
alcueca
@alcueca
Engineer @OpLabs. Co-Founder & CTO @yield (defunct). Co-Author of ERC4626 (Tokenized Vaults), ERC3156 (Flash Loans), ERC7266 (Oracles). Judge @ Code4rena, Cantina.
Portugal
Joined March 2020
The industry standard is that governance transactions are not audited unless they are part of a major upgrade. That's a huge security gap. @Optimism is fixing this. As a default, many of our governance transactions will be in scope for our bug bounty. Check below how it works.
Optimism is extending its $2 million bug bounty to identify bugs in upcoming Superchain protocol upgrades. This bounty helps secure the foundation for Superchain interoperability, a major upcoming milestone for Ethereum L2s.
DeFi Summer is back, I tell you. At least I'm advising these guys to bring it back, and they've got a good shot at it. Check them out!
Introducing YO: The Last Vault You’ll Ever Need. YO stands for Yield Optimizer. ✌️🪀. Say goodbye to manual yield farming. Say hello to automated, risk-adjusted, multichain yield. 🧵
From the friends @pv01_markets, a Delivery-Vs-Payment permissionless public goods platform. It is a pretty fundamental use case, but as far as I know, no one has deployed anything like that yet. So here you go. No strings attached. Enjoy.
github.com
Delivery versus payment. Contribute to PV01-org/delivery-versus-payment development by creating an account on GitHub.
@Elliot0x Think about this different configuration:
- A technical team that puts governance actions to be executed in a timelock with a delay of a week.
- A different team whose only job is to verify the governance actions in the timelock, and remove malicious ones.
(continues)
100% agree that those things should be implemented, but maybe just a timelock would do against the Bybit hack?
"Organizations below a certain security threshold are now at serious risk. Without security controls including: air-gapped signing systems, multiple layers of transaction verification, endpoint detection and response (EDR) systems." Sounds like something Silverback can help with!
Or you could just remove malicious transactions before they make it to the signers, while they are in the timelock.
Look, it's actually pretty simple: UIs, infra, dependencies etc. can and will be corrupted. When you hit the buttons on the hardware device, that's when you need to be 100% sure what you sign. The MOST important part is the screen on your hardware device and what it displays and.
You could just use a timelock and remove malicious transactions before they get to the signers.
13/ The end result is the same. Hacked. There are many ways this attack MIGHT have happened, but how can companies make things harder for attackers in the future?
1. Train employees on phishing.
2. Install EDRs on employee hardware (@sentinel @crowdstrike).
3. Heavily lock down.
I might be missing something here, but wouldn't a simple timelock be the easiest solution to defend against UI attacks like the Bybit one?
The victims then signed a transaction that upgraded their gnosis safe. They likely could not see what the transaction actually did because the tenderly simulation on their machine was for a different payload than the one they actually signed.
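The "timelock plus a separate veto team" configuration sketched in the reply to @Elliot0x above, and the question here of whether a simple timelock would have blunted a UI-substitution attack like the Bybit one, both come down to the same contract shape. The following is an added example written for this page; it is not code from OpLabs, Optimism, Gnosis Safe or any project mentioned in these posts. The role names (`proposer`, `guardian`), the fixed one-week delay and the event names are assumptions chosen for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Minimal timelock with a separate veto role (added example, not a project's
/// own code). The proposer can only queue, the guardian can only cancel, and
/// anyone can execute once the delay has elapsed. Role names and the delay
/// are assumptions for illustration.
contract VetoTimelock {
    uint256 public constant DELAY = 7 days; // assumed one-week review window

    address public immutable proposer; // team that queues governance actions
    address public immutable guardian; // team whose only power is removal

    enum Status { None, Queued, Cancelled, Executed }

    struct Op {
        Status status;
        uint64 readyAt;
    }

    mapping(bytes32 => Op) public ops;

    event Queued(bytes32 indexed id, address target, uint256 value, bytes data, uint64 readyAt);
    event Cancelled(bytes32 indexed id);
    event Executed(bytes32 indexed id);

    constructor(address proposer_, address guardian_) {
        require(proposer_ != address(0) && guardian_ != address(0), "zero address");
        require(proposer_ != guardian_, "roles must be separate");
        proposer = proposer_;
        guardian = guardian_;
    }

    /// The id commits to the exact target and calldata that will run, so what
    /// the guardian decodes from the queue is what the chain will execute,
    /// regardless of what any front end or simulation showed the signers.
    function hashOp(address target, uint256 value, bytes calldata data, bytes32 salt)
        public pure returns (bytes32)
    {
        return keccak256(abi.encode(target, value, data, salt));
    }

    function queue(address target, uint256 value, bytes calldata data, bytes32 salt)
        external returns (bytes32 id)
    {
        require(msg.sender == proposer, "not proposer");
        id = hashOp(target, value, data, salt);
        require(ops[id].status == Status.None, "already queued");
        uint64 readyAt = uint64(block.timestamp + DELAY);
        ops[id] = Op(Status.Queued, readyAt);
        emit Queued(id, target, value, data, readyAt);
    }

    /// One-way power: the guardian can remove a pending action but cannot
    /// queue, modify or execute anything.
    function cancel(bytes32 id) external {
        require(msg.sender == guardian, "not guardian");
        require(ops[id].status == Status.Queued, "not queued");
        ops[id].status = Status.Cancelled;
        emit Cancelled(id);
    }

    /// Execution replays the committed calldata, never caller-supplied data
    /// that could differ from what was reviewed.
    function execute(address target, uint256 value, bytes calldata data, bytes32 salt)
        external payable
    {
        bytes32 id = hashOp(target, value, data, salt);
        Op storage op = ops[id];
        require(op.status == Status.Queued, "not queued");
        require(block.timestamp >= op.readyAt, "delay not elapsed");
        op.status = Status.Executed; // effects before the external call
        (bool ok, bytes memory ret) = target.call{value: value}(data);
        if (!ok) {
            // bubble up the callee's revert reason
            assembly { revert(add(ret, 32), mload(ret)) }
        }
        emit Executed(id);
    }

    receive() external payable {}
}
```

The point of the split is that the multisig whose UI might be compromised only ever holds the proposer role: a transaction whose real calldata differs from what the signers' screen showed sits in the queue for a week, where a second team that reads the on-chain `Queued` event and decodes `data` independently can cancel it. The guardian's `cancel` is deliberately the only thing it can do, so compromising that team alone cannot move funds, and the two roles must be held by different keys for the review to mean anything.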
We all knew this place was trash, but what's the story with the lewd videos? If I click a goat video from @josephdelong, why does the algo serve me some onlyfans streamer adjusting her clothes after? It might be the thing that finally makes me leave. Divorces are expensive.
Hey nerds, what is the best tool or process that you have seen to measure the complexity of a smart contract (or protocol)? I saw once some table by @trailofbits, and I once made my own (now lost). I'm sure some of you use something like that to price audits.
I haven't been writing much in a while. You should expect that to change as I tackle new challenges. Thanks to the body double, unfortunately @AmadiMichaels couldn't make it to our little gathering.