Mikko Ohtamaa
03-23
Thread
THE RESOLV HACK AND LESSONS NOT LEARNT

This time, the damage was 100% self-caused and avoidable. Resolv's $50M + $30M mint was "unauthorised", meaning its private key was compromised, good old North Korean style. The wrong kind of Kimchi premium could have been easily prevented.

This was not markets going wrong, prices dipping, or collateral becoming useless. This was simply caused by incompetence, a classic shotgun-into-your-foot kind of stupidity.

Now, for 13 years, since 2013, when multisigs were added to Bitcoin, we have known how to avoid unauthorised private key usage:
- Not to use a private key in the first place, but use a multisignature wallet
- Use a Hardware Security Module (HSM) with additional protections for the signing process

But why did Resolv do this?? It is not exactly rocket science.

WHAT CAUSED THE UNAUTHORIZATION

"SERVICE_ROLE is a privileged role in Resolv's USR protocol contracts (part of the two-phase request/complete mint/swap flow). There is no detailed official documentation from Resolv explaining its purpose, security model, assignment process, or risks. It is mentioned nowhere in the public litepaper, user docs (http://docs.resolv.xyz), or the GitHub README." (Quote by Grok)

AUDITED 18 TIMES

Why didn't Resolv catch this despite multiple audits? Because auditors, outside rare cases like @sherlockdefi, do not care if the project gets hacked or not. They do not take any kind of responsibility for a deployed system. No skin in the game. Just cash payment, and "code looks good."

And even then, all of these auditors failed to flag this obvious thing. We have this SERVICE_ROLE that can mint unlimited amounts of our stablecoin, NOT DOCUMENTED ANYWHERE. Come on, man! "This all-powerful private key in the system", but if you pay us our little fees, your SOFTWARE is good, we do not really care what happens afterwards. Just don't hold it wrong, m'kay?

INVESTED BY COINBASE, PRAISED BY STEAKHOUSE

Brian's seal of approval did not help either.
Only six days ago, Steakhouse wrote this in their Steakhouse Financial Insights: "Operationally, Resolv demonstrates institutional rigor through third-party custody, multi-oracle redundancy, and programmatic safeguards. Resolv has operated without incident to date and has demonstrated self-correcting behavior under adverse conditions" kitchen.steakhouse.financial/p...

This is so hand-wavy that it could be an ISO 9001 quality audit report as well, by failing to name the actual systems, processes, and their properties. "I went for lunch with the guys, and after a glass of French red wine, I was sure the system is good."

Third-party custody? Does this mean they used Fireblocks to secure the private key? A private key wallet written by an ex-Mossad agent is still a private key wallet, and even more risky, because the key is likely stolen by your closed-source software-as-a-service provider directly, as you cannot know how rotten their software is inside.

HOW TO AVOID THESE IN THE FUTURE

It is not that hard. Especially with $10M seed money and a peak of $500M at stake, one can easily do better.
1. Less privileged private keys
2. Use skin-in-the-game auditors
3. Transparency and following the way of decentralised finance

HOW CAN YOU AS A DEFI USER AVOID THESE INCIDENTS

This is a tricky one. The problem is that the underlying smart contracts are written in Solidity, a hodgepodge homebrew language. It's very hard to reason about the security properties of Solidity smart contracts. There are better languages, but it seems we are stuck with legacy Solidity. Despite Solidity's well-known flaws, there has been little actual effort to make it safer by looking at past incidents and having someone paid to figure out how to plug these holes at the language level.

AI is going to help a lot. Because we haven't been able to hold security auditors accountable, as their staked reputation doesn't seem to correlate with the hacks, the way forward is to get rid of security auditors.
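To make "less privileged private keys" concrete, here is an added illustration of the two shapes a stablecoin mint path can take. It is example code written for this page, not Resolv's contracts and not the USR protocol's actual role layout. The first contract shows the weak shape the thread complains about: one role, typically held by a single hot key, that can mint any amount at any time. The second keeps the same operational role but bounds what the key can do on its own: a rolling per-window mint cap, a delayed two-step path for anything above the cap, and an admin role that is meant to be held by a multisig or HSM-backed signer and can veto queued mints. Contract names, the role name reuse, the window and delay values and the OpenZeppelin 5.x imports are assumptions for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not Resolv's code. Names, caps and delays are assumed.
import {ERC20} from "@openzeppelin/contracts/token/ERC20/ERC20.sol";
import {AccessControl} from "@openzeppelin/contracts/access/AccessControl.sol";

/// Weak shape: one role, usually one key, unbounded mint. A leaked key means
/// the attacker's mint is limited only by what the market will absorb.
contract UnboundedMintStable is ERC20, AccessControl {
    bytes32 public constant SERVICE_ROLE = keccak256("SERVICE_ROLE");

    constructor(address service) ERC20("Example USD", "exUSD") {
        _grantRole(DEFAULT_ADMIN_ROLE, msg.sender);
        _grantRole(SERVICE_ROLE, service); // single EOA in the weak case
    }

    function mint(address to, uint256 amount) external onlyRole(SERVICE_ROLE) {
        _mint(to, amount); // no cap, no delay, no second signer
    }
}

/// Hardened shape: the operational key keeps working for routine volume, but
/// its blast radius is bounded and large mints can be vetoed by a slower admin.
contract CappedMintStable is ERC20, AccessControl {
    bytes32 public constant SERVICE_ROLE = keccak256("SERVICE_ROLE");

    uint256 public immutable windowLength;   // rolling window, e.g. 24 hours
    uint256 public immutable largeMintDelay; // veto period for large mints
    uint256 public windowCap;                // max routine mint per window
    uint256 public windowStart;
    uint256 public mintedInWindow;

    struct PendingMint { address to; uint256 amount; uint256 readyAt; }
    mapping(bytes32 => PendingMint) public pending;

    event LargeMintRequested(bytes32 indexed id, address to, uint256 amount, uint256 readyAt);
    event LargeMintExecuted(bytes32 indexed id);
    event LargeMintCancelled(bytes32 indexed id);

    constructor(address admin, address service, uint256 cap, uint256 window, uint256 delay)
        ERC20("Example USD", "exUSD")
    {
        _grantRole(DEFAULT_ADMIN_ROLE, admin); // admin = multisig / HSM signer, not a hot key
        _grantRole(SERVICE_ROLE, service);
        windowCap = cap;
        windowLength = window;
        largeMintDelay = delay;
        windowStart = block.timestamp;
    }

    /// Routine minting: bounded by the rolling cap, so a stolen service key
    /// can do at most `windowCap` of damage per window before it is rotated.
    function mint(address to, uint256 amount) external onlyRole(SERVICE_ROLE) {
        if (block.timestamp >= windowStart + windowLength) {
            windowStart = block.timestamp;
            mintedInWindow = 0;
        }
        require(mintedInWindow + amount <= windowCap, "mint cap exceeded");
        mintedInWindow += amount;
        _mint(to, amount);
    }

    /// Large minting: the service key can only request; execution is possible
    /// after the delay, which is the admin's window to notice and cancel.
    function requestLargeMint(address to, uint256 amount) external onlyRole(SERVICE_ROLE) returns (bytes32 id) {
        id = keccak256(abi.encode(to, amount, block.timestamp, msg.sender));
        require(pending[id].readyAt == 0, "duplicate request");
        uint256 readyAt = block.timestamp + largeMintDelay;
        pending[id] = PendingMint(to, amount, readyAt);
        emit LargeMintRequested(id, to, amount, readyAt);
    }

    function executeLargeMint(bytes32 id) external onlyRole(SERVICE_ROLE) {
        PendingMint memory p = pending[id];
        require(p.readyAt != 0 && block.timestamp >= p.readyAt, "not ready");
        delete pending[id];
        _mint(p.to, p.amount);
        emit LargeMintExecuted(id);
    }

    /// Veto path: only the slow admin (multisig) can cancel, and only the slow
    /// admin can raise the cap, so the hot key cannot widen its own authority.
    function cancelLargeMint(bytes32 id) external onlyRole(DEFAULT_ADMIN_ROLE) {
        require(pending[id].readyAt != 0, "unknown request");
        delete pending[id];
        emit LargeMintCancelled(id);
    }

    function setWindowCap(uint256 cap) external onlyRole(DEFAULT_ADMIN_ROLE) {
        windowCap = cap;
    }
}
```

The point of the second contract is not the specific numbers but the separation of authority: the key that signs every day is the one most likely to leak, so it gets a cap and a delay, while the key that can change the cap or grant roles is the one that should sit behind a multisig or an HSM and be used rarely. Both the cap and the delay are visible on-chain, which is exactly the kind of property a reviewer, human or automated, can verify instead of taking "programmatic safeguards" on faith.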
One day, and very soon, anyone will be able to point an AI agent at a complex deployed smart contract system, and it will give you a thumbs-up or thumbs-down report. On this topic, I already did a small pilot here github.com/tradingstrategy-ai/...… and Claude Code was able to pick out a privileged private key in one of our partners' systems on a deployed smart contract that should not have been there.

PS. For HSM: You do not need any of the other commercial opaque crap to secure your critical private keys. If you are building security-critical smart contract systems that need an offchain highly trusted private key, you can use Google Cloud for this. Here is our free and open source Ethereum signing module for Google Cloud: web3-ethereum-defi.tradingstra...… - just remember to set the organisation policies accordingly.

Kudos to @zacodil and @omeragoldberg for the research.