Many crypto startups claim to be "security first," but the reality is often quite different. It is common to find projects with hundreds of millions in TVL that do not have a dedicated head of security or even a security team. Often, security is just an engineer doing "double duty," which is impossible to maintain given how busy engineers are.
Security is not the default state. You must be intentional about it because it does not happen on its own. Without an explicit effort to understand OpSec and best practices, a project is simply a target waiting to happen.
Security is a difficult sell because its primary benefit is that nothing bad happens. The true ROI becomes clear when you see the consequences of accumulated "crap" like bug bounties, phishing emails, and engineering slowdowns caused by constant bug triaging.
We are building financial infrastructure where trust is the ultimate differentiator. While the "crown jewels" in Web2 are data, the crown jewels in Web3 are money. Because of this, security shouldn't just be viewed as a cost; it should be a way to build the hype and thought leadership that leadership teams crave.
When a protocol is hacked, it isn't just VC money that is lost; it is the savings of regular people: moms, dads, and grandparents who use crypto because they may not have access to traditional banking. This makes the lack of dedicated security teams in protocols holding massive TVL even more critical.
In Web3, incident response speed is far more vital than in Web2 because transactions are immutable and funds can vanish instantly. Startups should have incident response plans and retainers in place before a hack occurs, rather than trying to find help while their funds are being drained.
A dedicated security team doesn't just wait for alerts; they hunt for threats. This includes monitoring "breadcrumbs," such as contracts funded by Tornado Cash or suspicious forum inquiries, to stop an attack before it happens. The "attacker's dilemma" (the attacker only needs to set off one alarm for the jig to be up) only works if someone is actually watching the monitors.
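One concrete shape of that "breadcrumb" monitoring, as an added example that is not part of the original post: a small funding-trace check that flags new contract deployments whose deployer was funded, within a few hops, from a known mixer address. The mixer address, wallets and transfers below are constructed placeholders, not real on-chain data.

```python
from collections import defaultdict, deque

# Constructed placeholder for a mixer contract address (not a real address).
KNOWN_MIXERS = {"0xMIXER_PLACEHOLDER"}

# Constructed sample transfers: (sender, recipient, value_eth).
SAMPLE_TRANSFERS = [
    ("0xMIXER_PLACEHOLDER", "0xaaa1", 10.0),  # mixer withdrawal to a fresh EOA
    ("0xaaa1", "0xaaa2", 9.9),                # one more hop to a second fresh EOA
    ("0xexchange1", "0xbbb1", 5.0),           # ordinary funding from an exchange
]
# Constructed sample contract creations: (deployer, new_contract).
SAMPLE_DEPLOYMENTS = [
    ("0xaaa2", "0xcontractA"),                # deployed by the mixer-funded chain
    ("0xbbb1", "0xcontractB"),                # deployed by an exchange-funded EOA
]

def build_funder_graph(transfers):
    """Map each recipient to the set of addresses that sent it funds."""
    funders = defaultdict(set)
    for sender, recipient, _value in transfers:
        funders[recipient].add(sender)
    return funders

def mixer_distance(address, funders, max_hops=3):
    """Breadth-first walk backwards through funders; return the hop count to the
    nearest known mixer (0 if `address` is a mixer) or None if none is found
    within max_hops."""
    seen = {address}
    queue = deque([(address, 0)])
    while queue:
        current, hops = queue.popleft()
        if current in KNOWN_MIXERS:
            return hops
        if hops == max_hops:
            continue
        for funder in funders.get(current, ()):
            if funder not in seen:
                seen.add(funder)
                queue.append((funder, hops + 1))
    return None

def flag_deployments(deployments, transfers, max_hops=3):
    """Return [(contract, deployer, hops)] for every deployment whose deployer
    traces back to a known mixer within max_hops funding transfers."""
    funders = build_funder_graph(transfers)
    flagged = []
    for deployer, contract in deployments:
        hops = mixer_distance(deployer, funders, max_hops)
        if hops is not None:
            flagged.append((contract, deployer, hops))
    return flagged

if __name__ == "__main__":
    for contract, deployer, hops in flag_deployments(SAMPLE_DEPLOYMENTS, SAMPLE_TRANSFERS):
        print(f"ALERT: {contract} deployed by {deployer}, mixer-funded {hops} hop(s) back")
```

In practice the transfer list would be fed from a block indexer and the alert routed to whoever is on watch; the point of the example is that the hop limit and the mixer list are the two knobs that decide how noisy the alarm is.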
To any founder holding other people's money: go hire a security person. Security is not as difficult or expensive as people think, and there are many experts willing to help. Ultimately, a head of security can be a growth lever that bolsters TVL and generates revenue by making the protocol a trusted place for assets.
The bottom line: In this industry, security isn't just a cost center; it's a necessity. The real cost center is getting compromised, as that is company-ending.
I used to write condolence posts to protocols when they got hacked, but it's happening so god damn much now it would be the only thing I post anymore 😭
please, as an industry, take security more seriously 😐
Introducing @ETHGlobal Skills:
npx skills add ethglobal-skills/repo
With one command, your coding agents now have access to:
> 17,180 hackathon projects from the past 6 years
> sponsor docs + bounties for upcoming hacks
> all Finalist + bounty winners
Compatible with x402 via @agentcashdev. Repo linked below!
product always beats infrastructure
Phantom made 5x more revenue than Jupiter
but 90% of Phantom's revenue is coming from swapping fees routed through Jupiter
"so you staked your ETH on the Ethereum blockchain to earn yield?"
"yes, Dave"
"except you didn't want your capital to be locked up so you actually staked it with a liquid staking protocol called Lido?"
"that's correct, Dave"
"and Lido gave you a liquid staking receipt token called stETH in return?"
"yes, Dave"
"and then you didn't think that was enough, so you juiced the yield even further by depositing your stETH receipt tokens into a restaking protocol called Eigenlayer?"
"you are correct, Dave"
"and now you didn't want to lock up your capital, so you actually restaked with a liquid restaking protocol called KelpDAO who provided you with a liquid restaking receipt token called rsETH?"
"you got it, Dave"
"and then that was surely not enough juice, so you then deposited your rsETH tokens into a lending protocol called AAVE so that you could open a leveraged looping position that borrows ETH against the rsETH collateral and restakes the ETH into rsETH which is then deposited as collateral, except it turns out rsETH used a cross-chain bridge called LayerZero whose security is held together by a 1/1 toothpick, which was obviously hacked by north koreans causing rsETH to become undercollateralized and now these looping positions are stuck and unprofitable, and everyone is pointing fingers at each other, and also DeFi is a very serious industry"
"you are 100% correct, Dave"
jfc.
CTO: We lost our strongest backend engineer today.
Founder: The one handling infra and outages?
CTO: Yes.
Founder: Did a bigger company hire him?
CTO: No.
Founder: Then why quit?
CTO: He said he was exhausted.
Founder: From the workload?
CTO: Not exactly. From watching the same database bottleneck, same queue lag, same deployment mistakes come back every month.
Founder: That happens in fast-moving teams.
CTO: He agreed. What he could not accept was that every fix was temporary because nobody wanted to slow down and clean the system properly.
Founder: We had deadlines.
CTO: He had standards.
Founder: So he left because the work was hard?
CTO: No. He left because he was not doing engineering anymore. He was just containing damage.
The best engineers do not hate hard problems.
They hate preventable problems that management keeps normalizing.
Jupiter is not affected by the Drift situation.
Jupiter Lend has no exposure to Drift's markets and JLP is fully backed by the underlying assets.
That said, this is a difficult day for Solana DeFi and our heart goes out to the Drift team and everyone affected.
@salesforce But you can’t bring back the reply to the message, huh? This Slack thread is the biggest downgrade.
Also, before you say, “Also post to the channel,” no, it sucks.
We're introducing Codex Security.
An application security agent that helps you secure your codebase by finding vulnerabilities, validating them, and proposing fixes you can review and patch.
Now, teams can focus on the vulnerabilities that matter and ship code faster.
https://t.co/L9SkqrGro2