If you own a large balance or important access controls on an address generated by a less widely used wallet, rotate your keys, or reach out to @coinspect
@banteg @mysticryuujin Not only are most queries getting routed straight to the trash bin, but for the few that make it through, the pace is throttled so aggressively that it's painful to sit and watch.
@pulkit_mittal_ Hot routes still remain hot. If one user/API key is extremely active, hashing sends that key to one owner. It can become the bottleneck.
Using consistent hashing also routes a key to a node, but if that node dies, rebalancing can duplicate or reset local state unless handled.
@pulkit_mittal_ You optimised the hot path but may have weakened the semantics of the rate limiter.
The global limit can be violated. If every node has a local bucket, total allowed traffic can exceed the global quota.
E.g. 100 nodes × 100 local tokens = 10000 requests allowed, even if the global limit is 1000.
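As an added example (not from the thread above), a small Python simulation of the two designs the replies describe: one local bucket per node versus hash-routing each key to a single owner. Node count, local capacity and global limit are the numbers from the tweet; the request stream and the round-robin balancer are constructed assumptions.

```python
import hashlib
from collections import defaultdict

NODES = 100          # rate-limiter nodes in the cluster (from the tweet)
LOCAL_CAPACITY = 100 # tokens each node grants a key per window (from the tweet)
GLOBAL_LIMIT = 1000  # what the key should get cluster-wide (from the tweet)

def admit_with_local_buckets(requests, nodes=NODES, local_capacity=LOCAL_CAPACITY):
    """Naive hot-path design: every node keeps its own bucket per key.
    Requests are spread by a round-robin balancer (assumed), so each node
    admits up to local_capacity and the cluster admits nodes * local_capacity."""
    local = defaultdict(int)  # (node, key) -> tokens consumed this window
    admitted = 0
    for i, key in enumerate(requests):
        node = i % nodes
        if local[(node, key)] < local_capacity:
            local[(node, key)] += 1
            admitted += 1
    return admitted

def owner_of(key, nodes=NODES):
    """Hash-route a key to exactly one owning node (stable across calls)."""
    digest = hashlib.sha256(key.encode()).hexdigest()
    return int(digest, 16) % nodes

def admit_with_key_owner(requests, nodes=NODES, global_limit=GLOBAL_LIMIT):
    """Owner design: the key's single owner holds the only bucket for it,
    so the global quota is enforced regardless of node count."""
    buckets = defaultdict(int)  # (owner, key) -> tokens consumed this window
    admitted = 0
    for key in requests:
        owner = owner_of(key, nodes)
        if buckets[(owner, key)] < global_limit:
            buckets[(owner, key)] += 1
            admitted += 1
    return admitted

def hottest_owner_load(requests, nodes=NODES):
    """The trade-off: with hash routing, all traffic for a hot key lands on
    one node. Returns the request count seen by the busiest owner."""
    load = defaultdict(int)
    for key in requests:
        load[owner_of(key, nodes)] += 1
    return max(load.values()) if load else 0

if __name__ == "__main__":
    hot_key = ["api-key-A"] * 20000  # constructed: one extremely active key
    print("local buckets admit:", admit_with_local_buckets(hot_key))  # 10000
    print("key owner admits:   ", admit_with_key_owner(hot_key))      # 1000
    print("busiest owner sees: ", hottest_owner_load(hot_key))        # 20000
```

The first number reproduces the tweet's 100 × 100 = 10000 overshoot; the third shows the bottleneck the earlier reply warns about.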
@HowToAI_ It's true but only for sparse graphs.
If your graph is dense (m ~ n^2):
O(m log^{2/3} n) becomes O(n^2 log^{2/3} n)
Dijkstra: O(m + n log n) = O(n^2)
New algo: n^2 < n^2 log^{2/3} n
Dijkstra still wins.
The breakthrough is real—but it breaks the sorting barrier in sparse graphs.
layerzero solosig dependency check in
if you haven't hardened your config, you are sitting on an unnecessary dependency on layerzero 3/5 solosig.
if it gets compromised, it could instantly drain all the adapters that rely on the default receive library. after the kelp exploit, the vulnerable adapters tallied to $3.13 billion. after some outreach, the number has dropped to $178 million.
good progress, but still not enough. there is still a long tail of projects that have ignored this advice.
i will make this simple for you. here is a full list with exact calls for how to pin the default library.
https://t.co/diEyhgheRB
Video of @L1v1ng0ffTh3L4N's tool in action.
In the published PoC video, a compromised admin account lifts stored credentials from two other logged-on (and even disconnected) users with Edge running.
Most protocols spend a lot on audits and bug bounties but have zero internal security
Launching https://t.co/c3v75lXHdD to highlight the ones that do
Having an internal security team should be in every protocol's New Year's resolutions for 2026
Aave saying only rsETH on Ethereum is 100% backed.
LayerZero saying everything worked as expected.
KelpDAO saying LayerZero's fault.
Looks like blame game instead of collaborative effort to help users.
8/8
Still waiting for a proper post-mortem.
The real value is not just what failed, but the full exploit lifecycle — ideally the next update should mirror the kind of disclosure done by Gnosis after the Bybit hack.
1/8
Playing devil’s advocate on the LZ / KelpDAO situation:
Yes, a DVN got compromised—but the impact was mostly limited to rsETH. This could’ve easily turned into something way bigger on multiple OFTs & across the entire bridge if the multi-DVN architecture didn't exist.
7/8
What I’m really curious about is the infra side of this—
How exactly was the RPC compromised? How did they get access to the cluster in the first place? If this came through a dev, why didn’t EDR catch it?
Feels like we need much stronger XDR coverage across whole infra.