Venmo Advertiser
Get in the game with the college-branded Venmo Debit Card. Rep your team with every tap and earn up to 5% cash back with Venmo Stash, a new rewards program from Venmo. No monthly fee, no minimum balance, just school pride and spending power. Get in the game and sign up for the Venmo Debit Card at venmo.com/collegecard. The Venmo Mastercard is issued by The Bancorp Bank, N.A. Select schools available. Venmo Stash terms and exclusions apply at venmo.me/stash-terms. Max $100 cash back per month.
Kain Warwick
Hey everyone, I'm Kain Warwick and welcome to Uneasy Money. Because what happens on chain never stays on chain. Before we start, nothing you hear on Uneasy Money is financial advice. We're just builders talking about what's happening on chain, and we want you to always do your own research before aping in. You can find all our disclosures at unchainedcrypto.com/uneasymoney.
Fuse Energy Representative
The Fuse Energy Network is an intelligent decentralized grid that coordinates smart devices to balance supply and demand. Energy Dollar is the native token of the network, from one of Europe's fastest-growing energy startups. Follow Fuse Energy on X to find out more.
Multichain Advisors Representative
Multichain Advisors is an emerging technology growth firm that has helped create $50+ billion in enterprise value for 80+ clients over the past four years. They're the partner to help you navigate markets and build real traction. Learn more today at multichainadv.com. If crypto taxes feel overwhelming, you are not alone. That's why Crypto Tax Girl, a team that's been helping crypto investors since 2017, is offering $100 off on one-on-one crypto tax help. To get $100 off your crypto tax services, go to CryptoTaxGirl.com/Unchained. Again, that's CryptoTaxGirl.com/Unchained.
Omer Goldberg
All right.
Kain Warwick
I'm here with my co-host Taylor Monahan, security expert. We could definitely use a few more security experts on this show this week where we've got some stuff to cover, and Luca Netz, CEO of Pudgy Penguins. And joining us today we have a special guest, Omer Goldberg, CEO of Chaos Labs. Welcome, Omer. We have a lot of wild stuff to cover today, so let's just dive in. The first thing is this Resolv situation. $300,000 in and $54,000,000 gone. So what happened on Sunday night? I believe an attacker compromised Resolv's AWS-hosted private key, minted $80 million of unbacked USR for 300k, dumped it on Curve and walked away with 24 million in ETH. USR crashed from a dollar to 2 and a half cents, I think, not too bad, not zero. Held up okay there. And the protocol paused three hours later. The three hours later thing, I guess we'll get into that, but that seems like a decent amount of time for something like this to happen. And so yeah, there were a bunch of issues with Morpho lending markets. Steakhouse was also caught up in this. And I think, you know, there's this kind of automated allocation on the minting side and you know, we can probably jump into it here, Tay, with your take. But like this idea of making it as convenient as possible to mint stablecoins. There was a long period of time, right, if you go back to like the Tether days where everyone was always mad at Tether because it was this black box minting process and only certain people were allowed to mint. And maybe there's some stuff we can learn from CeFi, I guess.
Taylor Monahan
Yeah. Well, I'm very excited to hear Omer's perspective because for me, my perspective is this is actually there's a lot of wild stuff that happened and there's a lot of complexity in what happened and how, where bad debt was accrued, where the losses happened, where things can be improved there. But at the root, we do in fact go back to the fact that a single party had a single key. That thing was compromised by some bad actors and that allowed them to take unilateral action. And apparently this unilateral action, basically minting a whole bunch of USR, was either not monitored or it. Maybe they had alerts on it, but nobody was monitoring those alerts. And so it, you know, as we go into all of the more interesting complexities around this, I just want to remind everyone that at the end of the day, this is a very Web2-oriented hack. This is a key that was compromised, that was controlled by. Yeah, so it's. Yeah, so it wasn't. It's not quite your perfectly classic private key compromise, but it's about as close as it gets. Basically the key to AWS was compromised, and AWS and basically all infra have like key management solutions. And so you like put your private key in this little section of AWS and you're like, now it can't be exported, now it can't be compromised. But in order to interact with that key and in order to take actions like minting or any sort of actions, wherever that key lives, you have to be able to interact with it. And so sometimes the system can allow the key to be exported, or if it's slightly more secure, then you just have to ask the key to mint or burn or whatever, do whatever, move everyone's money, whatever the case may be.
Kain Warwick
So just a question on that. Right. The old school defi way was you just have unencrypted private key thing on your laptop.
Omer Goldberg
Yeah.
Taylor Monahan
In your metamask.
Kain Warwick
On your laptop.
Omer Goldberg
Yeah.
Kain Warwick
And someone breaks into your laptop and steals it. But we're like, no, that's crazy. You wouldn't do that anymore. Now we're just going to put a single private key into aws. And Jeff Bezos, they're into the, into
Taylor Monahan
their Secrets Manager, where keys.
Kain Warwick
And so, so just to be clear, this was not someone breaking AWS's key management system or something like that. This is just someone getting a password for something, effectively.
Taylor Monahan
Yeah, basically like getting into the AWS account. And then once you're in the AWS account, you can basically command that key to do whatever you want. In most cases, in most hacks that we see, they just export the key from the Secrets Manager. In this case, it sounds like that wasn't what happened. They just were able to, once they were in AWS, they're able to say, yo, mint me all this money. Thank you.
Kain Warwick
Right. So they didn't even have to exfiltrate the key. They could just. It's like super user access as soon as you're in AWS.
Omer Goldberg
Yeah.
Taylor Monahan
And it, you know, it goes back to, you know, the, the, the, the attack surface. But also, in my opinion, like, this is basic risk management. The reason you don't want your private key compromised, the reason you don't keep it in your MetaMask, is because that key can then go and do things that harm your protocol or people or whatever. Um, just because you move that key to AWS or another secure solution doesn't mean that those outcomes are now impossible. It just changes how those outcomes are accomplished. And so instead of hacking the one computer and taking it out of MetaMask, you hack the AWS and you take it out of AWS Secrets Manager, those sorts of things. And so I think we do need to get more robust in terms of just actually doing the threat modeling and actually understanding what are we protecting against. How do you monitor these things? How do you prevent these things from happening? Because in my opinion, like, I'm just,
Kain Warwick
as a, as a Pudgy maxi, I just want to make sure, Luca, the private key that allows you to mint more Pudgy Penguin NFTs, right? That. That's not in AWS. Yeah, yeah, we're good. Okay. All right, Omer, what's your. What's your take on this?
Omer Goldberg
Yeah, I mean, hey, let's start with a lot of money was lost and bad debt was created. So first thing, it's like a difficult event for the industry, just like on the AWS front. Like, even within AWS, there are levels to it, right? Like, so probably the most straightforward thing is like storing a single key in your EKS. But even if you are using AWS and you're using their Secrets Manager, you can have 2FA on AWS, you can have biometrics, and of course, on top of everything, like, if you care about security, you don't want to have a single key that ever has unlimited permission to do an infinite mint. So even if one person in the organization is compromised, you want it to at least require several more. And that makes it all the more difficult for any attacker to get unilateral control over the minting function. So even in AWS and kind of Web2, there are levels to security that you can take in order to kind of protect protocols.
Kain Warwick
So just a question on that, right? Like, is there any good reason why someone would have a single, like, is this some, like, architectural choice where they're like, we don't want to be there when minting happens. We want people to be able to mint anytime we want it to be convenient or whatever. So we need this key that has the minting control to live in AWS so that at any time someone can turn up and we can mint tokens. Is that like, architecturally, is that kind of the intent here or is it just not? Well, yeah.
Omer Goldberg
So a. I mean, I haven't at least seen like an official postmortem, I
Kain Warwick
think, post mortem yet. Right?
Omer Goldberg
Yeah, some of it is still ongoing and I think they're negotiating with the exploiter and, you know, expect them to kind of share more details once it's no longer an ongoing situation. But I don't think that anyone would be interested to hear their take. But I don't think that anyone would argue that this is like an architectural, like, decision or that it's like, superior in any way. I don't know, like, what the circumstances were that. That led them to kind of making that choice. Interestingly, like on the audit, there were other parts of the contract that required multisig and had a different operational security model. So to answer your question? I don't know, but it does seem like for any kind of stablecoin, we've seen these hacks before. Infinite mint hacks were like super prevalent in 2021, 2022, kind of one of the core functions that you need to be careful of. So we'll be interested to hear the reasoning. But there are a lot of ways to do it and that's just on the AWS front. Like also there are DeFi-native solutions
Luca (CEO of Pudgy Penguins)
like to do this.
Omer Goldberg
Right. So there are things like proof of reserve oracles, right? So you have like a separate oracle that is basically tasked with understanding the value of the reserves at any given time. And there's just like an on-chain check. Right. Like there shouldn't be a gap. I think at the end the ratio between the minted USR to what was backed was 266 to 1. Right, right. And many stablecoins today will do things like controlling the velocity at which something should be minted. So, you know, maybe there shouldn't be more than 10 million mints within an hour. Like the, the max is 10 million per hour and if you want to mint 80 million, it takes you a day, which is totally like a legitimate choice.
Kain Warwick
I don't have time for that. I don't have time for that. I need my 80 mil in 3 milliseconds or I'll find another stablecoin. This is a competitive market. I can't wait all day for 80 mil.
Omer Goldberg
There are trade offs and trade offs were made. But there are ways to mitigate this both on the Web three side and the Web two side.
Kain Warwick
Yeah, right.
Taylor Monahan
Yeah.
Kain Warwick
Interesting. I mean, so this, like most DeFi things, and I'm sure, Tay, you've got more takes here, but it feels like there are what in the nuclear industry they call normal accidents, right? Like these cascading things of the guy just like leaves the door open because it's cold that day. And then cold wind blows onto the console and the console gets cold and it does a weird thing that it doesn't usually do. And then like something catches on fire down and then all of a sudden you get a nuclear meltdown. And you know, there's a bunch of things where it's like, oh man, we were supposed to have an alarm if the door was open for too long, but the alarm, the battery ran out and you know, like you just have these like weird series of events that, you know, you think, well, there's not going to be five of these things or seven of these things. You know, we've got seven fail-safes. There's no way that seven things could go wrong consecutively. I mean, it's funny, like, people probably forget this, but Synthetix had an oracle-related issue like this where we printed $11 billion worth of synthetic Ethereum back in 2019. This is when we learned not to roll our own oracles and switched to Chainlink. But we had a bunch of checks there as well, like, oh, you can't do this, you can't do this. But it was this weird situation and we didn't have any cap on minting because it was DeFi. We were like, we can't stop things from happening. Code is law, bro. So, you know, we had all of these things that we could have done that we didn't do that, like were, you know, very obvious checks. But we then subsequently were like, okay, we've learned our lesson, we'll do this. We also had, you know, where we had to negotiate with the hacker. I think we paid him like 50 ETH and got the money back. But we, luckily we paused the protocol fairly quickly. We had like a pause thing and I think paused it within like an hour or something like that, less than an hour after it happened. 
So, so yeah, Tay, what's your, what's, what's your take on this? Like from an architectural standpoint, even though we don't have a postmortem yet. But what.
Taylor Monahan
I think it just, again, it just goes back to defi. Spends a lot of time, I think, thinking about and analyzing and obsessing about sort of more novel risks and more interesting things and especially the things that seem like impossible to mitigate. And as a result, somehow like the basic operational security and basic threat modeling just doesn't get paid attention to. It's a very weird thing. Smart contract auditors, I mean, that's, that's
Kain Warwick
like startup life, right? Like, I'm sure if you, I'm sure if you go back to the start, I'm sure it is. You go back to the start of this thing. There's someone that was like, we just use AWS KMS for the first six weeks and then we'll like switch to this, like multisig. And they've got a whole plan of like all these things that they're going to do. And then life, life comes at you fast and you're like, holy, we have a billion dollars of TVL, this is. Yeah, we got other things we're scrambling to solve.
Taylor Monahan
It's just, it's, it's. It's so interesting to me because if you, if you just imagine like the most basic threat model for a stablecoin, like an infinite mint, basically like losing control of, of the supply is like top of the list. Okay, so how does that happen? Right. And so you just go down the list and it's interesting to me that there was, you know, because there are, they have undergone audits, there have been discussions. They, they obviously do. It's not like they're just complete idiots and not thinking about risk. They are, but like the, the biggest, most basic top-of-mind one it doesn't seem like people have paid enough attention to. And it's not just them. Like I don't, I really don't want to pick on them. They're probably better than most of DeFi because at least it's in AWS. Like no joke.
Kain Warwick
Yeah, there's a lot of people, I mean, you know, you don't, you don't hear about the things that don't happen. Right. And you know, there's a lot of people that just have like an infinite-mint PK sitting in MetaMask on their like machine. Right. And for whatever reason they don't get the Zoom call or something. And so you never hear about it.
Taylor Monahan
Yeah, exactly. So I would just encourage people like again, just go back to, and especially the security auditors and the risk people. Like, I understand that you want to look at the most novel, most defi, most smart contract, these hard, impossible, like super fun things. But if you're not going to just sit there and like, at least like write down what the requirements are to mint and acknowledge that it's like whoever has access to this AWS can mint forever, then I just question like how you can call that a security audit. Right. It's just the most basic stuff. But I want to give Omer the chance to talk about his perspective on this because it's definitely very different than mine.
Omer Goldberg
No, I think I'm like pretty aligned with everything that you've said thus far. Kain, to your comment on the startup life and things moving fast. On one hand that's true, but I think just every startup has trade-offs that are acceptable. So if you're running a social media site and you're obsessed with growth and you're going to make some trade-offs or prioritize differently security and the worst case is some, you know, consumer aspect being leaked, which isn't great either. But maybe there's like an argument there. But like as a stablecoin startup, just for any or any asset issuer in general, I think there's like I don't know if there's. It's the worst case scenario. Right. So that should be top of mind for, for everyone. Even if it does introduce friction. And like yes, security introduces friction, but there is a reason for it. And so yeah, I think that's like just a good framing for anyone who's working with assets. Taylor, really interested to hear your perspective on like the security audit itself. Because I think when people hear security audit or like risk in their mind, they assume that the auditor is engaged or looking at every part of the system. Which isn't necessarily the case because a lot of these protocols are iterating. They'll work with like many auditors and each will look at different parts of the system and also different points in time. I think the, the metric for this or the number someone had said something like 14 audits had been done. But when you look at the audits I think, and it needs to be verified, but that no part of the system was audited more than twice and that most of the audits were on separate components.
Kain Warwick
So which is a bit too like, even for me that feels unusual, right? Like, you know, the iterative audit approach is definitely something that I think has kind of like grown over time. But it used to be that you would sit there and like do three full holistic end-to-end audits. But to your point, Tay, you could do 50 end-to-end holistic audits on smart contracts. And no one looks at like the KMS, you know, opsec. Right. And no one says to you, hey, like is by any chance is the password in like Apple Notes for this AWS account?
Taylor Monahan
Yeah.
Kain Warwick
And you're like, oh yeah it is. Yeah. But like it's sc. Like it's fine, it's fine. Like Amazon's safe. Don't worry about it, bro.
Taylor Monahan
Yeah, it's. I think you're right on the audits. I didn't look, I didn't dive into every single one, but I. There are a huge amount of audits but they did seem to be pretty narrow in scope. At some point I do feel like the audits become like security theater. And this like sort of even what we're sort of seeing with like the, the risk people and like this sort of like partnership, engagement relationship thing that's emerging. It feels a bit like security theater. The way that like I would approach this is like you're gonna sit down first as a team and you're going to again like attack surface threat model. Like what are the bad things that can Happen and let's prioritize them. And then, yeah, there's going to be certain experts that can help, like, check your stuff, help you write the test, help you understand the stuff, help you mitigate the risk, whatever it may be. But if you don't have that, it's just like the approach, right? If you don't have the initial threat model done so that you know exactly what you're trying to accomplish and what risk you're trying to mitigate, then you end up being like, okay, we just, we need an audit. And so you find the available auditor at the price point that you want with the brand name that you want, and then you're like, hey, audit me. And like, yeah, it's.
Kain Warwick
It's like a rubber stamp sort of. I need, yeah, I need to put the audit on my, you know, sort of thing. So.
Taylor Monahan
And, and this is in defense of security auditors. This is why the auditors are like, that's out of scope. Like, we were not engaged to look at that thing. We weren't supposed to look at that thing. Why didn't we ask that question? Because that's not what we were there for. I do get it, but I do think, like, at some point. Oops, sorry. At some point, baby shark broke through my do not disturb, even at talk
Kain Warwick
about it next week, whatever that was.
Taylor Monahan
At some point, I just think the security auditors have to, like, I don't know, figure out a way to, to, to make sure that the teams are properly prepared and are sort of aligned. Like, fundamentally there's a position to get an audit.
Kain Warwick
Like, just be like, hey, guys, like, we're not going to audit this, but if we're going to put our name on your website, we want to make sure, like some basic due diligence of, you know, just checking to make sure that the infinite mint password is not in Apple Notes. Just. Yeah, we'll just check on that. Hey, Luca, like, you know, you have. For what it's worth, I was joking about the NFTs, right? But you've got a lot of attack surface in your life, right? You know, like, you, you have to, you have to think about this sort of stuff, you know, particularly when it comes to, like, Abstract, right? Like, there's a wall, there's wallet in front. Like, you've got like a lot of attack surface across all of the Abstract stuff, let alone, you know, Pengu. Presumably you. You guys kind of closed that off, right? And. And Pudgies. I was joking about the NFTs. You can't. You can't mint more Pudgies, unfortunately. But, but on the Abstract side, like you have a lot of attack surface. Like how, how do you think about this?
Luca (CEO of Pudgy Penguins)
Yeah, I mean as somebody who's not a technical lead, all I can say is it's, it's for a while. And a lot of the members on the team can quote me on this has been my biggest fear and I remind them consistently that it's my biggest fear and that you know, there's a lot of things that we can fight but one of the, you know, that's a code red delta force, you know, you can't go back from that. And so, you know, all I can do as a non technical founder is stress the rest of the guys and saying that you know, we have to make sure we practice, you know, best in class opsec. And I really trust them to do it. But you know, I have the beauty is about our organization is the president of Igloo who's Lorenzo is like a four times national robotics champion. He was our CTO before he was our president. And so he has a really great deep dive to kind of DD when I, when I make those call to actions to make sure that when those guys say you know, we're practicing best in class OPSEC and it's not, and
Kain Warwick
I probably would say it's like the
Luca (CEO of Pudgy Penguins)
one place I will never question the cost. It's the one place I will never question the resources or the effort or, you know, the parameters that are needed to make certain changes. I think we need, you know, multiple lawyers to sign, multiple people in different jurisdictions. You know, one person can't, you know, ruin the whole ship if for some reason they're hogtied, you know, in a hotel room, you know, we, we as best practice as you can kind of enable. I've basically encouraged them and said like look, there's places we can cut corners and places we can be cheap. This is the place that if it costs a gargantuan amount of money, it costs a gargantuan amount of money. And that's probably the best that I can do as a non-technical founder and then have my guy Lorenzo fact check when these guys say that we're, you know, taking the best steps to making sure that everything is as safe as possible. But like you know, the change, it's
Kain Warwick
also like posture, right? Like it's like, you know, I'm non technical, like don't bother me about this guys. Like I'm talking to Walmart, you know, about like the next you know, merch deal. That kind of attitude I think is, is what becomes like very concerning, right. If there, if there isn't like a sense of, you know, ownership, even if you're non technical.
Omer Goldberg
Right.
Kain Warwick
That like, hey, let's make sure we don't do really dumb stuff like let's actually invest the time and effort and that's like, it's not even usually money, right. It's just like the time to slow down to say let's do opsec. Right. As opposed to whatever is expedient to just, you know, get things done.
Luca (CEO of Pudgy Penguins)
Yeah, I'm super paranoid about this. So like I, every couple of weeks I drop a chat to some people just thinking of things. Actually on the chain side, the difficult element actually is because we have that interface and that curated interface, it's actually less about the back end and our side of the ship that I worry about. It's the other people's side of the ship. But because, because I curate the interface in the front end, if some of the third parties get hacked, they blame me as a curator. And that has actually happened. And when that happened, we actually went out of our own pocket to refund. Probably set a bad press precedent in that respect. But, but you know, we, it was the first time that it had happened. It was really early after launch. You know, today, you know, we obviously have to be featured on the portal and the platform that we curate, you have to go through a couple audits, you know, through trusted people that we obviously respect, you know, whose audits we respect. But that's actually the more complicated one is, is if I curate something and I say something to the community that some, you know, by, by being on our platform that it's safe and then that gets compromised. Unfortunately they blame me. Even though being frank, like you can only do best practice and that's ultimately, you know, to the builder. But that's the more tricky one. I am pretty confident on our boat, especially because one, I'm super paranoid and I repeat it to the team consistently across both organizations, Pudgy Penguins and Abstract. And I'm very confident in that team's talent and ability to like listen and understand that that's a huge risk factor, if not the biggest. In that respect, you can come back from pretty much everything. Like that's one of the few things I think is very hard to come back from. So like in that, you know, I can come back from FUD, I can come back from low sentiment, like those things happen. 
A big hack is something that's really hard to come back from. Even on the social side. I had my socials hit. So then you have that like everyone's on YubiKeys. You know, at Pudgy Penguins, we pay a guy a six-figure salary to literally do opsec all day. We have a head of security at Pudgy Penguins. You wouldn't even believe it, an ex-CIA guy named Bo. So he's great. You know, most organizations don't have a, you know, head of security running around, but like, I'm that paranoid about it that it, it means a ton to me. And so some phishing things like that. So we take it very seriously here.
Omer Goldberg
Nice.
Kain Warwick
Awesome. So let's talk about contagion here because I think this is another very interesting thing. Tay, do you want to just walk us through?
Taylor Monahan
I know I am here to listen. I'm here to listen. It is because this is like quite over my head once we get into the weeds on this. This is over my head and so I'm here to learn on this one.
Kain Warwick
All right, Omer, walk us through it.
Omer Goldberg
All right, I'll do my best to go through the timeline. And then also, Luca, there's some interesting like parallels like with what you were describing with the front end. Because usually when you get. There are actually like many different types of front end attacks, but I think the one that it seems that nation state actors like DPRK, like North Korea, have been weaponizing is what's called a supply chain attack. And the supply chain attack, let's say on your website you're using a bunch of JavaScript packages, like popular ones. Someone through social engineering or any other vector is able to get control of that package and then makes a small modification where they put like a special surprise in the package for anyone who's downloading it. And effectively like what that does in many cases is it gives an attacker root access to your machine. So Kain, in like your example of someone holding like a PK on their laptop, there are just many cases where someone might be installing like a JavaScript or Python package and suddenly like all the keys are, are compromised. So it could actually come from.
Kain Warwick
We actually, we don't, we don't have this on, on the list of things from this week because it's probably been crazy, but I actually had a small scare yesterday morning where the Python. Yeah, yeah, yeah, got compromised. And I had literally been in the process the night before of installing a bunch of Python stuff related to agents. And my immediate thought was like, I have no idea what dependencies I pulled down. It was probably like a hundred things that I pulled down to make this stupid thing that I was vibe coding work, right? And I like, I just was not paying attention to it. I was like, I was like, this is fine. And then I woke up the next morning and I was like, oh, Python that, Python LLM, that sounds bad. I was doing a bunch of Python stuff. So.
Omer Goldberg
So machine, like I don't know what you installed 100.
Kain Warwick
No, I checked. I. Yeah, I checked. Yeah, I checked it, but I wasn't at the machine. And I was like, this is not great.
Omer Goldberg
So it's really common. And I'll just say on that note, even for this our solution. So there are companies that all they do is make sure that all the packages that are being installed in an organization are safe. And when you're working with Claude, he's probably. Or OpenAI, like Codex, it's pulling in whatever it needs at runtime. But there's something called package pinning. You've reviewed a version of the package, you're not auto-updating. It only allows you to auto-update after it's clean. That's also the best practice for everyone. But we can speak more about what happened over the weekend. In transition there, during the weekend at around 2:20 UTC I think it was, the exploit started. It was an infinite mint and the attacker I think did several calls to mint, if I'm not mistaken. So it wasn't some like atomic thing that they ran, and that's when the contagion started. So fine, like USR is infinitely minted, but it's backed off chain and in and of itself, like if it wasn't integrated anywhere at that point, they could contain everything, right? Because they'd be able to say like, hey, we know what was minted before and after this happened. We'll take a snapshot and either we'll make a new token that all the holders before that hack had and just invalidate everything that the attacker had. But it's DeFi. And everything is like I was about
Kain Warwick
to say, I don't know if you've heard of composability. Yeah, this is kind of our number one thing. We, we don't want it to be only connected to one thing. We want it to be connected to 100 things in a way.
Omer Goldberg
That part we did well,
Kain Warwick
we nailed that part.
Omer Goldberg
It was connected in many, many places. And basically the attacker, Curve was a big one. So there were Curve pools that had USR against other stablecoins, started swapping there then before moving ultimately into Ethereum. And then all the lending protocols. So I think it was Fluid, Venus, Morpho were the main venues. They got hit up and the attack from that point is like very simple. These venues accept USR as collateral. So you deposit it as collateral. It's a stablecoin and lets you kind of. Most platforms will give you like a high loan-to-value ratio against it. So not one to one, but let's say like 95% on each one and just start draining, draining, draining, draining as much as you can in big batches. So Fluid and Venus I think were like over 20 million apiece. Then there was Morpho, which I think in aggregate is over 10 million. And that's where the contagion happened. And it's the same kind of a method of operation. Just take whatever stable you can or kind of blue chip asset, move into ETH and then figure out how you're going to, to get it off chain. So there is still a difference. I think that like in Fluid and Venus there were just actual markets for this, so the attacker could do it pretty quickly. And there was liquidity against it, which allowed for it. In Morpho, at the time of the hack, there was actually very little liquidity across most of the vaults. So at the time of the hack there was. In Morpho the damage was 5k, which is great. It's nothing at that point. Right. And you'd expect it to end. But Morpho has this feature called Public Allocator and in theory it's supposed to be really nice. Like you say, hey, if there's like an area where the, or a market where the interest rate spikes and I've whitelisted it as a vault curator, I can route liquidity there automatically. Automation, DeFi compression.
Kane Warrick
Something good is probably happening in this situation, right? When interest spikes, there's a lot of demand. It's probably a white swan, not a black swan is the reason here. I'm assuming like that's one.
Omer Goldberg
I think that's like in the first two seconds that you think about it, you're like, oh, this is great. We're going to make more yield like off of this, like interest rate and let's just send all of the funds there. But then I think the immediate question is like, wait, like this thing had 5k, why is it now paying out like, you know, tens of millions of dollars in like, you know, 20 minutes? It's kind of weird. And so yeah, I think we're waiting for like several postmortems. But from what it looks like and what you can see on chain, there were batches of USDC and other stablecoins that we don't know if it's an attacker or just random MEV bots, but were requesting to borrow against USR. And it was happily, like, approved. So you had all the USDC flowing through, and it went from being like a 5k exposure on Morpho to, I think, across all the markets, it's around 10. I want to say eight, but it could be more. There's a lot of markets that had it listed. So that was like, part two of the hack, which is a little bit less, I don't think. I don't recall something like that where we've seen, definitely seen, like, stables or infinite mints. Go into like, a lending protocol or like a Curve pool and take whatever you can until it dries up. But it's.
Kane Warrick
But the liquidity is done, right? Like, it's.
Omer Goldberg
Yeah, yeah, but this part was different. It lasted for. So. So the Gauntlet vaults were the ones that were hit hardest, that was open, I think, for, like, between 90 minutes and two hours. But there were different kind of curators. I think up to 10 hours were supplying liquidity. And it's important to note also that there was. Sorry, go ahead.
Kane Warrick
Yeah, so. So one. One question that I always ask with these things, right? Because in my experience, living in Australia, every single time anyone's ever tried to do something with, like, any protocol I've been involved in, it's like 3am Sydney time.
Omer Goldberg
And.
Kane Warrick
And, you know, like, they know what they're doing, right? They know the time, they know where you'll. Where you'll be. So Sunday afternoon feels like a decent choice, right? Like 2pm UTC. But I'm. I'm a little bit surprised like, that it wasn't, you know, middle of the night, like, you know, daytime Asia time or something like that, that. That this happened or that it happened in the middle of the day, even on a Sunday. And, you know, the visibility was. Was still so low. I know we haven't had postmortems yet, but that. That part to me stood out as, like, the. The fact that the person, like, did it in multiple, you know, multiple hops. It's almost like they. It was somewhat planned, but maybe like, they stumbled across this and then they're like, oh, and we've seen this before, Tay. Like, you know, someone's like, oh, I have all of the keys. What should I do? Right? And then they panic and, like, start stealing money. So this, like, what's your take on. On that. It doesn't. It. There's a few little signals here that feel like this was like the person stumbled upon this somehow and didn't. Didn't know what they had and then started doing.
Taylor Monahan
Yeah, a bit. I was. Well, yeah, you go. I don't. I would say a bit just because, like, they didn't. It seemed a little bit like a. Like, because they minted, then they minted again and they're like that to me, all right, let me go run it on Curve. And then they're like, oh, like, let's. It just. It felt like they had some semblance of a plan, but it did not feel like they had like run through this whole thing top to bottom beforehand or that they necessarily knew. Maybe they didn't know. You know, they're kind of. They had the first, the initial. The initial thing planned out, but they didn't, you know, they were rapidly evolving over time. Generally in terms of like, the timing of hacks, it doesn't matter what time zone you're in. When a really bad thing happens, it will be 3am wherever you are every single time. Like, you have to expect that. And yeah, I saw like, there was like, commentary on PagerDuty. Guys. Like, you have to have pagers. Like, I'm sorry. Like, I mean, you just heard my, my phone break through Do Not Disturb. Right? Like, that's, that's my life and that's, you know, that should be everyone's life. When there is an emergency and someone needs to get a hold of you, even if you're in like, Do Not Disturb, even if you're asleep, it will break through and it will, you know, bug you.
Kane Warrick
And yeah, the OpsGenie, like little like ringtone. Even my wife knows that. Like, if that thing goes off, she's like, you need to get over here immediately.
Taylor Monahan
Yeah.
Omer Goldberg
Yeah. I mean that's like, like every organization that's managing money, I think that's like expected. Unfortunately, not everyone does it. And in Web2, there's like a standard called SOC 2. It's not like anything crazy. I think that most financial or all financial institutions won't even talk to you if you don't have it. And just because you have it, it doesn't mean that you're some fortress. But it's, it's the basics. And part of that is having like, alerts. And here it's. I don't know how many teams do that, right? So PagerDuty, OpsGenie, gotta have that. In terms of the attacker, there's a few ways that I would interpret it. One is, you know, potentially the attacker might have expected that the second that they received the PK that there would be an alert. So there are solutions, for example, like where you will get that OpsGenie phone call or a PagerDuty immediately if it's detected that like any sensitive data leaves your system. Right. Again, there are big, big companies that like this is all they do. So perhaps he got the key or they got the key and thought that they had limited time and it wasn't the middle of the night. But you know, the key would be rotated and they had to do whatever they had to do right, right at that moment. So that's one possibility. The other possibility is something that like, you know, we call it like an operator attack. So it's not like a script or something. There's actually someone on the other end, which in this case it seems clear that there was, that is thinking about how to do the attack. And at that point, you know, if you mint $100 million, like maybe the thinking process is okay, I'm going to be exposed immediately. I'd rather do this in smaller increments and batches. I think I'll get better like execution or maybe be able to kind of cover up my trails faster and do it in that way. And if someone did it in that way, it could potentially suggest that they knew the team didn't have that security posture.
But yeah, this is like all speculation. Both of those things would make sense to me, right. If someone just thought that they had the key and they had to do it now because it'd be covered up. Or someone more sophisticated that knows like the org knows that they don't have this alerting infrastructure in place and is taking their time maybe not to draw public attention and have like a better outcome.
Taylor Monahan
Yeah, yeah. And it is all speculative, but it is super fun to speculate. It's. Yeah, it's. I spent a lot of time doing it and yeah, on your note, like the operator versus like automation. Most things in crypto these days, like almost all of them are like what we call like hands on keyboard, like manual operations. It doesn't mean that they're messy or immature or unsophisticated. It just means that. There's just not a lot of great opportunities in crypto to pre-script something where that increases the chances that you'll be successful at your hack. And the best, most sophisticated operators are the ones that like practice beforehand and have a really solid plan, but are also just so deeply familiar with how crypto works and janky things and error messages and all of that that they adapt really quickly. One example was. Was the UXLINK. When they had their mint happen, they were just. They were just dumping it. Wherever they could find liquidity, they were dumping it. There were also, like, every single swapper front end was trying to block them. There were addresses all over the place. And at one point, they got phished by, like, Inferno Drainer, like a wallet drainer. So basically, DPRK, Lazarus Group was like, trying to dump all these coins that they just infinitely minted. They get blocked on one front end and go to a second front end, accidentally get phished, lose a bunch of money to the phisher, right? And probably, I think it was like two minutes later, did another mint of like 900 trillion coins. And to me, like, that was, like, wild because it was so clear that they. That these were operators. These are people with their hands on the keyboard using crypto, just like we do. But. But just how they. It didn't even. They didn't even flinch. They're like, oh, we just got drained here. Yeah, just go mint some more and then go to the proper one, wherever they were going. It was wild. And that's. In crypto. That's the difference between unsophisticated and sophisticated.
Kane Warrick
It's not also, like, a level of, like, they clearly didn't. You know, they're like, all right, we've done the thing now let's run around and, like, hit some front ends and see what happens.
Luca (CEO of Pudgy Penguins)
Right?
Kane Warrick
Like, yeah, they didn't have that, you know, phishing link already scoped out. Like, oh, let's not. Let's make sure we don't go to this one, guys.
Taylor Monahan
Like, you know, they were not using MetaMask because we had the URL blocked.
Kane Warrick
You had a block? Yeah, probably. I'm sure for the DPRK, that's like a contractual obligation to not use MetaMask at this point.
Taylor Monahan
It's so funny. It's so funny. I'm like, ah, so, suckers.
Kane Warrick
All right, do we have any. Any closing thoughts on this before we go to our next omer?
Taylor Monahan
What's your. What's your. Your biggest takeaway on, like, what people should do or what we should be looking for next in terms of, like, the team or the risk people or the curators or whatever?
Omer Goldberg
A few things. So I think there's a whole other part of this which is like, okay, USR was compromised. Whether it was hard to do it or sophisticated nation state or just random person on the Internet that got the key, that's one story. The second level of defense is like anyone who's running a lending protocol in this case, right? So when you're onboarding an asset, like you look at counterparty risk, part of that is like it's unique for every asset, right? And there are just kind of measures you put in place, right? So you review the asset, you can put like a debt ceiling like on top of it, so like a limit and basically limit the credit line that you give for every asset. Typically, I mean, or always if I give Aave as an example, those limits and ceilings are always in line with demand, right? And just generally you always think of like risk and reward as like two sides of the same token. So for a relatively small token like USR, those ceilings and limits would be very low unless you saw some like real demand coming in and you wouldn't expect it to happen within an hour out of nowhere, right? So those teams as well, like if you're running a lending protocol, if you're a vault curator, like you need to think about the assets you're onboarding, you need to think about the assets you're whitelisting. And even if the asset issuer, for whatever reason, is compromised, there are many, many measures that you can put in place in order to protect yourself. And yeah, maybe, maybe, maybe we can
Kane Warrick
cover that quickly after we go to ads, because I am curious about that because like, you know, a lot of these lending protocols, the entire point is curation, right? That like, you know, so, so let's, let's go to ads quickly. So before we continue, here's a quick commercial break.
Fuse Energy Representative
The world is about to see one of the largest infrastructure shifts of the century. New technologies are using more energy than ever before. But our legacy grids can't supply the demand and we are barreling towards a global bottleneck. So Fuse is rebuilding it. The Energy Network is an intelligent, decentralized grid that coordinates smart devices to balance supply and demand. The network harmonizes existing infrastructure, increases grid capacity and unlocks low cost clean energy. Energy dollar is the native token of the network. The more electricity the world needs, the higher the demand for the energy network. The value of energy dollars may fluctuate from one of Europe's fastest growing energy startups. Follow at Fuse Energy on X to find out more.
Multichain Advisors Representative
Multichain Advisors is an emerging technology growth firm that has helped create over $50 billion in enterprise value for more than 80 clients like Pyth, Moonpay Commerce and Wormhole. They've worked with some of the largest and most impactful companies in the space. They're the partner you want when you're navigating markets and trying to break out from the noise. They help navigate TGEs, go to market, BD and partnerships, capital markets, advisory, PR, media placements, KOL activations and more, driving execution from launch to scale. Their results are measurable. To learn more and start building real traction today, visit multichainadv.com. If you're looking for help with crypto taxes, Crypto Tax Girl is offering $100 off for Unchained listeners. They provide personalized crypto tax reports and returns and spots before April 15th are limited. Go to cryptotaxgirl.com Unchained to save $100. Once again, the link is cryptotaxgirl.com unchained
Kane Warrick
All right, we are back. We are just wrapping up our discussions of the Resolve hack, but I think this is a more broad question around DeFi lending markets, etc. You know, one of the things certainly with Morpho that is, you know, the claim to fame, right, is that these are like isolated markets that are curated that, you know, have, you know, individual operators of the market or curators of the market who are responsible for doing their own risk assessment. And therefore it's not like a centralized party. Right. This feels like it somewhat undermines that thesis, right, that, you know, some of the things that happened here with like, I mean in particular the, the, we haven't even talked about this, the oracle being hard coded to a dollar on a stablecoin. Like, and it's not like it's Tether. I mean you wouldn't hardcode Tether either, but like, you know, you wouldn't. You shouldn't be hard coding any stable. Every single stablecoin over time at some point will have something that happens that causes it to depeg to some level. You know, maybe it's 97 cents, maybe it's 50 cents. Right. But, but like, you know, I've, I've traded a couple of stablecoin depegs myself, but. But yeah, like the idea that you would just hard code that but also then have these like just in time liquidity. Like all of these things don't really speak to like manual, well thought out curation. What's your, what's your take on, on that in terms of the like curated liquidity markets?
Omer Goldberg
A lot of thoughts. So like we won't go into this tangent but just like how to price an asset, there's a lot there like on stablecoins. So I'll just give an example, if the collateral is high quality and let's say that you're using whatever data source, typically stablecoins, people will loop them or borrow at very thin margins. And what you don't want, for example, is if there's just a big swap that moves it from a dollar to 98 cents for 30 seconds. You don't want to on one hand like liquidate people for hundreds of millions of dollars. It's just like bad UX. So that's like one side of it, but it's really not binary. Like there we have risk oracles or other solutions in the market. Like you really need to understand what is it that you're pricing, what is the use case that you're solving for and within that what are the, the trade offs and limitations that you're willing to make. So that's number one, it's like it's not a binary. Like either hard code it or have the live market price and deal with the volatility. There, there are solutions that are engineered exactly for this on the. So how that relates to Morpho, Morpho, like one of the features, maybe in this case you would say it's a bug, is that the markets are immutable. So the second you spin up a market, you cannot change the configuration of those of those markets at all. Here the oracle was initialized at hard coded to one and it was one forever, right? It was one before the hack, it was one after the hack. And basically what that creates is like that vector in this example for the attacker to just drain everything. And I guess as a vault curator, what is in my eyes the role or the responsibility of the curator? We're in crypto and everyone likes to chase super high returns. So certainly one of it is you're going to optimize the capital allocation on behalf of any of the depositors. Right.
But again, going back to that point, risk and reward, two sides of the same token, it's not worth kind of getting incremental yield at the risk of financial ruin. Right. So that also needs to be in the kind of mind of everyone as they're configuring these markets. Each curator has their own process that they take. I'm not deeply familiar with how they approach the things or how these decisions were made. But on top of that is just also this unlimited credit line. Like even in traditional finance, you know, banks won't just extend that to everyone. Right there, there's ways that you, I
Kane Warrick
mean you might even say especially like, you know, this is what this is one of the, you know, like, talk about composability, right? Also, everyone's money is equal, even if it's not real, right? Like, you know, the idea that you, the idea that you would like have some kind of check and be like, oh, this wallet doesn't look good. We're not going to. It's just not really contemplated in DeFi. It's like everything's fungible. Every wallet, every position, every asset. And you know, that's where these like downstream kind of contagion things happen, right? Like one thing goes wrong upstream of you and you're like, oh, those guys are probably fine. I'll just treat everything that they do as completely safe. And then you go, oh, oops. Okay, I didn't realize that. And it's hard to reason about, right? Like, as you were saying, Tay, there's like a hundred interrelated connections of things, right? Like how you know. But also that's your job. That's kind of the job, right?
Taylor Monahan
Like, okay, so I have a question. So if I am a. Like, I get. It's DeFi and nobody has any rights and there's no accountability or whatever. But like theoretically, like people lost money here and it's not, it's. It's due to some, like, I put my money here and I expected XYZ to happen. Promises were made, whether they were literal or implied. But like, they were right. I have no recourse though, right? Like, or, or is there, is there potential recourse, like starting to be baked into these things? Because this feels like especially. The curator model feels especially prone to, like this is a pretty established sort of relationship type situation and yet everyone's just shirking responsibility for the sake of it.
Omer Goldberg
No, it's difficult. It's a difficult one because A, there's like nuance in this in the sense that not all. There's different levels of accountability. I would say, like, not all loss of funds are equal, right? Like if you mistakenly post on Twitter your PK and everything gets drained. Like, maybe I'll think about that differently than a super sophisticated nation state sponsored attack where your multisig was compromised and four people were hacked over the course of a year, like that kind of changes things, at least in my mind. That's number one. There is inherent like risk in these things. And I think just like the vault curation model is something right now that is. It's unclear. Like there is no, like if you went to go get like a money transmission license or commodity pool operator, those wouldn't even necessarily kind of like cover it anyways. So it's just like this new primitive that there is no exact path. But I think having said all of that, the question is just like, you know, how. What is the accountability of people and how responsible are they and how transparent are they in communicating like the different things? And I think everyone's taking like their own like path on that and we're seeing this industry of vaults like unfold in real time. So I don't really have like a good answer for that. But I would say that not all exploits are equal and there's different levels of responsibility. Certainly in this one. Like, obviously it started with USR, but then the ability to contain, it could have been contained on multiple levels. So that is like a question. And yeah, extending unlimited credit lines. I don't know, it doesn't sound like a good idea. Like at any point. But hopefully like as an industry we can like learn from it. And I would like to say that we're not going to see the same mistakes again, but it depends on us as a collective.
Taylor Monahan
Yeah, yeah. Why would, why would you use a curator? What's the value of using like a curated vault versus just like doing it myself for yield, right?
Kane Warrick
Like, that's my, like, I mean, better risk adjusted yield is the.
Omer Goldberg
Yeah, that's what I would say, right?
Kane Warrick
But like the curators typically in my experience, right, are like chasing like more long tail yield opportunities, right? Like that's their, their. Like if you think about what like the principal agent problem here, like, what is the job of a curator? Like, make me more money, not keep me more safe, right? Like, and this is part of, this is like a classic DeFi, you know, style, right? Of like assume that the risk is zero and then like take me out the risk curve as far as you can take me. So my yield is as high as possible, but like the risk remains zero, right? Like, because that's your job. Like keep the risk at zero and keep the. And it's like, that's just not how it works, bro. Like, like if someone's paying you 25% for something and you're like, this is total. This is like Treasuries.
Taylor Monahan
This is risk.
Kane Warrick
It's risk free, right? Like, you know, there's, there's and like there's this like false equivocation of like all risk is risky and therefore all risks are the same because everything is risk. Like you could get hit by a bus.
Taylor Monahan
Yes, DeFi, this is my hot take. DeFi does not know how to reason about risk whatsoever. And it's a freaking joke. Because people will literally say that. They'll say, the risk of an alien coming down and exploding me is the
Kane Warrick
same as Resolve having an infinite mint bug.
Taylor Monahan
Yeah. Because their AWS was protected by a key that was on whatever ex-employees' computers and you know, blah, blah, blah. No, it's not. There are ways to reason about this. There's ways to reason about it. And there's also ways for you to mitigate. You can mitigate your risk by putting the liability on someone else. But we don't do that either. We don't have any liability or responsibility or accountability.
Kane Warrick
So, like, it's a bit of like group insanity as well. Right? Like, one of my favorite quotes ever is the Larry Cermak quote where he's like, iconic. This is like late 2020. Right. And he's like, I cannot imagine the level of stress that DeFi teams are under. You have a 24/7 bug bounty on your product. And this is like when we definitely had no idea what we're doing. Like, the technology is about like new people have shown up like Omer, who like, actually, I can help you to solve some of these problems. But like back then you had to roll your own oracle. You have to do all this crazy shit. And it is, it was like. That part hasn't changed. It is a 24/7, 365 day a year bug bounty. In the case of Resolve, it was $150 million bug bounty, or 80, whatever the number is, right. For anyone, anywhere in the world to get that AWS key. And that's the way that you need to live. Right? Like that there are people outside your door, clawing at your windows, trying to get in. And if you don't think like that, if you don't, I go to a hotel and I like immediately start looking around like. And you know, I know Luca, you're. You're super paranoid as well. But like, there, like, you have to think, you know, especially if you deal with North Korea. It's why having a North Korean pen pal is so useful for me. Because, like, you can't forget, like, the guy's there all the time. He like DMs me with like his all the time stuff. And so, so like, I don't forget that North Korea exists ever. Right. Like, my friend is over there, he's like doing stuff all the time.
Omer Goldberg
Right?
Kane Warrick
So, so, so, to UTC. I know, right? Yeah, exactly.
Luca (CEO of Pudgy Penguins)
I know.
Kane Warrick
It's interesting. Yeah, yeah, yeah. So. So, yeah. So, like, I just, I think that there's like this, this like very fundamental like inability to judge risk that we have where, where everything is so risky. And, and this is like an adaptation, this is a psychological thing, right? Like a human psychological thing that if you live in a war zone, if you live in a place where like it's constant risk of death and you know, total loss, right? You become a bit inured to it and it's easy for this like false equivocation to creep in of like everything's risk, aliens, bro. Like what are you talking about? It's like no, no, like we have a way of judging risk and it's called like the yield on the thing that you're doing. If the yield is 25%, that's the market to an end. Like you know, not saying that markets are efficient at all, certainly not in DeFi. But like there were signs, if things, if something's paying you 25% interest, there's
Omer Goldberg
like, that's a signal, there's a, there's a catch, right? We, we all lived through Terra. So a side note, I think like OpenAI is like offering a 17.5% return to investors on the latest round. But we could talk about that later. I'm the first to say this is like if I, I'd be lying if I told you that I slept well since I started this company. It's literally 24/7, 365. But solutions exist and I think that's the goal of like the curator, right? Like most people don't understand and they're delegating responsibility to you for that. They pay you a fee and the expectation is, is that you're doing everything possible to get them the best, the best risk adjusted return. To frame it though a little bit differently. Like right now where we are is while things might feel bearish, there's so much happening in terms of like enterprises, fintechs coming in on chain. So we have the vaults with Kraken, obviously Coinbase launched theirs last year and this is like a completely like different risk profile where they're not degens. Like obviously they want like high yield but before anything what they want is to make sure that there's no principal loss for any of these users. And the current market that we're in is just everything is compressed so the yields have come down like crazy, in many cases we're not above like the T-bill rate and for many folks who might not be super long term oriented, that is enough incentive to venture further out on the risk curve. And you know, markets are markets and there's been reversion and like if you're playing that game there's just a matter of time, right? So you need to think about like what is, where are you depositing your funds, what type of yield product is it? Is it something that's always trying to be the highest returning? If it is, it's, it's a really risky game that you're playing and I think retail delegates because of that and I think enterprise looks differently.
So hopefully as the space matures like there's just a different incentive structure for people who are like more long term oriented and not chasing the latest trade.
Kane Warrick
I mean that's a good, it's a good segue into the next topic which is that Aave V4 has emerged out of governance hell and I guess the good guys won. I don't know but it looks like it looks, I mean Marc Zeller would say just use Aave. I'll say it for him. But, but you know it looks, or maybe not anymore. I guess you wouldn't say it anymore. So, so it looks, it looks like, I think this whole, you know, ignoring the governance for a second, right. Like the point of this Aave move from V3 to V4, you know, the thinking behind it is to replace the monolithic pools, right, like to, you know, kind of spread the risk out, you know, while mitigating contagion risk. There's a bunch of things that they have done. It's why like, you know, I was always a bit of a skeptic towards the like Aave V3 is some magical system that like will never be surpassed sort of thing. Like that was, that was one of the things in this whole governance debate of like we shouldn't be moving away from before. Like of course we should have market driven shifts in things. Like we shouldn't necessarily, we shouldn't kick everyone out of V3 into V4, but we can't do that anyway, right? It's going to, it's going to come down to like market incentives, right, whether people move or not. But, but yeah I think, I think there is, there is this element of like, you know, V4 has been three years of thinking about how to reason about these things from some people who, you know, have, have got a pretty good take on it. So yeah, my, my, my take on this is like, you know, this is an interesting evolution. Another, another option out there, like V3 will continue to operate for the foreseeable future is my understanding. So, so yeah, what do we, what do we think about the fact that Aave is really leaning into V4 and the architecture. Omer, have you got a take on that?
Omer Goldberg
I have a lot of thoughts as the risk manager about it. V3. It's the biggest DeFi protocol in the world and the growth over the past two plus years has been incredible. At the same time it's like it's not the end state, right? And to think it's like it imposes some type of like innovator's dilemma that a lot of other companies or DAOs or groups might get stuck in. Like don't fix what's not broken but
Kane Warrick
that
Omer Goldberg
there are so many improvements to be done and I think just you need to keep securely, you know, pushing like the innovation. V4 introduces a lot of features that allow us to price risk more accurately and then just also overall build a better lending product for retail and institutions alike. So that's like the motivation behind it and I just think it's the next evolution in what is today lending.
Kane Warrick
I mean, yeah, it's interesting, right? Like clearly if you're launching a new, a new lending protocol, it has to be focused on institutions, right? Like we just talked about how retail can't price risk. That becomes hard, right? If retail is not pricing risk, you're not then incentivized to properly price risk, right? Like your incentive is just go out the risk curve as far as possible. If everyone assumes zero. Like institutions don't do that. I mean like not always, right? Some do, some do, but like collectively, right. Like I think TradFi probably has a more sophisticated eye towards risk than your average degen. And therefore if you're going to curate those people and their money, you know, like an endowment or, you know, something like, they're probably not just going to like YOLO into some, you know, weird, weird like 25 APY vault, right? Not, not in size, right. And so, you know, like there is, there is definitely something to be said for like identifying the things that an institutional allocator is looking for or wants, right? You know, you talk about like SOC 2 and stuff like that. Like, you know, there was a long period of time where the institutions were coming, but they weren't here yet. So we didn't need to like prepare for it by like doing stuff. Right? Like we could just like do whatever we felt like and invent everything ourselves. But it does feel like now that institutions are here, we do need to adapt. You know, like having PagerDuty, like have like just having things that if someone even applies like a cursory level of scrutiny to your operation, they're not going to be like this is, this is not viable, right? Like, you know, so, so I think there is like architectural stuff, but then there's a bunch of other elements that in order to attract institutional capital DeFi just has to do and get better at. And hopefully that will be a forcing function that is, is actually better for retail.
Because if the institutions are forcing you, you know, this is, it's like a similar argument like the regulator thing, right? If regulators are forcing you to be compliant and you know, release disclosures and stuff like that, in theory, that should drag along, you know, better, better risk adjusted yields for everyone involved. Right?
Omer Goldberg
So yeah, it should. I would say that the nice thing about V4 is that it's, it's not binary in the sense of like, hey, this is optimized for enterprise and it's not good for retail. Like the core innovation around it is just like this hub and spoke architecture and in just a sentence it lets us segregate the risk in a much more intentional way. So if people do want that, like those more experimental lending experiences that have larger risk, you can do that and you don't run the risk of contaminating larger pools. So you basically have both. And it's an evolution of like, you know, what Aave did really well with, which is like the pooled architecture. It's like the main pool where you deposit all of these. And here it's just going to allow us to kind of target things on an asset by asset basis for certain pairs, configure what the interest rate model should be and things like that. So it's the most, I would say like highly configurable specific lending experience while at the same time abstracting that stuff from the users. Right? So that's what we're excited for because hopefully, or I'm confident that it's going to make our lives easier as we have better levers and could be more granular about what trade-offs we're making, if any.
Kane Warrick
So this is maybe a spicy take, right? But like one of the,
Luca (CEO of Pudgy Penguins)
I guess
Kane Warrick
unintended consequences of like even Aave V2 and V3, this pool model, right, is you got to be really careful about what you put in there. There's a lot of thought that there's a very high bar, right? There is something to be said for like that is a feature and not a bug, right? I know people would get annoyed by it. I mean I've been annoyed by it in the past where I'm like, come on guys, this is fine, put this asset in the pool so that we can start doing stuff with it. Having this segregated hub and spoke thing, there is an argument that it will cause people to be less wary of things because like oh no, it's in Aave, it'll be fine, but actually it's in some weird experimental pool. How do you think about that?
Omer Goldberg
Yeah, so I mean like it's sort of similar today in the sense that we're going to have. There'll be several hubs but like the big ones will be like the core and the main hub. Right. And those are the ones that, you know, just blue chip, like safest assets. And then you'll have. I think we'll start with one or two other hubs and over time that will grow. It'll be very clear like on the product, like what it is. And like you said, like there's also an element of education, like not only in Aave, just generally yield should reflect like units of risk that you're taking. So I mean whether you know it or you don't know it. So it's just kind of just taking the best of the capital efficiency of what worked in V3 but allowing us to get more granular. Another thing which is I think not many people know, with why it was so hard and sometimes for like asset issuers annoying to integrate into Aave, we had to deal with this heavily in the migration from V2 to V3, is that once something is listed it's super hard to delist it. And in the, from the bull market to the bear post-FTX, we had a bunch of DeFi tokens that at their peak were trading at like 5 billion plus market cap FDV, super late.
Kane Warrick
I'm aware of a couple of them.
Omer Goldberg
Yeah, yeah. Not naming names but CRV crisis. Right. And for the OGs like the Avi Eisenberg attacks on Mango Markets and others, and I think V4 is like, takes all the learnings that we had of that and just kind of packages it into like a new release. So for asset issuers that are going to integrate it should be a smoother experience and allows us to think and react more to what's happening in the market versus saying like hey, we're taking token X, we're putting it in the core market. It's going to probably be here forever now or it's going to be really hard to off-board it. So that was I think one of the core learnings.
Taylor Monahan
Yeah. Are you still. So for like the core markets and stuff it's obvious, still going to, let's say like uphold the, I don't know how they even describe it. Like the diligence they do on those assets. Right. Because right now they, they. There actually is quite a bit of work with a bunch of different parties that goes into it. I mean one of them, for example, is how can you mint this asset? And making sure it's behind not necessarily a literal multisig, but that it requires multiple independent parties to mint. Right. Are they still doing that for all of the markets or so?
Omer Goldberg
So, yeah, I mean that's, that's Chaos Labs. That's one of our responsibilities is that we do risk assessments for any asset. But at the same time, Aave's been running for a long time and there's a clear segregation of responsibilities. Right. So we're primarily tasked with financial risk, leading smart contract at the time. So over the past years, BGD and AIT Labs are responsible for the smart contract risk, under that, you know, access control. And a lot of the stuff that we spoke about today, obviously as a collective, we're all responsible for everything, but those are the kind of ways that we. For a single asset, there is like a smart contract, if it gets close to an actual listing, like all these things happen and then even when we list assets, the important thing is it's not carte blanche. So an asset with a tiny market cap, even if it has a promising yield, like historically, we might start it in an isolated market where there's a ceiling that's defined and yeah. Over time, based on the demand, based on the security posture, you increase that or don't, depending on what you find. But there's like a public, actual, documented process of how all of this happens and probably at this point several hundred references that are living in the forum amongst other places.
Kane Warrick
Yeah.
Taylor Monahan
Okay. And so this is going to. For V4, not only are these processes going to continue, but they're probably. You even have a little bit more freedom for like what it's not, let's say like as black and white. Right. Because now you have these different hubs of these different waves and these different mechanisms and processes by which you can sort of like elevate something or downgrade it or whatever.
Omer Goldberg
Yeah, yeah. I mean, so a lot of freedom. It's also a ton of work. Like it's. There's not one day where we're not spending hours like as a team on everything that's Aave. Chaos AI is our AI product which helps us streamline.
Kane Warrick
Like I was going to say, like we.
Omer Goldberg
Yeah, like we have a team.
Kane Warrick
Right.
Omer Goldberg
We're 50.
Kane Warrick
Claude.
Omer Goldberg
Claude.
Kane Warrick
Claude.
Omer Goldberg
Only chaos. AI only chaos. No, Claude.
Kane Warrick
Fair enough, fair enough.
Omer Goldberg
But. But yeah, it's a ton of work. I think every team naturally wants to be listed in the most liquid pools, so, you know, teams will vie for it and, like, make a case. Why yes, why no. But ultimately, like, as a DAO, we. We kind of decide, and it's always better to kind of see the demand and then think about what the reward is versus that risk and make decisions on an asset by asset basis.
Taylor Monahan
Yeah. I mean, I'll just say, like, from my. I don't live in this world as deeply as Kane does, obviously, but I do have adjacent minimal experience. And I will say I was shocked when someone was like, hey, we need to upgrade our token, because Aave said so. And I was like, what? And they're like, yeah, our mint functionality is like, super weak or some, like, help us. And I was like, all right, like, let's go. But that was like one of the first times where it was. It was like a forcing function, right? And it was like a win-win. It wasn't a regulation thing. It wasn't some government thing. It wasn't because Tay was on Twitter preaching, right? It's like, no, they want something. The way that you get this, the way that everyone benefits, right, is by having baseline, like, default secure configurations. And yeah, it's one of the rare times,
Kane Warrick
like, you know, Aave has market power. It's one of the few protocols that has market power to say, you know, like, if they. If they went to Luca and they're like, all right, like, we'll let you, you know, borrow against Pudgies, but you just got to, you know, throw away that infinite mint private key. You'd be like, okay, fine, I was enjoying having that, but I guess I don't really need it. You know, like, you would. You would, like, people will do things. It's like exchange listings, right? You know, exchanges. Unfortunately, the exchanges don't necessarily have the most aligned interests in the way that, say, Aave does with, like, you know, composable DeFi stuff. But there's still a forcing function for, like, at least tell us what the emissions on the token are, bro. We need that document. You can't just invent your own vesting schedule and have it off chain and not tell anyone, right? There's certain things that it does. So I think Aave having market power, probably they didn't use it enough. Arguably in the past, you could say. But maybe in V4 that will change.
Omer Goldberg
Yeah, V4 is a clean slate. It lets us do a lot of things in the way that we wanted to do them over the years. I will say on the exchanges, I think this year was like the first time that some of the exchanges actually woke up to the fact that they needed to diligence assets as well. Because there was a case with Binance, I think, where they ended up paying, I don't know if it's like 300 or $400 million out of pocket, where Ethena didn't depeg, but like on their exchange there was low liquidity on the weekend and they discovered from first principles what an oracle is and why it needs to kind of accurately price the assets, and they had to pay everything out of pocket. So the worlds are colliding. Yeah, you'd hope that even without these incentives, like people take these things seriously, but these things definitely push, because when you're launching a token, you want that liquidity, you want to be able to borrow against it, you want to be on a centralized exchange, and for all parties involved. I think this weekend showed it. There are consequences. Not just the asset issuer, also the protocols that are taking on bad debt, paying out of pocket, also the curators. So you need to do the max that you can do on your level and there's still always going to be risk, but you want to be able to mitigate and minimize.
Taylor Monahan
Yeah, also I agree and I, I, I just want, I think that's a great, great place to end. And I think that for far too long we think about it as like sort of everyone's on the most level playing field and it's like, well, the users want this and they'll do this and then the protocol doesn't have any say over how the token is or how the asset is issued or whatever. No, no, no. Like in order to get this ecosystem to be strong and robust and valuable, every single player has to play and has to do what's in their best interest and their users' best interest. And sometimes that means asking hard questions and holding the people that they have relationships with accountable. And a lot of times the end user doesn't have the ability or the relationship or the incentive to do that to, say, the token or the protocol. And so the more times we see the protocols, the asset issuers, the adjacent parties come in and, and say like, this is how it works guys, this is how you mitigate this risk, and it's a bare minimum for us to even look at you, the better that everyone will be. And that's how we're going to keep leveling it up.
Omer Goldberg
Well said.
Luca (CEO of Pudgy Penguins)
Agreed.
Kane Warrick
Agreed. Awesome. Special thank you to Omer from Chaos Labs. Thanks for joining us. That was super useful. That's it for this episode of Uneasy Money. I'll see you guys next week. Thanks, Tay and Luca. If you enjoyed the conversation, follow the show on the Unchained feed on X and subscribe wherever you listen to podcasts, and if you're watching on YouTube, please like and subscribe or drop a comment. It really helps new people to reach the show. Until next time.
Unchained Podcast | Host: Kane Warrick with Taylor Monahan & Luca (CEO of Pudgy Penguins) | Special Guest: Omer Goldberg (CEO, Chaos Labs) | March 27, 2026
This episode dives deep into the recent $54 million Resolv hack, exploring how a seemingly "audited" project was compromised through basic operational weaknesses. The roundtable, comprising security expert Taylor Monahan, Pudgy Penguins CEO Luca, and Chaos Labs CEO Omer Goldberg, breaks down how a breached AWS key enabled the hack, why audits alone cannot assure true security, and the broader implications for DeFi lending markets, risk modeling, and industry practices. The discussion balances technical details with philosophical takes on responsibility and risk in rapidly evolving crypto ecosystems.
The episode provides a sobering reminder that operational basics, not advanced cryptography or complex smart contract logic, are often where fate is decided in DeFi. The panel calls on all ecosystem actors to recognize, reason about, and proactively address the boring but deadly risks at the heart of financial trust.
For further insights and future episodes, follow the Uneasy Money podcast on the Unchained feed.