builder of ethereum data tools, smart contracts, defi systems.

Joined April 2021
wavey retweeted
On May 4th an APYX affiliated wallet (0xD17) incorrectly supplied $3m USDC directly to a Morpho market using the Morpho Blue address itself as the onBehalfOf parameter. etherscan.io/tx/0x0059fc47ba… This means the entire deposit was credited to Morpho itself and thereby lost and permanently stuck. It appears they realized seven days later and used $3.6m of collateral to borrow back that $3m USDC from the market. To this day the wallet remains both the largest borrower and primary supplier in this apyUSD PT market. Notably, at the current spot prices this position has already become under collateralized; however, the oracle used in the market is preventing it from being liquidated. The market uses a "fundamental" oracle that is meant to be the minimum of the APYX system collateral ratio or 1. However, until just the past day the collateral ratio oracle had not been updated since deployment. It does appear the team has begun updating the collateral oracle to reflect the true backing, which has begun to lead to liquidations. So far liquidations on this market over the past couple days have been manually done by the APYX team itself with the apxUSD backing and holding the mark to market loss on the balance sheet, since the market cannot clear them profitably even accounting for the liquidation bonus. Worth noting APYX has claimed this wallet is not theirs and is not holding backing assets of apxUSD itself. However, shared signer executions, funding practices, overall value amounts and cross wallet transfer matches would suggest otherwise.
github appears to have banned my account from publishing/sharing gists, likely because my exploit analysis agent was posting reports there ... naturally spent a few hours building a better, self-hosted, agent-first, censorship-resistant version of gists: github.com/wavey0x/gist
wavey retweeted
the 60% APY days are over (for now) but the 30% APY days are still here! current yvUSD loop numbers (max loop):
- ~$300k USDC available @ 2.3% borrow --> ~30% APY
- (for the humbler farmers) ~$640k @ 3.5% borrow --> ~20% farmer's paradise 🧑🏻‍🌾🌾
wavey retweeted
May 22
introducing evm compiler bench i generated a matrix of solidity and vyper versions, their optimizer settings, codegen backends. then i added 62 equivalent benchmarks that include hand written contracts, generated scaling tests, and real equivalent ports of production contracts to both languages from projects like yearn, curve, uniswap. i ended up with over 7,000 measurements you can explore interactively. the report includes an interactive head-to-head explorer, version-over-time charts, scale curves, compiler failure grouping, and methodology notes. compiler tradeoffs are now trivial to inspect: gas, bytecode size, deploy cost, compile time, version drift, optimizer/codegen choices, and compiler limitations. the headline result: vyper gas profile beats solc legacy optimizer on runtime gas, and vyper venom beats solc viaIR on both gas and bytecode size. report: evm.banteg.xyz/ repo: github.com/banteg/evm-compil…
May 21
bunny's takopi is the key primitive here: always-on, telegram-ready agent wired directly into your codex sub. i’ve connected it to my custom web3 tooling to methodically analyze any txn and ask follow-ups. best part: expert-grade forensic analysis, even while walking the dog.
May 21
pretty amazing exploit investigation harness based on takopi made by @wavey0x. you just send a tx hash and it gets back to you in 15-30 mins with a full report and a root cause.
wavey retweeted
Hi @veda_labs! I submitted a report to your BBP 5 months ago. Since then I've received shifting justifications for non-payment. I even offered a ZERO reward if you can publicly state no fix is needed. If fixing your contracts matters, please support my work by paying your bounties!
May 19
defi's first fixed rate lending market written in @vyperlang? very interesting new mechanism.
May 18
huge congrats to the chads at @ConvexFinance on being a cornerstone of defi for 5 years now. awesome video. some heartwarming memes from the trenches.
It's been FIVE YEARS! Happy Birthday Convex
May 17
as recently as 6 hours ago, i did not have @Tailscale installed on my devices ... life has significantly improved over that time
wavey retweeted
May 16
thorchain gg20/tss attack path i reproduced the suspected gg20 leakage mechanics against the tss-lib version they used. it accepts malformed paillier material, exposes a type 5 / type 7 oracle shape, and the go-tss wrapper misses some important checks. banteg.xyz/posts/thorchain-t…
May 16
there was a second, more critical, bug in the attacker's 7702 impl contract. live for a full ~20 min before the attack, it allowed anyone to drain the vault's full 1,087 ETH balance. a single block later it was found, and the remaining 0.82 ETH was taken etherscan.io/tx/0x935b366688…
May 15
fun fact: attacker reverted on the atomic drain via his 7702 delegate contract. why? bc his agent cheated on tests during vibe-code. the decompiled bugged logic req'd caller to be anvil's well-known default address `0xf39`. that's why his fork tests succeed, but reverted live
May 15
Important Announcement
Trading on THORChain is currently halted after a vault was compromised. Initial indications are user funds are safe and only protocol owned funds are affected. The network automatically detected abnormal behavior and halted signing activity, which alerted the broader community and prevented further outbound transactions. The investigation is still ongoing to determine the root cause. Contributors are actively working on the issue and we will report updates as we progress toward a solution.
What we currently know:
* One of the six Asgard vaults appears to have been compromised.
* Current estimates place the loss at approximately $10.7m USD
* The network automatically detected the abnormal behavior and halted signing activity, preventing further outbound activity.
* Nodes securing the vault were subject to their bonded RUNE being slashed as a result of the unauthorized outbound transactions.
* Churn activity has been paused while the investigation and remediation efforts are ongoing.
* Onboarding additional chains and operations requiring churns will be delayed until the network is stabilized.
* Initial indications show no individual user swaps were affected.
We are asking all node operators to immediately review their infrastructure, hosts, key management systems, and operational security for any signs of compromise or abnormal behavior, and to report anything suspicious in Discord. Node operators participating in the affected vault are requested to securely provide Bifrost logs to the dev team for analysis using 'make relay'.
May 15
great summary from @coincenter
Our take on Clarity advancing out of Senate Banking today. What happened and what it means for developers. coincenter.org/the-brca-surv…
May 14
ah, yes, @humntech the purported "sybil resistant" identity app also happens to be extremely fkn talented at sybil'ing @thedaofund qf round.
great dashboard. I am very surprised by the projects in the round 😅 Why is this humantech thing such a huge outlier. Looks sus due to the huge difference of donations amount. Something is off there? Also no idea what that is
May 14
sourcify is an underrated public good and has been essential to many of my projects. that's why they received one of my highest contributions on this qf round (w/ a 4x multiplier via my ethsecurity badge)
Some contracts live on hundreds of EVM chains at their canonical addresses and verified on Sourcify:
- SafeProxyFactory @safe - verified on 113 chains (`0x4e1d...ec67`)
- CreateX @pcaversaccio - verified on 81 chains (`0xba5e...a5ed`)
- EntryPoint (ERC4337) - verified on 59 chains (`0x5ff1...2789`)
- Multicall3 - verified on 51 chains (`0xca11...ca11`)
SafeProxyFactory is just one of 13 @safe contracts in the top spots, the full suite runs deep.
How I did it:
1. Go to Sourcify's "Dataset Playground" (link below)
2. Ask "Which address in contract deployments has the most number of chain Ids?"
3. Change the model to `inclusionai/ring-2.6-1t:free` as the default is no longer free :(
4. Let the LLM generate the query and execute
wavey retweeted
the most infuriating part of my entire ethereum experience has been watching Vyper get repeatedly neglected by anyone with power. the most inspiring part has been watching the hard work of people like @big_tech_sux @pcaversaccio @fubuloubu and others to keep it alive
May 13
argot was spun out of ethereum foundation with a mandate to maintain ethereum's core programming languages and developer tooling. then it immediately begins to launder research as if it was core infrastructure maintenance. if you read their blog, they spend a lot of resources on fe, a language that has been "emerging" for over 5 years. they have long plans for fe, while the language itself has seen zero adoption and zero production use. their long term goal is "non-trivial contracts in production-like setting". meanwhile vyper is actual production infrastructure. it secures real protocols, with real users and tvl, and real audit surface. curve, lido, yearn, frax, velodrome all use vyper. yet vyper lives grant-to-grant, while argot started with a $16.6m check, about as much as ethereum started with. argot doesn't disclose how much time and energy it spends on the fe fantasy versus solidity, sourcify, hevm, or other genuinely core tooling. but clearly this pet project abuses and stretches the mandate. even though it's a programming language, by no serious measure is it "core". it should spin out and try to survive and prove demand independently. production compiler maintenance should get baseline funding before speculative language incubation gets considered. vyper is in good shape today despite the ecosystem, not because of it. and it still does not sit right with me that resources keep getting misallocated away from the compiler people actually use. ethereum keeps saying "public goods", then funds the toy compiler like infrastructure and makes the production compiler pass the hat. that is not stewardship.
May 13
a drama-maxxing tabloid is beating out real security projects with one day remaining in the ethereum security funding round. ... ouch
May 13
excuse me, but how is cumrag called rekt news related to securing ethereum? it's long been replaced with an llm that writes snarky "wow hacked again" articles.