Introducing Blockaid's Risk Exposure:
A real-time onchain compliance solution that lets organizations monitor addresses and transactions, and act the moment they're exposed to illicit funds.
Powered by Blockaid’s first-party signals to make policies programmatically enforceable.
We’ve been working with @blockaid_ on investigating the legacy @humafinance v1 protocol exploit, and for transparency I’m sharing their excellent root cause analysis (link in the first reply).
Here is a TL;DR and the key architectural learnings from the incident. 👇
TL;DR
The Exploit: An attacker found a smart contract bug and drained ~$101K in leftover protocol and pool owner fees from three legacy v1 pools on Polygon.
User Funds: Zero user funds were impacted.
Isolation: This is strictly a v1 issue. It is completely unrelated to PayFi Strategy Tokens (PST), the permissioned v2 pools, or the permissionless programs (PST & Prime).
Solana Programs: The Solana programs feature a fully redesigned architecture and do not contain the exploited functions or logic.
Status: All v1 pools have been paused.
Key Architectural Learnings

On the surface, this was a smart contract bug in v1, launched in early 2023, but it highlights several critical protocol design and operational considerations where different paths should have been pursued:
1. Decouple state transitions from complex logic. Functions like _updateDueInfo() and _getDueInfo() carried high complexity to calculate dues and fees. Embedding state transitions within these complex functions is an anti-pattern. This complexity was recognized as unsatisfactory and was completely abandoned during the architecture of Huma v2 smart contracts.
2. Ruthlessly eliminate unused functions. requestCredit() was built to support future expansion but never actively utilized in operations. Non-critical functions inherently receive less testing and security scrutiny, creating an unnecessary attack vector. We even discussed removing it before launch, but kept it under the assumption that it doesn’t add much complexity. If a function isn't required for current operations, it shouldn't be in the contract.
3. Proactively migrate and close legacy pools. Leaving older contracts out on the blockchain creates unnecessary liabilities. With developers and attackers both leveraging AI extensively today, legacy contracts that haven't undergone AI-assisted audits are naturally more vulnerable. Older pools should be actively migrated and fully closed, rather than left running. We were in the process of sunsetting the v1 pools, but didn't have a chance to complete it.
This is a hard lesson. But a hard lesson should never be wasted. Sharing these reflections to help the entire ecosystem in the joint defense against attackers. DeFi United, DeFi Strong! 🛡️
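The following is an added Solidity illustration of learnings 1 and 2 above, not code from Huma, Blockaid or the root cause analysis. The contract is hypothetical: the function names _getDueInfo(), _updateDueInfo() and requestCredit() are borrowed from the post, but their bodies, the CreditRecord struct, the 30-day period and the 10% APR are invented, and nothing here reproduces the actual v1 bug (its mechanics are not described on this page). The first contract fuses the due/fee arithmetic with the storage write and keeps an unused entry point; the second separates a pure calculation from a single, narrow state transition and drops the unused function.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Shared storage layout for both variants (hypothetical, not Huma's).
abstract contract CreditLineBase {
    struct CreditRecord {
        uint96 unbilledPrincipal;
        uint96 totalDue;
        uint64 dueDate; // 0 means the line has not been opened yet
    }
    uint256 public constant PERIOD = 30 days;
    uint256 public constant APR_BPS = 1000; // 10% APR, illustrative
    mapping(address => CreditRecord) internal _records;

    function _openIfNeeded(address borrower) internal {
        CreditRecord storage rec = _records[borrower];
        if (rec.dueDate == 0) rec.dueDate = uint64(block.timestamp + PERIOD);
    }
}

/// Learning 1 anti-pattern: one function both computes the new dues and
/// writes them, so every caller that needs the numbers also mutates state.
contract CreditLineFused is CreditLineBase {
    function _updateDueInfo(address borrower) internal returns (CreditRecord memory cr) {
        cr = _records[borrower];
        if (block.timestamp > cr.dueDate) {
            uint256 periodsPassed = (block.timestamp - cr.dueDate) / PERIOD + 1;
            for (uint256 i = 0; i < periodsPassed; i++) {
                // Compounding interest on principal plus outstanding dues.
                uint256 interest = ((uint256(cr.unbilledPrincipal) + cr.totalDue) * APR_BPS * PERIOD)
                    / (10_000 * 365 days);
                cr.totalDue += uint96(interest);
            }
            cr.dueDate = uint64(uint256(cr.dueDate) + periodsPassed * PERIOD);
        }
        _records[borrower] = cr; // state transition buried inside the calculation
    }

    function drawdown(uint96 amount) external {
        _openIfNeeded(msg.sender);
        _updateDueInfo(msg.sender);
        _records[msg.sender].unbilledPrincipal += amount;
    }

    /// Learning 2 anti-pattern: built for future expansion, never used in
    /// operations, yet it is a second path into the mutating function and
    /// gets correspondingly little test and audit attention.
    function requestCredit(uint96 amount) external {
        _openIfNeeded(msg.sender);
        _updateDueInfo(msg.sender);
        _records[msg.sender].unbilledPrincipal += amount;
    }
}

/// Refactored: pure calculation, one narrow state transition, no dead code.
contract CreditLineSeparated is CreditLineBase {
    /// Pure: takes a record and a timestamp, returns the updated record,
    /// never reads or writes storage. Testable with arbitrary inputs.
    function _getDueInfo(CreditRecord memory cr, uint256 nowTs)
        internal pure returns (CreditRecord memory)
    {
        if (nowTs <= cr.dueDate) return cr;
        uint256 periodsPassed = (nowTs - cr.dueDate) / PERIOD + 1;
        for (uint256 i = 0; i < periodsPassed; i++) {
            uint256 interest = ((uint256(cr.unbilledPrincipal) + cr.totalDue) * APR_BPS * PERIOD)
                / (10_000 * 365 days);
            cr.totalDue += uint96(interest);
        }
        cr.dueDate = uint64(uint256(cr.dueDate) + periodsPassed * PERIOD);
        return cr;
    }

    /// The only place a due-info state transition happens: read, compute, write.
    function _updateDueInfo(address borrower) internal {
        _records[borrower] = _getDueInfo(_records[borrower], block.timestamp);
    }

    /// Read-only consumers get the same numbers without touching storage.
    function getDueInfo(address borrower) external view returns (CreditRecord memory) {
        return _getDueInfo(_records[borrower], block.timestamp);
    }

    function drawdown(uint96 amount) external {
        _openIfNeeded(msg.sender);
        _updateDueInfo(msg.sender);
        _records[msg.sender].unbilledPrincipal += amount;
    }
    // No requestCredit(): a function not required for current operations is
    // not in the contract (learning 2).
}
```

Because _getDueInfo() is pure in the second variant, its arithmetic can be fuzzed and property-tested in isolation (for example, that dueDate is always advanced past nowTs and that totalDue never decreases), while the audit surface for state changes shrinks to the two-line _updateDueInfo() and the single external function that reaches it.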
🚨 Community Alert: Blockaid's exploit detection system has detected an exploit of @PolytopeLabs' Hyperbridge cross-chain infrastructure and DOT tokens via forged ISMP state proofs on Ethereum, Arbitrum, Base and BSC.
More details:
@Goboony your customer service is very poor. Someone please contact me today; my booking is about to be cancelled because your team is so unresponsive and unhelpful.
In the last 24 hours, @ResolvLabs USR was exploited with ~80M tokens minted because of a compromised private key.
↓ @blockaid_ detected the exploit in real time and has been monitoring it since.
2 years ago, it was a handful of us building. Today, Blockaid is the trusted security layer for the largest companies operating onchain.
→ SKO 2026 in Miami
→ GTM team 3X'd this past year
→ We're hiring: https://t.co/NNjnQGjsas
One team with a shared vision, having fun doing it.
Key findings from 2025:
- 63 incidents, $2.58B lost
- Losses peaked in Q1, driven by Bybit’s $1.5B hack
- Infrastructure exploits caused most losses
- Frequency ≠ financial impact
Funds have been recovered 🔒 with a 10% bounty agreed and covered by the IPOR DAO. This concludes the good-faith white hat incident.
Current Status
• The IPOR Fusion app continues to operate as usual.
• No other Fusion vaults share the conditions required for this attack vector.
• The incident was isolated to one legacy IPOR USDC Fusion vault on Arbitrum, which remains paused.
• Root cause involved external factors (Pectra / ERC-7702) combined with a legacy validation gap - not part of core Fusion infrastructure.
Sincere thanks to @hexagate_, @blockaid_, @blocksecteam, and @_SEAL_Org for their notification, assistance, and coordination.
All affected depositors will be made whole.
Further updates and coordination with impacted users will be shared in IPOR's Discord.
.@hedera Heads to Sibos, Adds Blockaid Security
🔹 $HBAR to showcase tokenization, AI, and HashSphere at Sibos Frankfurt.
🔹 Blockaid integration adds proactive dApp and token scan security on HashPack.
🔹 Ecosystem expanded with Dfns, KAIO, Swarm, and Asset Tokenization Studio award win.
Many of us don't know this because it was a long time back.
@rainbowdotme is not doing it alone, because I believe two heads are better than one.
That's why they partnered with @blockaid_ to ensure you receive notifications about potentially harmful dapps before making transactions.
Want to know more about this partnership?
Check this out: https://t.co/RdVNuH2REL
Bring your friends to attend #NODES2022 and WIN a cash prize! 👀🎉
The 10 participants with the most friends attending will each receive $500.
Read how, here:
https://t.co/nk9t57SPbW
#Neo4j #contest #prizes @neo4j
Join this free webinar to discover how #AstraZeneca use a @Neo4j Reaction Knowledge Graph to integrate data from multiple sources to predict new reactions.
Register:
https://t.co/zLiLHDQqBs
#Neo4j #KnowledgeGraphs @AstraZeneca
Road to NODES workshops are on 🔥!
On October 26th, we'll cover some best practices related to:
✅Using the Neo4j Graph Data Science #Python client
✅How to parallelize in Python without headaches
https://t.co/cG0sfVp3zu
#NODES2022 #workshops #freetraining #Neo4j @neo4j