Got sandwiched myself 😭 $15M drained in a reverse honeypot. Fake pools, fake tokens, my own bot approved the trap.
Weeks of setup. Karma’s a bitch in crypto. Still the king of MEV tho.
$3,000,000 bounty out if you help recover the funds or the hacker returns them
"Jaredfromsubway"
I've been a backend Engineer for 12+ years. Today, I'm a Principal Engineer at Atlassian.
I've designed systems that handle millions of requests. Sat on both sides of system design interviews.
Reviewed more architecture docs than I can count.
Starting today, I'm breaking down the fundamentals of scaling for the next 25 days.
If you're learning system design, bookmark this thread; you're going to learn a lot from it.
👉 For 4 years, 1 day, and 10 hours, anyone who understood the Orchard circuit could have minted ZEC out of thin air, silently, with no on-chain signature. The bug was disclosed this week. It was found by an AI-driven audit running Opus 4.8, not by an attacker.
1. Call the bug what it is
Two lines in halo2's variable-base scalar multiplication gadget used assign_advice() where copy_advice() was required. As a result, the diversified-address integrity check pk_d = [ivk]·g_d could be satisfied for arbitrary inputs. A malicious prover could spend the same note multiple times with different nullifiers, i.e. counterfeit ZEC inside the Orchard pool, undetectable on-chain because the privacy of the ZK proof hides exactly the inputs that would reveal the attack.
We do not know whether it was exploited. We will probably never know.
2. Four years. Multiple audits. Top-tier reviewers.
Orchard was reviewed by some of the strongest cryptographers in the field before activation. They missed it. Earlier automated audits with Opus 4.7 missed it. Opus 4.8 catches it in roughly 1 in 4 runs when prompted generically. The bug is hard.
And ZK inflation bugs are not new. Zcash itself shipped a counterfeiting vulnerability in Sprout (BCTV14) that survived years before being silently neutralized during Sapling. Similar soundness issues have appeared in circom, halo2, and rollup verifiers since. The pattern is consistent: when the protocol is private, exploitation is undetectable. You patch the bug and hope.
3. What Zcash did right
This was a textbook decentralized incident response:
▶️ Audit: a full AI-assisted soundness audit of halo2 + Orchard, scoped end-to-end.
▶️ Discover: the agent flagged the missing constraint and worked out the algebra to turn it into an exploit. A working RPC-level PoC in ~6 hours, mostly waiting on tokens.
▶️ Coordinate: a soft fork disabling Orchard, prepared and distributed without leaking the bug, activated 2 days and 15 hours after acknowledgement. Coordinating a soft fork across miners, exchanges, and nodes without disclosing why is genuinely hard. They did it.
▶️ Disclose: timeline, code lines, math, open questions. No spin.
Worth naming explicitly: Zcash's turnstile invariant caps the value that can ever leave a shielded pool by the value that entered it. Privacy and verifiability inside the same protocol. That is not an accident. That is good engineering, and it is what kept the worst case bounded.
4. The economics of security just changed
AI does not change whether bugs like this exist. It changes the cost of finding them. I wrote about this here (https://t.co/AeurraJXhB): a missing constraint in a 4-year-old production ZK circuit used to require a top-tier cryptographer with months of context. It now requires a few tokens, an API key, and a well-framed prompt.
The defender benefits. The attacker benefits more: they only need to find it once, and they never disclose.
Orchard is the optimistic version of this story: defense got there first. The pessimistic version is the one we cannot rule out, because the chain is private by design.
5. The only real exit
You do not patch your way out of this asymmetry. You raise the floor.
Formal verification of consensus-critical circuits, every assign_advice audited by SAT solvers and AI for under-constraint, as the reporter himself recommends. Proof-grade engineering that used to be too expensive is now cheap enough to be mandatory.
Hardware roots of trust, secure enclaves, certified secure elements, WYSIWYS. Cryptographic guarantees the user can actually verify, not promises a host can lie about.
Continuous AI-assisted audit of every consensus-critical commit, re-run immediately on the release of any new frontier model.
Zcash didn't just patch a bug. They demonstrated the new defensive playbook: AI-driven audits, decentralized coordination, radical transparency, verifiable invariants. That is the direction the rest of the industry needs to follow.
And those who don't raise the bar for security will be rekt in this new world.
Stay safe. Stay honest about your trust assumptions.
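In halo2 terms, `assign_advice` writes a witness value into an advice cell, while `copy_advice` writes it and also records an equality constraint that the permutation argument enforces. The toy constraint system below is an added illustration, not halo2, Orchard or Zcash code: elliptic-curve scalar multiplication is replaced by multiplication in a toy prime field, the cell names and the lint heuristic are assumptions, and the point is only to show that a value which is assigned but not copy-constrained is the prover's to choose.

```python
"""Toy PLONKish constraint system: why `assign_advice` alone is unsound where
`copy_advice` is required. Added illustration, not halo2/Orchard code."""
from dataclasses import dataclass, field

P = 2**61 - 1  # toy prime field; an assumption, not the Pallas field Orchard uses


@dataclass
class ConstraintSystem:
    cells: dict = field(default_factory=dict)          # witness: cell -> field element
    gates: list = field(default_factory=list)          # (a, b, c): enforce a * b == c
    equalities: list = field(default_factory=list)     # (x, y): enforce x == y (copy constraint)
    assigned_only: list = field(default_factory=list)  # cells written without a copy constraint

    def assign_advice(self, cell, value):
        """Write a witness value. Nothing ties the cell to where the value came from."""
        self.cells[cell] = value % P
        self.assigned_only.append(cell)

    def copy_advice(self, src, dst):
        """Write the value AND record src == dst, which verify() enforces."""
        self.cells[dst] = self.cells[src]
        self.equalities.append((src, dst))

    def mul_gate(self, a, b, c):
        self.gates.append((a, b, c))

    def verify(self):
        """The verifier only sees constraints, never the prover's intentions."""
        for a, b, c in self.gates:
            if (self.cells[a] * self.cells[b]) % P != self.cells[c]:
                return False
        return all(self.cells[x] == self.cells[y] for x, y in self.equalities)


def build(ivk, g_d, pk_d, scalar_witness, use_copy):
    """Toy analogue of the pk_d = [ivk]*g_d check, with scalar multiplication
    replaced by field multiplication so the soundness gap fits in a few lines."""
    cs = ConstraintSystem()
    cs.assign_advice("ivk", ivk)    # pretend this cell is bound elsewhere (e.g. to a commitment)
    cs.assign_advice("g_d", g_d)
    cs.assign_advice("pk_d", pk_d)  # the public value the prover must match
    if use_copy:
        cs.copy_advice("ivk", "mul.scalar")             # correct: cell forced equal to ivk
    else:
        cs.assign_advice("mul.scalar", scalar_witness)  # bug: the prover chooses the value
    cs.mul_gate("mul.scalar", "g_d", "pk_d")
    return cs


def forge_scalar(g_d, pk_d):
    """Malicious prover: solve s * g_d == pk_d for s. Trivial in the toy field;
    against the real gadget the attacker works out the equivalent algebra."""
    return pk_d * pow(g_d, -1, P) % P


def suspicious_assignments(cs):
    """Cheap under-constraint lint: a cell written with assign_advice whose value
    duplicates an earlier cell but carries no copy constraint deserves a look."""
    linked = {c for pair in cs.equalities for c in pair}
    first_holder, findings = {}, []
    for cell in cs.assigned_only:
        v = cs.cells[cell]
        if v in first_holder and cell not in linked:
            findings.append((cell, first_holder[v]))
        first_holder.setdefault(v, cell)
    return findings


def demo():
    ivk, g_d = 12345, 67890
    honest_pk = ivk * g_d % P
    victim_pk = 424242  # a pk_d the prover does not control
    return {
        "honest_assign": build(ivk, g_d, honest_pk, ivk, False).verify(),
        "honest_copy": build(ivk, g_d, honest_pk, None, True).verify(),
        "forged_assign": build(ivk, g_d, victim_pk, forge_scalar(g_d, victim_pk), False).verify(),
        "forged_copy": build(ivk, g_d, victim_pk, None, True).verify(),
    }


if __name__ == "__main__":
    print(demo())
    print(suspicious_assignments(build(12345, 67890, 12345 * 67890 % P, 12345, False)))
```

Both circuits accept the honest witness, which is why testing with honest inputs never finds this class of bug; only the copy-constrained version rejects the forged scalar. The lint flags the assign-only cell precisely because its value happens to equal `ivk` without any constraint saying so.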
Why is crypto not going up while everything is?
Because a large majority of you cunts spent the last cycle promoting garbage negative sum meme coins to newcomers
Now those people hate crypto and your meme coin is worth zero regardless while some scamming cunt drives a new lambo
First white-hat exploit on Ethereum: I unlocked 1,003.62 Ξ ($2,000,000) trapped in a 2016 ICO smart contract for 9 years.
The 48 original investors can now claim their funds.
PSA: I now consider *all* of DeFi unsafe.
Coding agents are superhuman at finding vulnerabilities, and smart contract security is too asymmetric: defenders need to fix every bug while attackers need just one exploit to steal funds.
Funds left my wallet to this address. Not sure what the vulnerability surface is. Others are getting zeroed out as well. Mainnet ETH only and strangely SAI:
https://t.co/7P2THgWqCI
Aftermath Finance lost $1.14M to an integer overflow bug. The kind of mistake covered in week one of every intro-to-programming course.
The fee was stored as u256 (always positive) but read elsewhere as signed (positive or negative). Pass a number close to the max, signed reading wraps it to a huge negative. Fee becomes rebate. Protocol pays you to trade.
Aftermath's perp source is private. Here's the exploit reconstructed from the on-chain trace:
1. Call create_integrator_info with u256 fee = 2^256 - 10^17 (looks like a huge positive number, reads as -10^17 signed)
2. Place matching limit and market orders between two of their own accounts
3. Each trade fires PaidIntegratorFees - protocol sends USDC to the integrator (attacker)
4. Atomic, repeatable, ~$79K profit per cycle
Final on-chain proof from the exploit tx:
PaidIntegratorFees event records:
- fees: 115792089237316195423570985008687907853269984665640563689698454007913129639936 (= -3.5×10^17 in signed i256)
- integrator_address: 0x1a65086c... (the attacker)
The protocol logged itself paying a wrapped-negative fee to the exploiter. Function signature on-chain confirms: clearing_house::create_integrator_info(Address, U256) with no bounds check.
The April pattern of missing parameter bounds:
- Singularity: oracle fee tier set to 42 (Uniswap only supports 100/500/3000/10000)
- Aftermath: u256 fee parameter wraps to negative when read as signed
- Scallop: spool created without last_index initialization
Same root cause across all three: setters that don't enforce the value range invariants the rest of the contract assumes. AI agents test boundary values automatically. Wrap a number, free money comes out.
Tx: 4pGQdfFG96Ghqj1xqkaeeAgMQCpttivdkgSRUGc6wVD8
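The reinterpretation at the heart of the Aftermath write-up, as an added example rather than the protocol's (private) source: a rate stored as u256, read back as two's-complement i256, with the unguarded setter beside the hardened one and the boundary probe an agent would run against both. Function names, the fee scale and the MAX_FEE_RATE cap are hypothetical.

```python
"""Added illustration of the bug class described above: a fee stored as u256
but consumed as signed. Not Aftermath's source; names and constants are hypothetical."""

U256_MAX = 2**256 - 1
FEE_SCALE = 10**6       # hypothetical: fee rate in micro-units of notional
MAX_FEE_RATE = 10**4    # hypothetical cap: 1% of notional


def to_signed_i256(x):
    """Reinterpret a u256 bit pattern as two's-complement i256, which is exactly what a
    signed read of unsigned storage does. Any value with the top bit set goes negative."""
    if not 0 <= x <= U256_MAX:
        raise ValueError("not a u256")
    return int.from_bytes(x.to_bytes(32, "big"), "big", signed=True)


def set_integrator_fee_buggy(fee_rate):
    """The unguarded setter: stores whatever u256 it is handed."""
    if not 0 <= fee_rate <= U256_MAX:
        raise ValueError("not a u256")
    return fee_rate


def set_integrator_fee_fixed(fee_rate):
    """Hardened setter: enforce the range invariant the fee path assumes."""
    if not 0 <= fee_rate <= MAX_FEE_RATE:
        raise ValueError(f"fee rate {fee_rate} outside [0, {MAX_FEE_RATE}]")
    return fee_rate


def settle_trade(notional_usdc, stored_fee_rate):
    """Fee path that reads the stored rate as signed. Returns USDC base units moved to the
    integrator: positive means the trader pays, negative means the protocol pays a rebate."""
    rate = to_signed_i256(stored_fee_rate)
    return notional_usdc * rate // FEE_SCALE


def attacker_cycle(notional_usdc, stored_fee_rate):
    """One wash trade between two attacker-controlled accounts. The integrator fee
    fires per trade; a negative fee is protocol outflow to the attacker."""
    fee = settle_trade(notional_usdc, stored_fee_rate)
    return -fee if fee < 0 else 0


def boundary_probe(setter):
    """The boundary values an agent fuzzing a numeric setter would try first."""
    probes = [0, 1, MAX_FEE_RATE, MAX_FEE_RATE + 1, 2**255 - 1, 2**255,
              2**256 - 10**17, U256_MAX]
    accepted = []
    for v in probes:
        try:
            setter(v)
            accepted.append(v)
        except ValueError:
            pass
    return accepted


if __name__ == "__main__":
    rate = set_integrator_fee_buggy(2**256 - 10**17)
    print(to_signed_i256(rate), attacker_cycle(1_000 * 10**6, rate))
    print(boundary_probe(set_integrator_fee_buggy), boundary_probe(set_integrator_fee_fixed))
```

The check belongs in the setter, not in the fee path: once a wrapped value is in storage, every reader that treats it as signed becomes a payout.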
drift lost $285m and $1b in TVL because 2 multisig signers opened compromised VSCode instances at a conference. zero-click. no phishing link. no smart contract bug. the attacker just needed to be in the same room. 24 solana protocols hit with contagion. jupiter pulled $100m in JLP tokens. kamino paused 100k+ users. every DeFi security audit in existence evaluates code. not a single one evaluates whether your multisig signer downloaded a TestFlight app from a stranger at breakpoint. the entire industry's security model protects against the wrong attack vector. human nature is the final attack surface and it's unauditable.
The most insane long game hack of all time!
North Korea built an entire trading firm
Conference passes
In-person meetings
Multiple countries
Half a year of Telegram messages and working sessions
Even $1M of their own capital deposited to look legitimate
Then when all the pieces were in place they stole $280M
Drift just released the full incident background and it’s wild!
Fall 2025: A "quant trading firm" approaches contributors of Drift at a major conference.
They follow up in person across multiple countries. Technically fluent. Verifiable backgrounds. Typical trust-building stuff.
December-March: They onboard a real Ecosystem Vault and attend working sessions
They even deposit $1M to further build ‘trust’
The long con had set in, and by early 2026 these weren't strangers anymore
They had now built a 6-month working relationship
Then they share some repos which is routine stuff
The attack vector: a VSCode/Cursor vulnerability flagged by the security community throughout late 2025. Opening a file was enough. Silent code execution. No prompt. No warning. Nothing.
The moment the exploit fired, every Telegram message and trace of malware was scrubbed clean
No record or trace left
Every team managing meaningful TVL is a target and no one is safe from professional jobs such as this
Six months of infiltration and a trusted relationship, not just a sketchy email link
The bug is patched but the real attack vector was the relationship and patience
How do you protect against that? 🤯
karpathy is showing one of the simplest AI architectures that actually works..
dump research into a folder, let the model organise it into a wiki, ask questions, then file the answers back in.
the real insight is the loop... every query makes the wiki better. it compounds... now that's a second brain building itself.
i think this is so good for agents if applied right
instead of pulling from shared memory every session, they build a living knowledge base that stays.
your coordinator is not just coordinating tasks anymore.. it is maintaining institutional knowledge so every execution adds something back to the base.
the bigger implication is crazy tho.
agents that own their own knowledge layer do not need infinite context windows, they need good file organisation and the ability to read their own indexes.
way cheaper, way more scalable, and way more inspectable than stuffing everything into one giant prompt.
LLM Knowledge Bases
Something I'm finding very useful recently: using LLMs to build personal knowledge bases for various topics of research interest. In this way, a large fraction of my recent token throughput is going less into manipulating code, and more into manipulating knowledge (stored as markdown and images). The latest LLMs are quite good at it. So:
Data ingest:
I index source documents (articles, papers, repos, datasets, images, etc.) into a raw/ directory, then I use an LLM to incrementally "compile" a wiki, which is just a collection of .md files in a directory structure. The wiki includes summaries of all the data in raw/, backlinks, and then it categorizes data into concepts, writes articles for them, and links them all. To convert web articles into .md files I like to use the Obsidian Web Clipper extension, and then I also use a hotkey to download all the related images to local so that my LLM can easily reference them.
IDE:
I use Obsidian as the IDE "frontend" where I can view the raw data, the compiled wiki, and the derived visualizations. Important to note that the LLM writes and maintains all of the data of the wiki, I rarely touch it directly. I've played with a few Obsidian plugins to render and view data in other ways (e.g. Marp for slides).
Q&A:
Where things get interesting is that once your wiki is big enough (e.g. mine on some recent research is ~100 articles and ~400K words), you can ask your LLM agent all kinds of complex questions against the wiki, and it will go off, research the answers, etc. I thought I had to reach for fancy RAG, but the LLM has been pretty good about auto-maintaining index files and brief summaries of all the documents and it reads all the important related data fairly easily at this ~small scale.
Output:
Instead of getting answers in text/terminal, I like to have it render markdown files for me, or slide shows (Marp format), or matplotlib images, all of which I then view again in Obsidian. You can imagine many other visual output formats depending on the query. Often, I end up "filing" the outputs back into the wiki to enhance it for further queries. So my own explorations and queries always "add up" in the knowledge base.
Linting:
I've run some LLM "health checks" over the wiki to e.g. find inconsistent data, impute missing data (with web searches), find interesting connections for new article candidates, etc., to incrementally clean up the wiki and enhance its overall data integrity. The LLMs are quite good at suggesting further questions to ask and look into.
Extra tools:
I find myself developing additional tools to process the data, e.g. I vibe coded a small and naive search engine over the wiki, which I both use directly (in a web ui), but more often I want to hand it off to an LLM via CLI as a tool for larger queries.
Further explorations:
As the repo grows, the natural desire is to also think about synthetic data generation + finetuning to have your LLM "know" the data in its weights instead of just context windows.
TLDR: raw data from a given number of sources is collected, then compiled by an LLM into a .md wiki, then operated on by various CLIs by the LLM to do Q&A and to incrementally enhance the wiki, and all of it viewable in Obsidian. You rarely ever write or edit the wiki manually, it's the domain of the LLM. I think there is room here for an incredible new product instead of a hacky collection of scripts.
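The deterministic half of the "linting" and "extra tools" steps in the two posts above (broken wikilinks, orphan pages, index regeneration, a naive search), as an added example and not Karpathy's or anyone's actual tooling. The wiki is a constructed in-memory dict of page name to markdown text so it runs offline; point it at a directory walk to use it on a real vault.

```python
"""Added example, not the tooling described above: mechanical health checks over a
directory-of-.md wiki. Pages are a constructed dict (page name -> text)."""
import re

WIKILINK = re.compile(r"\[\[([^\]|#]+)(?:[#|][^\]]*)?\]\]")  # [[page]], [[page|alias]], [[page#sec]]


def links_of(text):
    return {m.group(1).strip() for m in WIKILINK.finditer(text)}


def summary_of(text):
    """First non-empty, non-heading line doubles as the page summary for the index."""
    for line in text.splitlines():
        s = line.strip()
        if s and not s.startswith("#"):
            return s
    return ""


def lint_wiki(pages):
    """Broken links, orphan pages and empty stubs: the integrity checks an LLM
    'health check' pass should be confirming mechanically, not by vibes."""
    names = set(pages)
    backlinks = {n: set() for n in names}
    broken = {}
    for src, text in pages.items():
        for target in links_of(text):
            if target in names:
                backlinks[target].add(src)
            else:
                broken.setdefault(src, set()).add(target)
    return {
        "broken": {k: sorted(v) for k, v in sorted(broken.items())},
        "orphans": sorted(n for n in names if n != "index" and not backlinks[n]),
        "empty": sorted(n for n, t in pages.items() if not summary_of(t)),
        "backlinks": {k: sorted(v) for k, v in backlinks.items()},
    }


def build_index(pages):
    """Regenerate index.md from page summaries so the index cannot drift from the pages."""
    lines = ["# Index", ""]
    for name in sorted(n for n in pages if n != "index"):
        lines.append(f"- [[{name}]]: {summary_of(pages[name]) or '(no summary)'}")
    return "\n".join(lines) + "\n"


def naive_search(pages, query):
    """Term-frequency ranking: the small search tool an agent can call from a CLI."""
    terms = query.lower().split()
    scored = [(sum(t.lower().count(term) for term in terms), n) for n, t in pages.items()]
    return [n for score, n in sorted(scored, key=lambda x: (-x[0], x[1])) if score > 0]


# Constructed sample wiki, not real notes.
SAMPLE = {
    "index": "# Index\n\n- [[zk-soundness]]\n- [[halo2]]\n",
    "zk-soundness": "# ZK soundness\nMissing constraints let a prover cheat.\n"
                    "See [[halo2|the halo2 page]] and [[orchard]].\n",
    "halo2": "# halo2\nPLONKish proving system with copy constraints.\n",
    "orphan-note": "# Orphan\nNobody links here yet.\n",
    "stub": "# Stub\n",
}

if __name__ == "__main__":
    print(lint_wiki(SAMPLE))
    print(build_index(SAMPLE))
    print(naive_search(SAMPLE, "constraints prover"))
```

Running the lint before and after each LLM pass gives a cheap regression check: the model is allowed to add pages and links, but a pass that introduces a broken link or strips a page's summary should fail review.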
i can't stop thinking about the drift protocol hack.
not because of the $280m. we've seen big numbers before. i can't stop thinking about how it happened. and what it says about everything we're building.
on april 1st, while people were posting jokes, an attacker drained $280 million from drift protocol in minutes. the team had to literally tweet "this is not an april fools joke."
but this didn't start on april 1st. it started on march 23rd.
that's when the attacker created four durable nonce accounts. two tied to drift's own security council multisig members. two controlled by the attacker. quietly. no alarms. no flags.
on march 27th, drift migrated their security council due to a routine member change. by march 30th, the attacker had already compromised a signer on the new multisig too.
then on april 1st, they executed.
a test transaction first. then one minute later, two pre-signed transactions fired four slots apart. admin takeover. withdrawal limits removed. a malicious asset introduced. every vault drained. jlp. sol. btc. usdc. over 15 tokens gone.
the entire thing took minutes.
this wasn't a bug. this wasn't a smart contract exploit. this wasn't a flash loan or an oracle manipulation. drift's own report confirms it (you can check @DriftProtocol's latest to confirm). no compromised seed phrases. no code vulnerability.
this was social engineering.
the attacker got 2 out of 5 multisig signers to approve transactions they didn't fully understand. used durable nonces to pre-sign them. then waited. patiently. for over a week.
two signatures out of five. that was the security standing between users and $280 million.
two out of five.
i keep coming back to that number because this is the part that should make everyone uncomfortable. not the hack itself. the architecture that made it possible.
we've seen this before. we've seen this so many times.
bybit. $1.4 billion. the attacker compromised the signing infrastructure and tricked signers into authorizing malicious transactions. same concept. social engineering. not code.
ronin bridge. $625 million. compromised validator keys. same story.
cetus protocol. $223 million. different method but same result. hundreds of millions gone.
in 2025 alone, $3.4 billion was stolen in crypto. and the pattern is almost always the same. not brilliant code exploits. not zero-day vulnerabilities. someone was tricked. a key was exposed. a human made a mistake.
only 19% of hacked protocols even used multi-sig wallets. and the ones that did, like drift, got beaten anyway. because the weakest link was never the code. it was always the person holding the key.
now here's what makes me angry.
i've seen people dunking on solana over this. blaming svm. questioning the entire chain. the same thing happened after bybit when people started questioning evm and ethereum's security model.
this is not a solana problem. this is not an ethereum problem. this is not chain-specific at all.
drift's own report says it clearly. the programs and smart contracts worked exactly as designed. the chain did what it was supposed to do. a human was tricked into signing something they shouldn't have. that can happen on any chain. any protocol. any ecosystem.
pointing fingers at solana is a deflection. and it's net negative for the entire space because it distracts from the real conversation we need to have.
which brings me to circle.
nine days before the drift hack, circle froze 16 business wallets overnight. legitimate companies. crypto exchanges. forex platforms. payment processors. no criminal charges. a sealed civil lawsuit that nobody could even read. no advance warning. businesses woke up and couldn't process payments, couldn't settle trades, couldn't serve their customers.
zachxbt called it "potentially the single most incompetent freeze" he'd seen in over five years of investigations. one of the frozen wallets wasn't even a business. it was a dfinity bridge contract used by thousands of users who had nothing to do with the case.
then nine days later, $280 million is being drained from drift in real time. the attacker is converting stolen tokens through jupiter, bridging them to ethereum, moving funds through circle's own cross-chain transfer protocol.
and the freeze didn't come fast enough.
so circle can shut down 16 legitimate businesses overnight for a civil case. but a quarter billion being actively stolen through their own infrastructure? different speed.
i'm not saying circle is the villain here. i'm saying the system is broken in ways that should concern everyone.
now think about who's actually affected by drift.
it's not just traders. protocols are built on top of drift. neobanks integrate with defi infrastructure. real customers with no idea what a multisig even is woke up and saw they couldn't access their money. some platforms said user funds are safe. but nobody could withdraw.
your money is "safe" but you can't touch it. think about what that feels like for someone who just wanted a better savings rate.
i know what it feels like on a smaller scale. i lost $5,000 to social engineering. it's nothing compared to $280 million. but the feeling is the same. that moment when you realize the funds are gone and there's nothing you can do. it doesn't scale with the dollar amount. it's the same pit in your stomach whether it's $5k or $280m.
and here's the question i keep circling back to.
we say defi is the future. we say we're going to onboard the next billion users. we say this technology will replace traditional finance and bank the unbanked and give people financial sovereignty.
but how do we onboard millions of people into a system where a social engineering attack can drain a quarter billion dollars in minutes? where 2 out of 5 signatures is considered security for $280m? where the attacker sets up wallets two weeks early, runs a test transaction, and nobody notices? where circle can freeze legitimate businesses overnight but can't stop a live heist fast enough? where the same attack, the same playbook, the same human error keeps happening year after year after year?
ronin. bybit. cetus. now drift. same cause. different name. different chain. same result.
defi doesn't have a code problem. it has a people problem. and we keep solving for the code.
i haven't interacted with a protocol in a while. i like money. but i love safety more. and right now this space is asking me to choose between the two.
security can't keep being the last conversation. it can't keep being the thing we talk about after the hack and forget about before the next one. it has to be the first priority. not the last.
because right now we're not ready for the next billion users. we're barely keeping the ones we have safe.
Drift Protocol just released their thread on the $280 million hack
It's worse than anyone thought too
There was no code exploit. It wasn’t a flash loan. It wasn’t even a traditional key theft.
Solana has a feature called "durable nonces" that lets you sign a transaction today but execute it days or weeks later
Sound familiar EVM critics? 😏
Think of it like writing a signed check and leaving it in someone's drawer until they decide to cash it.
The attacker used this to build a time bomb inside Drift's own governance system.
So I was wrong and Solana’s architecture did in fact play a role in this exploit occurring. Similar to how a hacker exploits approvals on EVM chains.
Here's how it played out:
March 23: The attacker sets up four of these delayed-execution accounts. Two are tied to real Drift Security Council members and two belong to the attacker.
At some point, the attacker tricks two of Drift's five council members into signing transactions they didn't fully understand.
Blind signing is something I have called out a lot and it is a major issue with many of these chains
Drift calls it "transaction misrepresentation" 🤨
But in reality they were socially engineered into signing their own robbery
Those signatures sat dormant for nine days!
March 27: Drift rotates its security council. New members, fresh setup. Doesn't matter. The attacker compromises two of the five new signers too.
April 1: Drift runs a routine test transaction. Sixty seconds later, the attacker cashes those pre-signed checks. Two transactions, four Solana slots apart. Full admin control.
Every withdrawal limit removed. Every vault drained.
$280 million. Gone.
Two out of five signatures is all it took 🤦♂️
But also clearly some major planning and patience for this elaborate attack
Blind signing
Durable nonces which function similarly to approvals
Poor key management
Insecure infrastructure
Everything worked as it was designed to work and this was just an incredibly well orchestrated and thought out attack
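A toy model of the mechanics the two Drift threads above describe, as an added example and not Solana, Drift or Squads code: a durable nonce keeps a pre-signed message valid until the nonce account is advanced, a recent-blockhash message expires after a short window, and a 2-of-5 council executes whatever carries two valid member signatures. Signatures are HMAC stand-ins for ed25519, slots are a counter, the instruction strings are placeholders, and the "stale nonce account" rule is an assumption about what an ops team could watch for.

```python
"""Toy model of Solana durable nonces plus a 2-of-5 multisig, added to illustrate
the sequence above. Not Solana/Drift code: HMAC stands in for ed25519, slots are a
counter, and the stale-nonce monitor is an assumption, not any project's feature."""
import hashlib
import hmac
import json

SLOTS_PER_DAY = 216_000  # ~0.4 s per slot; approximation
BLOCKHASH_TTL = 150      # slots a recent blockhash stays valid in this toy
SECRETS = {m: f"secret-{m}" for m in ["alice", "bob", "carol", "dave", "erin", "frank", "grace"]}


def _h(*parts):
    return hashlib.sha256("|".join(map(str, parts)).encode()).hexdigest()


def sign(member, message):
    return hmac.new(SECRETS[member].encode(), message.encode(), hashlib.sha256).hexdigest()


class Chain:
    def __init__(self):
        self.slot = 0
        self.nonces = {}  # account -> {authority, nonce, last_advanced}

    def blockhash(self, slot):
        return _h("blockhash", slot)

    def create_nonce(self, account, authority):
        """Anyone can fund a nonce account and name a council member as its authority."""
        self.nonces[account] = {"authority": authority, "nonce": _h("nonce", account, self.slot),
                                "last_advanced": self.slot}

    def advance_nonce(self, account, signer):
        """Only the authority can advance; doing so voids every tx signed over the old value."""
        acct = self.nonces[account]
        if signer != acct["authority"]:
            raise PermissionError("not the nonce authority")
        acct["nonce"] = _h("nonce", account, self.slot, acct["nonce"])
        acct["last_advanced"] = self.slot


def build_message(instructions, blockhash=None, nonce_account=None, nonce=None):
    """A message carries either a recent blockhash (expires) or a durable nonce (does not)."""
    return json.dumps({"ix": instructions, "blockhash": blockhash,
                       "nonce_account": nonce_account, "nonce": nonce}, sort_keys=True)


class Multisig:
    def __init__(self, members, threshold):
        self.members, self.threshold = set(members), threshold

    def rotate(self, remove, add):
        self.members.discard(remove)
        self.members.add(add)

    def execute(self, chain, message, sigs):
        """Signatures are counted against the CURRENT member set at execution time."""
        m = json.loads(message)
        if m["nonce_account"] is not None:
            acct = chain.nonces[m["nonce_account"]]
            if acct["nonce"] != m["nonce"]:
                return False, "nonce already advanced"
        else:
            window = range(max(0, chain.slot - BLOCKHASH_TTL), chain.slot + 1)
            if not any(chain.blockhash(s) == m["blockhash"] for s in window):
                return False, "blockhash expired"
        valid = {who for who, sig in sigs.items()
                 if who in self.members and hmac.compare_digest(sig, sign(who, message))}
        if len(valid) < self.threshold:
            return False, f"{len(valid)} valid signatures, need {self.threshold}"
        if m["nonce_account"] is not None:
            chain.advance_nonce(m["nonce_account"], acct["authority"])  # consumed on execution
        return True, "executed"


def stale_nonce_accounts(chain, watched, max_age_slots):
    """Ops check: nonce accounts whose authority is a current signer and which have sat
    unadvanced longer than max_age_slots. Each one is a standing, already-signable cheque."""
    return sorted(n for n, a in chain.nonces.items()
                  if a["authority"] in watched and chain.slot - a["last_advanced"] > max_age_slots)


def run_scenario(durable=True, member_advances=False, rotate_out=()):
    chain = Chain()
    council = Multisig(["alice", "bob", "carol", "dave", "erin"], threshold=2)
    chain.create_nonce("n1", "alice")  # attacker-created, members named as authority
    chain.create_nonce("n2", "bob")
    payload = ["set_admin(attacker)", "remove_withdrawal_limits", "withdraw_all_vaults"]
    if durable:
        msg = build_message(payload, nonce_account="n1", nonce=chain.nonces["n1"]["nonce"])
    else:
        msg = build_message(payload, blockhash=chain.blockhash(chain.slot))
    sigs = {"alice": sign("alice", msg), "bob": sign("bob", msg)}  # misrepresented, blind-signed
    chain.slot += 9 * SLOTS_PER_DAY                                  # signatures sit dormant
    if member_advances:
        chain.advance_nonce("n1", "alice")                           # defender voids the cheque
    for old, new in zip(rotate_out, ["frank", "grace"]):
        council.rotate(old, new)
    stale = stale_nonce_accounts(chain, council.members, SLOTS_PER_DAY)
    ok, reason = council.execute(chain, msg, sigs)
    return {"ok": ok, "reason": reason, "stale": stale}
```

Two things fall out of the toy that match the threads. First, the same two blind signatures that would have expired in minutes under a recent blockhash execute nine days later under a durable nonce, and rotating the council only helps if the signers who approved are the ones rotated out. Second, a pre-signed durable-nonce transaction leaves an observable footprint before it fires: a nonce account whose authority is a council signer and which nobody has advanced. A signer who advances every nonce account they are authority of, on rotation or on suspicion, voids anything signed over the old value.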