Le psychiatre :
« Le Pierre Perret argentin qui danse le mia n'existe pas, il ne peut pas te faire de mal. »
Le Pierre Perret argentin qui danse le mia :
huge day for victims of the kelp dao hack, i hope that we can look back on today as the day our industry realized that we can simultaneously build useful products while also protecting users rather than be a consequence-free infinite money glitch for hackers
we should get layerzero, kelp, aave into a room to figure things out between them. so far things are not looking good, everyone has lawyered up and going full pvp on each other.
went through layerzero gasolina aws deployment repo + extracted app source.
tl;dr concerning
the reference deployment is public by design. and the sample providers.json ships with rpc quorum: 1 on every mainnet chain.
1. the recommended cdk stack puts a public api gateway in front of a private alb in front of fargate in private subnets. publicLoadBalancer: false, taskSubnets: PRIVATE_WITH_NAT, and an HttpApi with HttpAlbIntegration. the readme literally tells operators to send the resulting ApiGatewayUrl to layerzero labs.
2. no authorizer, no iam auth mode, no ip allowlist, no waf, no route-level policy anywhere in the repo. the app itself (bootstrap.ts) registers /provider-health, which leaks configured rpcs. server.listen(port) without host arg binds to public ip.
3. cdk/gasolina/config/providers/mainnet/providers.json sets quorum: 1 for ethereum, bsc, polygon, arbitrum, optimism, fantom, and the rest. multiple rpc urls are configured as failover, not consensus. the multiprovider code only enforces quorum when quorum > 1 and explicitly bypasses the wrapper when it's 1. rpcs are mostly public endpoints (llamarpc, publicnode, ankr).
4. provider config lives in an s3 bucket that the cdk stack creates, uploads to, and passes via env vars (PROVIDER_CONFIG_TYPE, CONFIG_BUCKET_NAME). so the trust boundary is the app + the mutable config plane + the upstream rpc tier + whatever's in front of api gateway.
5. operators are told to validate by curling the public url for /available-chains, /signer-info?chainName=ethereum, /provider-health (again, leaks rpc). external reachability is an encouraged documented requirement.
caveats: this is the public repo and extracted non-public source. it doesn't prove the config they had for kelp bridge. but the public info and the defaults the operators are pointed at look concerning.
read more here: https://t.co/ZR5bwLzCEn
layerzero attack was not rpc poisoning
in networking poisoning is when the attacker outside the trust boundary taints a shared lookup (dns, arp, cache). the consumer has no reason to distrust the source.
this was not that.
the attackers got inside layerzero's trust boundary. they accessed the rpc list, compromised two nodes the dvn depended on, and swapped the op-geth binaries. that's an infra breach within the perimeter. supply-chain shaped, not network shaped.
and the payload was surgical. the malicious binary cloaked by ip, served forged payload only to the dvn, told the truth to scan and every other caller, then self-destructed to wipe logs and binaries.
rpc poisoning makes it sound like something that happened to the infra from the outside. the real story is a targeted implant operating inside the trust boundary.
that's a meaningfully scarier attack than the label suggests.
Today is a monumentous day for quantum computing and cryptography. Two breakthrough papers just landed (links in next tweet). Both papers improve Shor's algorithm, infamous for cracking RSA and elliptic curve cryptography. The two results compound, optimising separate layers of the quantum stack. The results are shocking. I expect a narrative shift and a further R&D boost toward post-quantum cryptography.
The first paper is by Google Quantum AI. They tackle the (logical) Shor algorithm, tailoring it to crack Bitcoin and Ethereum signatures. The algorithm runs on ~1K logical qubits for the 256-bit elliptic curve secp256k1. Due to the low circuit depth, a fast superconducting computer would recover private keys in minutes. I'm grateful to have joined as a late paper co-author, in large part for the chance to interact with experts and the alpha gleaned from internal discussions.
The second paper is by a stealthy startup called Oratomic, with ex-Google and prominent Caltech faculty. Their starting point is Google's improvements to the logical quantum circuit. They then apply improvements at the physical layer, with tricks specific to neutral atom quantum computers. The result estimates that 26,000 atomic qubits are sufficient to break 256-bit elliptic curve signatures. This would be roughly a 40x improvement in physical qubit count over previous state-of-the-art. On the flip side, a single Shor run would take ~10 days due to the relatively slow speed of neutral atoms.
Below are my key takeaways. As a disclaimer, I am not a quantum expert. Time is needed for the results to be properly vetted. Based on my interactions with the team, I have faith the Google Quantum AI results are conservative. The Oratomic paper is much harder for me to assess, especially because of the use of more exotic qLDPC codes. I will take it with a grain of salt until the dust settles.
→ q-day: My confidence in q-day by 2032 has shot up significantly. IMO there's at least a 10% chance that by 2032 a quantum computer recovers a secp256k1 ECDSA private key from an exposed public key. While a cryptographically-relevant quantum computer (CRQC) before 2030 still feels unlikely, now is undoubtedly the time to start preparing.
→ censorship: The Google paper uses a zero-knowledge (ZK) proof to demonstrate the algorithm's existence without leaking actual optimisations. From now on, assume state-of-the-art algorithms will be censored. There may be self-censorship for moral or commercial reasons, or because of government pressure. A blackout in academic publications would be a tell-tale sign.
→ cracking time: A superconducting quantum computer, the type Google is building, could crack keys in minutes. This is because the optimised quantum circuit is just 100M Toffoli gates, which is surprisingly shallow. (Toffoli gates are hard because they require production of so-called "magic states".) Toffoli gates would consume ~10 microseconds on a superconducting platform, totalling ~1,000 sec of Shor runtime.
→ latency optimisations: Two latency optimisations bring key cracking time to single-digit minutes. The first parallelises computation across quantum devices. The second involves feeding the pubkey to the quantum computer mid-flight, after a generic setup phase.
→ fast- and slow-clock: At first approximation there are two families of quantum computers. The fast-clock flavour, which includes superconducting and photonic architectures, runs at roughly 100 kHz. The slow-clock flavour, which includes trapped ion and neutral atom architectures, runs roughly 1,000x slower (~100 Hz, or ~1 week to crack a single key).
→ qubit count: The size-optimised variant of the algorithm runs on 1,200 logical qubits. On a superconducting computer with surface code error correction that's roughly 500K physical qubits, a 400:1 physical-to-logical ratio. The surface code is conservative, assuming only four-way nearest-neighbour grid connectivity. It was demonstrated last year by Google on a real quantum computer.
→ future gains: Low-hanging fruit is still being picked, with at least one of the Google optimisations resulting from a surprisingly simple observation. Interestingly, AI was not (yet!) tasked to find optimisations. This was also the first time authors such as Craig Gidney attacked elliptic curves (as opposed to RSA). Shor logical qubit count could plausibly go under 1K soonish.
→ error correction: The physical-to-logical ratio for superconducting computers could go under 100:1. For superconducting computers that would be mean ~100K physical qubits for a CRQC, two orders of magnitude away from state of the art. Neutral atoms quantum computers are amenable to error correcting codes other than the surface code. While much slower to run, they can bring down the physical to logical qubit ratio closer to 10:1.
→ Bitcoin PoW: Commercially-viable Bitcoin PoW via Grover's algorithm is not happening any time soon. We're talking decades, possibly centuries away. This observation should help focus the discussion on ECDSA and Schnorr. (Side note: as unofficial Bitcoin security researcher, I still believe Bitcoin PoW is cooked due to the dwindling security budget.)
→ team quality: The folks at Google Quantum AI are the real deal. Craig Gidney (@CraigGidney) is arguably the world's top quantum circuit optimisooor. Just last year he squeezed 10x out of Shor for RSA, bringing the physical qubit count down from 10M to 1M. Special thanks to the Google team for patiently answering all my newb questions with detailed, fact-based answers. I was expecting some hype, but found none.
Web 1.0 came with new channels:
- email, search, link sharing, etc
Web 2.0 too:
- feeds, creators, viral invites, etc
Mobile:
- app stores, SMS invites, vertical vid, mobile ads
What about AI? I’ve been complaining that AI hasn’t come with much. But we’re seeing a big growth channel opening now: Products that are built as APIs/CLIs that can be pulled into new projects by Codex/Claude on the fly
Maybe the “AI-native hotel app” doesn’t mean a mobile booking app with an AI chat panel. It means a CLI that can book a hotel for you, that an AI agent can pull into a bespoke answer or project or into code. Bolting on an AI chat panel is this generation’s weak form of AI. Maybe the full reinvention involves making it agent-first not human-first
and once you start looking at it that way, a lot of existing products suddenly feel mis-specified. they’re built as destinations, but agents don’t want destinations. they want capabilities. composable, callable, reliable capabilities.
So instead of “go to Expedia” or “open the app,” the future interaction is more like: an agent assembles a workflow on the fly. it pulls a flight search tool, a hotel booking tool, maybe a weather model, maybe even your personal preference graph. none of these are full products in the traditional sense. they’re more like endpoints with taste and state.
This flips distribution completely. historically you win by owning the surface area. seo, app store ranking, homepage traffic. in an agent world, you win by being the default callable primitive. the thing that shows up again and again in agent-generated plans because it works, has clean interfaces, and returns structured outputs. distribution shifts from “top of funnel” to “top of call stack.”
And the crazy part is this might actually compress product surface area dramatically. the best products might look more like tight, extremely well-designed CLIs with opinionated defaults rather than sprawling UIs. almost like the stripe api moment, but for everything. imagine if every vertical had a “stripe-level” primitive that agents preferentially use.
there’s also a weird inversion of brand here. humans used to choose brands. now agents will. so the brand becomes partially machine-legible. reliability, latency, error rates, schema clarity. you can almost imagine “agent seo” where the ranking factors are things like success rate across thousands of agent runs, or how easy your tool is to integrate in a chain-of-thought execution loop.
This also suggests a new kind of moat. not just data or network effects, but integration depth with agent ecosystems. if claude or codex or openclaw learns that your tool is the safest way to accomplish X, it gets baked into prompts, templates, maybe even fine-tunes. you become a default. and defaults, historically, are insanely sticky.
The contrarian take is that most current “AI features” are a local maximum. chat panels, copilots, assistants. they’re transitional. the real end state might look closer to invisible infrastructure that agents orchestrate. the ui is just a debug layer for humans to peek into what the agents are doing.
so maybe the new growth channels for ai look like:
- being callable
- being composable
- being reliable at scale in agent loops
- being embedded in agent templates and workflows
- being the default primitive in a given domain
and if that’s right, then the question for any new product isn’t “what’s the ui” or even “what’s the killer feature.” it’s “what’s the minimal, highest-leverage capability we can expose such that agents will repeatedly choose us when building something new.”
🚨🇦🇪🇺🇸 Prominent UAE billionaire Khalaf Ahmad Al Habtoor just published an open letter to Trump. It's brutal.
"Who gave you the authority to drag our region into a war with Iran? Who gave you permission to turn our region into a battlefield?"
Al Habtoor's a major figure: billionaire, former diplomat, outspoken political voice in the Gulf. When he talks, UAE leadership's listening.
His questions:
* Was this your decision or Netanyahu's pressure?
* Did you calculate collateral damage before firing?
* You placed GCC countries at the heart of danger they didn't choose
* Your "Board of Peace" initiatives were funded by Gulf states. Now we're getting attacked. Where did that money go?
* You promised no wars. You've conducted operations in 7 countries: Somalia, Iraq, Yemen, Nigeria, Syria, Iran, Venezuela
* 658 airstrikes in your first year back = Biden's entire term (which you criticized)
* War costs $40-65 billion for operations, possibly $210 billion total
* Your approval rating's down 9% in 400 days
* Americans were promised peace. They're getting war funded by their taxes
The sharpest line: "Before the ink has dried on your Board of Peace initiative, we find ourselves facing military escalation that endangers the entire region. So where did those initiatives go?"
Al Habtoor's not some random critic. He's establishment. Connected. When UAE elites start publicly questioning Trump's decision-making, that's America's closest Arab allies saying "we didn't sign up for this."
The letter ends: "True leadership is not measured by war decisions, but by wisdom, respect for others, and pushing toward achieving peace."
@KhalafAlHabtoor
optimism is the best life and longevity hack
negative thinking destroys your brain and is associated with alzheimers disease
whereas optimism is associated with longevity
you must retain your childlike optimism and be a silly goose