I've been farming @grass for a year and have brought in 1k referrals, 37M points.
CT, how much will I get from the airdrop?
And what is your allocation means?
@NalyMetaX@quipnetwork Great breakdown. Most quantum work stays stuck in papers because there’s no clear path to end users. Integrating classical + quantum resources like this feels like the missing piece
@bella_quack@NomismaNetwork@XOOBNetwork Totally agree, the silence is loud. Plummeting NFTs + no points/leaderboard updates for days is never a good combo. Do you think this is just temporary maintenance or something more serious? Holding any position or just observing?
I keep saying crypto has no competition
People are REALLY on H
No one in their right mind would:
1. Sign random txs
2. Fall for obvious phishing
3. Abandon subdomains
4. Ignore access hygiene
5. Etc
And yet teams with 8-figure treasuries still do it
The bar is underground
🚨Taiko drained for ~$1.7M. Root cause: a private key committed to a public GitHub repo.
enclave-key.pem, the RSA key used to sign all of Taiko's SGX enclaves, sat in the public taikoxyz/raiko repo. That key is the whole trust model.
The attacker derived MrSigner from the public key, signed their own malicious enclave with the leaked key, and registered as a trusted prover. The L1 contracts trust any enclave whose MrSigner matches. It matched.
From there: forged SGX attestations on fake L2 blocks, processMessage() sets the message to RETRIABLE, retryMessage() does zero proof verification, funds leave.
No key theft. No social engineering. No SGX exploit. Just a .pem in a public repo.
Good opportunity to recall that SGX is broken. But here, nobody even had to break it.
It's just yet another key management failure. The whole system was only ever as strong as the secrecy of one RSA key, and that secrecy depended on a human not running git add . on the wrong folder. AI greps every commit of every public repo at machine speed. Assume that is already happening.
The only real exit: a verifier that checks a succinct validity proof of the L2 state transition. It trusts no enclave, no MrSigner, no operator discipline. It checks the math. In that world this exact attack becomes cryptographically impossible rather than operationally unlikely, because there is no privileged key whose leak forges the entire system. There is just a proof.
Stay safe.