🤯An AI security tool has 1st-place performance on security contests from just 1yr ago. Solidity-auditor v3 is out, FREE & Open Source.
Thousands of Solidity developers are using the tool already. Upgrade your security baseline, use the tool🫡
https://t.co/SfxjuQ17gA
rant time: people are so fucking obsessed with building more tools, more products, more services, more "security" layers. are you guys all fucking insane?? every single thing you add is more complexity. and complexity is exactly what makes systems _dangerous_. you don't get safer by stacking abstractions on top of abstractions. you just increase the attack surface and pray the whole dependency chain doesn't collapse (hint: it will collapse!!). now you depend on 10, 50, 100 moving parts. all needing updates, all with their own bugs, all potential supply chain failures and we call that "security" like fucking retards.
dude, it's the fucking opposite. we're not building safer systems. we're building systems so complex nobody actually understands them anymore. and almost nobody is asking the obvious question: **what can we remove?** everyone wants to add. nobody wants to reduce. that's how you end up in a nightmare system (hint: we're already in that nightmare). not because of one big failure. but because of thousands of tiny dependencies you never should have had in the first place.
software engineering in 2026:
- your package manager is compromised
- your cloud provider blocks your account
- github itself is hacked
software is solved
Kelp rsETH exploit is terrible due to extensive DeFi integrations.
Not sure how big the exposure is yet but:
- Aave V3: Markets already frozen
- SparkLend: Also froze the rsETH market
- Lido Earn via Mellow strategy meta-vault. I think it was a leveraged market
- Fluid: Frozen market
- Compound
- Euler
- Upshift: Paused High Growth ETH and Kelp Gain vaults
- Pendle PT YT tokens
- Some Beefy strategies. Yearn?
I suppose LayerZero is probably affected too, as rsETH were bridged from L2s, so I wonder if those rsETH on L2s aren't worthless right now.
The situation is still developing, so I don't want to FUD any protocol, but it seems there are not many places to hide in DeFi.
SEAL is coordinating an active investigation into the ongoing incident involving Kelp DAO along with all relevant stakeholders. If you have information to share or are able to assist in freezing/recovering funds, please reach out at https://t.co/QpXmM0iDM8
Link to site: https://t.co/Rq7IyUSvDm
Some highlights:
- Stack-too-deep is the number 1 pain point
- The majority use AI and 45% don't trust the output
- Foundry sees continued market gain as dev framework
- 70% have not heard of Core Solidity
🆕 Contract Tab Revamp
Navigating contract source code used to mean a lot of scrolling. Now you've got a full IDE-style code browser, plus refreshed read/write tabs.
Here's what's new ⤵️
🚨 CRITICAL: Active supply chain attack on axios -- one of npm's most depended-on packages.
The latest [email protected] now pulls in [email protected], a package that did not exist before today. This is a live compromise.
This is textbook supply chain installer malware. axios has 100M+ weekly downloads. Every npm install pulling the latest version is potentially compromised right now.
Socket AI analysis confirms this is malware. plain-crypto-js is an obfuscated dropper/loader that:
• Deobfuscates embedded payloads and operational strings at runtime
• Dynamically loads fs, os, and execSync to evade static analysis
• Executes decoded shell commands
• Stages and copies payload files into OS temp and Windows ProgramData directories
• Deletes and renames artifacts post-execution to destroy forensic evidence
If you use axios, pin your version immediately and audit your lockfiles. Do not upgrade.
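The "pin your version and audit your lockfiles" advice above is the part a developer can act on immediately. The following is an added example, not code from the original post or from Socket, showing what such a lockfile audit looks like: it parses a `package-lock.json` (lockfileVersion 3 layout), reports every installed copy of a watched package name and which dependency pulled it in, and lists direct dependencies whose range is not an exact pin. The lockfile object, its version strings, and the project name are constructed placeholders; the `plain-crypto-js` name comes from the post.

```javascript
// Added example: audit an npm package-lock.json for a watched dependency and for
// unpinned direct dependencies. Not part of the original post.
// For a real project: auditLock(JSON.parse(fs.readFileSync("package-lock.json", "utf8")), ["plain-crypto-js"])

// Constructed sample lockfile (lockfileVersion 3). All versions are placeholders.
const SAMPLE_LOCK = {
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", dependencies: { axios: "^1.0.0", lodash: "4.17.21" } },
    "node_modules/axios": {
      version: "1.0.0-constructed",
      dependencies: { "plain-crypto-js": "*" },
    },
    "node_modules/plain-crypto-js": { version: "0.0.0-constructed" },
    "node_modules/lodash": { version: "4.17.21" },
  },
};

// Package name from a lockfile path key such as "node_modules/a/node_modules/@s/b".
function packageNameFromPath(pathKey) {
  const marker = "node_modules/";
  const idx = pathKey.lastIndexOf(marker);
  return idx === -1 ? pathKey : pathKey.slice(idx + marker.length);
}

// Every installed copy of each package: name -> [{ path, version }].
// Nested copies (node_modules/a/node_modules/b) are counted too.
function installedVersions(lock) {
  const out = new Map();
  for (const [pathKey, meta] of Object.entries(lock.packages || {})) {
    if (pathKey === "") continue; // the root project entry is not a package
    const name = packageNameFromPath(pathKey);
    if (!out.has(name)) out.set(name, []);
    out.get(name).push({ path: pathKey, version: meta.version });
  }
  return out;
}

// Lockfile entries that declare `name` as a dependency (who pulled it in).
function whoRequires(lock, name) {
  const parents = [];
  for (const [pathKey, meta] of Object.entries(lock.packages || {})) {
    const deps = { ...(meta.dependencies || {}), ...(meta.optionalDependencies || {}) };
    if (name in deps) parents.push(pathKey === "" ? "<root>" : pathKey);
  }
  return parents;
}

// An exact pin is a bare semver version with no range operator (^, ~, *, >=, ...).
function isExactPin(range) {
  return /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$/.test(range);
}

// Returns { hits, unpinned }: installed copies of watched names with their
// requiring packages, and root dependencies that are not pinned to one version.
function auditLock(lock, watchlist) {
  const installed = installedVersions(lock);
  const hits = [];
  for (const name of watchlist) {
    for (const copy of installed.get(name) || []) {
      hits.push({ name, version: copy.version, path: copy.path, requiredBy: whoRequires(lock, name) });
    }
  }
  const rootDeps = (lock.packages && lock.packages[""] && lock.packages[""].dependencies) || {};
  const unpinned = Object.entries(rootDeps)
    .filter(([, range]) => !isExactPin(range))
    .map(([name]) => name);
  return { hits, unpinned };
}

const report = auditLock(SAMPLE_LOCK, ["plain-crypto-js"]);
console.log(JSON.stringify(report, null, 2));
```

Run it in a project directory after swapping the constructed object for the real lockfile; a non-empty `hits` array tells you the watched name is already installed and exactly which dependency brought it in, and `unpinned` lists the direct dependencies a `npm install` could silently move to a newer release.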
The @battlechain testnet is now LIVE.
Come enter the ultimate red-team platform.
Give us feedback so we can launch mainnet very soon, and fix web3 security.
Web3 companies are posting jobs on https://t.co/zvJkff2QtY
Here is how to find them
1. Google "site:https://t.co/zvJkff2QtY defi"
2. Filter by date (last month)
Replace "defi" with other keywords
Positions I found
https://t.co/XeTACEsj49
Good luck
Source Code Intelligence is now live in EVM Chronicle.
Variables are now inline-clickable in source view, so you can inspect live storage instantly.
Functions are now simulatable directly from code, with inputs and execution traces in one flow.
From source → state → execution, without leaving the page.
Being the 1st public auditing skills author I can share this:
• AI can't write skills as well as actual auditors
• Over-verbose skills (e.g. more than 5,000 tokens a page) are creating context rot
• Installing other people's skills is much scarier than npm install
I solved this by utilizing my profile site to host the Auditor Skills Registry
• Skills I personally use (including skills from @pashov, @trailofbits, @QuillAudits_AI, @auditmos, myself, etc.)
• Security reviewed, guardrails, AI reliance rating
• Easy and secure 1-click installation to claude code / copilot cli / gemini cli / codex
IMPORTANT: Like or repost if you plan on using it, to let me know if I should keep it live:
https://t.co/ZzcrI0GfEN