Wow, that's hilarious. Gavin does have a lot in common with Dom from DFINITY, I feel like. Oh, yes. Oh, my God.
Starting point is 01:15:25 That is such a good call. I never thought of that, yes. Yeah. So, I mean, that's the thing. It's like everything in crypto that works has been very grassroots. Right. Well, actually, that's not true. That's not true.
Starting point is 01:15:37 not everything, most things in crypto. Well, Bitcoin, Ethereum. Solana probably is the biggest exception. Solana, I think Avalanche is also, you know, less grassroots. I think Terra, obviously. Terra is like the least grassroots. Yeah, but I consider all of those like new and not established. Solana, Avalanche, Terra.
Starting point is 01:15:54 Sure. I think Cosmos, I think is very grassroots. I guess there are different approaches, right? So maybe that was a bad comment because I think we've seen success in both different. Yeah. I think it is very more bazaar and less much, less cathedral. Like anytime anyone comes in with like their master plan of like how to solve crypto, it's like, this is not going to work. What did we say about stablecoin inventors?
Starting point is 01:16:16 Very related to that discussion last time. Okay, well, I think we're over time. We're going to wrap for today. So thank you, Laura, for joining us today as a very special guest. I hope I did a good stand in of Robert. You were very Robert-like. You were, you were almost as good as the Robert himself. I didn't say GM, GM. You did. You did. Well, you were, you just did. You did. You did. You did. You did. You did. You did bring a lot of DeFi daddy energy today. Oh, no, what was it? Lending daddy? Lending daddy. You did bring a lot of lending daddy energy. So I appreciate that.
Starting point is 01:16:44 All right. Well, that's it for today. Thank you, everybody, for listening. And I think next time we'll be back in the Metaverse. Yes, we will. That's it. All right. Thanks, everyone.
