bc1

about 2 months ago

Earlier today, Tulipa Capital identified unusual on-chain activity involving @yieldbasis (YB) contracts. The YB team was alerted within minutes of detection. What we know so far: - An attacker deployed a custom contract to claim fees and drain assets from 3 vaults - ~$1.25M in wrapped BTC (cbBTC, WBTC, tBTC) was extracted - The affected vaults appear to be owned by @giddydefi YB core contracts are not affected or at risk. The exploit targeted individual vault positions, not the protocol itself.

104

47K

bc1XBT retweeted

📚Te enseño a protegerte en https://t.co/h6qiBLhl9b 💻"Sin privacidad tu libertad es una ilusión"

about 2 months ago

Tulipa Capital is actively monitoring the rsETH and Aave situation. Tulipa Capital has no direct or underlying exposure to rsETH or Kelp DAO. Our vault positions on Aave were migrated to alternative markets. We are monitoring exposure across protocols with Aave dependencies and continue to evaluate second-order effects across the broader DeFi ecosystem.

928

Who to follow

Stark

@StarkPrivacy

neira

@borjaneira_

At @Tempo - Tokenized Financial Product Architect & Market Plumbing Find my research on my website

bc1XBT retweeted

about 2 months ago

the issue with the @KelpDAO 280m$ hack was that it was just secured by just 1/1 validator set (DVN) on @LayerZero_Core . Which means one faulty transaction from a validator is all that's needed. my belief is that the root cause was possibly that the LZ validator on Unichain was compromised. the contagion effects are going to be quite bad. I don't think many people have realized it yet. - kelp was looping on aave with stETH for a few percentage here and there. Aave is going through a bank run so that means they'll need to unwind their positions - multiple protocols and chains are now going to be bad debt because their rsETH will get depegged. - aave's bad debt is more than what they can cover rn so almost anyone who has deposited into their safety net (60mn$) is 100% rekt. all for just staking for a few % in extra yeild. - trust on LZ & Aave will deteriorate. this is bad for the industry. - the kelp team (amazing founders) will go through debt i'd say i feel sorry for everyone who is going to go through the next few hours but unfortunately this is the industry we live in.

senamakel's tweet photo. the issue with the @KelpDAO 280m$ hack was that it was just secured by just 1/1 validator set (DVN) on @LayerZero_Core . Which means one faulty transaction from a validator is all that's needed.

my belief is that the root cause was possibly that the LZ validator on Unichain was compromised.

the contagion effects are going to be quite bad. I don't think many people have realized it yet.

- kelp was looping on aave with stETH for a few percentage here and there. Aave is going through a bank run so that means they'll need to unwind their positions

- multiple protocols and chains are now going to be bad debt because their rsETH will get depegged.

- aave's bad debt is more than what they can cover rn so almost anyone who has deposited into their safety net (60mn$) is 100% rekt. all for just staking for a few % in extra yeild.

- trust on LZ & Aave will deteriorate. this is bad for the industry.

- the kelp team (amazing founders) will go through debt

i'd say i feel sorry for everyone who is going to go through the next few hours but unfortunately this is the industry we live in.

385

118

111K

bc1

@bc1XBT

3 months ago

If anyone's at EthCC and wants to grab a coffee, hit me up! ☕

142

bc1XBT retweeted

3 months ago

Tulipa Capital is actively monitoring the ongoing Resolv/USR exploit. Our vault positions do not hold exposure to the affected assets or markets. To our Gearbox users: we have disallowed position increases on the relevant assets and will take further protective action if the situation warrants it. Tulipa Capital is committed to ensuring lenders are fully protected. We will continue to monitor as Resolv works toward a recovery plan. @GearboxProtocol

bc1XBT retweeted

0xSero

@0xSero

3 months ago

https://t.co/txDnDa0Flf

166

561

bc1

@bc1XBT

3 months ago

@0xSero Let's talk !

103

bc1XBT retweeted

4 months ago

https://t.co/xYvQkHU3HD

20K

bc1XBT retweeted

5 months ago

Effective treasury management requires more than strong returns. It demands specialized expertise across multiple disciplines. For our GnosisDAO proposal, we've partnered with @flowdesk_co and @Accountable to deliver institutional-grade execution, real-time transparency, and rigorous reporting. Three teams. One aligned mission. Read our full proposal: https://t.co/xxf3xXcagf

tulipacapital's tweet photo. Effective treasury management requires more than strong returns. It demands specialized expertise across multiple disciplines.

For our GnosisDAO proposal, we've partnered with @flowdesk_co and @Accountable to deliver institutional-grade execution, real-time transparency, and rigorous reporting.

Three teams. One aligned mission.

Read our full proposal: https://t.co/xxf3xXcagf

bc1XBT retweeted

gaut

@0xgaut

5 months ago

“Mom, how did we get so rich?” “Your father and I lived in the era of the $200 claude code max plan”

121

491

320K

bc1XBT retweeted

neira

@borjaneira_

5 months ago

Never forget

bc1XBT retweeted

Infinite Field

@infinitefieldx

5 months ago

We heard that builders and API traders are struggling with integration of HIP-3 markets, multisig support and/or EVM<>Core interaction. Therefore, we built an SDK for Hyperliquid, one SDK to rule them all. https://t.co/0Ulps5fk2R

321

141

57K

bc1XBT retweeted

5 months ago

https://t.co/apPkhOmOgP

385

357

27K

bc1XBT retweeted

Santisa

@Tiza4ThePeople

7 months ago

I have not taken any meaningful hit to my portfolio since 2022. During this time, I've applied conservative risk parameters, and my portfolio has grown relatively slow but steady because of it. The feeling of engulfing stress and despair from seeing your hard-earned money disappear over a hack, exploit or simple market risk is just a memory to me. Losing a good chunk of your net worth, for which you spent countless hours that will never return and sacrificed invaluable moments you'll never get to experience again, is like dying a little bit. And it sure feels like that in the moment. Risk is unavoidable, but the amount you underwrite should serve a clear purpose. When your portfolio's size starts yielding marginal happiness returns, the EV equation starts turning negative. Risking a huge hit to your wealth, health and mind when you no longer need the money or feel satisfaction with the added returns is bad risk management. I remember quite vividly @AlgodTrading tweeting "I don't ever want to feel like this again" (now delted) after losing what I recall to be 50% of his net worth on FTX. I carry that thought with me in my actions. It reminds me to think about the objectives in all of my decisions. No inertia, no greed, no denial. Pure +EV. I invest to make money, I live to be content. Take a moment and reassess if your actions align with your objectives. Don't psyop yourself.

Tiza4ThePeople's tweet photo. I have not taken any meaningful hit to my portfolio since 2022. During this time, I've applied conservative risk parameters, and my portfolio has grown relatively slow but steady because of it.

The feeling of engulfing stress and despair from seeing your hard-earned money disappear over a hack, exploit or simple market risk is just a memory to me.

Losing a good chunk of your net worth, for which you spent countless hours that will never return and sacrificed invaluable moments you'll never get to experience again, is like dying a little bit. And it sure feels like that in the moment.

Risk is unavoidable, but the amount you underwrite should serve a clear purpose. When your portfolio's size starts yielding marginal happiness returns, the EV equation starts turning negative. Risking a huge hit to your wealth, health and mind when you no longer need the money or feel satisfaction with the added returns is bad risk management.

I remember quite vividly @AlgodTrading tweeting "I don't ever want to feel like this again" (now delted) after losing what I recall to be 50% of his net worth on FTX.
I carry that thought with me in my actions. It reminds me to think about the objectives in all of my decisions. No inertia, no greed, no denial. Pure +EV.
I invest to make money, I live to be content.

Take a moment and reassess if your actions align with your objectives. Don't psyop yourself.

195

15K

bc1XBT retweeted

7 months ago

Live now. Don't sign all required signatures on a multisig and expect it not to be executed. :)

193

50K

bc1XBT retweeted

7 months ago

This is a massive loss. It's unclear how this will be settled in between xUSD/xBTC/xETH holders and lenders against these tokens, so let’s go over all stablecoins/vaults that have (in)direct exposure to Stream. Best we can tell, these stablecoins have indirect exposure: Elixir’s deUSD: Elixir is lending 68m USDC to Stream: https://t.co/2nQkykFlUo This represents 65% of deUSD backing. The main stream wallet is borrowing these funds against xUSD collateral. Elixir claims: “Elixir has full redemption rights at $1 with Stream for its lending position. We are the only creditor with these 1-1 rights.”. Stream team said: “ They have a contract. We told them explicitly that we cannot pay them out until lawyers determine who is owed what.“ Nevertheless, it’s rational to be careful before this debt is actually repaid. Treeve’s scUSD: eliteRingsScUSD is backed by veUSD. veUSD is backed by locked stkscUSD. stkscUSD is backed by staked scUSD that specific scUSD is rehypothecated to Mithras. Mithras scUSD (about 92% = 13m) is currently borrowed by xUSD collateral on Silo & Euler. This is not an extensive list, there likely are more stables/vaults affected, and the information presented here is not guaranteed to be accurate. Overall debt to lenders on various lending markets: $284.96M.* *Not counting indirect exposure through deUSD and other loops, this is a sum of all debt against Stream assets, debt owned both by Stream and by regular users. Totals by Curator: TelosC: 123.64M Elixir (kinda?): 68M MEV Capital: 25.42M Varlamore: 19.17M Re7: 14.26M Enclabs: 2.56 M Mithras: 2.3M TiD: 0.38M Invariant Group: 0.072M Here is a list of all markets that lend to xUSD/xBTC/xETH directly, their current exposure, and the curators which allocated money into there markets: EULER: Ethereum: TelosC Stream - only includes Stream assets - 1623.5 ETH ($5.89M), $14.31M USDC, 87.09 BTC ($9.65M) borrowed = $29.85M overall - Curator: TelosC https://t.co/81VE8cKDuj Plasma: TelosC Stream - $90M USDT, $2.89M plUSD, 900k msUSD - Curator: TelosC https://t.co/2YAM9CE6pP Plasma: Re7 Labs xUSD - $14.26M USDT - Curator: Re7 https://t.co/k1HdYgqewM Sonic: MEV Capital Cluster - Hard to tell exact exposure, but the vault has $7M scUSD, $3.5M USDC, $2.7M scETH - 9.87M xUSD and 500 xETH deposited. - Curator: MEV Capital https://t.co/9pINJEL0ja SILO: Ethereum: xUSD/USDC market - $1.2M USDC borrowed - Curators: Varlamore ($850k) https://t.co/NCg0rCidlk Arbitrum: xUSD/USDC market - $15M USDC borrowed - Curators: Varlamore ($14.2M), TID ($346k) https://t.co/CG5aEvjW93 Avalanche: xUSD/USDC, xUSD/USDT, xUSD/AUSD - $1.9M USDT, $816k AUSD, $9.3M USDC borrowed = $12.01M overall - Curators: MEV Capital ($7.2M), Varlamore ($2.5M), TiD ($28.5k) https://t.co/1aGGxH4epg https://t.co/pV62h3Vc0H https://t.co/lnLvS4nIkK Avalanche: xBTC/BTC - 272 BTC ($29.1M) - Curators: MEV Capital ($17.6M) https://t.co/zyw4A7E5kG Sonic: xUSD/USDC, xUSD/scUSD - $2.3M scUSD, $4M USDC - Curators: Mithras ($2.3M), Varlamore ($1.6M) https://t.co/aSRovgUgyM https://t.co/sWGv2KsGSq MORPHO: Plume: The Elixir Market: - 68M USDC borrowed - Lender: Elixir Arbitrum: xUSD/USDC - 628k USDC - Curator: MEV Capital https://t.co/khHBfFYZUL GEARBOX: Plasma: Invariant Group USDT0 - 72.45k xUSD. This market had a LOT more xUSD, but it was all exited. GGWP, @GearboxProtocol! https://t.co/8iecgElbIa ENCLABS: Sonic: 4.21M xUSD, about $2.4M in exposure? Plasma: 150k xUSD, about $160k in exposure? Again, there might be more, this is all we found.

748

218

414

556K

bc1XBT retweeted

8 months ago

Be VERY careful interacting with unverified @merkl_xyz campaigns. A bad actor is creating triple digit APR incentives on Sonic for depositing USDC into an Euler vault, and drains all deposits. This is how it works: Because Euler is permissionless, the attacker was able to deploy a 'fake' market using scUSD as collateral and USDC as debt. The market has a 1$ deposit cap for scUSD - fully taken by the bad actor. The scUSD oracle price is set to $1M per token, allowing the attacker to borrow 700,000 USDC against a single scUSD (at 70% LTV). The attacker controls the oracle and can raise the price further to extract more funds if needed. Next, the attacker created an unverified, fake campaign on Merkl to attract deposits. Any USDC deposited to this market is borrowed, swapped into ETH, and transferred to @RAILGUN_Project. Current losses: roughly $145,000, and growing. As the attacker is not actively monitoring the vault for new deposits, it allowed 0xc0f8feab321f8ffe97666768451747d16da8cad5, a victim who previously deposited USDC into this vault, to withdraw USDC before the attacker managed to borrow it. While we don't think @merkl_xyz or @eulerfinance are at fault here, as they both clearly flag the campaign/market as unverified, @merkl_xyz should likely make depositing into an unverified campaign much more annoying with more pop-up warnings, just to prevent this from happening in the future. Main operator: 0x8ba913e764c5cc9b22ee63737841059ad9caac5f Final receiver before railgun: 0xa86399e78fb3d9fb5be053825a016e32d390fc12 The list of victims can be found here: https://t.co/3XGkqLcitv Campaign (SCAM, don't deposit): https://t.co/Q6ThronuUJ Euler Market (SCAM, don't deposit): https://t.co/bL8Ptu0KsR cc @zachxbt

yieldsandmore's tweet photo. Be VERY careful interacting with unverified @merkl_xyz campaigns.

A bad actor is creating triple digit APR incentives on Sonic for depositing USDC into an Euler vault, and drains all deposits. This is how it works:

Because Euler is permissionless, the attacker was able to deploy a 'fake' market using scUSD as collateral and USDC as debt. The market has a 1$ deposit cap for scUSD - fully taken by the bad actor. The scUSD oracle price is set to $1M per token, allowing the attacker to borrow 700,000 USDC against a single scUSD (at 70% LTV). The attacker controls the oracle and can raise the price further to extract more funds if needed.

Next, the attacker created an unverified, fake campaign on Merkl to attract deposits. Any USDC deposited to this market is borrowed, swapped into ETH, and transferred to @RAILGUN_Project.

Current losses: roughly $145,000, and growing.

As the attacker is not actively monitoring the vault for new deposits, it allowed 0xc0f8feab321f8ffe97666768451747d16da8cad5, a victim who previously deposited USDC into this vault, to withdraw USDC before the attacker managed to borrow it.

While we don't think @merkl_xyz or @eulerfinance are at fault here, as they both clearly flag the campaign/market as unverified, @merkl_xyz should likely make depositing into an unverified campaign much more annoying with more pop-up warnings, just to prevent this from happening in the future.

Main operator: 0x8ba913e764c5cc9b22ee63737841059ad9caac5f
Final receiver before railgun: 0xa86399e78fb3d9fb5be053825a016e32d390fc12

The list of victims can be found here: https://t.co/3XGkqLcitv
Campaign (SCAM, don't deposit): https://t.co/Q6ThronuUJ
Euler Market (SCAM, don't deposit): https://t.co/bL8Ptu0KsR

cc @zachxbt

355

69K

bc1XBT retweeted