"From the moment I understood the weakness of my flesh, it disgusted me. I craved the strength and certainty of steel. I aspired to the purity of the blessed machine... But I am already saved. For the Machine is Immortal."
A guy I know went for a backend role thinking he was ready.
First question they asked:
“What happens when two users try to update the same data at the same time?”
He froze.
Not because he hadn’t seen it… but because he never understood it deeply.
So here are backend concepts explained simply.
Save this. You’ll need it.
A Nigerian startup launched their app. Built a clean OTP flow. No rate limiting on the SMS endpoint. Shipped it.
Within 48 hours, their Termii balance went from ₦150,000 to zero.
They woke up to failed OTP delivery complaints from real users.
Checked their logs.
Someone had been hitting their /send-otp endpoint in a loop with thousands of requests, sending SMS to sequential phone numbers that were not even their users.
This is called SMS pumping fraud.
Here is how it works:
• Fraudsters find your open OTP endpoint
• They send requests to thousands of phone numbers, sometimes numbers they control on premium routes
• Every successful SMS costs you money
• They get a cut from the carrier. You get the bill.
It is automated. It runs while you sleep.
The fixes that would have stopped it entirely:
• Rate limit by IP: max 3 OTP requests per IP per hour
• Rate limit by phone number: max 3 requests per number per 10 minutes
• Add a minimum delay between requests
• Implement CAPTCHA or device fingerprinting on the frontend
• Alert yourself when SMS spend spikes above a threshold
None of this is complicated.
All of it takes less than a day to implement.
That startup lost ₦150,000 in two days and had to shut down OTP entirely while they fixed it.
Their users thought the app was broken.
Some never came back.
The breach was not dramatic.
No hacker. No sophisticated attack.
Just an open endpoint and a bot.
Secure your OTP flow before you launch.
Not after you've learned the hard way.
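The per-IP and per-number limits listed above, the minimum delay, and the spend alert, combined into one gate in front of /send-otp. This is an added example, not the startup's code: the 3-per-hour and 3-per-10-minutes limits come from the post, while MIN_DELAY, the per-SMS cost, the alert window and the alert threshold are assumed values, and the clock is injected so the logic can be exercised offline.

```python
from collections import defaultdict, deque

# IP and phone limits are from the post; the other four numbers are assumptions.
IP_LIMIT, IP_WINDOW = 3, 3600         # max 3 OTP requests per IP per hour
PHONE_LIMIT, PHONE_WINDOW = 3, 600    # max 3 requests per number per 10 minutes
MIN_DELAY = 30                        # assumed: seconds between sends to one number
SMS_COST_NGN = 4.0                    # assumed: cost charged per SMS
SPEND_WINDOW, SPEND_ALERT_NGN = 3600, 20_000.0  # assumed: alert above this per hour


class OtpGuard:
    """Gate in front of /send-otp: only a call that passes every check sends an SMS."""

    def __init__(self, now):
        self.now = now                      # callable returning seconds (e.g. time.time)
        self.by_ip = defaultdict(deque)     # ip -> timestamps of sends that were allowed
        self.by_phone = defaultdict(deque)  # phone -> timestamps of sends that were allowed
        self.spend = deque()                # (timestamp, cost) of every SMS sent
        self.spend_total = 0.0              # running cost inside SPEND_WINDOW
        self.alerts = []                    # spend alerts raised (fires once)

    @staticmethod
    def _prune(q, cutoff):
        while q and q[0] < cutoff:          # drop timestamps outside the sliding window
            q.popleft()

    def check(self, ip, phone):
        # Returns (allowed, reason); a denied call does not consume any quota.
        t = self.now()
        ip_q, ph_q = self.by_ip[ip], self.by_phone[phone]
        self._prune(ip_q, t - IP_WINDOW)
        self._prune(ph_q, t - PHONE_WINDOW)
        if len(ip_q) >= IP_LIMIT:           # one IP looping over sequential numbers
            return False, "ip_rate_limited"
        if len(ph_q) >= PHONE_LIMIT:        # one number hammered from many IPs
            return False, "phone_rate_limited"
        if ph_q and t - ph_q[-1] < MIN_DELAY:
            return False, "too_soon"
        ip_q.append(t)
        ph_q.append(t)
        self._record_spend(t)
        return True, "ok"

    def _record_spend(self, t):
        # Track SMS cost over the last hour and raise one alert when it spikes.
        self.spend.append((t, SMS_COST_NGN))
        self.spend_total += SMS_COST_NGN
        while self.spend and self.spend[0][0] < t - SPEND_WINDOW:
            self.spend_total -= self.spend.popleft()[1]
        if self.spend_total > SPEND_ALERT_NGN and not self.alerts:
            self.alerts.append(f"SMS spend NGN {self.spend_total:.0f} in the last hour")
```

In a real deployment the deques would live in a shared store such as Redis so every app instance enforces the same counts, and the alert would page someone rather than append to a list.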
You have ₦100,000 in your GTBank account right now. You log in. It says ₦100,000. Feels safe, right?
Funniest part: it's not there. The money is not there.
The moment you deposited it, the bank kept ₦10k and loaned out ₦90k to someone else... That person spent it. It landed in another bank. That bank loaned out 90% of it again.
This cycle repeats infinitely; your ₦100k has been "used" by at least 6 different people.
What you actually own is a promise from your bank that they'll give it back when you ask.
This is called fractional reserve banking.
Every bank in the world runs on it. It's not fraud. It's just how it works.
Most people never know this.
If you keep fixing one bug after another,
chances are high your understanding
of the problem is wrong 🤷‍♂️
Stop debugging the code.
Start debugging your mental model.
Drawing pictures helps reveal
knowledge gaps and misconceptions 👍😉
If there's one thing I learned over the last year of being surrounded by the best founders / the most entrepreneurial people in the world, it's that everything before Series A is about you as a person.
They say they do, but in reality they (VCs) don't care about your market or your product or your tech or anything else.
They care about why YOU're the person to dominate in the field you're going after.
They literally only invest in people.
So if you're struggling to raise, it's a you issue, not a business issue.
multitasking is death.
it just feels like you're doing many things but it just adds unclarity + unnecessary pressure. monotasking is true freedom and you're more likely to end up doing many things if you got them done one by one instead of together.
misc thoughts from writing some code by hand for the first time in a bit:
- there are so many microdecisions that you make while manually coding that get lost when looking at a plan
- 0 skill atrophy; I immediately got back into being able to write good code. If they turned off the models tomorrow I'd be annoyed but fine
- planning in markdown files is dumb, plan via making an MVP of what you want to build and have the agent implement that instead
- good programming probably looks like a mix of agentic and regular programming, no tools do this well today
nothing revolutionary in here, don't offload the important parts, love LLMs for the grunt work, code still matters imo but you have to figure out which parts
anyways, worth giving a shot if you've been stuck with agents on a problem and need a fresh perspective
Best decision I made this year: switching to paid trials.
Free users were 50% of our token costs, brought abuse and spam, and rarely converted.
Paid trials converted better, lowered noise, and increased customers.
As a bootstrapped product, I’d rather serve serious users than compete with VC-funded free plans.
Google is now spending more on AI infrastructure than it earns in cash, and is raising equity and debt simultaneously to fund it. The interesting question isn’t the financing. It’s what return they’re assuming on $190B/year of capex.
dunno what patience/perseverance means to other people, but for me it's literally gritting my teeth and yelling at myself in my head to just fkin focus and do the thing for long periods of time. it's **exhausting**. I wish I had the calm of the truly zen ones (if they exist?)
Lab researchers are basically the same people they were 5 years ago. They’re not product masterminds or visionaries. They’re tech employees in a new outfit.
Incentives are all still the same career wise. The only difference is the size of the TC packages
VCs can smell a Claude deck from a mile away. But honestly, if your deck is good enough to get the meeting, does the font choice really matter? Asking for a friend who definitely didn't use Claude.
Claude is an absolute scourge on pitch decks. This aesthetic is unmistakable.
I see 100s of decks/mo. The last 3 months esp., most of these are all color-swapped clones.
If you can’t be bothered to differentiate your deck, how can you be trusted to differentiate your company?
You sent ₦5,000 to your friend at 11:43pm.
It hit them in 4 seconds.
Here's what happened in those 4 seconds that nobody talks about:
Your bank received the request and debited your account.
They sent a message to NIBSS, the Nigerian Inter-Bank Settlement System.
NIBSS is basically the middleman every Nigerian bank is connected to.
NIBSS identified your friend's bank and routed the instruction... Their bank received it, credited the account, and triggered the alert.
4 systems. 3 institutions. 1 shared national infrastructure.
All in the time it took you to lock your screen.
Next time a transfer fails at night, it's usually NIBSS, not your bank.
A programmer discovered he could open an OPay account in his mother's name.
Not with her phone. Not with her BVN. Not with her NIN.
Just her bank account number, which she had shared publicly for a business transaction, combined with any random address and a phone number he controlled.
He did it. Verified it on video.
OPay had a third onboarding option called "Verify with bank account." It bypassed the standard BVN and NIN checks entirely.
Fraudsters had already found it before the journalists did.
The scam worked like this:
• Find someone's account number online from a giveaway post, a business flyer, anywhere
• Open an OPay account in their name using your phone number
• Use that account to solicit transfers from their contacts, impersonating them
It escalated fast. Tech CEOs were being impersonated. Adewale Yusuf of AltSchool Africa. The CEO of Techpoint itself. Fake messages asking for urgent funds, sent from accounts bearing real names people recognised.
One woman had her phone stolen. Fraudsters opened accounts in her name and drained ₦100,000 from her contacts before she even knew.
Techpoint published the story on December 15, 2023.
OPay disabled the feature on December 18.
Three days.
That feature had existed long enough to cause real damage to real people.
The lesson is not that OPay was careless.
The lesson is that convenience features in onboarding are attack surfaces.
Every "easier way to sign up" is a question you need to answer: what does this unlock for someone with bad intent?
If you cannot answer that question before shipping...do not ship the feature.
It took almost a week for extremely talented developers and the most powerful AI models to fix this bug.
That means it would take a single average developer many months to fix a similar bug.
The most underpaid role in Nigerian tech is the backend engineer who actually understands payments.
Not the one who integrated Paystack.
The one who knows what happens when the transaction hits the card scheme, bounces, and the customer's account is still debited.
That engineer is rare. Pay them well.