Unchained - The Chopping Block: Who’s to Blame for the Curve Hack? - Ep. 526
Episode Date: August 3, 2023

Welcome to “The Chopping Block” – where crypto insiders Haseeb Qureshi, Tom Schmidt, and Tarun Chitra chop it up about the latest news. This week, Laurence Day, smart-contract sleuth and co-founder of Wildcat Finance, joins the show to discuss the ramifications of the Curve Finance exploit that has the DeFi world talking.

Listen to the episode on Apple Podcasts, Spotify, Overcast, Podcast Addict, Pocket Casts, Stitcher, Castbox, Google Podcasts, TuneIn, Amazon Music, or on your favorite podcast platform.

Show highlights:
how Curve Finance, one of the most prominent DeFi protocols, got hacked
why maintaining different coding languages and clients is so hard
whether developers are responsible for this kind of attack
whether Curve founder Michael Egorov’s loans in Aave and Fraxlend have put DeFi at risk
how the loan in Fraxlend impacted the liquidation price of the Aave loan
Tarun’s reaction to the situation, given that his firm Gauntlet has tried to mitigate these risks in the past
how people in the community worked together to keep DeFi safe and resilient
why Tarun got canceled on LinkedIn
what happened with the BALD meme coin mania on Base

Hosts:
Haseeb Qureshi, managing partner at Dragonfly
Tom Schmidt, general partner at Dragonfly
Tarun Chitra, managing partner at Robot Ventures

Guest: Laurence Day, co-founder of Wildcat Finance

Disclosures

Links

Unchained:
BALD Token Falls 90% Amid Rug Pull Allegations
$60 Million in ETH Bridged to Coinbase Layer 2 Base
Curve Founder’s Liquidation Could Trigger Chaos for DeFi
$52 Million Drained in Curve Finance Pools Exploit
Curve Exploit Results in Largest MEV Block Rewards in Ethereum’s History

CoinDesk:
Curve Founder Deploys New Liquidity Pool to Address FRAX Debt Situation
Spooked by Curve Liquidation Threat, DeFi Protocols Shore Up Defenses
Aave Should Block Curve Token Borrowing, Risk Management Firm Proposes
After the Curve Attack: What's Next for DeFi?
Transcript
Not a dividend.
It's a tale of two Kwan.
Now, your losses are on someone else's balance.
Generally speaking, air drops are kind of pointless anyways.
I'm named the trading firms who are very involved.
D5.Eat is the ultimate policy.
DeFi protocols are the antidote to this problem.
Hello, everybody. Welcome to The Chopping Block.
Every couple weeks, the four of us get together and give the industry insider's
perspective on the crypto topics of the day.
So quick intro, first we've got Tom, the DeFi Maven and Master of Memes.
Next, we've got Tarun, the Gigabrain, and Grand Poobah at Gauntlet.
Then today, special guest, we've got Laurence, the smart contract cyber sleuth. And then you got myself,
I'm Haseeb, the head hype man at Dragonfly. So, uh, we are early stage investors in crypto, but I want to caveat
that nothing we say here is investment advice, legal advice, or even life advice. Please see
choppingblock.xyz for more disclosures. Laurence, welcome to the show. We have you here in
somewhat inauspicious circumstances because there's been a lot of mayhem going on in DeFi, and we
thought you were just the guy to help us decipher everything that's going on.
I'm not sure there's been a day in this quarter that would qualify as an auspicious day to appear on a podcast.
So, to be honest with you.
There was one day, there was one day when Ripple went up a lot that I thought was an auspicious day.
The rest of them have been pretty crappy.
Actually, you know, I think for the audience who might not know, Laurence himself has dealt with creating a protocol that has had an attack.
And so maybe a bit of history on your experience would be good for the listeners' edification.
Yeah, I'm happy to talk about that.
So in 2001, I worked as a contributor to a protocol called Indexed Finance.
The idea there was that you could model index funds using Balancer LPs, or forked Balancer LPs.
They were attacked in October of 2021 using a, it was a flash loan attack combined with some overflowing of some Sushi tokens into a particular pool.
It's honestly, it's been a year and a half now.
The details are starting to slip from me, but like I, all this is to say,
I know what it's like to be on the other side of that.
And, you know, to kind of pick through things as they happen.
It's, I wouldn't wish it on anyone.
And now you've been, I think, giving talks about sort of the state of the art when it comes to whitehatting, and you're also working on your own new project now, correct?
Yes.
It turns out my bit.
Last year, EthCC was a rough overview of the attacks that had happened.
I think we'd had, like, over 50 attacks that had appeared.
Like, last year was a particularly bad one for DeFi hacks and bridges in particular.
And this one seems to be a lot more muted,
and it had been commented on Twitter
that it seemed that the pace had slowed down a bit
so people are starting to look in slightly more esoteric places,
which we will get to over the course of this chat.
But yeah, I never thought that my bit would be
the attack becomes the commentator, but here we are.
Well, look, I think it's a line of work that you're going to be able to make some
you're going to make some good money in this industry for quite a while
as long as these smart contracts keep getting hacked.
So let's maybe jump into it,
because I think actually there's a lot of different angles to the story.
And it's one that touches on different stories that we've explored through previous episodes of The Chopping Block.
So for those of you who are not aware, one of the largest on-chain protocols in DeFi is called Curve.
So it's an AMM, it's an automated market maker that basically allows you to trade assets that are tightly pegged against each other,
most commonly trading stablecoins.
So what happened over the weekend was that there was a hack of Curve,
and this hack particularly targeted these very old pools that were all deployed, I think a couple years ago.
One of them was JPEG'd pETH, Metronome sETH, and Alchemix's alETH.
So these three pools in particular, in total, it was on the order of about $40 million in total that were hacked.
These were all third-party pools, so Curve allows you to have third parties deploy certain pools of their own configuration,
then they're kind of the core pools of like, you know, the three-pool and whatnot, that those were not
affected by this. And particularly the reason why these pools were affected is that they all
used an old version of Vyper. So Vyper, for those of you who are not aware, Vyper is a smart
contract language that's written to be a competitor to Solidity that has more Python-like syntax,
which is a little bit different than Solidity, which is kind of more Java-JavaScript-esque type
language. And so this older version, now newer versions, actually all of Curve is actually
written in Vyper, but newer versions of Vyper do not have this bug.
It was fixed, I believe, in 2011 or something.
So the rest of Curve is not vulnerable to this bug, but these older versions were.
So this bug freaked people out because Curve is one of the most, you know, well-known,
longest-standing stalwart protocols in DeFi.
And it's actually one of the largest protocols in DeFi by TVL.
At the time of the bug, it had about $3 billion in total assets in Curve.
And in large part, as a result of the panic that's set in after people realize this bug took place,
half of all the capital in Curve has pulled out.
Curve is now down almost 50% of all of the assets in Curve, meaning $1.5 billion
was withdrawn from Curve over the last, call it 48-ish hours.
Let me pause there because I think for a lot of folks,
they may not understand the contours of what it means to say that there was a bug in a smart contract language
or in a compiler. A lot of people have been pointing fingers and saying, oh, my God, you know,
how to kind of mess this up? Like what, what a, you know, why are these people, why are these
people asleep at the wheel? Because this bug was a reentrancy bug. Reentrancy has a very long history
in crypto as being, you know, famously the bug that took down The DAO. It's a bug that keeps
rearing its head over and over again. So, Laurence, could you explain for us? One, help us understand,
you know, how Vyper and this bug fits into it and what people mean by reentrancy. Can you just,
can you walk through that for us?
I think there's probably going to be better resources than me to talk about the nature of what reentrancy is, but basically, you know, kind of reentering a function more than once in the same call.
I think this one is particularly interesting, because as you say yourself, right, when people talk about reentrancy being a root cause for hacks, it's very common, right?
It stretches back five years, six years.
And this is, for the most part, if you're dealing with topics, you know, modern approaches for things, it's a solved problem.
In this particular instance,
so as you mentioned,
Curve is written in Vyper,
and there are three particular
versions of the Vyper release,
I think 215, 216 and 3,
which had an issue
in the way that,
one of the most common ways
of preventing reentrancy
is to just have a modifier
that's just a reentrancy lock,
which says, you know, I'm executing a bunch of code,
there is no more reentrancy allowed here,
you can't reenter into things.
But for the most part, if you rely on that,
then as an assumption that you make,
and you're fine, you know,
you go in, you execute code, and then you're out.
The way that it looked on a much lower level for Vyper here in these three particular versions
is that the storage slots, the part in the smart contract that looks at whether or not
you're in a lock or not was reading and writing for, or it was reading from the wrong
place.
So it would say, here's where I'm like storing my status and then I'm reading somewhere else
to look and go, this is, am I in a lock or not?
And your answer would always be no, because you're, you know,
you're not looking at the place that says temporarily yes.
This was fixed in Vyper 3.1, which was released, I think, December 2021.
So this is a zero day that's lived and died two years ago, you know, where this is, it's ancient history in crypto terms.
The part about it that some people are starting to point some fingers about, I think wrongly, in my opinion, is that when it was fixed, the way that it was dealt with was fix allocation of unused storage slots in the releases,
it didn't have a flashing highlight that said,
hey, there's a bug here.
There's something that needs to be dealt with
and reach out to people.
And you can kind of do that for the curve
because it's a smaller alternative language for the EVM.
If it was something in Solidity,
for example, you would have a much harder time
because you'd have to reach out to everyone.
For Vyper, you've got Curve and you've got Yearn,
and there's a couple of forks.
Of course, if you're just reading the release notes
and you see there's no urgent flag,
then you go, okay, well, it's fine.
I don't need to upgrade.
And for the most part, if you're writing smart contracts and deploying them, you don't necessarily
want to push to redeploy things or upgrade them to the most recent language version of your compiler anyway,
because they're bleeding edge.
There might be things that haven't been discovered yet.
There's a couple of strange qualitative questions that come around when things like this happen.
I think this is the first time that we've seen a wave of bugs all around the same kind of topic based on a trust assumption.
And whilst we all say trust don't verify,
here in crypto, when you are looking at things that are lower down the stack than the language
you're programming in, you know, when you're looking a layer beneath at the thing that translates
things to EVM, you assume, and I think assume is a bad word here, but we do, that everyone
working closer to the bytecode knows what they're doing, right? And we're human. I worked as a
compilation engineer. I know how this goes. There's some interesting questions that are coming
around right now about, okay, so who was responsible? Is anyone? Is everyone? How do you resolve this
going forwards? Does this mean there should be more financial incentive to look at a lower stack,
layer 0.5, if you were to consider the compiler to be that level? If so, who's paying that? VCs don't
necessarily see a return on that, even though it falls under their stack. Developers, perhaps,
but developers will often be the ones taking external funding.
It's a really fascinating conversation that I think is only just started.
I think we'll see this roll over the next month, six weeks or so.
A curious comparison is, you know,
if we look at the most successful commercial compiler in history,
it's by far NVIDIA's compiler at this point in terms of dollars managed
or dollars that are kind of using it.
And it's kind of interesting that people had to,
tried to make open source compilers,
including Intel, ATI, AMD, et cetera,
for graphics processors for a long time.
And it somehow got beat by the proprietary one.
I think an interesting question is,
what's the equivalent here?
It won't necessarily be that it will be a proprietary compiler.
But there'll be someone who has some sort of like market,
let's not say monopoly.
It's probably more like a monopsony
where they have some sort of like indirect network effect
that ensures that they get most of order flow
of some form. And the monopsony is sort of
incentivized to fund this type of stuff. I don't
think that, to be honest, like the Ethereum Foundation or people who are doing
consensus stuff care that much about this.
It's sort of like, well, we gave you
Solidity, you want to make another language, go fuck off, right? Which is like
not, it's unfortunately for better or worse, that is.
Wasn't Vitalik involved in the development of Vyper?
In the beginning. Sure, sure. Everyone wants
other languages. Everyone wants other languages. No one wants to maintain other languages. That's where
this fight comes from. The key thing is that all of the funding, if you look at the funding from the
base protocol, most of it has, like, Vyper's got a couple of little grants, but it's mainly going to
Solidity development verification. What was the Eth2 deposit contract written in, right? The initial
version, the test was in Vyper, but you know, my point is that there is this concentration
effect. And this is one of these things where, you know, I kind of, I know there's a
It's a very heated battle amongst protocol engineers.
But there's a battle over whether it's a good idea to have many clients for a particular
blockchain or whether you should just have one.
Because if you have many clients and there's an error that all of them have, that is something
that's outside of the specifications of the client, well, it's possible that they each
implement to the error slightly differently.
And then you get these kind of like production bugs that look way crazier than if everyone
was running the same client.
And we actually have seen a couple of those in the Eth2 beacon chain.
But I guess there's always going to be this kind of fight.
I think the place I'm more convinced will be the actual funding source for
compiler security, ironically, is going to come from a lot of ZK stuff,
because ZK circuits are much worse in terms of security vulnerabilities in some ways
than the raw code because you need the code to execute correctly,
as well as the proof.
And they have to be synchronized.
And there's lots of ways they can stay out, get out of sync.
And in some ways, if there's more value locked there, I could see that being the place that.
I mean, there's something to be said there for then perhaps money fund, like funding flowing to
languages such as Solidity and Vyper, like in the process of, say, verifying a transpiler down to something
that works for ZK.
You know, I mean, that's a round-the-houses way of doing it.
But I think you raise a really good point.
We talk so much about client diversity on the execution and consensus layers.
And then we kind of seem to have accepted that, for the most part, if you're writing code,
you should be learning some JavaScript and you should be doing it in Solidity.
And I can see from a cynical business perspective why that makes sense,
you know, what be it for the, you know, a catastrophic consequence of something like this was found in solc.
And there's part of me that goes, we should have more languages, we should be more diverse.
And yeah, it turns out it's very much to, yeah, show me the incentives.
I mean, yeah, your PhD is in Haskell, right?
I mean, I will admit, the last time I looked at anything compiler level for the EVM was
hevm.
So, like, yeah, I very much have qualifications in this regard.
So, yeah, I have opinions.
I don't think we should be doing a compiling from a Haskell DSL down and making it mainstream.
But I think we should have more.
But as we see, even too, is causing something of a stoppage in the dam of where funds go and, you know, what goes where.
I think this is weirdly an argument perhaps for, this is the first time I've thought this through.
You know, we talk about things like where ether's burned to, I don't know, set aside a little bit of it for that for the ecosystem development.
But that raises a whole bunch of weird questions about who's doing the development, you know, who stewards the funds.
Is this a plug for, uh, what's that, that chain that has sort of the like the dead fun
Canto CSR? I was, I was, I was explicitly not going to say CSR, but like, you know, it's the kind of
idea like expenditure is public good and where you are given how much people get angry. But
any time I mention them on here, I'm just going to say no comment. Yeah, it's good to see you all.
Yeah, to your point, I don't think it's a, uh, philosophical, like, a
need, you know, more languages or, you know, fewer clients or whatever, I think it's more like
a funding and sort of incentives problem, right? Like, this kind of reminds me of, like, like,
like, you know, like, you know, like, the Log4j, you know, vulnerability from like two years
ago or like, yeah, yeah, or like, kind of like that, remember that that there's an XKCD comic of
like, you know, sort of the modern stack and there's a one little leg and it's like,
you have some library maintained by like a dude in Kansas and like.
Thankfully maintained by a guy in Nebraska since 2005. Yeah, yeah. And, you know,
comparison with like the Nvidia compiler, it's like, yeah, well, obviously you have, you know, a
multi-billion-dollar company maintaining this thing.
They're sort of different incentives in different capacities to do so.
And so, yeah, I mean, a couple of dudes who are maintaining Vyper, like, yeah, they're,
they probably don't have the resources to, you know, thoroughly test and produce as production
grade.
Not to show them.
I think overall, yeah, exactly.
I was about to say, like, it's kind of a valiant effort to try to run one of these fork
languages, right?
You're like, you have no support.
you kind of like, you generally have a smaller team.
There's going to be technical issues where you can't be one-to-one with the main language that's supported.
And then the tooling doesn't really support you.
It kind of like will like do the bare minimum so that, hey, I can deploy my contract,
but all the security tooling won't support you.
And that in and of itself gets a bunch of nuanced issues.
But the reason you should be worried about these types of bugs is they're very insidious in the sense
that if you find one,
they affect many places all at once at the same time,
which is very different than most smart contract bugs,
which are usually isolated.
Yeah.
Now,
of course,
there's going to be a ton of people who are,
you know,
like,
hey,
why don't you use my particular blockchain?
We have these particular...
Oh,
and it's safe by construction,
and you hear it eight,
so you're like,
okay, chief.
Which is never quite true,
never quite true.
But this is one of the points
that I also made on Twitter,
which is that, like, whenever you see something like this,
regardless of whether or not you put the blame
at the feet of the developers,
there's going to be some sense of like,
okay, why did you get cute?
Why didn't you just use Solidity?
And kind of sit in the sort of technological monoculture
that it's like, look,
Solidity just has the most eyeballs.
It's the most battle tested.
It's got the most, essentially it's got the biggest bounty
on finding something broken,
such that if there was some zero day sitting in the wings,
it would have been found much earlier
than presumably it would be for Vyper
which basically has one big honeypot
which is Curve.
I don't think that assumption holds, right?
Because there were enough people
looking at Vyper stuff and their stuff sat there
for two years in the open, right?
You just had to look back a little bit.
I mean, how many people do we know
that we can say like hand on heart
know the Solidity codebase?
I've barely looked at it.
You know, like I have my bugbears
about how it compiles and stuff.
you know, like the VIR stuff.
But like this was my shtick, and I barely know it myself.
Of course. Look, I'm not saying that.
I'm not saying that I would blame the people.
Yeah.
I would blame the people who are using Vyper.
But I mean, this, like, Curve now has to answer this, whether, you know, some people
are going to give them the benefit of the doubt as you just did.
Some people won't.
And some people will think like, wow, you know, I'll just use Uniswap from now on.
Like, I don't even want to fuck with Curve because who knows what other mistakes they're making
or who knows if Vyper is at all secure,
given that this bug has been sitting around for two years
and they never had the foresight to be able to notice
that, hey, there's $60 million sitting,
or whatever, $40 million sitting on this old version.
And in absolute terms, right,
$40 million on this old version of Vyper
is not a big bounty, right?
There are, I mean, there's like a very minor protocol,
you know, sitting on, you know, page two of DeFi Llama.
That's not a place where I'd expect a lot of eyeballs to be,
to be poured over.
So maybe it's not surprising
that it took two years
for someone to figure out
that hey, there's this re-entrancy bug.
I'd be fascinated to see the process
by which it finally came out.
Did someone finally decompile something old
and see it?
You know, it's...
Or were they just fuzzing
expected translation unit
versus deployed translation unit
you can totally see
that type of thing
accidentally working
and you're just like
brute force
and you didn't have to think that hard.
And then you're like, oh, okay, this must be the reason.
Because it's like once you see a, it's like if you're doing parallel programming
and you see like a lock or mutex not working.
It's like, oh, you know that part of your code is broken.
So there's so many ways that it could have been found.
But I think the other point, I guess this brings is like,
this is a problem that does occur a lot in security.
Like you do run into these compiler bugs.
it's just that they've never ever been quite as high stakes.
I think like the idea that the high-stake compiler bug lasts forever in a blockchain
versus high-stakes compiler bug, my code is running and constantly being changed,
it's local, it's not, it's a very different modality of like what's curious.
It goes to the assumptions about mutability, right?
Like the idea that, okay, this thing should be immutable,
kind of assumes that there's never a reason to change the bytecode,
even if the solidity code corresponding to it is the same,
or the Vyper code corresponding to it is the same.
That sort of assumes that the compiler is always correct,
and there's no reason why one might ever need to swap that out,
which you wouldn't make in any other environment.
It's only really in crypto that we kind of bake this assumption in from the very beginning
is that as long as this is the Solidity code.
Not true.
Spacecraft.
Aerospace stuff does do this.
the same thing, where it's like, you make it once
and you ship it. We had something that was built in the 80s
and that it's worked. Yeah. Yeah, and we're still getting
signals from it. Yeah. There are
like mission critical technologies
that end up being like. And that's where they do, and when they do
they do like the multiple
versions of the same thing that are
implemented in different languages, right? Exactly.
And they do like some Byzantine
fancy stuff between them in case they're
slightly bit flips.
They're not quite identical. But also
from cosmic rays. I read about this. Also, in case
cosmic rays like flip the flip bits
in the instruction set or whatever.
So I think you just have to have that mindset,
which ends up meaning you can't move as fast.
And I think that's sort of why blockchains are interesting.
And they bring some people who are of the like move fast always,
break things, don't care mindset with people who are like,
absolutely not.
This is like an immortal tomb that you can never desecrate
and has to be written perfectly up front.
Right.
Whereas in aerospace, it's like you always treat it like the latter,
and in the rest of tech,
you always treat it like the former,
somehow you're interpolating between the two.
Like, it's weird.
Yearn ended up being one of the latter
because a lot of their stuff was in Vyper,
but they pinned to an ancient version of Vyper.
And I don't know to this day if this was, you know,
kind of just laziness and not wanting to go,
this will do.
You know, we don't need it to change that much.
The thing that changes is the strategies.
And those are often others elsewhere.
Yeah, one interesting thing.
Another framework to think about it is,
if I take the sets of types of vulnerabilities,
in normal software development.
Like I take, you know, just normal code execution bug,
like logic doesn't match what it's supposed to.
I take like environment execution bug.
Like I found a way to get into something
that's talking to that program
and has privileged access and can change it.
And then you have sort of like supply chain attacks,
like code that a particular piece of code depends on is itself.
You can kind of mutate it in place.
In normal software development,
no matter how much every year, like probably once a year, I read some posts or something that's like NPM, which is the main package manager in JavaScript and like every single web application somewhere in the world, you eventually uses it except for like very esoteric web stuff.
NPM. People are always like, oh, NPM has tons of supply chain attacks. And, you know, yeah, every once in a while there's like a little thing that like phishes you or like, you know, like some type of browser extension that phishes you or something like that.
certainly, you know,
Bored Ape owners have been
a recipient of such attacks
in the last year.
With this one NPM package?
Yeah, no,
I think that like some of the craziest
phishing attacks end up coming this way.
But supply chain attacks
to a normal software developer,
if I ranked all of those,
they're probably like in the bottom 20%
of security things.
They're not anywhere near the top 10.
But this says that in crypto,
they have to be in your top three.
Yes.
Easy, easy.
Because your compiler is effectively,
your entire, like your supply chain.
Yeah, it is.
That is the whole chain.
Yeah.
Also, it occurs to me that some people might not know what a compiler is.
So maybe before we, I want to move on a little bit, but let me just quickly explain what a compiler is.
Yeah.
So when you write code, you write code in a high-level language, like Solidity is one we often
talk about.
Vyper is this other one that we're just referring to that was involved in this attack.
But Ethereum itself does not understand that high-level code.
That high-level code is written to be easily understood by humans.
but what Ethereum understands is much lower level instructions like add this, move this over here,
flip these two bytes, whatever.
And these instructions, which are called bytecode, or often called machine code,
these instructions have to be translated from the higher level language to the lower level language.
And that's what a compiler does.
It basically turns this higher level language into this lower level language,
and that's where the bug was that caused this re-entrancy attack in Curve.
And that's why we're talking so much about supply chains.
Now, part of what I want to discuss here as well is about communication around security vulnerabilities,
because that was also a lot of the drama that I was seeing on Twitter was not just that,
okay, this thing went wrong and money was stolen, but also the way in which this ended up getting divulged
seemed to have made things worse.
And I know a lot of security people have had strong opinions about the way in which people
communicate about vulnerabilities in blockchain, because it's not the same as it is in other domains.
Do you want to speak to this a little bit, Laurence?
Yeah, so often when these things happen, we don't have time to file a CVE, we don't have time to, you know, like we often, if you're dealing with anonymous teams, you can't even find a contact to speak to.
And when there's something that's active in the wild, not neutralized, I think it's just incredibly silly to talk about.
I think banteg talked about this, like do not talk about live vulnerabilities until completely mitigated,
and there are a couple of companies and, you know, like security order places that I generally respect
who did the whole, hey, just by the way, here's a thing that's happened.
I think the first one that was hit was JPEG'd.
This is an active problem with Vyper.
Here are some other places that are affected by the same thing.
And I just head in my hands and Alchemix was attacked three minutes later.
If you've replicated that thing to start with, it does not take you three minutes.
just point at different addresses and head into a private mempool.
It was, I think that's the thing I'm angriest about Miss.
Like I said on Twitter that it was clout-addled stupidity, hitherto unseen.
And I can see similarly the argument to go, people should know.
I'm like, no, they probably shouldn't.
I think that maybe 30 minutes of silence while people worked out and let people argue.
I realize I'm being a little bit contrary to my everything should be
transparent. But as soon as you make that transparent and it's gotten, there's an argument for
saying, just, I don't know, hit a Telegram war room. We have Telegram chats for this. We have
ETH Security. People are probably... Can you take us a little behind the scenes, Laurence,
when something like this happens, okay, let's say, boom, you hear that, uh, you know, something has
been compromised, Vyper, blah, blah, blah, no one knows exactly what's happening. There's fog of war.
What happens? Like, what is the chain reaction that happens behind the scenes that results in
the Telegram war room and who's in there? The funny thing is, I'm not going to give you the answer
you want, mostly because the process of talking this means I will never be invited to another one.
I mean, that is how it is. There are Telegram channels which exist and things form very quickly
between as soon as you realize, you know, if it's a library that's affected or a particular
protocol, there's generally someone that's kind of proficient. There are some people now that
handle like the generalist side of things. You know, like, okay, like we need to start communicating
people. We need chain checkers, et cetera. That's as much
as I'm going to give you simply because I like helping out where I can. And if I get told you're going to
media and saying, then that's it for me. Got it. So there's a, there's a code of silence among the
people who are sort of the... No, it's weird because code of silence isn't the right thing to do,
but like, you certainly don't want to say to anyone that would be kind of acting in a malicious way,
be like, okay, if I do this, this is the timer that I have. Like, this is the playbook that I need
to kind of be working contra to. No, I understand. I'm kind of poking fun. I think what's clear,
to most people who have been in the space long enough
is that there's a group of folks,
presumably you're one of them,
who are these kind of security people and white hats
who are kind of on call, basically,
when something goes wrong on chain,
figure out what can we do to mitigate,
what is affected, what's not affected,
how do we communicate this to the right parties
and make sure that everything kind of happens?
It's a weird, kind of distributed Ethereum defense team
that often it's the same players
who show up and are on call
to try to mitigate these things.
You flatter me.
I wouldn't necessarily call myself one of them anymore
simply because I find myself busy with a child nowadays.
But like I said, as you say, right,
there are people that are around and are willing to help.
And so, like, there are security Telegrams,
I think often within seconds of like a PeckShield tweet going up.
There are people chatting.
Often, like, you know, there are protocols that are working
and in the back noticing.
And like, you see it appear in like six places at once.
If it's something known, quite big.
One thing, one thing I would
point out, though, is that I think you kind of need this radio silence more for these supply chain
attacks. Because remember, these supply chain attacks are like, if it's a bug of that form,
every single thing that's ever been built with it is vulnerable at the same time,
versus if it's a specific protocol, then it becomes something more like, oh, well, all the
forks are vulnerable. And maybe the forks are just like, it's like harder to do the attack because
of deployment, you know, there's a lot of like kind of nuanced reasons, whereas when it's a supply
chain thing of like this particular thing is always true for anything created in this way,
then it becomes like much more, much more, much more, much more, much more.
You know, and to speak to that, I think we can, to the degree that you can consider something
like this, which is awful and shouldn't have happened,
lucky in the sense of like the blast zone was effectively constrained to two major protocols
of which one of them, you know,
was out of the picture because of an older version of the compiler.
Right.
So let's continue on the story.
So just to kind of recap where we are so far.
So, you know, these old pools in Curve were compromised because of this reentrancy bug,
almost instantly because of somebody going on Twitter and basically saying,
oh, hey, look at this.
This is happening on chain.
And everything that uses the same compiler version seems also to be vulnerable,
including these other protocols.
Very quickly, you had a bunch of folks jumping in and exploiting basically everything that was
vulnerable within minutes.
Now, one of the things that's happening on-chain as kind of this on-chain background radiation
is this phenomenon we call generalized front-running.
And so generalized front-running is basically when you have these folks who are monitoring
the mempool looking for transactions that may make money in any possible way.
They simulate that transaction as though they were the person
submitting the transaction instead of the actual person submitting the transaction.
And if it would be profitable for them to do so, then they automatically will submit that
transaction and try to go faster than you.
So if you make a trade that's going to be profitable, they'll try to front run the trade.
And that also means if you're going to hack something and that hack would be profitable,
as all hacks are, or most hacks are, I guarantee the useful ones, then they will do the
hack instead and front run you on the hack.
And because they're doing this automatically, most of the time these generalized frontrunners,
they don't know what they're doing.
They're just running while they're at, you know,
they're out of ballgame or they're asleep or they're whatever.
And this thing is just like doing whatever it's doing on the background.
And so we had a very interesting MEV day where some generalized frontrunners
ended up picking off some of the,
some of the hacked funds that were otherwise being targeted by presumably copycats.
Laurence, do you get a sense of what was going on here and how that story played out?
I'd been busy watching and talking to some people
at some of the other affected protocols like Alchemix
when I realized that Curve had been hit for the first time.
And then I noticed that,
it's it, Coffee Babe.
God bless Coffee Babe, by the way, if you ever watch this,
had intercepted, I think, 5 million out of the Curve attack.
I think one of the things that, before I go a little bit further into this,
I think one of the things I find really fascinating,
and I say this a lot on Twitter,
is that it's incredible that it's still basically a coin flip
between whether someone who's performing an incredibly complex attack,
be it at the protocol level,
or be it as we have somewhere less than that,
you know,
maybe someone's eighth the vector,
whether they have the sophistication to change their Ethereum RPC
to a Flashbots thing or not.
You know,
you get people who are still going,
here is eight figures of crime that I'm about to do.
Let me broadcast it into the public mempool.
It's one of these, like, incredible, like, incredible skill.
And they're, you know, robbing a bank
and then like stopping at the red light, it's baffling to me.
I mean, I'm grateful that they're doing it because we have wonderful situations like you have
searchers that are intercepting these things.
And as people will have seen, I think there was a lot of chat about, oh, you know,
MEV searcher Coffee Babe picked up a bunch of it.
And others have as well.
I think there's a lot of credit to other people as well, such as Pascal Caversaccio and so on and so
forth.
I'm not going to name them all wonderful work.
Who went, okay, you know, I've got this.
I'm going to return it to, you know, the address of my thing.
And then chat and say, okay.
I've picked this up. Where does it go?
And I think a large chunk of it has gone back to,
I think Metronome's received a bunch back,
because they were hit as well as Pendle.
And I think there was,
so hang on, it was JPEG'd, Metronome, Pendle, Alchemix,
the Curve pool, deBridge, and Ellipsis were all hit.
I think some of those were all like, you know,
here have it back, which is great.
I think this is a weird offshoot of white hattery
where someone has effectively sleepwalked into millions of dollars
and just goes, now I'm right, Chief, you take it back.
It is really beautiful.
And in a way, it's a testament to the culture that Ethereum has,
that you've got these people who are effectively kind of built
from the same material you might think as like hedge fund magnates
who are just ruthlessly out there competing every single day
for every, you know, iota of expected value.
But then when something really goes wrong, they're like, hey, you know,
everyone's got to buckle up and defend ourselves against the real attackers, which are, of course,
the folks who are hacking the thing in the first place. So I thought it was a beautiful little vignette,
and also for those of, I imagine many folks have never heard of generalized front running,
but in situations like this, it ends up becoming an important part of the story. So, okay,
let's move on to the financial part of the story. Okay, so far we've been talking about the technology,
the mechanics. I know, I know, there's, it's such a, I love how multi-layered the
story is, even though it's obviously a fucking tragedy.
But it's also a very teachable moment, I think, for DeFi and cybersecurity.
On this taking place, obviously, people pulled a lot of money out of Curve, and the value
of CRV, the native token of Curve, went down quite a bit. And so it dropped more than 20% over
the span of a day and a half. And if you remember from a previous episode of The Chopping Block,
we talked about Michael Egorov, who is the founder of Curve, and he has a very big, a
very large amount of Curve that he owns on chain, against which he has borrowed a lot of money
and purchased a lot of real estate in the real world. And so presumably he has, you know,
he has a limited liquidity profile given how much he's balling in real life. And as the value
of this Curve has gone down, in addition to just what's happened broadly with DeFi going down
over the last year and, you know, many of these tokens getting hit, he was already extended pretty
far in, you know, if you recall, I think it was Aave at that time that originally he was
at the risk of getting margin called. Now all of a sudden, with the value of CRV going down
25% plus and threatening to go down even more, as not only are people worried about, oh, my
God, is there going to be some, you know, death spiral that's happening here, but now the fear is,
okay, will Michael Egorov, will he exacerbate that liquidity spiral, causing CRV to just,
you know, basically get vomited out into the market when his massive positions get liquidated.
What is that going to do to Aave?
What is that going to do to Frax?
Which are all places where he's also borrowed a significant amount against his CRV holdings.
So there was basically a kind of mass contagion of fear as CRV started getting hurt worse and worse
as people started realizing this.
And further, in some ways, you know, many people shorting
CRV to try to facilitate this and bring it on and say, hey, you know, if we just get it to hit
this threshold, boom, we can kind of knock his position entirely over and, you know, kill CRV.
What Michael ended up doing is he went OTC, because of course, there's nowhere near enough liquidity
for all the CRV that he owns.
Not even struck up a bunch of CRV deals.
I'm sorry?
Well, not anymore.
Not anymore.
Yeah, that's right.
That's right.
Once upon a time, once upon a time, there were people willing to buy and sell CRV.
He ended up striking deals with Justin Sun, DCF God, and DWF Labs, among several others,
to basically sell them OTC, big chunks of CRV to give him liquidity in pretty significant discounts to market with very small lockups,
so that he could repay a bunch of his debt and lower his liquidation thresholds.
So I think now it's pretty safe to say that we're out of the woods on that front.
Last I saw his, he was pretty close to,
I want to say, like, the liquidation price is pretty close to like 40 cents.
Now it's closer to 30 something just because he's repaid so much of his debt on Aave, Fraxlend, and on Abracadabra.
So I think he's, I think things are looking much safer now.
Correct me if I'm wrong if anybody has more up-to-date numbers.
His biggest vault is on Aave and currently has a health factor of 1.69, which is much better than it was.
Yeah.
Yeah. The big issue, though, is you still own so much of the circulating supply.
There's like 900 mil Curve outstanding and he owns what, like three, 400 mil, something like that.
So just like yeah, yeah, you know, even if you, you know, get liquidated, like there's just no amount of.
Where's it going?
Yeah, exactly.
So it's like, you know, in reality, you know, Aave V3, obviously, fixes this and then they can limit borrows per asset type.
But like, yeah, I mean, it's it's kind of a mutually assured destruction at this point.
Tarun, given that you were involved with this Aave kerfuffle a few weeks ago, what's your take on this whole de-leveraging situation?
Yeah, you know, there's not too much, you know, similar to Laurence, it's actually still somewhat.
There's still things going on, so I probably will not say too much.
But I will say, you know, we've spent a lot of time making proposals of trying to try
to mitigate this historically.
Is this that I told you so moment for you guys?
No, this is more just, hey, look, we've made these proposals.
We've come through this before.
Didn't quite.
If you had listened, if you had only listened to us, if you'd only listen to us.
If you'd only listen to us.
It's more like, you know, directionally it was correct.
The things are kind of consistent.
But the point of a DAO is that, hey, the DAO can be like we don't want to do that, right?
So anyway, we put up another version of some of our old proposals.
We're going to try to keep monitoring this.
I mean, I think the emergency would have been if the Fraxlend interest rate.
So one thing that's worth noting is Fraxlend.
So Michael had two big positions.
Of course, Aave is the biggest one.
And then the second one was Fraxlend.
Fraxlend has sort of a PID-controller-style interest rate.
So the interest rate adjusts.
So the longer the utilization is high, so the longer the funds are lent out, the more the interest rate goes up, the lower the funds aren't lent out, vice versa.
With the idea that, hey, they keep increasing the interest rate, then they can bring down the utilization, which lowers the risk, right?
So like, imagine you're a lender in the real world, you know, you've lent out all your funds, but now you're worried that some of your risky borrowers are going to default.
You may try to make the adjustable rates for your adjustable rate component go up because you want to compensate for those defaults.
So that's sort of the thesis of the way they're looking at this, the way Fraxlend is
designed. But the problem is at the current time, they were at 100% utilization. So the interest
rate just keeps going up on its own. And there is this cycle between the two loans where
one would you, in order to keep paying, like one would be draining faster because the interest
rate's going up. The other one's sort of constant-ish. And you borrow against
the one that's constant to pay the one that's going up.
And that was where there was a lot of worry and cycles of the things that could go wrong.
It was interesting to watch people trying to hunt him on Fraxlend.
Because the way that worked was, yeah, people would deposit CRV, they'd withdraw FRAX,
APY Plus Plus because of the PID.
And I think there was what, yeah, a couple of hours where people are just sitting,
they're going like just watching ping ponging between the two, which I found fascinating.
I mean, I have this more qualitative thing question, you know, the what if about, you know,
we talk about like the nature of using these lending protocols that have long-tail asset support
for like the tax-free leveraging of assets to borrow against them or the selling without doing
as much and kind of saying that, you know, any bad debt that's incurred is not a me problem,
it's a you problem.
And I think today was the day where everyone kind of en masse responsible for things was like,
oh, it's a me problem.
and actually started kind of like making efforts to mitigate some of that.
I said I think there were some pretty distasteful characters that were included in the OTC deals.
My personal take on some of those people, which I found fascinating.
You know, I had 40 cents on the curve with a three, six-month handshake deal,
or you can sell if it goes up to 80 cents, which I found fascinating as kind of like this weird,
locked-in situation between a bunch of like big money.
about something which could be a massive headache for, like, Aave in particular.
I find that it's so,
I mean, GCR clearly thought that something was going to go the way of the dodo
because he added a bunch of Ethereum single-sided on V3
and like aiming at like three to seven cents per Curve, I think.
I mean, that might be psyops.
He's probably smart enough to know that wouldn't have happened
with a liquidation because of Chainlink, the way that it's weighted towards central exchanges.
But it was certainly a weird moment to see that happen.
Hmm. Hmm. Yeah. I will say on the whole, I mean, it does seem like the saga is coming to a close now. I want to, I want to give just a few minutes for us to kind of take the broader reflections on what it means. A lot of the people, I mean, it was a wild 48 hours, I will say, very entertaining and many different angles to the story, which is also part of what makes it so fascinating. A lot of people were saying that like, oh, I mean, this kind of shows that,
DeFi isn't all that it was chalked up to be
and that it means you can't really trust this stuff
because, you know, Curve was one of the biggest
and everyone trusted it and blah, blah, blah.
I do like to remind people that, look,
I mean, the Curve pools that were affected
were all very tiny old pools
that were kind of third-party pools.
You know, the main Curve pools themselves
were completely unaffected by this.
And on the whole, Curve had, what,
$3 billion in TVL,
of which, you know, roughly 30-something million
was actually affected by this bug.
And so it is, and of course, it, you know, pretty quickly people kind of came together, figured out what was wrong. And, you know, with a few caveats here and there, more or less got to getting everything else back in order. You know, the, you know, we didn't get a CRV cascade. We didn't get a bunch of bad debt proliferating on a bunch of protocols. Like people kind of came together and worked together to help keep DeFi resilient. And I thought that was a great example of it's not always just about the mechanisms. People talk about that a lot in
that, oh, these mechanisms, they're self-reinforcing, they're self-sustaining, they're super
powerful.
But a lot of it is really about how you build your norms and the community and the culture.
That's a lot of what kept DeFi safe is just the instincts people had about communicating with
each other and working together to help this problem from getting worse.
I prefer another way of looking at it, which is in traditional finance, you can't really
see all these positions.
You know, in some ways, people are always like, oh, we should like have perfect privacy, private DeFi already.
There's some sense in which you want these kind of bugs in public DeFi fixed or, you know, discovered and dealt with first before you ever get to private DeFi.
In traditional finance, you already have the private thing, but because you can't really prove any properties of what people's positions are, you never really know if they're solvent or not.
You never really know the liquidity, especially for more liquid things.
So in that sense, you would not be able to identify, you know, the types of things we're talking about of like, hey, like someone is borrowing using their older loan to pay off their future loan until after it happens.
And in some sense, that transparency is actually extremely useful for figuring out mitigations and also for other users who are impacted by that to adjust their strategies, which you can't really do in traditional finance, I would say.
like you're usually guessing what other users are doing.
You're not knowing what other users are doing.
There is the tradeoff though, right?
Because we also talked about the adversarial nature of when, you know,
when it's on chain, you can see the stop and you know, like kind of how to hunt it down.
And you can spread fud about this and that because everyone is kind of, you know,
everybody was looking for, okay, what's the level that it's going to take for, you know,
basically curve to have this kind of cascading liquidation spiral.
that is something that you wouldn't have
in a completely private system.
So there's pros and cons.
It's not obvious to me
which of those two is better,
but it's pretty clear right now
that, I mean,
it's not a choice in front of us, really.
We kind of have to go.
I mean, DeFi is DeFi,
and unfortunately we don't really have
a viable private version of it,
at least not yet.
Yeah.
One of my favorite analogies recently
is talking about kind of Flashbots RPCs
is dark pools,
the analogy of like TradFi.
And it'll be interesting to kind of see
like, you know,
the way that in which kind of as we start getting kind of more base level privacy,
the way in which stuff starts splitting off into different things.
That's kind of a kind of an auxiliary interest of mine recently.
I said like, I mean,
I'm working personally on trying to do stuff,
like bringing kind of deal on chain and like kind of walking the walk in terms of DeFi
and the degree to which I think maybe that just adds signal instead of noise
is yet to be seen.
It fascinates me,
although I am not as big-brained as people like Tarun here who, you know,
look at this stuff for a living.
I would like to see more private DeFi, though.
I mean, it is clear that especially for large players, I mean,
Michael Egorov is probably the primary example of somebody who would benefit,
at least from his perspective, from having some financial privacy.
You know, having viable forms of on-chain privacy, I think would be a big boon to large players.
I'm certainly not saying that, you know, obviously I should add some addendum.
I certainly think it is necessary.
But two things to remember is finance is never, ever, can never be fully private.
There always is some public information, right?
Like a price, a rate, something has to be public for people to trade on some set of metrics.
And those metrics have to leak something about the actual underlying assets.
And so there's always this tradeoff.
But the real question is, you know, how can you make these things stable?
I would rather learn the mistakes with the fully transparent public stuff before going fully to private.
And I think that's, this is going to, you know, we have this now library of these mistakes to avoid.
Well, we have a library, but I'm not being dilated anywhere.
That's the thing.
Like I wrote last year that, you know, whenever we see an error like this, if it's novel, oh, sorry, if it's old hat, like if it's a repeat of something, then everyone just gets like strips torn off of them.
If it's novel, then people within like 48 hours will confidently assert that anyone could have seen it and only like the malicious or the novice would have overlooked it.
We saw it even happen at the DAO.
We've started seeing it now with the Vyper incident.
And I think one thing I'd like to bang on about like is kind of someone, some group of us needs to kind of like put the book together of the what to do to not, you know, like a hitchhiker's guide to not getting wrecked at some level.
and I don't think it's ever going to exist.
So the nature of security,
much like the nature of finances,
it's always this cat and mouse game.
Yeah, of course.
And whatever edge you have is hard to make public.
So anything that gets written is always a bit post hoc.
Like never can be written in the moment.
And I think that's sort of the thing you face here.
But the transparency means that the documentation is there.
Yeah.
It exists, right?
Just think about how many financial crises must have
existed in the world where there is basically no recollection or documentation of the cause or the
solution. I bet you there's a lot of those in many countries. And in some sense, at least here,
you have the chain as the form of reference forever. Yeah. I think it would be very entertaining
to read the histories of some of the big hacks in crypto. But I think to Tarun's point, it's kind of
like, you know, it's like, like rules are written in blood. And I think that's kind of true for crypto,
where, you know, after any new novel hack, like, people change their auditing practices and testing
practices and security practices and what we sort of consider safe and stuff gets better over time.
Even the concept of Vyper having a library for, like, reentrancy guard, like, you know,
would have been a thing like, you know, I guess it was like six, seven years ago.
And so this stuff, like, as we sort of learn about different ways of attacking, I think we sort of,
you know, as an institution, build those sort of natural antibodies,
but not in a sort of implicit way instead of an explicit way.
It did make me reflect, to be honest, that I feel like working in crypto this long has broken my brain.
Because on Monday, well, I know, on Monday when I saw that Curve was hacked and I was like, oh, shit, how much was it hacked for?
And it was like, oh, 30 million.
I was like, oh, it's fine.
If it's not the length of my phone number, I'm not yet, I sleep.
Exactly, exactly. Looking back on this from like where DeFi started when like literally all the money in DeFi was about $100 million. I don't know. It does feel like security has to get simpler. Like it can't be, I mean, to your point, Tom, of like all of the, you know, the sort of the earned knowledge that is kind of tribal and is, you know, the, you go through the maze of all the decisions you can make building a protocol. And at some of those corners, there's just, you know, bones of
protocols that came before you that fucked up in that particular way.
It can't be that it's that tribal, the knowledge of how to build things safely in DeFi.
Like that aspect of it has to get better.
And I don't know how much easier it seems to be getting.
It seems to me the answer is more and more that it's not easy and it's going to stay not easy.
And instead, we are just kind of investing more and more eyeballs, resources, and security
into the few protocols that are super, super secure.
and everything else
we're kind of, you know,
it's just caveat emptor.
And that ultimately means that there's,
I mean, part of that is just that few things
really have product market fit in DeFi.
But the other side of it is that
it's almost even harder
for something new to get that product market fit
when there's such a gap in security
between things like Uniswap and Curve
and the next protocol
that just is new on the block.
If you had another hour to spare,
I would give you my
soliloquy on the tactics and techniques of auditing firms in DeFi nowadays,
but I don't feel like getting canceled by some of my friends,
so they'll have to wait.
Now I really want to hear that.
Wait, wait, wait, wait, wait, wait.
We should really talk about the bald stuff, though.
Should we?
All right.
That could probably fit in five minutes.
Yeah, it's not that much.
The bald is fine.
I would just like looking at the clock and I was like, come on.
Like, we're not.
This is the best.
This is the best story of this week.
Is this the best story?
Okay, Tarun, I'm going to let you give the exposition for BALD, given that it's the best story.
As many of you know, Coinbase is launching a layer two protocol called Base.
I believe on a prior episode of this here podcast, I quoted a tweet that I saw that described it as Binance Smart Chain for white people, which got me canceled on LinkedIn, but not Twitter, which should tell you everything.
It's also not wrong.
How can you get canceled on LinkedIn?
What does it even mean?
Just people being like this is so incensed.
People like unconnected with you?
Yeah.
No, no, no.
Laura, I believe Laura posts these on LinkedIn.
I remember I saw some comments that were like.
Okay, got it.
I don't know if they were like directly in her thing or some other thing.
I think she doesn't tag me on that much.
I'm very grateful for.
I kept getting tagged in these things of like this intense.
I was like, hey, I'm just reading someone else's tweet.
I think it was a Chuba special.
I'm pretty sure it was him.
Yeah.
Yeah.
And so Base has been launched in sort of like developer-only,
like the chain exists, you can sort, you can bridge onto it.
Layer 2s that are optimistic, of course, have this withdrawal period,
so you may have to wait to get money back.
But I guess in honor of the fact that the people who have are in trials with the SEC
are bald or the ones who win, I forget exactly what the meme is.
Do you guys know?
Those are right.
Yeah, got to be confident when the guy at the top is bald.
That bald is, like, strong, meaning there's a great meme. Like, like, like you are with this show with
Haseeb, right? You're very confident. Yes, exactly, exactly. Uh, never trapped a unseal in crypto.
So someone made a meme coin called BALD, and they deployed it, and of course we had this fervor of
50, 60 million dollars moving into Base, which sort of, it was meant to be a developer
test that, not totally meant for real funds, um, but, you know,
You can't stop the apes when they ape.
So all this money went in, and then the deployer developers sort of rug pulled the people in some ways.
I think there's still debate as to how much of that is true.
But once that happened, you know, what happened was what always happens in these
crypto scenarios where something awry happens, whether it's the Curve thing, whether it's this,
there's this community of these people on the internet who are just constantly sleuthing and trying to figure out
like what they can about an entity and address a set of assets on the internet.
And it turned out the BALD deployer is very connected to,
had done a lot of seven figure trades with Alameda,
had made a lot of posts on the dYdX forums about how they should change their incentives,
had clearly been doing algorithmic yield farming for a while,
and not like manual you could tell from some of the rebalance moves.
and it was sort of a thing that was like,
this is a more sophisticated person.
How are they so dumb to deploy off this address
that has so much provenance?
Then that led, of course, to the natural SBF deployed a meme,
which I don't think is true.
No, I don't know.
But there are, of course, a ton of ex-Alameda employees
who could have very easily been this entity,
and that's where I suspect it is.
So, do I miss anything?
Well, the deployer has come
back now, posted, I think, about an hour and a half before this. I realize you've got your
hard stop. It's come back now saying as soon as there's another DEX that works,
we're going to put more liquidity back and any profits are going to effective altruism,
like non-profits. No, he said to non-profits. Non-effective altruism, non-profits. That's great,
because I'm not profitable, so I'm looking forward to getting paid by an Alameda associate.
But of course, I mean, this is, this is psyops. You can't fool me. I am familiar with your
game, BALD deployer. It's, well, the best part was I think there was, I think there was
another meme coin launch today called Hair, which has been quite well.
There was also Fuck Balls. Yeah, there were loads.
Fuckballed was a honeypot.
And then, of course, like, Leach itself went down because of the next point because it was
Solidly forked code.
It's been an auspicious start for Base's developer-only mode.
I'll say that much.
I don't understand how a developer only mode, how you can ape into a developer only mode.
They just made it harder.
They just made it harder.
There's no UX, whatever.
It is functionally running.
It's just that there's no,
none of the creature comforts of like easy to do for Metamask.
Yeah.
You just had to sign a contract on mainnet.
It would do a self-transaction.
And you're like, well, that's not a barrier.
This whole thing reminded me of when during 2021,
in the peak bull market,
there were like all these TikTok influencers
teaching you how to use,
change your RPC to Binance Smart Chain
and, like, go arms and things to buy a smart chain.
What was the thing that would have a safe moon?
Yes.
I think that was one of them.
Oh, God.
We need a safe moon on base.
I'm telling you now.
Boy, someday you're going to be telling your kids about the days when you had to manually
change your RPC to use another chain.
I'm going to get called a boomer because do we sound like the people who talk about the dial-up
sound?
I feel like that is absolutely who we are.
That is absolutely who we are.
I got into a discussion with someone the other day.
Like the era pre-Flashbots about using gas price auctions to get into stuff that it was all public
and someone, yeah, I got called a boomer on chain. This was devastating to me. Oh, off you live long
enough with that. I think, I think the boomers got... We didn't, we didn't even get a chance to talk
about HEX getting sued by the SEC, but maybe, um, maybe we'll cover that at some point. But for now
we got, we got to log off. Thank you, everybody, and we'll be back next week. Thanks, Laurence,
to everybody.
Yes, everyone.
Thank you very much.
