Pyggie

Alice swaps privately on L1 tldr: Privacy protocol users today depend on broadcasters that can see, frontrun, and censor their transactions. In this thread we show how four future protocol upgrades can remove this dependency step by step. Native AA (EIP-8141) and 2D nonces let users self-submit with no off-chain infrastructure. Encrypted frame transactions hide swap parameters until after block ordering is committed. FOCIL guarantees inclusion as long as one honest includer can see the transaction pending in the public mempool. 👇🧵

Aave LLC has filed an emergency motion to vacate a restraining notice served on Arbitrum DAO on May 1, 2026 that attempts to seize approximately $71 million in ETH belonging to victims of the April 18 exploit. A thief does not gain lawful ownership of stolen property simply by taking it, and the law is clear on this. Those assets were recovered to be returned to users victimized in the April 18, 2026 exploit. Freezing them harms the very people this recovery effort is designed to protect. We’ve asked the court for an expedited hearing and a temporary vacatur, and we are continuing to work alongside the Arbitrum community and DeFi United to make affected users whole.

Surely one of the most complex decisions ever made in Arbitrum governance history but a few things worth noting: 1. To all those screaming for the past few days “Arbitrum has a centralized sequencer so they can move funds”, take a few minutes to learn how Arbitrum works. The sequencer has absolutely no power to move funds and was not the one who acted here. 2. The decision to act was made entirely by the Arbitrum Security Council, a group of 12 individuals elected by the Arbitrum DAO (the annual election is currently underway — vote now!), which required 9/12 of them to agree. The council is independent from the Arbitrum Foundation and Offchain Labs (1/12 of the elected members is an OCL engineer), and came to this decision by themselves after much deliberation. You may not like the existence of security councils and you can form your own opinion on whether you agree with their actions, but this process was extremely distributed and coordinated by independent actors, and ina world where security councils exist, Arbitrum’s is a masterclass on how a truly independent security council should operate. 3. For many, the ultimate goal is to get rid of the security council entirely, but this is complicated. Technically it’s easy — the security council is elected by the DAO and operates at its pleasure, and the DAO can turn it off at any time. But the harder question is _should_ the DAO do that? L1s have the ability to hard fork. Security councils control the analogous power for the L2. If you get rid of it, you lose the ability to hard fork. You can still update the chain via DAO vote but that’s a slow process and you can no longer do fast emergency actions (which includes both actions like the security council took today as well as the ability to quickly upgrade the code in case an exploitable vulnerability in the software stack is discovered). As I’ve said many times, the best path that I see to getting rid of security councils is for the L1 itself to take on this burden for its most important L2s (as defined by objective criteria). In that case, in the case of a vulnerability or an exploit the conversation for L1 and L2 will be identical — does this warrant an L1 hard fork. I’m hopeful that we can reopen this conversation in the coming weeks.

Look guys, it's actually really straightforward, a bunch of people staked their ETH on the Ethereum blockchain to earn yield, except they didn't want their capital to be locked up, so they actually staked with a liquid staking protocol called Lido who provided them a liquid staking receipt token called stETH, except they decided to juice their yield further by depositing their stETH receipt tokens into a restaking protocol called Eigenlayer, except they didn't want to lock up their capital, so they actually restaked with a liquid restaking protocol called KelpDAO who provided them with a liquid restaking receipt token called rsETH, except they decided to juice their yield further by depositing their rsETH tokens into a lending protocol called Aave so that they could open a leveraged looping position that borrows ETH against the rsETH collateral and restakes the ETH into rsETH which is then deposited as collateral, except it turns out rsETH used a cross-chain bridge called LayerZero that was hacked by north koreans causing rsETH to become undercollateralized and now these looping positions are stuck and unprofitable, and everyone is pointing fingers at each other, and also DeFi is a very serious industry

The Arbitrum Security Council has taken emergency action to freeze the 30,766 ETH being held in the address on Arbitrum One that is connected to the KelpDAO exploit. The Security Council acted with input from law enforcement as to the exploiter’s identity, and, at all times, weighed its commitment to the security and integrity of the Arbitrum community without impacting any Arbitrum users or applications. After significant technical diligence and deliberation, the Security Council identified and executed a technical approach to move funds to safety without affecting any other chain state or Arbitrum users. As of April 20 11:26pm ET the funds have been successfully transferred to an intermediary frozen wallet. They are no longer accessible to the address that originally held the funds, and can only be moved by further action by Arbitrum governance, which will be coordinated with relevant parties.

the great news is that pretty much all of this is totally preventable ethereum and ETH are rapidly growing to global ubiquity. this doesn't change that one bit future defi solutions won't make these amateur errors (they'll eventually seem like amateur errors... already do to many experts) attacker supremacy from AI won't last, it's working through a backlog of exploits. the limit result will be much permanently more secure protocols and eth's neutrality and capital gravity well will be more valuable than ever if you have ETH lent in aave, imo you should get out right now by using onchain limit orders to sell to whale loopers who are actively buying aETH unwind leverage. you can take as little as a 1.1% haircut based on ongoing txns in mid 6-figs, which is much lower than some estimates of final socialized losses. why can ETH lenders take only a 1.1% haircut now? because loopers want to avoid liquidation from high rates caused by 100% utilization. on the bad debt side, loopers actually win from socialized losses because their debt token (aETH) is the one taking the haircut, so they'd owe less in ETH terms. the most remarkable thing in this crisis is clearly that billions of dollars in backbone eth lending on aave were in fact exposed to signer risk in a 3rd party bridge... effectively some random downstream fellow was actually an aave admin. aave additionally has negligently low borrow rates during 100% utilization, leading to extremely dangerous illiquidity. what if ethusd crashed for any reason... eg. if stocks were open and a politician said the wrong thing, btc goes down 5%, eth goes down 8%... this can lead to broader contagion and bad debt. protocols and their teams like fluid (who've had low level dynamic withdrawal rate limits in protocol from day 1 so can't be insta drained) and spark (who seem to have excellent scientific gov and no exposure for eth lenders to 3rd party bridge admins) deserve respect and attention for doing what they knew was right and possible even before the ecosystem had a forcing function to care about it. same goes with other kinds of security practices that are still fringe, maybe including formal verification and ipfs hashes for frontends nearly 24h since the attack, the lack of material updates from affected protocols, including kelp, layerzero, and aave, suggests to me the ongoing severity of the situation. many factors are in play, there's probably no great solution, somebody is going to lose big is just the bridged rsETH (that argubly took bridge risk intentionally) fully on the hook for the bridge failure, and L1 rsETH should be unaffected? however L1 rsETH *was* affected due to gov choices in aave. does aave's junior debt program, umbrella, take the full wipeout? however umbrella's terms & conditions say they have no bridge risk, which aave gov effectively violated without umbrella holders realizing it. does layerzero bear responsibility for allowing their users to be subject to terrible admin config in one of their ecosystem bridges? i'm probably missing aspects here, it's very messy. Just Use Aave is dead... nobody is going to Just Use Anything anymore the future of this industry is to do the smart obvious stuff even when it's unpopular, like withdrawal rate limits, better interest rate gov, avoiding toxic market share steroids like degen bridge looping affordances. and for 10x better user recognition and higher standards around protocol hygiene and security differentiation. degen stuff is fun and amazing but only when you understand the true risks in sum, if you are lending ETH in aave, get out now at a ~1.1-1.5% haircut by selling to loopers actively unwinding because when the dust settles, a material haircut for Aave v3 ETH lenders is a possibility ethereum and ETH are growing well to global ubiquity and will be massive net beneficiaries of our industry successfully navigating this crisis season of backlogs of exploits discovered by AI and preventably poor practices in defi architecture/gov. trillions await

because the final allocation of losses between rsETH on Ethereum (which is technically "fully backed") and external chains is still tbd, i can only read this as a statement of Aave Labs' preference - they would rather rsETH on mainnet to have zero haircut, and for rsETH on L2s/external chains to bear the full loss (essentially zeroed out) ultimately, the allocation of losses will be mostly decided by Kelpdao team (and lawyers) but we can consider why this outcome would be aave labs' preference, and what would be the impact on users if this is how it ends up working out # aave labs preference aave core market on ethereum is covered by umbrella insurance module, and is also explicitly covered by aave dao backstop (eg dao committed to using treasury to backstop against bad debt). so if rsETH on ethereum ends up with no haircut, then not only are umbrella users completely unaffected (other than potentially GHO stakers to cover unbacked GHO on external chains), but the aave treasury remains intact aave core is also the primary money-maker for the aave protocol, and preserving this is probably top priority for labs team # user impacts if rsETH on Ethereum has no socialized losses/haircut, users on Aave core would end up being mostly unimpacted however, certain L2 networks would face an extremely heavy burden, with WETH suppliers taking a direct hit from unbacked rsETH current rsETH collateral across external chains includes: - Base: $71 million - Arbitrum: $152 million - Mantle: $116 million - Ink: $21 million - Linea: $1.4 million in some cases, rsETH backed loop positions may comprise a large share of the backing of aWETH, meaning that any assets borrowed against ETH may also be at risk of a haircut (USDC and USDT0 markets) mantle, arbitrum, and base seem to have the highest risk here, with mantle in particular having the majority of aWETH backed by potentially zero value rsETH. it is possible that Aave could successfully maneuver these chains into bailing out their markets (this may be part of the reason why Aave Labs prefers no loss socialization on Ethereum, to force the issue with relatively better capitalized chain ecosystems) we also note that ethena has a material deposit amount in the mantle USDT pool (https://t.co/CXOGQR7OZu) which may face a haircut, potentially exceeding their excess capital buffer. if this is the case, then this would become another vector of contagion risk into Aave markets including Core and Plasma (which has been relatively less affected as it had no rsETH exposure at the time of the hack) # comparison with full socialization personally, i think that concentrating losses on external chains is actually a worse outcome for Aave in the case where losses are spread evenly including Ethereum users, this would engage Umbrella ETH depositors (roughly $50 million) and also enable using rsETH collateral on Aave Core to repay part of the debt, likely reducing the uncovered loss on Ethereum mainnet to an amount lower than Aave's current treasury reserves the loss levels on external chains would then be at much more manageable levels, with less risk of cascading spillover into large haircuts on stablecoin markets or impairment to other key aave collateral assets like USDe awaiting further updates from the Kelpdao team to see how this will play out in practice

You and your friend give mainnet eth to kelp, they stake it and give you rseth as a claim token for your eth + ongoing yields You decide to keep your rseth Your friend decides to deposit into a bridge and get another claim token on a different chain to his rseth in the bridge The bridge contract has its rseth which backs your friends bridged tokens stolen Should you get a haircut despite not being deposited in the bridge? Or should your friend take all the losses as he knew he was exposed to the bridge risk by using it?

A recent viral clip showed Don Wilson of DRW criticizing public blockchains for their lack of MEV-resistance. Wilson argued that, as a result of this, public blockchains are not suitable for financial markets. This critique isn't going to go unanswered. Last night, Category Labs published a frontier research result for encrypted mempools. This is a significant result that leads the way to practical MEV resistance, and is how our industry will prevail against the private blockchain crowd. Background When you submit a transaction on a blockchain, it sits in a pending state where it may be frontrun by a bot. The cleanest fix would be for users to encrypt transactions until they're included in a block, but doing that efficiently is very hard: you need a committee of servers that can jointly decrypt only the transactions that make it into each block, fast enough to keep up with block times. Up to now, this idea hasn't been practical, as the best threshold encryption schemes are too slow, introduce censorship attacks, or introduce impractical operational steps for users or validators. Category Labs has a solution: BTX, a new scheme for Batch threshold encryption (BTE) that is actually practical and performant. This leads the way to encrypted mempools on Monad. The result Batched Threshold Encryption (BTE) lets a committee of servers jointly decrypt a specified set of encrypted results from a pool while keeping the rest private. Prior BTE schemes each had a drawback: - some required per-block MPC setup - some bound each ciphertext to a specific block or epoch (limiting rollover and enabling censorship) - some required users to pick an index from a small namespace (resulting in occasional collisions) - and the ones that avoided all these issues were either computationally prohibitive or required a common reference string (CRS) that grows with the number of sessions. BTX, the new mechanism proposed in the paper, is simultaneously: - epochless - collision-free - computationally efficient, and - compact In the paper, the authors implement BTX and benchmark it against the strongest two prior schemes (PFE from Boneh et al. and BEAT++ from Agarwal et al.). (BEAT++ is a prior result by most of the authors of the present paper.) BEAT++ is fast but has a censorship-enabling design flaw; PFE is clean but slow and has bigger ciphertexts; and Fernando et al. (a third leading scheme) is clean but doesn't scale to long-lived deployments. BTX is the first construction that's simultaneously collision-free, epochless, compact, and fast. BTX is a significant result solving a huge problem. Check out the paper in the next post.