This incident highlights the pragmatic necessity of centralized "training wheels" in Layer 2 scaling, where human intervention remains the final line of defense against irreversible exploits. It serves as a sobering reminder that true decentralization is currently being sacrificed for the sake of security and asset protection.
🟢 LIVE From The Nest: Arbitrum freezes 30K ETH, Odysseas, Sky Founder & Coinbase CSO Join
>> We'll see you around the timeline.
>> Feels good to be back.
I think The Rollup is one of the most premier media brands in crypto, and Andy and Robbie are great experts at everything they talk about, and it's my favorite podcast. We need to grow our library as we see. Potentially multi-chain deployments. We are at DevConnect Day One here at the testing from space.
>> JP Morgan, BlackRock, DTCC, Fidelity, the entire thing was just institutions.
It's just... it's next level. This industry is going to the next level and guys, I don't know what to say.
I'm bullish.
You said it. You finally said it. I'm so bullish. Andy's bullish. I'm bullish.
We're bullish.
>> The Rollup is headed to the top.
If we're not already at the top, we're going to the top.
>> The Rollup is my favorite.
>> People from all walks of life, all over the world, all over this industry come together for The Rollup.
>> We're buying the moon out. Institutions aren't coming. They're simply here.
It's the golden age of crypto, guys. Get right. Let's go.
>> Welcome to The Nest. See you on the show.
Welcome back to the tokenization tower.
You're watching The Rollup. We are here live in The Nest, broadcasting live from the financial capital of the world.
Today's April 21st and we are live.
Guys, I am on restream right now. I will see what you guys have to say in a second. We are live. Shout out to The Plume, The Nest, bringing on-chain asset management infrastructure to the masses.
They just put out a tweet today saying that they have scanned 40 million transactions in their sequencer, meaning that they are keeping track of who's using the chain. Today, Arbitrum... actually, last night, Arbitrum put out a post announcing that they have frozen 30,000 ETH of the 106,000 that were hacked.
Today, we've got Odysseas of Phylax Systems, a local security expert down there in Brooklyn somewhere.
And we got Rune, the founder of Sky, and Philip, the chief security officer of Coinbase.
Guys, it's going to be a show today, kind of following up yesterday's show, a little bit different today, though.
Not so focused on what's happened over the last 72-96 hours, a bit more broad.
We talked a lot yesterday about what happened this weekend, why it happened. Now, we're going to get into more of what's to come.
You know, we have Sky, Rune on. He's going to talk to us a lot about what they're looking at. SparkLend has had a massive jump in terms of total deposits on their lending market. And then obviously, Odysseas and Philip are going to talk more on the security side.
So, let's get into today's topics. I kind of just went over it all already.
But today, we do have our lovely friends here. Phylax; stables up, brought to you by Frax, with Sky's co-founder as mentioned. Coinbase CSO also joins the show. We are live from the tower. Markets and weather coming up next.
First, let me tell you about Frax, our local in-house stablecoin partner, building the infrastructure for the future of digital money, open, stable, and borderless.
Guys, visit frax.finance today.
All right, guys. It is a cool 48° here in New York City. Beautiful day outside, actually. I did wear that trench coat again. So, Robbie, if you're listening to this, I know you're still recovering from the wisdom tree, or wisdom teeth, surgery.
It is still officially trench coat weather, especially in the mornings.
Crisp and clean, classic cool spring day out here in New York. The Knicks lost by one last night.
Don't know how that happened. I was watching the game. They were up by 10 or 11, 12 points. Came out very weak in the fourth quarter. I imagine just down here, I can actually see Penn Station.
It was probably pretty hectic last night after the game. Let's get into the markets. Today's weather is powered by Relay. relay.link.
All right, guys.
It's green.
It's green. It looks good. It looks stronger than previous days. Today, we had Kevin Warsh, the new Fed chair, come out and say some, I guess you could say, hawkish things. I don't know. It wasn't too bad. But yeah, I mean, look. This is holding on.
Hyperliquid struggling.
We'll see how that pans out. I think this whole security thing is getting everyone all riled up based on the on-chain security preferences and what they're seeing out there. So, wouldn't be surprised if some of these, you know, DeFi names struggle a bit. Aave is struggling a bit. $10 billion lost in terms of TVL.
Sky's not. Sky's doing well. Sky's up a percent today.
But yeah, if you look at that bottom ticker, kind of a mix of red and green, mostly a bit of red today. The big names here almost seem like they're just staying where they've been.
Chainlink, NEAR, etc. So, that's the markets today, powered by Zama, our local in-house privacy solution, encrypted assets on-chain on Ethereum, confidential transactions as well. Equities getting a bit of a pullback here. Haven't been paying too much attention there since the big breakout. And of course, the ups and downs of Trump are never going to end, it seems. So, all right, guys. Let's get into the news. Before we do, let me tell you about NEAR, our in-house local AI partner, the blockchain designed for AI-native applications and autonomous agents. Start developing at near.org, near.com, or near.ai.
All right.
So, Apple has named John Ternus as the new CEO, replacing Tim Cook, who will transition to executive chairman.
15 years for Tim Cook, did an absolutely amazing job. The only pushback that I've been seeing on Twitter is the AI development on Apple's side as of late. That has not been competitive, apparently, compared to Gemini and Google.
So, Ternus is a 25-year veteran here. He will become the CEO as of September 1st, which is pretty big for them. And yeah, I expect a lot of focus on AR, VR, next-gen product developments, and just different new AI developments. So, shout out to Apple, shout out to Tim Cook, what a run.
An amazing run. Doubling down on hardware, probably going to double down on Apple Intelligence and Siri.
I know all of us Apple users are probably wondering, you know, when that's going to improve. I think that's probably going to be part of the focus.
So, all right guys, let's move on into what came out last night.
Something that I think ruffled a lot of feathers in the community for good and for bad. So, the Arbitrum Security Council came out and said that they are taking emergency action to freeze the 30,766 ETH being held in the address on Arbitrum One.
About $71 million.
So, this is really interesting that the hacker actually kept this on Arbitrum.
And as soon as the hacker saw that Arbitrum froze it, they immediately started pushing the assets on mainnet ETH through ThorChain, Umbra, and a couple of other solutions to get it over to Bitcoin.
The arguments here are basically around whether or not this is decentralized.
And obviously this isn't an immutable action, in the sense that this isn't a blockchain that is meant to be similar to a Bitcoin or Ethereum. This is a stage-one roll-up. The Security Council is a feature in this regard. This is the first time I've ever seen a layer-two like this get so deeply involved. And so, what happened was there was a 9 of 12 Security Council that chose to effectively freeze these funds.
And this is a massive win for all the parties involved. Anybody who's worried about LayerZero or Aave getting a loan, this is a massive win.
This is undoubtedly the right thing to do in this situation. If you have the power to stop the DPRK and North Korean hackers and you don't exercise that power, I think that is wrong. This is definitely still not DeFi. It's not decentralized. This is a multi-sig interaction from the Security Council, but that's fine. It's the state of a stage-one L2. This is why a lot of these chains have opted to stay in stage one rather than moving to stage two, because once you do get to stage two, the ability to change things really goes out of the window.
And look, man, I think Arbitrum did the right thing here. I think they undoubtedly did the right thing here. I'm curious what Odysseas has to say about it, what some of the other folks coming on today have to say about it, but I think they did the right thing here and I think it's going to go down as extremely helpful to the entire process of getting the rest of the funds back. They only need to get 70,000 ETH back now, which means that Aave's loan amounts that they're going out and trying to source have come down. LayerZero and Kelp's liability has come down. Obviously the rest of the funds are gone.
Unfortunately, those are being transferred over to Bitcoin.
Those will not be frozen on mainnet Ethereum. They will not be frozen on Bitcoin.
But I think in this regard, Arbitrum did the right thing. I tweeted that. The comments in that tweet were a mix of supportive and not. Anyone who says otherwise is just playing devil's advocate.
I don't agree. The only thing proven by this is that layer-twos are Trojan horse enforcement mechanisms that allow the tyrannical state influence.
Stop a bad guy today, subjugate the innocent tomorrow.
Okay.
Totally agree. The best Bitcoin advertisement from a shitcoin clown show.
Okay.
Best move, to be honest.
Ethereum should hard fork to claw back the stolen funds. Don't know about that.
So, I mean look, there's a lot of people that agree with this being a net positive for the space and for Arbitrum, and then people that are also pushing back on it. I expect that that's, you know, somewhat normal in these circumstances.
So, yeah, I mean guys, Arbitrum had a tough choice here. They were forced to induce a new question, which is how much control is too much control in these decentralized systems? And they came out and answered what they think to be the correct answer.
And so, look, man, I think again, if you have the power to stop a bad actor doing an illegal activity on chain, it is your duty and responsibility to do so. And I think Arbitrum recognized that and they acted on that. And that's all I have to say about this. So, big win for all of DeFi and for all the people who are trying to save these protocols and secure these funds.
All right, let's move on into the next topic here.
Getting off of this hack and all this news. Looks like Anthropic secures a massive compute deal with Amazon. They're looking to secure 5 gigawatts of compute for training and deploying Claude.
I mean, this compute war is just absolutely accelerating. It will continue to accelerate. Amazon also added a $5 billion investment in this deal with potential to go up to $20 billion. So, yeah, there's a lot here in terms of the compute race happening. It will continue to happen, I expect. And yeah, I mean, big congrats to Amazon, congrats to Anthropic as well.
All right, let's move on. I think this next topic is just, I mean, this is the most classic crypto thing.
Bitcoin is a sovereign settlement asset for 20% of global oil.
And today maritime security firms are warning of scammers exploiting the chaos.
So, apparently there was a group of people who scammed a ship settling their transactions in either Tether or Bitcoin, and then that ship proceeded to get fired at after they had already paid the amount, or, you know, the toll to get through.
So, I mean, come on. Let's watch this video here.
Iran, we're talking about people can pay their toll fees on the Strait of Hormuz in Bitcoin. Yeah, I mean, isn't that quite positive for Bitcoin? I thought that for me was like massive news.
Um But just from a signaling standpoint.
>> Yeah, yeah, just like I wrote in my newsletter this week, it's like a real sort of shifting of the Overton window, right? It's that moment of, cuz again, it's the reason they're looking at, wherever it ends up being used or not, it's the reason they're choosing that as really the only neutral asset out there. Not even gold, right?
Not even gold, cuz gold still for settlement needs a third party for custody. So, you need to trust someone. But then also with gold, you haven't got that in terms of actually being a payment mechanism, and Bitcoin settles within minutes. So, I think that's quite a big moment. And to think that that could be potentially facilitating 20% of the, you know, that Bitcoin is the currency potentially to facilitate 20% of the world's oil trade is huge. Now again, who knows how that's going to play out.
I mean, I think a lot of this is going to probably end up settling in Bitcoin, perhaps.
I think the news that I saw about this scamming thing happening was actually in Tether. So, the Tether transaction was actually the one that was misrepresented and then sent to this wrong person, and then they got attacked. Look, I think it's great for Bitcoin if it's being used as this kind of neutral asset.
That was always kind of part of the appeal and of the pitch.
Yet to be seen what this means more longer term though.
But yeah, interesting nonetheless.
All right, let's move on here from the Strait of Hormuz and from our lovely Bitcoin bulls.
Into, I believe, some quantum computing news.
Quantum computing won't break StarkNet.
Unlike most ecosystems we've been building with that threat in mind since day one. Let's go to watch this video.
I think these guys are going pretty hard on the STARKs being quantum resistant rather than SNARKs angle.
Which then brings us to cryptography. One of the main classes of problems that a quantum computer can break are things related to a branch of cryptography. And now, we won't go into details, but in cryptography there are two huge branches. There are branches and problems which a quantum computer can break, and these are things usually related to a discrete logarithm or factoring.
And that's one kind of cryptography, and if we have tomorrow a large-scale quantum computer, all of that cryptography just goes to the garbage can and it cannot be used.
Okay, and then there's this other branch of cryptography that usually involves things like hashes like SHA-2 and also some kinds of encryption systems like AES.
And that part is not affected by a quantum computer. So a quantum computer doesn't break all of cryptography, but it does break a very big branch of cryptography, including things like ECDSA, which is a piece of cryptography that's used to sign Bitcoin transactions. So now let's summarize what we said so far. If a quantum computer, which does not exist yet today, but if there was a large-scale quantum computer tomorrow, it could break a large class of cryptographic systems, including the signature scheme that is currently used to sign Bitcoin transactions, okay? And there's this other class of problems or cryptography that, by the way, includes things like ZK-STARKs, which is what StarkNet has, you know, invented and productized and uses to secure its network.
>> Yeah.
And a bunch of other things like SHA-2 and, you know, the proof of work used in Bitcoin. All of those things are not susceptible to quantum computers. So even if a large-scale quantum computer emerges tomorrow, those kinds of cryptographic primitives are safe.
Things like ZK-STARKs, SHA-2, AES, they stay safe. Yep.
Yeah.
So I think again, when we had Mert on, he was talking about this transition from SNARKs to STARKs eventually, and how these STARK proofs rely on hash functions, not elliptic curve cryptography. Effectively, StarkNet has been working on this problem for so long, and yeah, I mean, it just makes sense for them. This is like a very, very strong marketing angle for them.
Quantum-resistant blockchains will rise in popularity as quantum fears increase.
And now it's becoming a competitive differentiator for blockchains.
The question is, can they actually export their technology to other blockchains and help them as well?
Specifically larger blockchains. That is an answer to a question that I would be really, really curious to see from StarkNet's side, because I think that's something that the entire industry is going to want and need. And so yeah.
All right, guys, we're going to get into this exploit a bit deeper with Odysseas.
He's coming up, the founder of Phylax Systems. He should be our kind of local in-house security representative today. Yeah, I mean, he's going to probably explain to us what happened over the last several, I mean, it's really been a series of 96 hours now or so.
And so yeah, I mean, we're going to learn about how he thinks this happened, what he thinks happened, and more. So looking forward to this one.
Let's bring him up and get this show started here with Odysseas, a friend.
First time on the show.
All righty, man. Welcome to the show.
Good to see you, man.
>> Good to see you, man. Thank you for having me. Yeah, of course, man. What a weekend, right? What a 96 hours?
Yeah, right? I mean, the past 2 weeks or 3 weeks have been insane.
Starting with the Drift hack, Marcel, now this, right?
Yeah, man. I mean, what we saw, I was asleep when Arbitrum put out their announcement of freezing the funds.
That's obviously a big contribution to the efforts here. I'd like to just start from the highest level, man. I'm curious if you have any particular insights into really why you think this happened or how you think this happened from a security lens. Just kind of walk us through more of a high level, and then we can get into some of the nuance here.
Yeah, so it was a very sophisticated hack, right? Banteg, who is a, you know, very famous developer in the community and security researcher, had a very nice analysis where basically the attackers were able to infiltrate inside the trust boundary, inside the systems of LayerZero, and basically replace the RPC nodes that are used as a source of truth for messaging with malicious binaries, with a malicious version that was used to create these fake messages, right? It's a very sophisticated attack.
And LayerZero is basically saying that it was an RPC that was compromised, but are you pretty certain it was more of the internal system?
Yeah, exactly. They are running the RPCs, right? So it seems that they were able to infiltrate their systems and replace the RPC nodes they run, right? It appears, at least from the communication, they were not using an external RPC provider, but they were running their own RPC nodes.
Yeah.
Yeah. But the kind of question that people are asking, and that I'm, you know, also curious about, is if that one-of-one DVN was taken down, right, internally, why were the other, I don't know, 40 to 50 DVNs not taken down?
That was the most EV, that, you know, probably they calculated, right? And they say, "Okay, we have access to the system. What is the best attack we can carry out, right? What's the most money we can extract?" And they calculated that, well, if we go through this route, through this re-staking token, and then we can use Aave to, you know, take the loan, right?
They calculated that was the most profitable attack, because the more tokens they attacked, right, this would raise the probability that the alerting systems they have would see something.
But it's interesting that I think if they really wanted, they could spoof probably tens of OFTs, right? And create havoc, like 2008 havoc, in DeFi.
And they didn't.
Yeah, because they don't care about, you know, they prefer to not kill the cow, but just extract as much milk for as long as possible. Yeah.
So are we certain this is DPRK, you think?
I mean, it's too early, but this level of sophistication tracks with a state actor.
It was a very sophisticated attack, because not only did they replace the RPCs, but they also, you know, DOSed the honest RPCs to make sure that these were not able to offer honest answers, and also they manipulated the observability stack and they removed logs afterwards, such that it takes more time to identify the root cause.
Very sophisticated attack. They had root-level access, probably.
Yeah.
So at Phylax you guys do a lot of work on preventing exploits before they happen or helping after. You know, I guess this is a silly question perhaps, but in hindsight, how preventable was something like this?
So, you know, an obvious first way to prevent this is to have multiple sources checking for these bridge messages, right? Because in all the bridge hacks that have happened, effectively there is a very basic rule that breaks, right? You have a withdrawal on the one side without the deposit on the other side, right? So if you have an external system that uses a completely different stack and completely different technology to track this very basic accounting, then this could have been prevented, and all bridge attacks actually.
The second thing, and you know, this is where circuit breakers become very interesting, is that you can limit the spread of the contagion, right?
Because now we're having a bank run on Aave. Yeah.
Yeah. I mean, I had Rob from Dragonfly on and asked him about rate limits yesterday. I think you saw one of the clips there, and you know, he basically said that in traditional systems, they've been using these, you know, forever as a way to help retail, as a way to prevent massive large-scale liquidations, exploits, etc. And so, is it part of your vision for where DeFi is headed? Is it more akin to traditional systems? What would rate limits actually look like in these systems?
Yeah, I think it's interesting because in traditional finance, we use this rate limiting for financial types of events, right? A stock drops 5% in, you know, 5 minutes, you pause the market and then you reactivate it.
You don't really have security issues because you have long settlement.
Right? Worst-case scenario is it's expensive, but you have a couple of meetings, you go back and you modify the ledger.
In crypto, a hack is a physics event. Right? It happened.
And you know why these institutions are coming on chain is because they have instant settlement, because it's more capital efficient.
But this efficiency is also what's causing so much pain now, and why security needs to be top of mind, is because you have instant settlement. You can't drop into a meeting and fix it. So, I think, yeah, a circuit breaker is going to be a vital piece of the security infrastructure, such that you basically say if there is an abnormal outflow or inflow of funds, you know, stop it and then ask questions later. Or maybe you allow certain parties to do that, like maybe market makers. Yeah.
who are trusted to perform a lot of, you know, movement, but if an unknown address does it, then you don't allow them.
And is that something that you guys are working on on the Phylax side, implementing these types of rate limits and circuit breakers into DeFi? Is that at a smart contract level, is it at the account level, protocol level? How would that actually look?
Yeah, so with the EVM, you know, you have a very constrained environment.
Naturally, so there's not a lot of things you can do. So, our approach is basically doing that at the network level. So, implementing technology that runs at the network level, either the sequencer or the block builder, and surfaces this extra functionality to protect themselves.
And so, at the network level, you're able to actually have, for example, there are some products that do KYC and AML scanning at the sequencer level for L2s. Yeah.
>> Right? That's something that I've heard about and seen. Like, I don't know, Agora has, I think, a $10 million rate limit on some of their stablecoin side of things. They came out and said, that guy from Atheta came out and said that they've got these kind of preemptive measures already. It kind of just seems like a failure on the part of the teams involved to have this not already implemented.
Yeah, it gets complicated because on the token level, if you just have a token, maybe you can do a very basic circuit breaker. But when you have a complicated protocol like a lending protocol or a DEX, you need extra functionality to make the circuit breaker not trigger all the time.
Because it's natural in these environments; you need something smarter. Right? You need to have more logic that decides when to circuit-break or not. And this is where we come in.
Okay. And so, this is like, if X, it's a very conditional kind of operation, like, okay, so if this capital amount is deposited, or if this amount is withdrawn, or if this event happens; it's a very if-then conditional logic basically for these rate limits. Exactly, but custom to every protocol, right? So, we make it easy for the protocol to express conditions that are not possible on the EVM.
Yeah. And that's how you end up in a system, and I think that's important, that's credibly neutral.
It's aligned with the Clarity Act. Because if you have KYC and AML, then it's not really decentralized, and then probably you will be regulated, as you should.
Well, that's what Arbitrum found themselves in when they made this announcement. Okay, look, you know, the argument is if you have the power to stop this and you don't, then you're, you know, effectively complicit.
And if you do stop it, then you raise the immediate question of, all right, well, this was never a decentralized system anyway. And then people are like, well, it's a stage one roll-up, it's supposed to be able to do these things. That's the whole point of being a stage one roll-up. So, there's kind of two sides to this. Where do you think the proper answer is here? Is Arbitrum freezing the funds a sufficient enough way for them to step in and stop what's happened on their chain without losing users' trust? Did users even care anyway? What's your reaction to Arbitrum freezing these funds?
>> [sighs] It's a very complicated question. I think if you can do it, you should do it.
But at the same time, this is going to circle back.
Right? Because with the Clarity Act specifically, there were a number of roll-ups and they were making the point that, you know, we're the mature blockchain systems, we are digital commodities, we are decentralized because we have the forced inclusion, forced exit.
When they try to make this argument again in the future, the incident today will be used. Yeah.
to tell them you're actually not as decentralized as you're saying.
Yeah.
And I mean, I don't really think they had a choice.
No. No, when you have everyday people's money at stake, you know, it's not ethical to say, you know, this is life, right?
But ideally, we create systems, and I think, you know, there was a similar discussion about Circle with Drift, right?
I think you can make an argument that Circle should freeze funds only if the space has done everything they could on security and we're just talking about extremely edge cases that are impossible to prevent. But the reality is we're not.
So, I think it's too early to, you know, perform these types of surgeries with a butcher knife as a preventative measure. I think we should further, you know, invest more in security tooling like circuit breakers, create more preventative measures, and then have that as a result, because you can't have Circle policing the DeFi space. Right? What kind of security model is that?
Yeah.
Yeah. I mean, they got a lot of pushback for not stepping in there on Drift.
Yeah, and I think personally, that's my personal opinion, I'm going to get a lot of hate mail for this.
But I think they made the right choice.
Because once they stop saying, well, court orders, then further down the line, and maybe not that much further, law enforcement agencies can ask them for other types of freezing.
Right?
>> Right.
At least with Arbitrum, you have a credible decentralized, you know, security council, multiple parties involved, and also it's a very technically complicated thing to do, right? So, asking them to do it, they have arguments in favor of saying, well guys, we just performed open-heart surgery. We can't just do it whenever.
Yeah, I just pulled up Steven's tweet, the co-founder of Offchain Labs, and he says the sequencer has absolutely no power to move funds and was not the one who acted here. It was made entirely by the Arbitrum security council, a group of 12 individuals elected by the DAO, which requires a nine of 12 vote for them to agree.
And for many, the ultimate goal is to get rid of the security council entirely, but this is complicated. >> Yeah.
It is very complicated. Yeah.
I mean, they must have been in the war room talking about the political, legal, regulatory, financial, the combination of all those factors; they all kind of step on each other's toes in different ways.
And the most obvious... Yeah.
There's no good decision, right? There was no good option. There were only bad options and just identifying the least bad one.
Yeah.
So, where do we go from here for the rest of these funds? I think Aave is trying to work on getting some loans. I think obviously, Kelp DAO and LayerZero are kind of pushing back on each other in the public landscape. How do you anticipate this resolves? Users are still frozen on Aave across multiple chains.
There's a couple of L2s specifically that are going to be on the hook. Mantle put out a statement this morning. How do you anticipate this kind of resolves, and, you know, I'm curious if you have any thoughts on how long you think Aave's markets will be frozen.
I'm guessing that everybody's trying to find a lender of, you know, last resort to give them the money to recoup some of the funds.
You know, Aave is having a bank run and everything is frozen, and it just shows how much of a systemic risk we have.
Right? Because in Aave, even if you were in the safest deposit, the safest position, you're frozen in, right. I expect it to be weeks, especially seeing how, you know, both teams are pointing fingers at one another. You know, you definitely have lawyers involved. So, all the communications we're seeing are airtight from a legal perspective.
I think it's going to be ugly.
Yeah.
Yeah.
So, just from the Filecoin perspective about some of the work that you guys have done, I know that you guys have done some exploit prevention on Linea and some other chains. Maybe you could just explain some of these stories, kind of like how you guys stepped in and what that process actually looks like for other chains, other protocols. And yeah, I would love to hear some of those anecdotes.
>> Yeah, so we are integrated with Linea.
It was our first network, a great team. They're taking security very seriously.
And basically there we had an immutable contract where, because of a misconfiguration of a front end, users were allowing an immutable contract with their funds. Which means a drainer started taking notice of that. And then the drainer would just call the immutable contract and just take the money from the users, right? So we worked with 0x and we added an assertion and invariant on that contract. Even though it wasn't a 0x vulnerability, right? They went above and beyond to protect user funds even from an external integration.
And now whenever a transaction from the drainer tries to hit the network to drain a user, it's stopped, right? The software just sees the transaction, runs the policy, sees the policy is implicated, and then it doesn't allow it, right? And 0x was the only party that could add this policy. So the system is very decentralized, right? Only the protocol itself can add policies to itself.
And we stopped hundreds of transactions. The drainer is really not taking the signal.
>> [laughter] >> Yeah.
And so, they keep trying to put these malicious transactions through and then you guys are able to just block them at the sequencer level?
>> Yes. At the sequencer level. It's not even us. We just provide the software. The software runs within the trust boundary of the Linea sequencer. And we just coordinated [clears throat] with 0x to add the right policy. It's completely out of our control. Even if we wanted to, we wouldn't be able to stop anything.
Yeah.
Wow.
So, you think it's going to be weeks of the frozen funds?
I mean unless someone jumps in, maybe we see Tether doing another leveraged buyout.
Yeah, like it seems the parties don't want to work it out, right? They're just shifting blame, because there's a lot of legal liability, right? Like even after a hack, I don't think people know that even after you have a hack, and even if you survive it as a protocol, as a team, you are bound for life. The moment the protocol succeeds again, even if they manage to succeed, you can be sued.
Right? That's what they're fighting for.
It's not just covering the money.
But it's all the possible future litigation they will receive the moment they get any kind of revenue. Yeah.
Well, I mean, I think the loan part from Aave is going to be based on paying that loan back out of future revenue, kind of what happened to Bybit.
Yes.
>> I think it was less so on, like, I mean, you raise a good point. It's more on the legal side. I was just thinking purely financial. It's a loan that's going to be paid back over time, you know, based on Aave's revenues basically.
>> Yeah. But Aave is probably off the hook from a litigation point of view, right? Because they're just running the market. The real question is who will take the blame, either Kelp or LayerZero. Mhm.
And then when they do that, all the future litigation they can receive.
But maybe they succeed, they're doing great, and two years they're hit hit with a uh a group lawsuit.
Yeah.
Right? That's what they're fighting for.
It's not just covering the money. Whenever there is a hack, if they can't recoup the money, usually the legal vehicle, the development company, is disbanded.
Yeah.
And that's probably more something that Kelp and LayerZero are actively thinking about then. And that's why you see the way that their comms are structured.
Yeah, because you have it for life.
Yeah. Like even if you succeed, you find the money, you make people whole, uh you're open for litigation for life.
Yeah.
Wow, man.
>> [laughter] >> Well, Odysseas, man. I'm sure you're busy. I know that there's a lot of security conversations going on between different people who believe different things.
So, thank you for joining us. Quite a sobering 96 hours here in DeFi.
We'll continue to monitor this as this evolves. I mean, we're seeing now each day different parties come out. I anticipate that a lot of the major announcements and major moves have been made. Now we're really just waiting for how the socialization of these losses is going to come out.
>> And we still don't know the vector. LayerZero has not yet shared how the attackers got access to their systems.
That's That's a very important piece of information we don't know yet.
Yeah.
Well, to be continued. Odysseas, thanks for joining, man.
>> Thank you so much for having me.
Best of luck.
All righty, [cheering] man.
Wow, guys. I mean, goodness.
Goodness, goodness, goodness. DeFi is in a very interesting place as we kind of navigate this situation. I mean, it has been a very hectic last couple of days.
For those who are sitting in Aave waiting for their funds, I mean, it is very tough. It is a very tough situation to be in. Ladies and gentlemen, we've got Rune Christensen, the co-founder of Sky. He's going to join us to talk USDS, Sky, and more.
We're just going to take a super quick break, get Rune in, and we'll be right back, guys. This should be a good one.
We're going to talk about what's going on with Spark, what's going on with Sky, his take on DeFi on DeFi, and more.
We'll be right back, guys.
>> Welcome back to another episode of Stable Up, our premier weekly show covering the ins and outs of digital dollars, stablecoins, and the future of decentralized finance. The show is made possible by Frax, and Frax is powering the financial engine of the internet, powering frxUSD and GENIUS-compliant stablecoins. This is the stablecoin supercycle made possible by Frax. Now, enjoy Stable Up, our weekly stablecoin show.
All right, guys. Welcome to Stable Up episode number 28, our premier weekly stablecoin-oriented show powered by our friends at Frax and their frxUSD product. We've got Rune Christensen here, co-founder of Sky. Rune, what a 96 hours in DeFi, man.
Yeah, it's another day in DeFi, I guess. Yeah, indeed. Indeed.
Where do we start here? Well, Rune, I mean, I would just love to get a bit of your perspective. We'll start on this exploit, what happened, and transition this convo into stablecoins more broadly, USDS, Sky. Starting on this exploit here, I mean, initial reactions, thoughts.
So much has happened, from Arbitrum earlier today with KelpDAO's statement, later LayerZero's statement, Aave's statement, kind of finding out what actually happened. Rune, I mean, from your perspective, what went wrong, what happened, and any immediate reflections and lessons here?
Yeah, I mean, I think first of all, it's pretty uh it feels pretty shocking, right, that it happened so close to the Drift incident, which was I don't feel like that was like 2 weeks ago or something, almost.
You know, that that was very recent as well.
And I mean, my understanding was that this was a pretty deep attack into the off-chain infrastructure of LayerZero, combined with basically suboptimal configurations on the smart contract side for both Kelp and then Aave, which led to a lot of these assets basically then getting sort of cashed out.
But ultimately, I mean, it's still quite surprising to actually see this kind of attack where North Korea literally got very deep into the systems of, to my understanding, a quite security-focused organization like LayerZero.
And I mean, a lot of the fear that I've been sensing recently is this fear around AI-powered hacking basically and attacks on DeFi. And I think I remember from one of the statements that there literally was this mention that this could have been somehow AI-accelerated, which of course, I mean, you can't really tell, I guess, necessarily. And on the other hand, every exploit always happens because there's some kind of mistake. Like, AI systems can't just literally hack something that is built fully correctly just through magic. So it's not like everybody should be really scared and expect anything to blow up any moment. But definitely, I think across the whole industry, I mean, already following the Drift hack to some extent, everyone is just realizing North Korea's watching. You know, they are running 100 agents scanning a protocol right now, 24/7. They're looking for every single possible vulnerability, and everybody must just be prioritizing security even more than they were before, right? That should have been priority number one already, but now it needs to be an even bigger part of what you're doing. Basically, everybody should be keeping all of their money safe, looking for every single attack vector, and basically fixing it before the agents find it.
And I think Rune, one of the other kind of preemptive points that you made was around this idea of the political post exploit dynamic between protocols and voices in the space kind of almost operating without a I mean, really without a plan, without a kind of emergency plan. And you know, you kind of wrote about how you think this is something that Sky should really work on and think about, and anybody should think about you know, I I'm curious kind of what you think about how how a protocol is or a you know, community here, right, of the of the shareholders, of the token holders, of the participants of any given ecosystem should think preemptively about designing a post potential post exploit um command system or you know, a line of fire as far as like you know, XYZ is to happen. How do you think about this?
What is your kind of ideal end outcome for for for company like Sky or others who you know, maybe face with something like this in the future or perhaps not, but of course, always being careful is better than um you know, not being.
Yeah, I mean, I just I think that I mean, I think a lot of people have been mentioning this, right, that in many ways, the damage done to the DeFi industry from the uncertainty around this might actually have been greater than the loss of the hack itself.
Just because you've had like several days of this like completely unprecedented sort of liquidity seizing up, and it's kind it's as if it's like the great financial crisis, and uh the mortgage-backed securities just turn out to be worthless and so on. But the reality is this is actually I mean, sadly for DeFi, this is not a like this is it's a big hack, sure, but it's not like it's you know, a a similarly-sized hack that happened like a couple of weeks ago, right? So, the real problem here is actually just that there's a lot of you know, it it brought a lot of systems into uh sort of states uh they were not prepared to be in, where suddenly there's this like uncertainty around what is this you know, like sort of Schrödinger's collateral? Like you don't really know if it's worth anything, and then you can't run liquidations, and you can't sort of you don't know if is it going to be a bailout or not, and all of these things like all of the uncertainty just just results in everybody sort of being more conservative and basically not taking action.
And that can just be incredibly bad for interconnected financial systems because they're all about liquidity. Once you remove the liquidity, it's just like it becomes very, very damaging and harmful, and you have like you just like loopers that can be sort of really you know, that sort of depend on the ability to to to jump in and out of positions, and just like a lot of damage being caused by uh the uncertainty rather than the the the incident itself, right? It's like the classic like um you know, we have to fear fear itself, right? That that actually the this is itself a very harmful thing.
Uh but I think there's great news. Like I mean, I think the the fact that the Arbitrum assets were frozen, and there's some indication that like even Mantle, which is a completely uh you know, external project is like stepping up to actually help and try to backstop this. I think that's going to like you know, these kinds of of of of movements is something that at least if I was a uh like an affected DeFi user, I would feel you know, that would be something that would sort of be comforting in the sense that I would expect that this type of stuff is what's going to lead up to some kind of I mean, some kind of resolution uh happening because the momentum and like the goodwill shown is going to make it a lot easier for everybody to come to the table and figure out how to basically resolve this instead of what I think there was some fear of in the early days, which was some kind of like total PVP uh lawsuits everywhere, everything is frozen for months, right? Which would just be so bad for everybody. So, I'm very happy to see that there's this collect like that that there's this like likely collaborative uh solution, and hopefully uh things can get sort of fixed and and recovered before it gets completely out of hand with the damage from the liquidity issues and the fear.
Yeah.
The staked USDS APR or APY to supply on Sky hit upwards of 25% in the past 24-ish hours due to a large number of people withdrawing. Is this a general broad risk-off sentiment thing? You know, maybe you could just explain the dynamic behind this kind of yield ratio and how the Sky asset is involved here, because I think there's generally just this kind of risk-off sentiment happening, as you're explaining here, the fear being more problematic than the actual event itself. Clearly this is a very high-yield opportunity for sUSDS holders. What's happening here?
>> Well, okay. So maybe I should just first explain stUSDS and sort of the broader landscape of Sky products. And I mean, Sky, of course, is primarily known as a decentralized stablecoin protocol, right? With USDS, that's the largest yield-generating stablecoin, the third largest stablecoin in the world. But actually Sky has a lot of financial primitives, a lot of building blocks for different financial use cases.
And you know, famously the Sky agents that are just enabling really a lot of stuff to happen within Sky uh even though it's like one ecosystem. It's it's you know, it has the ability to sort of do a lot of different things all at once.
And then one of the things that also really enables the ability for Sky to be very flexible and very complex in the types of things that are possible is risk tranching. So basically you have multiple different types of financial products that sit at different layers of what's called a capital stack. So basically, I mean, I guess what people are used to in crypto and DeFi is usually like, well, here's the safe project, so I can put my money there and it's low yield and low risk. And here's the super risky project, and if I put my money there, it's high yield and high risk. Well, with Sky, there's actually, you know, you can hold sUSDS that is absolutely optimized for risk-adjusted return, right? It's definitely the most proven, best Lindy stablecoin product with a really, really reasonable rate of return, right? Right now it's at 3.75%, which is actually 10 points above SOFR. You know, a lot of people are dunking on DeFi for not being able to beat TradFi, but USDS does in fact still beat TradFi and is very much highly risk-optimized, right? But with Sky you can also use a product like stUSDS, which is a higher-risk token that still has this link to the US dollar. And you can actually go even higher risk and buy something like SPK, right? Which is then a completely volatile governance token of one of the Sky agents. But so stUSDS, because it's a risk token and it's explicitly marketed as risk capital, it's for advanced users, right?
Because it has higher risk. It's not just a stablecoin that is designed to protect you above everything else. With stUSDS, it's also about being able to offer a higher rate of return.
And one of the consequences of this is that it can have its one-to-one liquidity with USDS frozen when there's a lot of withdrawals. And that did happen for, I think, maybe 24 hours or maybe a little bit longer, right as the big crisis and the initial shock occurred.
Sorry.
But actually the liquidity returned quite rapidly. Yeah. So this is also a very good story, and I think this should be very encouraging to everybody in DeFi, because Sky is sort of the protocol that is really optimized for security, right?
We've always been focused on security, always focused on risk management. This has always been our messaging, right?
It's always been how we built and conducted ourselves in the ecosystem.
And as the products were marketed from the Sky Foundation, from all the Sky agents, as they market their individual products, right?
And that really paid off in this crisis, because you got partially a flight to quality, right? So stUSDS wasn't affected by this at all, but people are just risk off, they're scared. And first they pull out the money, but quite rapidly they basically put it back in, because they've got to have their assets somewhere, and if they're not ready to completely leave the on-chain world, then what Sky has to offer is at this point very trusted, right? It has a lot of Lindy effect.
It's quite uh trusted.
>> Yeah. No, I mean, for sure. And I think, you know, we've seen a kind of transition of capital, or a shifting of capital, into one of the stars as well, being Spark. I think it has gotten a ton of deposits. And you also mentioned, and you got some pushback for this, a post about Spark's spUSDT being one of the few USDT yield products that actually stayed fully liquid during the market stress. Maybe you could just explain why that happened, what the dynamics of that spUSDT stablecoin yield product in Spark are, and why it wasn't affected.
>> Yeah, so, similar to what we just talked about with stUSDS, which is one of these DeFi yield products.
I mean, basically the two bread-and-butter primary types of DeFi products that exist are USDC vaults and USDT vaults, right? So basically where you can put your USDT, you put your USDC, and get a return on that.
And typically USDT products tend to more easily run into liquidity issues.
Why exactly that's the case, I'm actually not 100% sure. One of the reasons might be because of the Sky PSM, because Sky has gigantic amounts of USDC liquidity, and this might generally help deal with users moving in and out of getting a yield on USDC specifically. But there's no USDT PSM in Sky, although actually there is an ongoing effort to increase USDT liquidity in Sky. But currently there's not nearly as much USDT liquidity in Sky as there is USDC.
And I think this might be one of the contributing factors to USDT generally in crisis events like this: it's often much easier for the USDT pools to dry up and the USDT to get stuck.
And this happened across the board, I think in all of DeFi.
I actually, you know, I can't actually be 100% sure, I didn't literally verify this myself, right? But from all the major pools I looked at, the only one I saw that never seized up even once was the spUSDT Spark pool. And I actually heard from some of the contributors that Spark was actively managing this and actually losing money just trying to maintain that liquidity throughout the event, right? As there was a sort of run on the bank across the whole ecosystem.
And in my opinion, that was like a really clever move. So, even though it cost them some money to to subsidize this, uh it will I think it will have really, uh bought them a lot of goodwill.
Uh and that's because I think if you I mean, so, somebody like me, I mean, I'm I'm in DeFi 24/7, right? So, I all the time DeFi finance, you know, asset liability management. Like, I'm pretty it's not a surprise to me that your USDT can get stuck in a DeFi pool. That sort of seems like this is this is some of the most basic stuff that's like, yeah, that's one of the risks you accept, right? But, for a lot of normal people who who try this kind of stuff, I mean, if if it's crypto, it's already scary, right? It's already hard to understand.
And then your money is suddenly stuck and you can't get it out, that's really going to like affect you emotionally.
And I think uh you know, like the price of of not giving your users that shock where they maybe have a day where they think maybe they will lose their savings or something, like the value of that is is is really priceless in a in an emerging market like DeFi and crypto, right? Where it's all about like establishing that that uh brand and that sort of market presence.
And I think the fact that the the Spark guys, they they actually made this decision and they sort of really doubled down on investing during this crisis in order to build uh their brand and and build build trust with the users for the long term. I think that that must have really paid off. And I also want to highlight how it's quite you know, unique and sort of very yeah, it's like very unique to to um to Sky specifically, right? That as a sort of as a Sky agent, right? They're like a sub component of of Sky basically, right?
They exist inside the sort of broader Sky uh ecosystem running on Sky protocol rails and everything, but they still had enough flexibility to build a system that let them do this.
Like, I wasn't even aware that they could even do this. So I was surprised, like, how do you even pull it off? And they were like, oh, we use these primitives and this way we were able to do it, right? And I think that's really cool, right? That you can have the overarching standardized risk management, security, and processes of Sky, and then they were able to basically put it together into some very useful features that really paid off in this moment of crisis.
>> Yeah. Yeah, and I think it kind of goes to explain some of the risk management choices holistically within the Sky ecosystem. And obviously you've been prioritizing ETH, staked ETH, a lot of RWAs to back USDS, and just very, you know, more like what people would call pristine collateral over more exotic collateral. You know, I'm curious how your general view of collateral backing has changed as a result of this rsETH exploit here. Obviously, we've even seen Ethena come out as of late and say that their sole basis-trade backing for USDe is not what their future is going to look like. They're looking at other RWA collateral, the basis trade on commodities, etc. You know, I'm just curious, following this event, has your view on DeFi-native versus more RWA or TradFi, if you will, collateral shifted, changed, or is it staying the same? Generally, how has your viewpoint on the way DeFi should be thinking about collateral and the types of collateral changed, or has it just been further reinforced?
>> Yeah, so I mean, Sky is at this point more than 11 years old, right? It's the oldest DeFi protocol.
It has maintained stablecoin products without ever suffering any kind of loss or major instability for almost 9 years.
And end-to-end the protocol has had no security incidents of any kind for more than 6 years.
And this is all because the whole time what Sky has fundamentally always obsessed over is security, risk management, you know, what's going to happen to the collateral, right? I mean, that's what has kept me up every single night for the last 10 years, right? It's just thinking about what if something happens to the collateral. And so the kind of things that have been happening in DeFi lately, despite being very shocking, and even to me it definitely makes me feel uncomfortable to see big hits being taken left and right like this, none of the types of things that are being exploited and going wrong right now is actually at all the kind of stuff that I'm scared of, in the sense that it's all preventable.
Like, you know, this recent rsETH situation doesn't at all teach us anything new in Sky, because it's been very clear to us for many, many years that you shouldn't do that kind of stuff, right? You need to have a lot more clarity about the security setups of these types of assets, and even just generally the degree to which you can use these highly complex assets like restaking and so on. It's not really something that is allowed very much, or at all, in Sky.
Because it really comes down to the risk-adjusted return. It's just not worth the tradeoff of the risk to use these kinds of assets generally, but in order to understand that you need to have very advanced risk management frameworks and capabilities and monitoring systems and so on.
And I think about 6 months ago actually, in Sky, we managed to really increase our risk management capabilities and risk assessment capabilities, and from that we actually realized that even though we had been obsessing about risk for so long and we had been building everything to be as low risk as possible, we were definitely overweight on the level of risk the protocol was carrying. So actually for the last 6 months, Sky has been consistently deleveraging, risk off, just simplifying the exposures, reducing the bulk of the concentration into some of the more interesting assets, right? That originally was, and still is, the kind of stuff that makes Sky really unique.
Like, for instance, it's backed by CLO ETFs, which are quite interesting assets, but about 6 months ago it was determined that it had gone a little bit too far, and that was the kind of stuff that has had its exposure quite decreased.
And yeah, I mean, the crazy technical stuff like restaking and bridges and that kind of stuff, that's something Sky has had a very low tolerance for for quite a long time already.
I think honestly in the end, the really big takeaway for me from this is actually, to the earlier point, understanding the fallout of everything in advance. There's always got to be a clear protocol, a clear rule set for what happens if a bridge gets compromised. And I mean, I think by default the simple answer probably should be: you've got to make it really clear to the users that choose to use a bridge that they are taking on additional risk that applies to them only. And on the contrary, the Ethereum mainnet users that are consciously choosing Ethereum mainnet because they want to be safe, they need that reassurance that you're not going to get contagion from other users that choose to use a bridge, right? And this is, of course, one of the major things that are being really examined in Sky now as a consequence of everything that happened.
>> So you guys just pushed a native deployment of USDS and sUSDS onto Avalanche using this SkyLink technology.
It's already live on Solana. So you guys are obviously pushing a multi-chain strategy forward as well. How do you avoid the kind of native issuance problem when it comes to Ethereum being the home and you've got these other chains with their other security practices, models, validator sets, sequencers? How do you ensure that the representations of USDS and sUSDS across the broader multi-chain, cross-chain ecosystem also remain resilient? What does that look like for the users of Sky's assets on other chains?
>> I mean, definitely something that has been a core tenet of Sky's approach to multi-chain for quite a while is that it must be built, I guess you could say, in-house. There used to be a time where you would have other projects do bridges, and you also have the example of USDC, right? Where sometimes you go on multi-chain blockchains and they will have multiple different versions of USDC because you have different bridges doing different versions.
And that's something that I believe, I mean, I found out later, can be quite risky, right? You really don't want your product and users, let's say users that want to use USDS, and then somebody conveniently bridges USDS somewhere, and then it's available, and then you get this organic adoption.
That sounds good in theory, but in practice that can actually be a huge mess and very dangerous, because once you have that adoption going, it can be difficult to actually then transition it. And if you can't easily upgrade the bridge, it could be a huge problem if the bridge turns out to not be very secure. So actually SkyLink was this innovation that was basically designed to ensure that you only do USDS bridges and you only do multi-chain USDS when it's built following the SkyLink standard, which ensures that it can be upgraded by Sky governance. And there's not going to be external multisigs or external parties that are involved in the management of this, or the decision about how it should be upgraded, or how to set the safety limits and so on, right? That should all be something set by Sky core governance.
And yeah, I mean, that part of the strategy I think was totally correct. I think now again, what probably needs to be re-examined by Sky and everyone else is just how strict these limits should be, and they should possibly be stricter than people were expecting up until this point, right? Because you really want to avoid again this kind of situation where a loss occurs and it's big enough, like an event happens and the security incident is big enough that it creates this concern and fear of contagion, and things start to seize up, and that's just a very bad thing. You've really got to avoid that at all costs.
>> Yeah. Yeah, 100%.
We're getting into more of a forward-looking environment here in conversation.
Interestingly enough, the new Fed chair, Warsh, came out today and had a bit of a speech about his policies and his views. And ultimately, I think it's decently certain that we're going to get at least one, two, if not three rate cuts this year, probably just 25 bips.
A lot of the stablecoin products and use cases for yield are directly derived from Treasury bills and T-bills, from short-dated assets, these very safe, very liquid opportunities on chain.
And so, as you mentioned in an earlier point, there's this rhetoric right now that DeFi is less yield than the risk-free rate with a lot more risk. And I've kind of got this inverse thesis where, as the macro Fed rates decline, more speculative activity picks up on chain, driving the demand to borrow stablecoins, driving the yield to lenders up. And the opposite happens in environments like now, with somewhat elevated rates and lower rates on chain. Now, obviously, you guys have a special situation here, but that begs the question: in a lower rate environment coming up, even if it's just 50 bips, 75 bips by the end of the year, you can see that the administration is pushing this forward, that the Fed wants this. Obviously, Trump is screaming about it. I'm just curious how much your strategy changes from a collateral perspective, from a yield perspective, from an expansion perspective, in a lower rate environment versus a higher rate environment? What you expect from users, what kind of anticipatory measures you may be taking as a protocol, or maybe none at all and it doesn't really matter.
Just curious how you think about the broader macro Fed interest rates as they pertain to the value prop of something like sUSDS on chain.
Yeah, Sky has been engineered carefully to be able to handle whatever macro environment it finds itself in.
And I think actually, to some extent, as rates go lower, credit spreads get increasingly important.
So basically it's no longer enough to just be able to deliver the yield. You've got to be able to handle more complexity and then source the yield through different avenues. And through this you can capture credit spreads, right? But the thing is, even when rates are high you still want to capture credit spreads and offer the best possible risk-adjusted return, right? And I think this idea that DeFi gives you lower rates and way higher risk...
That applies whether rates generally are low or high. It's just as annoying to take tons of risk and then get 4% when the risk-free rate is 5% as it is to do the same thing, take tons of risk, and get 2% when the risk-free rate is 3%, right? In either case, you're underperforming and taking extra risk.
And I would say the opportunity for DeFi is, on one hand, to really deal with the risk first of all. And in Sky's case, the ecosystem has really done almost everything it possibly could, right? Because it's maintained a clear track record for many, many years at this point, even as other projects have been dealing with issues; it's just not really something that has been happening to Sky in the same way. And that of course really matters a lot, but on top of that, there's also the transparency and the effort that goes into actually explaining the risk, understanding the risk, right? Because it's not through luck that Sky didn't have security incidents or risk events. It's because it's very carefully engineered, very carefully designed, and all of the thinking that goes into that design is made as public and open and transparent as possible, because this is essential for the sophisticated users, right? Institutions and crypto whales that use Sky and hold their assets in sUSDS.
They really need to be able to do their due diligence and access public information in things like our risk dashboards or our governance rule sets, so they can directly look at how the sausage is made on their own rather than listening to some salesman telling them it's all good, right? Yeah. And that's just going to be continuously improved over time.
And what's interesting is, it sounds like Sky's just focusing more and more on security, managing risk better and better; it sounds really boring, right? Like it's just going in circles and making everything more safe and more secure. But the thing about decentralized systems in particular, in DeFi, and I guess maybe you can think more broadly of decentralized systems:
There's this really interesting characteristic that security and risk management is what enables scale.
So basically, when I'm thinking about, "Oh, how are we going to grow Sky to get really huge and massive, a huge business, and make tons of money and so on."
The key to that is through security and risk management. And that's because if you have extremely solid, extremely scalable security and risk management processes, you can open up for more complexity. So actually, in theory, Sky could do 10 times what it's doing right now. The protocol absolutely has the capacity to onboard 10 times as much collateral and diversify into all sorts of, not necessarily high risk, but exotic, super innovative things out there.
But the problem is, at that point it gets impossible to track end-to-end what's happening everywhere all at once, right? And that's the key to this. You shouldn't be scaling so fast that you can't track and explain exactly what's going on in every single corner.
And with Sky, the model that Sky is going with for scaling is modularity, right? So you have multiple Sky agents. You have Spark focusing on DeFi, you have Grow focusing on RWA, you have OPEX, Keel, other agents that are all focusing on different areas.
And they all have their own autonomy to go and do things, right? So with that approach, you could really just open the floodgates and be like, "Yeah, go do whatever you want." And they would dig up a thousand opportunities within a very short amount of time.
But that's exactly the opposite of what we want, right? It has to be that everything they do, it must be possible to essentially, I guess you could say, mathematically prove that this is within the risk tolerances, this is within the existing approved risk categories, it's following the capital ratios, it's following best practice. And ultimately, the goal is really to be able to at all times prove that Sky is following best practice that is equivalent to or better than what you see in modern banking, right? So all the risk management frameworks are fundamentally based on and building on top of the Basel banking risk management framework.
Rune, one of your points was particularly interesting about managing all of the disparate risk parameters that are present in a given DeFi protocol. One of the things that Rob Hadick said yesterday on the show is that this is just another clear example that the design of pooled lending is likely going to slowly consolidate into much more of this isolated model as the Fidelities and the Revoluts and these larger firms come on chain. Do you agree that the future of on-chain lending is very isolated, very single collateral asset, single debt asset, very clear as far as what you're getting into from that perspective? I'm just curious what you think about how on-chain lending is going to evolve, because I think Spark maybe is not exactly in this direction, Morpho probably closer, but maybe that's not the right take. Generally curious: is this another example of, "Hey, on-chain lending is moving towards isolated, curated risk design rather than the pooled model?" How do you think about this transition?
Yeah, I guess it's an interesting topic, and it's kind of frying my brain a little bit in the sense that when you talk about finance, you often use a lot of different words for more or less one or two or three basic concepts, right?
So I guess the question is, do you consider a stablecoin, or banking deposits, as lending your money? If you put your money in the bank, is that lending to the bank?
And it depends on how you want to answer that semantic question, right?
If you basically define lending as: I have something I consider my currency, my risk-free asset, and then I'm going out and I'm deliberately taking some additional risk with it. Then I think it's absolutely true. In that case, you're thinking, "I'm going to go and take some risk." Yeah. Nobody should ever be like, "Oh, I'm going to take some risk. I don't know what the hell I'm doing, but let's take some risk," right? That's a horrible way to do stuff. But what's interesting is, as a type of financial activity, which is essentially savings or stablecoins, right? So, stability.
That's specifically the type of product that is designed so you don't have to think super carefully and analyze everything that goes into it. I mean, you should be able to if you want to, right? That's everything we strive for in Sky. But the point with Sky is exactly that it's this massive diversified pool. Everybody goes in the same... Well, okay, let me take that back.
It's not a pool. It's a token, right? Everybody goes in the same token, and the token then deploys through the Sky agents, through the core vaults, all the RWAs that are backed by large, regulated global institutions, this massive diversified portfolio. And ultimately, I think the point is really that that's a massive responsibility, right? If you ultimately regulate such a large portfolio, which is what Sky does, it's a very serious, very significant task to at all times monitor that, right? Measure the risk left and right.
And once you get big enough, you also get this issue that it's no longer all about... Well, actually, the recent incident is a perfect case of this, right? One thing is insolvency, literally losing money, "Whoops, the money's gone" type of stuff.
But increasingly, as you get bigger and as it gets more liquidity-focused and currency-like, this issue of purely liquidity and fear, "I want my money and I want to feel safe" and so on, that itself becomes a huge risk vector, which is something that just gets more and more complicated the more you dive into it.
But from my perspective, if you say lending and you define that as risky, very deliberate lending, then yes, that's absolutely going in the individual collateral direction. If you think of DeFi as a whole and this concept of holding your assets in DeFi and getting a good return on your assets in DeFi, it can't really be done. It has to be diversified. It has to be this large-scale managed, governed stuff.
And I think what will happen is it will consolidate. This has always been the case, right? There's been a few very large players in DeFi.
And I also think that it will actually be a lot easier for the large players to distinguish themselves and benefit from focusing on security and risk management. I really do feel like the market has been changing a lot, and that sentiment has been a lot in the forefront. Actually, the big moment was exactly in the fall, around 10/10, which is commonly known as the moment when the vibe really changed, and suddenly as a project, not only did you have to focus on security, and focus on being like, "This is how I'm keeping everything safe. This is how I'm keeping it stable." But what's so amazing from that is that it started giving you an advantage.
The market finally gave you positive feedback when you did the right thing, which was care about security, care about stability. And I feel like that's been sort of a frustrating thing for Sky, because it's the project that has always been so massively obsessed with security and stability and safety.
But crypto cycle after crypto cycle, we were getting clowned on every time there's a bull market, then everyone is like, "Oh, they're so boring and lame, right?"
And then everything crashes, and suddenly people want to talk to us again.
But I think finally we're past that now, and there is this fundamental understanding that the low-risk stuff, the risk-adjusted returns, that is when there's a massive opportunity. And to my earlier point, that's how you get massive scale, that's how you get economies of scale. That's going to give you profits. That's going to give you the stuff that the market is not looking for. So I really think, I don't think DeFi is over at all from this. I think it's going to evolve. It's going to get way stronger and way better. And overall, it's a terrible situation, and I hope it gets resolved really soon, right? But I also really hope that the whole industry and everyone who survives and comes out on the other end, and is able to reconstitute themselves, really seizes this opportunity to have stability, safety, security be the cornerstone of their growth and their business case.
I agree. I think DeFi is going to be fine. I appreciate the thorough answer on the lending model side of things. It's going to be rapidly evolving, the entire space. Arbitrum freezing those funds was a big win, and I think the situation hopefully is resolved sooner than later, Rune.
So, appreciate you spending some time with us today, man. Looking forward to seeing Sky hit that 20 billion mark this year. Best of luck, man.
Thanks a lot. Happy to be here.
Thanks, Rune.
All righty, guys. That's Stable Up episode number 28. We're going to take a super quick break, get Philip, the CSO of Coinbase, onto the show. Our last guest of the day. We'll be right back.
>> All right, you guys. We are back with Philip Martin, the chief security officer at Coinbase. Notably, he's been in conversation with Anthropic about Mythos, apparently, as of late. A US Army veteran, a smoked meat enjoyer.
Phil, how are you, man? Doing well. How are you?
Doing well, as well. What a crazy couple of days for DeFi. It's been absolutely wild. Absolutely wild.
And I think the reality is we're going to see more of this going forward.
I think it's a very interesting overlap of some of the new frontier AI models and their ability to be really impressively good at cybersecurity, and the fact of the matter that for DeFi, we're really running code in the open, right? That makes it much more susceptible to that kind of attack than just trying to point a model at an API endpoint.
Yeah. So I had Dragonfly GP Rob Hadick on yesterday, and he said a lot of people misrepresent the amount of AI involved in these exploits. He said it's basically a lot of just internal infrastructure malpractice from a security perspective.
Do you agree with that? Broadly, yes. But I think we will see the amount of AI involved in these things increase, in my view, pretty substantially as time goes on.
And do you think that the prevalence of exploits that are AI-related are more possible on chain, or is this more of the traditional security kind: DNS domain hijacking, phishing?
How do you think about the surface area for these types of things in terms of the different attack vectors? Yeah, so for AI specifically, context management is really important.
The ability for you to provide that model with as much information, at least as much relevant information, as you can is going to help it do a lot better, right? So that's why, in general, I believe AI actually favors the defender over the attacker.
I think that's turned a little bit on its head for things like smart contracts, where the context is actually pretty evenly shared between the attacker and the defender because it's all on chain, right? And it allows a defender or an attacker to move very, very quickly, much more so than the assumptions we might make traditionally. And so I think that'll be uniquely harmful for DeFi protocols. I also think we will see the pace of cyberattacks increase generally, right?
Because AI enables both bad guys and good guys to do more and do it faster.
And so, maybe the initial entry vector is some sort of infrastructure thing, but then being able to leverage AI agents to move laterally, move internally, that's going to make the pace of an incident a lot faster than it is today.
Mm.
Interesting. You put out, or you contributed to, a report around quantum as of late. It was a very well-done piece, and I wanted to talk more about that. We've had quite a few different conversations.
One of the maybe overly optimistic takes that I've been sharing, that one could even say is silly, is that Q-Day's not actually coming. That this day is just not coming.
Why am I so absurdly wrong on that?
You know what? You're not necessarily.
This is a really interesting area where very smart, well-informed people at the forefront of this field have wildly divergent opinions on when, and in some cases even if, Q-Day is coming.
Now, I think we can look at and extrapolate from the pace of research and from some of the breakthroughs that we're seeing.
And I think it's becoming harder and harder to say that Q-Day is never coming. Even some of the most dedicated advocates are having a harder and harder time justifying their position.
But the reality is, we're still doing basic research. This is not an engineering problem. This is not a "we know the answer, we just have to scale it" problem. We're still doing fundamental research into how quantum computers operate at scale.
And there is no clear technique or winner that's going to take us from here to a cryptographically relevant quantum computer, right? So I think there is still room for doubt.
My overall position on this, however, is that it doesn't actually matter. The timeline doesn't matter. The "if" question doesn't actually matter, because the risk here is actually a trust risk for cryptocurrencies.
And so, doing nothing at all, having no plan for a post-quantum future, maybe Q-Day comes, maybe it doesn't, but that's causing harm right now to the trust in the ecosystem.
Yeah, I agree with that. It's been a big headwind for Bitcoin institutional adoption as of late. I think this is a very easy question to ask from an allocator perspective: "Well, how are you going to solve this?" Because a lot of these guys think far longer term than perhaps the average current user or speculator in the market. And it's very easy; 2035's around the corner.
What happens then, right? And that's something that they want to avoid. Now, one of the things that I haven't heard or been educated too much about has been why post-quantum computing and cryptography needs to be at both the execution layer and the consensus layer of blockchains. This was part of the report. Maybe you could just help us unpack what that means. We're pretty technical here, but not understanding exactly why you need it on the consensus side and on the execution side. Yeah. So the execution side I think is fairly obvious.
You guys had, I've had a couple of guests on, right? I think I had Alex Friedland relatively recently, who I think is incredibly smart and thoughtful about the space.
But that's straightforward, right? You use private keys to sign your transactions, and to the extent that the corresponding public key is made public in that transaction, that's what gives the quantum computer something to bite into, right? And it lets it, in theory, assuming it's big enough and performant enough, factor that public key so that they can get back at the private key and sign messages. I think what we also need to pay attention to, however, and it's actually not just consensus, we have to pay attention to the entire ecosystem and infrastructure. Like we were talking earlier about, are these really AI-assisted hacks or are they just basic infrastructure stuff, right? A quantum computer that can break public key cryptography, and weaken although not entirely break hash-based systems, isn't just about doing a spin-related transaction, it's also about the entire infrastructure layer.
So suddenly now I can inject messages in an SSL-secured communications path between two systems, right? I can start to spoof information in there. I can start to do things like, I mean, we just saw with the recent DAO hack, right?
That was an RPC issue, right? So imagine if I could suddenly get in the middle of a communication like that and start to tamper with it without having to break into the endpoints on either side.
So there's a bunch of surface area that's exposed from a quantum computer here that's more than just "my private key for crypto is going to get broken."
So the idea is that in the gossiping of data amongst nodes, there could be interference from a quantum computer, not just necessarily on the transaction signing or the execution of that transaction.
>> And not just that, right? There's a ton of surface area. If you can say, hey, with a performant enough quantum computer, I can break SSL in real time. Yeah. That opens up a lot of surface area for mischief.
Okay.
Do you think that there is any credence to these current quantum-resistant chains? It seems to me that nothing's quantum-resistant on chain today, but for some reason this Google paper came out and it listed Algorand and a couple other chains and projects; even Justin Sun came out and said Tron's got these NIST signatures coming on chain and it's happening. How much credence do you give to the idea of these NIST signatures being adopted today? Also, something like Starknet, Starkware has come out and said that their STARKs, their notable improvement to the ZK technology of SNARKs, are quantum resistant. They don't use elliptic curve cryptography. I'm just curious how much credence you give to the current state of "we have post-quantum in our XYZ stack."
>> Yeah, so I don't think any major cryptocurrency today has anything more than a testnet stood up that is quantum resistant. That's as of the last time I checked. It may have changed, right? But I don't believe there's anything more than a testnet.
Also, the NIST standard you're talking about in particular, the one I think will be implemented by most blockchains, is called Falcon.
It is really one of the more efficient signature schemes for post-quantum, but it's still something like 10 times larger from a signature perspective than a traditional ECC signature, which is very, very compact.
That is going to cause throughput issues on blockchains as this stuff is adopted. And all the other signatures are even worse from a size perspective, right? Which is why I think Falcon will probably be the winner for most blockchains, because it's the least bad of the current known implementations.
And so there's actually quite a bit of engineering left to do to figure out what this is going to look like on chain and what the impacts to throughput are going to be.
And how we want to think about the issue that these algorithms are actually quite new, right?
We look at all the various NIST-blessed algorithms.
We don't necessarily know that there isn't a classical computing vulnerability in these algorithms, right?
Cryptography is one of those unique spaces where smart people who spend careers in the space make mistakes quite frequently, because it is so complicated both from a theory perspective and from an implementation perspective, right? And so I worry that rushing to bring this sort of quantum-resistant algorithm to chain is actually premature right now, because we don't yet fully understand the threat model or the potential vulnerability space for these algorithms. Yeah.
Man, shifting into something that's relevant in terms of the rushing and the timing, but not necessarily quantum here.
I did see some news that Coinbase was speaking with Anthropic about potential Mythos, AGI-to-hacking and these things.
Are you worried about Claude Mythos as a serious attack vector for a large-scale financial services company like Coinbase?
I'm worried about these bleeding-edge models, not necessarily today, because I think they're very tightly controlled. What I'm worried about is a year or two years down the line, when we start to get the efficiency of these things up and we start to get open-weight models that have on-par performance.
Today these are enormous models, right?
Very impractical to run outside of an organization like Anthropic or OpenAI or any of the big AI labs.
But we're going to see improvements in efficiency, but really across the board, right?
Efficiency, we're going to see better model streaming. We've already seen some interesting research around running models not fully in memory, but from flash, right? So the efficiency picture is going to get better, and these models are going to be able to be run without having to spend 10 million dollars on hardware. Maybe you're only spending 100,000 dollars on hardware, right? And for an attacker group, that's going to be very, very tempting.
Right?
And so today, I don't think Mythos is going to take over the world as it escapes the sandbox and breaks everything, right?
That's not a real fear. But in a couple of years, I could see being in a much more worrying state, which is why I think it's so good that Anthropic and others are being very careful with how this model is being released.
They want to make sure that defenders have enough of a head start to patch things.
And we've seen some of the bugs it's found, right? It found a 27-year-old bug in OpenBSD, one of the most audited codebases in the entire world.
It's very, very impressive stuff.
>> Yeah. Yeah, so on the defenders front, you made an interesting point earlier about that. Wouldn't it just be sufficient for the defenders to get I say a bit of a head start using something like this and then providing that as a ample, you know, defense to the potential bad actors or is it just not that simple?
>> I don't think it's going to be that simple, because you're never going to find all the bugs the first time, right? When you use an AI model like this as a defender, you're running these things hundreds, thousands of times across your various pieces of code and services and infrastructure.
And you get new and different results as you run it again, as you tweak its approach.
So it's not a simple, "oh, I ran it and I found all the bad things and everything's good and wonderful now," right? And so it's always going to be a bit of an arms race, I think, as both the models improve and the ways of using them improve. So it's not going to be as simple as just, "oh, the good guys get it before the bad guys," because the bad guys will get it eventually, and they're going to run it in new and different ways that maybe the defenders didn't think about. Yeah.
>> And so from a large-scale company like Coinbase, what does the preparation process look like? What is the security hardening for the team, for anything from a password to a security key to a signer to an email account to a browser to a webcam call?
What do the scope and length of security hardening processes look like, to prepare for this advanced intelligence?
>> So we already use AI extensively internally in how we do application security and security hardening, and really in every piece of how we do security today.
And so when we think about a new model like Mythos or OpenAI's five or cyber or whatever else comes next, it's really about learning the nuances of how those models need to be prompted, how they manage context, how we need to tweak our approach as we swap a new model in. This is even true of moving from Claude 4.6 to 4.7.
Yeah. Right? The big difference is what we need to do to give this model the instructions and the context in the way that it best consumes them. Yeah. And then it's about making sure that we have the right sandboxes in place, right? So as we do, let's say, AI-assisted pen testing or red teaming, we're always very careful and think very hard about the environment we're doing that in. Not because AI is going to escape and do something crazy, but because, in the process, AI might choose to exploit a vulnerability to do a POC, right? Which is fine and normal and part of any good pen testing process.
But AI doesn't necessarily realize that that exploit is going to result in deleting data, or that exploit is going to result in a DDoS of some sort, right?
And so we want to think long and hard about the environments we're setting up, so that the models get as close as possible to a live instance without the potential for that model going a little bit off the rails and doing something it shouldn't do.
Yep.
>> Phil, man, I know you're probably slammed right now. It's been a busy week in DeFi. There are a lot of people running around trying to make what's happened right. And then in addition to that, obviously, the ever-increasing amount of intelligence happening. I think this way to think about this from the defender and attacker perspective is quite interesting, and I think you'll think that this model is going to be the one that you have to solve, and then a year or two later, it's going to be a whole 'nother level of a model that you have to solve and then prepare for.
The internet is in for a very interesting decade or so as we scale this intelligence.
>> I fully believe that to be true and I think you're exactly right, right? So my 10-year anniversary at Coinbase was last week.
Thanks.
And I've never seen an industry evolve so quickly and take so many left turns that you didn't see coming a year prior than this one, right? So, it's always a fun place to be.
Well, Phil, thanks for joining us, man.
Have a great rest of your week and day.
Congrats on the 10 years and appreciate you keeping us safe, man. Yeah, anytime.
All right, buddy. We'll see you soon, all right?
All right, Phil.
All righty, guys.
That is the Claude Mythos future of how these industries are going to protect themselves, how crypto's going to protect itself. That is also our show for today, guys. It is Tuesday, April 21st.
And I battle Rhino is getting suspicious about the coins. Oh, goodness. Oh, goodness. Ladies and gentlemen, we will see you guys tomorrow, bright and early here from the nest. Stay safe out there.
Stay sound. I hope you figure all of these little nooks and crannies out sooner than later.
Tomorrow, we'll hop off the security exploit conversation. I think these last 2 days have been sobering. They've been real. And they've been very important to have a discussion about. I think after these types of events, the industry takes this stuff very seriously for 4, 6, 8 weeks. And then we kind of continue on. I hope this time, after this event, things are taken very seriously.
We'll see you guys here tomorrow, Wednesday, April 22nd from the nest, from Tokenization Tower.
Thanks for rocking with us.