zKYC

BREAKING: The EU's age verification app that was supposed to protect citizens globally got hacked in under two minutes. The app is part of an initiative by the European Commission to standardise age checks across online services The demonstration shared by Paul Moore shows attackers bypassing security features to access user credentials which is stored locally. The result isn't a broken app it’s a finalized ledger of every citizen’s digital footprint, packaged and sold as a safety upgrade. Offer a shield made of paper then watch it burn in real-time and replace the paper with a glass wall and call it reinforced security

🚨 ALERT: Researchers discover 26 third-party AI LLM routers secretly injecting malicious tool calls and stealing credentials. Developers using AI coding agents like Claude Code to work on smart contracts or wallets may be at risk of having private keys and seed phrases compromised.

Drift lost roughly ~$280M. No obvious smart contract bug. No simple private key leak. The exploit path did not look like the usual “code broke, funds vanished” story. That is what should make people uncomfortable. What actually happened: - An attacker manipulated multisig signers - Got approvals in advance - Didn’t execute immediately - Waited Then used durable nonce, a Solana feature that can keep a transaction executable longer than a normal blockhash window. When the timing was right, the attacker used that approval path to: - take admin control, - reshape market and collateral conditions, - weaken or remove safety protections, - and drain funds quickly. That is the core pattern. This was not just a normal hack story. It was a case of approvals gathered earlier being treated as valid authority later, after the context had changed. And the system largely asked: “Was this approved?” It did not adequately ask: “Should this still be allowed right now?” That is the dangerous part. You think multisig protects you. It does. But only at one moment in time. After that? 👉 You’re trusting that nothing changes 👉 That nobody got tricked 👉 That the situation is still safe That is a much bigger assumption than most people realize. Crypto systems ask: “Did enough people sign this?” They don’t ask: “Should this still happen right now, under current conditions?” That’s the gap. And that gap is what a Drift-style exploit makes painfully visible. We need a different rule: Critical actions should not execute just because they were approved at some earlier point. They should require a fresh decision at the moment execution happens. Not before. Not “a few days ago.” Not “it was signed already.” Now. This is exactly the gap we’re building around. Not replacing multisig. Not replacing timelocks or guardrails. Working alongside them to add the missing execution-time check before critical actions go through. Execution-Time Authority adds a fresh runtime decision before critical actions go through. Just making sure: approval doesn’t turn into permanent authority Drift was not just a story about broken code. It was a story about stale authority being treated like live authority. Approvals made in the past were treated as authority in the present. Execution-Time Authority fixes this by requiring every critical action to be validated in real time. If your system can’t do that, it’s not secure. It’s just delayed failure.

Drift lost roughly ~$280M. No obvious smart contract bug. No simple private key leak. The exploit path did not look like the usual “code broke, funds vanished” story. That is what should make people uncomfortable. What actually happened: - An attacker manipulated multisig signers - Got approvals in advance - Didn’t execute immediately - Waited Then used durable nonce, a Solana feature that can keep a transaction executable longer than a normal blockhash window. When the timing was right, the attacker used that approval path to: - take admin control, - reshape market and collateral conditions, - weaken or remove safety protections, - and drain funds quickly. That is the core pattern. This was not just a normal hack story. It was a case of approvals gathered earlier being treated as valid authority later, after the context had changed. And the system largely asked: “Was this approved?” It did not adequately ask: “Should this still be allowed right now?” That is the dangerous part. You think multisig protects you. It does. But only at one moment in time. After that? 👉 You’re trusting that nothing changes 👉 That nobody got tricked 👉 That the situation is still safe That is a much bigger assumption than most people realize. Crypto systems ask: “Did enough people sign this?” They don’t ask: “Should this still happen right now, under current conditions?” That’s the gap. And that gap is what a Drift-style exploit makes painfully visible. We need a different rule: Critical actions should not execute just because they were approved at some earlier point. They should require a fresh decision at the moment execution happens. Not before. Not “a few days ago.” Not “it was signed already.” Now. This is exactly the gap we’re building around. Not replacing multisig. Not replacing timelocks or guardrails. Working alongside them to add the missing execution-time check before critical actions go through. Execution-Time Authority adds a fresh runtime decision before critical actions go through. Just making sure: approval doesn’t turn into permanent authority Drift was not just a story about broken code. It was a story about stale authority being treated like live authority. Approvals made in the past were treated as authority in the present. Execution-Time Authority fixes this by requiring every critical action to be validated in real time. If your system can’t do that, it’s not secure. It’s just delayed failure.