@ceterispar1bus Welcome, it's a beautiful game. Go ahead and find an English Premier League team and follow them. It's the best league in the world with incredible drama and entertainment. You'll also get to know all the players that end up in the world cup as well.
@realRockyChung@ExponentFinance@Titan_Exchange Can you guys enable simple limit orders for the most popular RWAs? Current asset pairs that have limit orders available on Titan are extremely limited.
No luck involved here sir. Architecture.
CCIP by @chainlink was built around the exact failure that just drained Kelp, and the difference isn't a slightly better config. It's a different threat model from the ground up. Every CCIP message is validated by two completely independent networks before it can execute on the destination chain. The main Chainlink DON observes the source chain, reaches consensus on the messages and their ordering, and commits a Merkle root to the destination. That's the same shape as any oracle network. The part that matters is what happens next. A second network, the Risk Management Network, watches the source chain on its own, independently rebuilds that Merkle root from scratch, and has to explicitly "bless" it before any message under that root can be executed. No bless, no execution.
A compromised primary network cannot move funds on its own. A buggy primary network cannot move funds on its own. A primary network with a key leak cannot move funds on its own. That second network isn't a different quorum of the same thing. It's a separate Rust codebase (smartcontractkit/risk-management-network), separate team inside Chainlink Labs, separate set of node operators, zero shared nodes with the main Go client. Different language, different binary, different infra, different people. A bug in the Go client cannot exist in the Rust one. An operator compromised on one side has no signing rights on the other. Both repos are public and you can audit the consensus logic, the blessing logic, the curse logic, and the signer set yourself.
That's what client diversity looks like when someone actually builds it. LayerZero's marketing says DVNs can be diverse, but in practice every major DVN runs the same closed source "essense" client and pipes signed messages into a LayerZero operated collector. You cannot prove two "independent" DVNs aren't the same binary on the same box run by the same operator under two names. Kelp's config was 1-of-1. One signer. One closed client. $292M of trust sitting on a single key whose provenance nobody outside LZ can verify.
RMN also has a kill switch that lives outside the system it protects. Any RMN node that sees anomalous state, a reorg, a finality violation, a message that shouldn't exist, a rate limit breach, can push a single curse transaction to the Risk Management Contracts on every chain and the entire CCIP lane halts globally in one tx. No multisig coordination, no 46 minute pause window, no scramble to find the right pauser key. Kelp needed 46 minutes to pause. In that window 116,500 rsETH walked out the door and the attacker tried twice more for another 40,000 each time, only stopped because the pause finally beat them.
Rate limits live inside the OnRamp and OffRamp contracts themselves, enforced by the protocol. Every lane has a per-token throughput cap and an aggregate cap that refills over time. You cannot drain 18% of a token's supply through a CCIP lane in a single txn because the contract reverts before the transfer settles. This isn't something the app developer has to remember to configure. It's the default behavior of the rails. Kelp's OFT Adapter had no equivalent. One lzReceive call released 116,500 rsETH with no throttle anywhere in the path.
The operators themselves are economic security, not just signing keys. CCIP DON operators are public companies with public identities (@linkpoolio , @cryptomanuf, @googlecloud, various others), each running independently audited Chainlink nodes. You can verify on chain what is signed and how long nodes been running. Contrast that with the DVN space, where you cannot even verify that the address listed as the Nethermind DVN is actually operated by Nethermind, because the signer wallet has never publicly identified itself or signed a proof of ownership.
And this isn't theoretical. PrimordialAA flagged LayerZero's DVN architecture 18 months before Kelp, then flagged Stargate's specific 2-of-2 admin wallet setup 8 days before Kelp. LayerZero publicly dismissed both as "gas abstraction" and "0 implication on security." Eight days later a different OApp using the same class of architecture got drained for $292M. @ChainLinkGod has been explaining this for two years. None of this was a mystery. The warnings were in public, the on chain evidence was in public, the code was in public.
So when the reply is "just use Chainlink," it's not superstition and it's not branding. It's the observation that CCIP made specific architectural choices that make the Kelp-style attack mechanically impossible. One network signs funds away? Blocked by RMN bless. Bug in the node client? Blocked by Go and Rust diversity. Operator compromised? Blocked by the second operator set. App didn't remember to configure a rate limit? Protocol enforces one anyway. Something weird happening that the automated systems didn't catch? Any human operator at RMN can curse the lane globally in one tx.
Everything I just described is verifiable from an RPC right now, in two public repos, with public operator identities and public signer sets. That's the actual argument. It's not "trust Chainlink," it's "Chainlink built the system so that trusting them isn't the thing holding it up." Two networks, two languages, two teams, two codebases, two independent verifications, a global curse, protocol level rate limits, public operators, slashable stake. All of it on chain. All of it auditable.
"Don't jinx it" is understandable after watching $292M vanish in 46 minutes. But the security of the system isn't a vibe. It's the Merkle root that two independent networks both have to agree on, or the message doesn't move.
@kamino Great article. Can you guys highlight the oracle usage/risks that a user would be taking on by employing these strategies? Are liquidations triggered by DEX prices given there is an off chain NAV of ONYC? @kaminointern@onrefinance@Ayyanrahman
@LinkBoi777@ClairHawk_Cap You also want the ability to write calls against it down the road since it's not currently possible in the crypto sphere as far as I'm aware.
@MacroScope17 Is this using native BTC? Because correct me if I'm wrong, there is a conversion that happens on the backend from BTC to cbBTC. It's then used as collateral and borrowed against using the Morpho protocol. If true, native BTC to cbBTC is a taxable event.