Let's clear the air: I am not Nomi Chef. It is shocking and amusing that people have made these claims. This is nothing more than a personal attack on me and a strike at Band.
Spent some time looking into the recent exploit of @CoverProtocol $COVER. While not confirmed yet, here's my understanding of the attack in case someone is wondering. Hint: it involves using `storage` and `memory` incorrectly.
Small thread. Need someone to help verify.
I have barely had enough time to eat and sleep in the past few weeks; you can ask every one of our partners. Yet people seem to think I was somehow able to create and launch Sushiswap, be active on CT, manage governance discussions, and work on 20+ Band integrations. LOL
Quick explainer of the Euler attack as I understand it, stealing >$150M. Attacker utilizes abilities to:
(1) Mint both E (lender) and D (borrow) tokens at once without needing to have assets
(2) Donate to reserve, making you underwater instantly.
A quick 🧵 @eulerfinance @peckshield
We are aware and our team is currently working with security professionals and law enforcement. We will release further information as soon as we have it.
1/ PSA: Provably Rare Gem launched on rarity Fantom. Head over to to start mining $GEMs. You will need to connect to the Fantom Opera network to start mining. @AndreCronjeTech @AlphaFinanceLab
1/ Provably Rare Gems for rarity summoners are deployed to @FantomFDN mainnet. Working with @AlphaFinanceLab to get the frontend and everything up by tomorrow. Mining will start when the frontend is ready to allow everyone to have fun together!
@AndreCronjeTech
What's so underrated during this crazy price movement period is that all oracle systems are operating very robustly and keeping DeFi working as expected. We rarely hear about oracle issues now.
No news is good news.
@cryptosavedmyl1 @AlphaFinanceLab Each BLOOT holder will have at least 4 GEMs saved to be claimed at any time. Each BLOOT ID can claim only once. So if you buy a BLOOT that has already claimed, you can't claim with that.
Quick explanation of @CreamdotFinance >$100M exploit:
1. Flash mint ~500m DAI to mint curve y Pool to mint ~500m yUSD
2. Use account A to deposit yUSD to CREAM
3. Flash loan ~500k (worth $2B) ETH from AAVE
4. Use account B to deposit ETH to borrow all yUSD and send to A
cont..
While token prices go down and gas prices shoot up, @BandProtocol continues to operate and is robustly feeding price data for DeFi protocols across all supported blockchains.
1/ TIL that Uniswap V3's `exactOutput` swap works using a series of flash swaps. IMO, this is quite neat and worth a thread explaining so here we are. Warning. All is code.
cc: @Uniswap @haydenzadams @samczsun @danrobinson. If I say stupid things, corrections are welcome.
I have a full-time role at Band and am busting my ass trying to work with the long list of partners we have to code up the integrations to their platforms.
.@BandProtocol oracle has removed FTX from the data sources since the situation started to escalate. We also closely monitor FTX / Alameda affiliated tokens.
1/ Have been thinking + tinkering on how @BandProtocol can go multichain and keep up with the space with fast-paced development + throughput. A bit of history and thoughts 🧵:
Note: This is only early stage thinking. Take it as you want.
Bear market is when $BAND was born. It's the period when we can stay focused and innovate new things to serve the market.
In the previous cycle, we have iterated BAND through TCR to on-chain curation to app-specific chain. Expect more innovation this cycle
.@BandProtocol does not feed price to @anchor_protocol smart contract. We primarily serve @mirror_protocol on Terra and there's no reported issue on that. This is not a transaction from Band. Please verify before spreading false news.
[$BAND] Yesterday we ran an internal stress migration test using the recently released @cosmos v0.44 codebase. Everything went well. Laozi upgrade proposal to come soon. cc @BandProtocol
Just started playing around with @code4rena for the first time as a warden. It's actually a very fun and engaging way to hone your @solidity_lang skill. Highly recommend for anyone wanting to have some fun while also earning!
Also a good prep for the upcoming @paradigm_ctf!
I don't think we have seen this type of exploit yet in the recent hacks. Very interesting to see how attackers become more sophisticated over time.
I may be wrong so any confirms from other experts would be appreciated @samczsun @bantg @peckshield @RektHQ
1/ The attack was due to an incorrect way to check token balances in Uniswap V2 (or its clones)' pair contracts. In this thread, I will explain the issue quickly.
The issue was first brought to my attention in Oct 2020 when @samczsun & I were reviewing @AlphaFinanceLab Homora v1
What we know so far -
*Attacker used $61m in BNB to overcome the pools via an as yet unknown economic exploit path to remove roughly $30m in funds from the pools.
Reach out if you can help identify and analyse the exploit.
CC @RektHQ @samczsun @bneiluj
Just took a quick look at $BAND token stats, and saw that $BAND's on-chain activities have been growing a lot in April. The number of unique addresses has also increased more than twofold. +💯%
Privilege of building a chain (L1 or L2) is that if it stops, there's likely no fund loss, maybe arb opportunity but that's about it.
Try having an oracle network stop for hours. That's why we at @BandProtocol are very careful with network upgrades to ensure things don't break.
1/ We are developing a new chain alongside ETH / BTC with on-chain arbitrary event oracles, provided natively by chain validators.
Most layer-1 blockchains do not have oracles as native functionality and we are building decentralized bridges (IBC) to serve this to them.
If I were designing a new chain to live alongside bitcoin and ethereum, I would take *all* the political tradeoffs that BTC and ETH aren't willing to take.
* On-chain gov w QV
* On-chain oracles for not just prices but arbitrary events
* All the built-in cryptographic operations
An ape dude just casually withdrew $1.3M worth of ETH and used that to set NFT buy walls on @AlphaFinanceLab's newly launched ABW. Will the walls break by tomorrow or will more people come and help strengthen them?
1/ Haven't been tweeting much since the last DeFi summer, where I intentionally took a break from CT (oh drama). Feel like it's time to come back and start (shit)posting.
CT has a lot of cool people and you just feel bad if you don't get a chance to interact with them much.
The attack does 4 things:
1. Deposit LP tokens to Blacksmith contract
2. Withdraw *almost* all LP tokens to inflate `accRewardsPerToken`
3. Deposit LP tokens again (this is the interesting bit)
4. Claim COVER rewards and trick the contract into minting quintillions of $COVER tokens.
For 3) When you use `memory`, Solidity makes a *copy* of the struct from storage for future uses. This makes it efficient for subsequent reads.
However, any change to the underlying storage *will not* affect the loaded data. See below for the deposit function.
1/6 This is good news! If you already trust the source, then there's no need for you to use decentralized oracle networks.
But don't take this as game over for oracles. Rather, this validates the need for off-chain data and shows why oracle protocols are needed. More below
#DeFi has grown to more than $1B in assets pooled in a range of protocols. The Coinbase Price Oracle provides a critical service to the DeFi ecosystem: a trusted price feed that will make platforms safer, more reliable and unlock the next wave of adoption.
1/ Exactly on point. Many protocols on BSC do 1:1 copies from Ethereum while changing minimal things. Some even claim to be the original inventor of the protocol, hoping to attract more users.
@chadrexcapital @ThinkingLSD @CryptoMessiah Just a consequence of changing a few parameters disregarding state growth and then encouraging 1:1 copies from Ethereum while only changing tokenomics parameters to spike the APY and attract noobs to farm. Never have I seen original projects built on BSC and it's catching up now
2/ So what did I do during the past months? Many.
@BandProtocol is growing strong serving data to many protocols with more than 10B acc TVL (+ phase 2 soon).
I also helped advise and launch quite a few DeFi protocols. I bet many of you interact with my code on a daily basis!
Building an oracle is not easy. As easy as it sounds (just feed price from API to blockchains!), there's a lot of design details to make it work robustly. And if things fail, losses can be substantial (think if this happens to @compoundfinance, @AaveAave, @AlphaFinanceLab, etc)
Today around UTC 13:22, the @PythNetwork oracle's BTC/USD price feed suffered a flash crash with the price of $BTC going as low as $8k. This caused a series of liquidation events on the Audaces protocol BTC-PERP market (unfortunately working as intended).
#BitSwing - Seamless UX. Trusted real-time data.
Datapoint is processed through #BandProtocol to dapp within the same transaction as a query occurs. No intermediate block confirmations required. Cheap. Secured.
Excited to see financial products built with real-time data! $BAND $BNB
1/ We are excited to spotlight the first dApp built on Band Protocol Kovan testnet: BitSwing - a binary options trading platform where users will be able to take a 1-min long or short position on Bitcoin
#BandProtocol #band
Play now:
3/ Band has a deep root in Ethereum ecosystem. We first launched on Ethereum in 2019. Our token contract (address 0xba11d...) featured a number of cool techs back then like balance snapshot (mini me) for on-chain voting and `transferAndCall`. Now we act like an oracle sidechain.
This is an awesome development. We will be integrating with tmkms to make sure the validators can submit data report transactions signed by secure key storage systems!
Super excited to be making progress in the KMS's support for transaction signing. This provides a framework for supporting the key storage needs of oracles like @BandProtocol and @terra_money. Support for Ethereum transactions is coming soon.
One Web3 concept that's still largely unexplored is oracle design, especially how data gets to smart contracts.
We've been stuck with push-based and pull-based for too long.
I've been delving into alternative approaches. It will be one of @BandProtocol's key focuses in 2024.
Spent some time thinking about other applications of Bonding Curve and came up with this idea. Any suggestion is very much appreciated! -- Short Selling without Counterparty using Bonding Curve
At @BandProtocol, we have *everything* open source with *permissive license*. Heck, we don't actually have any private repo that is in active development. So hint: If you come scan through our repo (commits/issues/PRs), you can know our announcements ahead of time
1/ Introducing Wrapped Gems™, allowing you to wrap your ERC-1155 GEMs into ERC-20 tokens. Smart contract available for inspection at . You can use frontend at to conduct token wrapping / unwrapping starting now!
.@BNBchain is currently under maintenance.
We will suspend all deposits and withdrawals via BNB chain temporarily until there are further updates.
We apologise for the inconvenience. Thank you for your patience!
Today in DeFi: A victim of the @eulerfinance hack sent an on-chain message to the hacker, claiming that he lost "78 wstETH as my life savings deposited into Euler"
13 hours later, the hacker actually sent 100 ETH to the victim 🤯
The dude now becomes NFT giga BagHodler with tons of BLOOTs (@beaniemaxi) + some LOOTs (@lootproject) and some Pengus. Is he GMI with all these JPEG bags? Only time will tell.
@AlphaFinanceLab Buy wall seems to be working well as intended lmao.
Great post by Vitalik explaining why it's probably not a good idea to have a native oracle on layer-1. I agree with most points there. My opinions below
Laozi is out! On-chain fee is live! The team has been hard at work over the past months. We caught some Cosmos-SDK bugs and helped strengthen the multichain community.
Next step for Band is even more exciting. hint: Extend Band beyond oracle but to other dev infra. Stay tuned.
1/ We are proud to announce that Band Protocol has successfully launched BandChain Phase 2 on the Mainnet - upgrading to support streamed revenue for data providers and upcoming IBC integrations.
Great news! Built with Cosmos-SDK, $BAND @BandProtocol will support all of the features too. In fact, our module implementation is already using Protobuf codec. Open source =
Stargate upgrade is coming to @cosmos!
* Inter-Blockchain Communication (IBC)
* Protobuf Migration: performance increase & better UIs
* State Sync: minutes to sync new nodes
* Full-Featured Light Clients
* Chain Upgrade Module
Art by @Ether_Gavin
When this happens, `rewardWriteoff` is supposed to also increase a lot to reflect the writeoff after the new deposit. However, `rewardWriteoff` is updated during the call to `_claimCoverRewards`, which uses the `pool` struct loaded before `accRewardsPerToken` was updated.
In this case, `_updatePool` was called to update the pool's `accRewardsPerToken`. Because the total amount of LP tokens deposited is very small, `accRewardsPerToken` increases vastly from 3369487996 to 2674182425419677972537559143
@BandProtocol Phase 1 GuanYu release v1.0.2-alpha is out.
Release link:
Devnet link:
Notable changes include full spec & impl of custom oracle script encoding (OBI) and various bug fixes across chain / scan / bridges.
1/5 Another example of how improper oracle design can pose a serious threat to the underlying protocol.
In PegNet's case, the system relies on most of the hashing power acting honestly. This obviously does not work in practice. ⬇️
Internal testing of @BandProtocol BandChain v3 actually shows promising results.
As we learned from @injective and @SeiNetwork how far we can push Cosmos SDK throughput.
The scale of sub-second block time enables Band software to store all crypto prices on-chain as a public good.
As you can see from the image above, `rewardWriteoff` only increases to become 51403402065939829310 - very small compared to `accRewardsPerToken`.
Now when the attacker calls `claimRewards`, the contract thinks the attacker has a very small writeoff and mints tons of $COVER to him.
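The stale-copy mistake the thread describes, as an added illustration that is not Cover Protocol's code: a minimal reward pool where the buggy `deposit` snapshots the pool struct into `memory` before `_updatePool` refreshes storage, beside the corrected version that updates first and then reads through a `storage` reference. All contract and function names are hypothetical and LP token transfers are omitted.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration, not Cover Protocol's code. All names are hypothetical;
// token transfers are omitted so the storage/memory mistake stands out.
contract MemoryVsStoragePool {
    struct Pool {
        uint256 totalStaked;
        uint256 accRewardsPerToken; // scaled by 1e18
        uint256 lastRewardBlock;
    }
    struct Miner {
        uint256 amount;
        uint256 rewardWriteoff; // amount * accRewardsPerToken / 1e18 at last settle
    }

    uint256 public constant REWARD_PER_BLOCK = 1e18;
    Pool public pool;
    mapping(address => Miner) public miners;
    mapping(address => uint256) public rewardsMinted;

    // Accrues rewards into storage only; a `memory` copy of `pool` taken before
    // this call still carries the old accRewardsPerToken.
    function _updatePool() internal {
        if (block.number <= pool.lastRewardBlock) return;
        if (pool.totalStaked > 0) {
            uint256 blocks = block.number - pool.lastRewardBlock;
            pool.accRewardsPerToken += blocks * REWARD_PER_BLOCK * 1e18 / pool.totalStaked;
        }
        pool.lastRewardBlock = block.number;
    }

    // Settles pending rewards for `m` using whatever accRewardsPerToken `p` carries.
    function _claimRewards(Pool memory p, Miner storage m, address who) internal {
        uint256 owed = m.amount * p.accRewardsPerToken / 1e18;
        rewardsMinted[who] += owed - m.rewardWriteoff;
        m.rewardWriteoff = owed;
    }

    // BUGGY: the struct is copied to memory before storage is updated, so the
    // writeoff is computed from a stale (small) accRewardsPerToken and the next
    // claim pays out rewards that were never earned.
    function depositBuggy(uint256 amount) external {
        Pool memory p = pool;            // snapshot taken too early
        _updatePool();                   // mutates storage, not `p`
        Miner storage m = miners[msg.sender];
        _claimRewards(p, m, msg.sender); // settled against stale p
        m.amount += amount;
        pool.totalStaked += amount;
        m.rewardWriteoff = m.amount * p.accRewardsPerToken / 1e18; // stale again
    }

    // FIXED: update storage first, then read the pool through a storage
    // reference so every writeoff reflects the current accRewardsPerToken.
    function depositFixed(uint256 amount) external {
        _updatePool();
        Pool storage p = pool;           // live reference, never stale
        Miner storage m = miners[msg.sender];
        _claimRewards(p, m, msg.sender); // copies the *updated* pool
        m.amount += amount;
        p.totalStaked += amount;
        m.rewardWriteoff = m.amount * p.accRewardsPerToken / 1e18;
    }
}
```

A review check that catches this class of bug: for every `memory` copy of a storage struct, confirm nothing between the copy and its last use writes to the same storage slot.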
Just hacked up Wrapped Rarity Gold™ to allow players to wrap Rarity Gold back to address-owned ERC20 for compat with DeFi tools like DEXes, lending platforms, ..
Not reviewed or deployed yet. Feedback is welcome + anyone can deploy @AndreCronjeTech
5/ Anyways, I plan to start tweeting more about my thoughts on DeFi, oracles, Solidity practice, exploits, and other things blockchain related.
Will also start replying to people. This will be quite a challenge for an introvert and non-native English speaker like me, but I'm very excited!
But seriously though if you have >$3M of clean capital. Why would you want to convert to $15M of dirty money. I guess the only explanation is that the initial capital comes from another attack….
Oracles vary:
Some lack a chain, solely relying on reputation for security.
Some build POA chains—a curious choice
@BandProtocol builds a decentralized chain for security, auditability, and permissionlessness, at the cost of higher coordination and performance overhead.
[PSA] $GEM rarity mining of Amber ($AMBER) and Spinel ($SPINEL) will start this weekend.
- Amber: Sep 11, 2021 5am UTC.
- Spinel: Sep 12, 2021 1pm UTC.
I'm trying to randomize the time to make it friendly for people from different timezones.
Coming up next on LLFn: the docs website it deserves
LLFn is a light-weight framework for building AI apps. If you're already using @LangChainAI, LLFn will work nicely with your stack and 10x your dev speed.
@nomorebear and I will also be porting @BlockAGI to LLFn in a bit
Glad to be working with @GoogleCloud and pushing this out to the public! This is just a part of what we have been working on together
btw. Probably my first time doing an interview session so please excuse my nervousness 🥶.
1/ We are excited to release an Architecting Startups episode with @GoogleCloud feat. our very own CTO @nomorebear on how @BandProtocol leverages GCP infrastructure to create a robust data oracle to improve the usability of blockchain technology!
1/ It is official - the IBC token transfer is now live on BandChain!
$BAND holders can transfer their tokens to our partner chains with IBC capability and perform activity on those chains with BAND tokens
[#GEM] Mining for rarity Spinel started and within minutes the difficulty is skyrocketing very quickly. Which is kind of expected as a lot of GPU miners are participating.
For the remaining GEMs, we may need to adjust the distribution mechanism to make it more fairly distributed.
🚨 If you are holding tokens with Atomic app (including $BAND) you should be aware of this potential incident. Better to move funds out to stay on the safe side.
2/ As a layer-1 protocol, it's better to have only the lightweight, publicly-verifiable, deterministic logic that everyone can trust and build with.
Bundling more features like Oracles, DEX, Stablecoins, etc into layer-1 itself makes it harder to maintain the security promise.
Amidst all this price volatility, I just wanted to give a shout-out to all the builders, dreamers, investors, and users out there.
You are crypto. And crypto is nothing without you.
The fact that this "typo" (not a "bug" according to them!) passed unit tests / integrated tests onto the production on mainnet is beyond my understanding...
Guys if we are dealing with hard-earned real money from real people, we need to step our security game up.
‼️ ALERT A typo has been found in the code. Because of that, liquidity in expired options contracts can't be unlocked for new options. ‼️ Please EXERCISE ALL OF YOUR ACTIVE OPTIONS CONTRACTS NOW. Everyone will be 100% REFUNDED with the amount of premium that you paid for options.
3/ That's why at @BandProtocol we really believe in cross-chain decentralized oracles.
Oracle networks are complementary to layer-1s. Users should have the freedom to choose the oracle that suits their needs, or even combine them in an innovative way for maximum security / usability.
Shout out to @graphprotocol. Very simple to integrate and write code to index smart contract data. At @BandProtocol, we use the service for all our apps: governance portal, staking portal, and BitSwing. They all have been working great for several months!
1/ We're proud to be supported by @graphprotocol, the decentralized protocol for indexing and querying data.
Read more on how $BAND has implemented The Graph!
1/ We have just published our April community update for $BAND!
Our key milestones for this month include:
- Successful Testnet #2 w/ 20+ Validators
- Hackathon w/ @cosmos @agoric
- @KyberSwap Listing
- 12 New Partnerships
- Community AMA & Outreach
1/5 We're back to interesting exploits, and @InverseFinance users lost money today.
As a result, $15.6M was stolen in the form of:
- 1588 ETH
- 94 WBTC
- 4M DOLA
- 39.3 YFI
6/6 All the above is just about spot crypto price data. As the blockchain ecosystem grows, you will need data from other sectors as well.
That's why oracle protocols are very much needed to accelerate the growth of the ecosystem while making sure that data is trusted.
.@nipun_pit @tascha_panpan @AlphaFinanceLab AFAIK, the upcoming Alpha Buy Wall product is exactly this. Allowing people to bid for floor NFTs on chain. Can we add some pool2 mechanism (distribute more NFTs for those who bid for NFTs) on top for more fun 🤩?
Let's move fast but not break things!
Great save by @BandProtocol engineers to prevent a production consensus failure that may very likely happen after the next IBC upgrade on @cosmos SDK family chains.
1/ On the night of Tuesday 24 August, $BAND team discovered a critical issue affecting the latest release of @Cosmos SDK v0.43, specifically ibc-go v1.0.0, that leads to non-deterministic code execution.
Brief outline of the issue here:
.@BandProtocol real time price streaming is such a game changer in the oracle data space. Open version of CMC/Coingecko where data is always available for anyone free of charge and fully auditable, with incentives purely driven by tokenomics.
Ascii diagram is the best kind of diagram. For those who are interested, this is @cosmos-SDK v0.37 / @tendermint_team v0.32's block header struct. We are re-building it on Ethereum to do some on-chain lite-client verification for $BAND chain.
See code ➡
5/ It's midnight now in Thailand, so I will save more typing for tomorrow. Looking forward to mining GEMs in Fantom with you all!
P.S. the experience of deploying contracts to Fantom is awesome. If you haven't tried, I recommend you try. All the same ETH tooling works great.
For anybody who wants to read the code before launch. Head over to .
Code is not yet audited but risk to ape should be minimal as the contract never takes your ETH or NFTs. We will launch with basic browser mining. Mining program coming later.
1/ So what is #Alpha together with @nomorebear launching for #Loot and #Bloot?
It's called Provably Rare Gems. Launching in <4 hours.
Combining the Proof-of-Work (PoW) concept with gems to be used in the metaverse. These #LootGEMs and #BlootGEMs can be mined using PoW.
🧵
Sure you heard of parallelized EVM by now but have you ever thought about parallelized oracle networks?
The current Band Protocol iteration, while having fairly high throughput, is fundamentally limited by validator coordination on BandChain. What if we bring it offchain?