Ethereum can already start preparing accounts for a post quantum world, without waiting for a hard fork.
Today, it would be just 0.07$ .
Further audits incoming. Though I squeezed in a review with Fable before Uncle Sam crashed my party. Verity formal proof included for my lean enjoyers
https://t.co/hfOx08X17Q
We are investigating unauthorized access to GitHub’s internal repositories. While we currently have no evidence of impact to customer information stored outside of GitHub’s internal repositories (such as our customers’ enterprises, organizations, and repositories), we are closely monitoring our infrastructure for follow-on activity.
SECURITY ADVISORY — TanStack npm packages
A supply-chain compromise affecting 42 @tanstack/* packages (84 versions total) was published to npm earlier today at approximately 19:20 and 19:26 UTC. Two malicious versions per package.
Status: ACTIVE — packages are deprecated, npm security engaged, publish path being shut down.
Severity: HIGH — payload exfiltrates AWS, GCP, Kubernetes, and Vault credentials, GitHub tokens, .npmrc contents, and SSH keys.
If you installed any @tanstack/* package between 19:20 and 19:30 UTC today, treat the host as potentially compromised:
• Rotate cloud, GitHub, and SSH credentials immediately
• Audit cloud audit logs for the last several hours
• Pin to a prior known-good version and reinstall from a clean lockfile
Detection — the malicious manifest contains:
"optionalDependencies": {
"@tanstack/setup": "github:tanstack/router#79ac49ee..."
}
Any version with this entry is compromised. The payload is delivered via a git-resolved optionalDependency whose prepare script runs router_init.js (~2.3 MB, smuggled into each tarball at the package root).
Unpublish is blocked by npm policy for most affected packages due to existing third-party dependents. All 84 versions are being deprecated with a SECURITY warning, and npm security has been engaged to pull tarballs at the registry level.
Full technical breakdown, complete package and version list, and rolling status updates:
https://t.co/Zy8qG7PA9f
Credit to the security researcher for responsible disclosure.
Per-customer deposit addresses are live on Tempo.
On most chains, giving every customer a unique deposit address means initializing, monitoring, and sweeping a real onchain wallet for each.
With virtual addresses, funds credit directly to a master wallet at the protocol layer.
So for now 9 protocols hit because of this
@KelpDAO got exploited their liquid restaking token $rsETH was compromised with 116.5k ETH ($293M) withdrawn
Then attacker used rsETH as collateral to borrow ETH on @aave, creating massive bad debt and pushing AAVE token down
Now Aave multisig froze rsETH on the lending market
Attacker wallets funded via Tornado Cash
Kelp’s team emergency pauser multisig froze the protocol’s core contracts roughly 46 minutes after the successful drain
They still haven't posted anything publicly after almost 3h
Protocols that froze their markets:
- Aave V3 (could be in a bad debt)
- SparkLend
- Lido Earn (Mellow strategy meta-vault)
- Fluid
- Compound
- Euler
- Upshift (paused High Growth ETH and Kelp Gain vaults)
- Pendle PT/YT tokens
- some Beefy strategies, possibly Yearn and LayerZero
LSTs and restaking have been the fastest growing narrative this cycle
Morpho's fixed rate protocol now has a name: Morpho Midnight.
Morpho Midnight is not an iteration of Morpho Blue. It is a completely new paradigm for onchain lending, and should not be considered a "V2" of Blue.
Blue = pool-based open term variable markets with externalized risk management.
Midnight = intent-based fixed term fixed rate markets with externalized risk AND rate management.
The two will coexist, complementing one another to extend the capabilities of the Morpho network. We’ll start sharing more updates on Midnight as audits finalize.
My dear front-end developers (and anyone who’s interested in the future of interfaces):
I have crawled through depths of hell to bring you, for the foreseeable years, one of the more important foundational pieces of UI engineering (if not in implementation then certainly at least in concept):
Fast, accurate and comprehensive userland text measurement algorithm in pure TypeScript, usable for laying out entire web pages without CSS, bypassing DOM measurements and reflow
Tempo Mainnet is live! Starting today, anyone can build on Tempo through our public RPC endpoints.
Alongside mainnet, we’re introducing the Machine Payments Protocol, an open standard for machine payments.
Perpl is officially going live tomorrow, and here are some insane code stats:
- 11,301 lines of solidity
- 60,281 lines of typescript
- 27,082 lines of comments
1 developer -> alien tech handcrafted by @0slippage