Unchained

Strategy's Preferred Stock Is Now a Stablecoin. And DeFi Has a Security Problem.

60 min
Apr 22, 2026
Summary

This episode of Bits and Bips explores two major DeFi developments: Apex's new stablecoin backed by MicroStrategy's preferred stock (STRC) that yields 12-13% by bridging TradFi yields onchain, and the $290M Kelp DAO hack via Layer Zero, which exposes critical infrastructure vulnerabilities in DeFi protocols and raises questions about security models, insurance, and regulatory frameworks.

Insights
  • Yield-bearing stablecoins are growing 15x faster than traditional stablecoins, but represent a fundamental shift from currency to credit instruments requiring different regulatory treatment and risk frameworks
  • DeFi's security model has shifted from smart contract exploits to infrastructure-level attacks (RPC nodes, bridges, DVNs), requiring redundant verification systems rather than code-only solutions
  • The Kelp DAO hack demonstrates that nation-state level attackers can compromise multiple systems simultaneously; protocols must assume transactions are potentially fraudulent and implement delays/checkpoints rather than optimistic finality
  • Preferred stocks like STRC offer transparent, liquid alternatives to private credit for yield-seeking investors, potentially capturing massive capital flows from redemptions in illiquid private credit markets
  • DeFi protocols face an unsolvable trilemma: maintaining composability, efficiency, and security simultaneously; trade-offs are inevitable and must be consciously chosen rather than avoided
Trends
  • Yield-bearing stablecoins as bridge between TradFi balance sheets and DeFi liquidity pools
  • Nation-state level attacks on DeFi infrastructure shifting focus from code audits to operational security and redundancy
  • Insurance and pooled risk models emerging as necessary complements to code-based security in DeFi
  • Regulatory clarity enabling more centralized safety mechanisms (pause functions, monitoring) in DeFi protocols
  • AI-powered security tools (like Anthropic's Claude) becoming arms race between defenders and attackers
  • Preferred stocks and structured equity instruments as yield sources replacing private credit allocations
  • Rate-limiting and transaction delays becoming accepted trade-offs for security in DeFi lending protocols
  • Decentralized insurance pools with experience-rated premiums as market-driven security solution
  • Simplified, self-contained DeFi primitives (AMMs) outperforming complex composable systems in security resilience
  • Cross-chain bridges and multi-DVN setups requiring consensus-based verification rather than single points of failure
Companies
MicroStrategy
Issuer of STRC preferred stock; buying billions in Bitcoin weekly; backing Apex's yield-bearing stablecoin
Apex
DeFi protocol launching APXUSD stablecoin backed by STRC and other preferred stocks; $180M TVL in 7.5 weeks
Kelp DAO
Victim of $290M hack via Layer Zero bridge; compromised RPC nodes and single DVN configuration
Layer Zero
Cross-chain messaging protocol; single DVN default configuration blamed for Kelp DAO vulnerability
Kraken
Cryptocurrency exchange; just listed APXUSD stablecoin; team members are ex-Kraken founders
Pendle
DeFi protocol where APXUSD is listed; enables yield trading and points farming
Chainlink
Provides CCIP protocol for Apex's bridge security with daily limits and monitoring
Aave
Lending protocol mentioned as example of complex DeFi composability and contagion risk
Uniswap
AMM cited as successful simple model with self-contained risk; v2/v3/v4 upgrade path
Morpho
Lending protocol attempting to balance capital efficiency with immutability and security
Euler
DeFi protocol; spent millions on security; uses multiple DVNs for Layer Zero
Drift Protocol
Partnered with Tether for additional security resources and auditing capabilities
Tether
Stablecoin issuer; partnering with Drift Protocol on security and resourcing
Anthropic
AI company; Claude/Mythos identified vulnerabilities in 26-year-old BSD Linux systems
BlackRock
Largest asset manager; took neutral position on equities, creating cash on sidelines
JPMorgan
Research noted yield-bearing stablecoins growing 15x faster than traditional stablecoins
Circle
Stablecoin issuer; STRC IPO larger than Circle's 2025 IPO
Berkshire Hathaway
Reinsurance model cited as template for DeFi insurance underwriting and risk assessment
Interactive Brokers
Broker offering access to STRC globally; alternative to DeFi for non-US investors
Sushi
Early lending protocol experiment with peer-to-peer model; abandoned for pool model
People
Parker White
Discussed Apex stablecoin design, STRC backing, yield mechanics, and DeFi security challenges
Austin Campbell
Host of Bits and Bips; moderated discussion on Apex and Kelp DAO hack
Ram Alawalia
Discussed macro positioning, Iran geopolitics, AI market rotation, and DeFi security frameworks
Chris Perkins
Former investor; discussed risk taxonomy, regulatory frameworks, and security insurance models
Michael Bentley
DeFi builder; analyzed Kelp DAO hack sophistication, security trade-offs, and lending protocol design
Michael Saylor
Issuer of STRC preferred stock; buying billions in Bitcoin; backing Apex's yield narrative
Joseph Onorati
Cited as bull case analyst on Apex's feedback mechanism bridging TradFi and onchain markets
Alexander Bloom
Cited as bear case analyst warning that yields above 6% over treasuries carry additional risk
Stephen Strong
Cited as bear case analyst characterizing APXUSD as BTC vol derivative dressed as dollar
Zach Rinds
Cited as third-party analyst blaming Layer Zero for single DVN vulnerability in Kelp DAO
Yuval Hasib
Mentioned as participant in pre-recorded Canton debate with Matter Labs; episode to follow
Alex Krofsky
Mentioned as participant in pre-recorded Canton debate with Dragonfly; episode to follow
Quotes
"This is definitely not a genius denominated stamp product, genius regulated stamp coin. Right. Like that's so names matter."
Chris Perkins, ~15:00
"Humans love yield. They don't love leverage. They love, humans love yield. Yes, if it comes through leverage, that's in the fine print."
Ram Alawalia, ~28:00
"Why are we blaming the victims again? Yes. Could they have been stronger? Absolutely. But when I'm walking down the street with my wallet and someone steals it from me, you know, those are the persons that need to be held accountable."
Chris Perkins, ~45:00
"I'm resigned to say that it's just not possible for credit, really. We've had seen many teams come up with all sorts of interesting ideas on how to do this. And I just don't think it's possible."
Michael Bentley, ~85:00
"The current paradigm is not sustainable. We are not going to be able to have our cake and eat it too and we're going to have to figure out which trade-offs we're willing to tolerate."
Austin Campbell, ~95:00
Full Transcript
Hey, everybody. Welcome to Bits and Bips, where we explore how crypto and macro collide one basis point at a time. We're here to discuss the latest stories in the worlds of crypto and macro, and today, one or two interesting new developments and products. But before we begin, first, a word from our sponsors. If you've been loving Bits and Bips, don't forget that the show is transitioning to its own feeds on X, YouTube, and your favorite podcast player. If you're not already subscribed to Bits and Bits on its own channels, go there now and hit that subscribe button so you can keep up with our twice weekly live streams and Macromese crypto breakdowns. Bits and Bits will only be on the Unchained feed for a few more weeks, so subscribe today to be ready for launch. You can get all the links at UnchainedCrypto.com slash Bits and Bits. All right. Today is Monday, April 20th, and I am your host, Austin Campbell, high scholar of Zero Knowledge Group. Here with my co-hosts, Ram Alawalia, Maester of Wealth, the leader of Lumina, Chris Perkins, CEO of 250 Digital Asset Management. And today, we're going to be joined by multiple guests, but starting with Parker White, founding contributor to Apex. So let's start with that one, which is Apex. We've seen a significant set of products launch over the past few years, attempting to capitalize on blockchain rails, developments around crypto, and call it alternative means of creating, I guess in this case, stable coins. So Apex, Parker, I'm going to let you give us the download on this first to describe as our foundation here, what is it? How does this work? Sure. So the general idea is to create a stable coin or a stable like asset backed by digital credit. And digital credit is what Michael Saylor is calling their preferred equity instrument issued by strategy, STRC. So if anyone's been paying attention, I believe it was last week, they bought about two and a half billion dollars worth of Bitcoin. 
They are raising capital at a pretty astonishing pace. MicroStrategy's STRC or stretch instrument, as they call it, is the most traded, most liquid and largest preferred stock ever in history. Preferred stocks are kind of a somewhat niche area of the market. But interestingly, and many people don't know this, Stretch's IPO was actually the largest IPO of 2025, full stop. Larger than Circle, larger than any other asset, you know, IPO. And so it has really been catching on now. And but, you know, it's NASDAQ listed. It's not really accessible into the DeFi world. And so essentially what we did was we created a stable coin backed by this instrument, some cash in there as well, a little bit of SEDA. But we think a whole bunch of other debts are going to be issuing very similar variable rate non-convertible preferreds as well. And so this basically ports that yield from the NASDAQ into the on-chain world. So right now, APYUSD, the staked version, is paying about 12%. We target about 13%. And so it's, you know, good double-digit yield on chain, and it's super transparent backing. There's no, like, trading strategies or borrowing and lending across Aave and centralized exchanges. It's just people give us cash. We send it to the brokerage account. We buy the stretch. That's that. um now we of course are listed on pendle and we you know have the points farm and all that which helps to boost the yield a little bit but the underlying collateral base is you know itself yielding about 12 because we've got you know stretch in there which is 11 and a half and we've also got sata so um pretty straightforward pretty simple product but over the last seven and a half weeks, we've been growing pretty significantly. We've hit about $180 million in supply. We announced, I guess it was a week or so ago, crossing the million share, so $100 million worth of stretch on the balance sheet. So we're one of the largest holders of stretch at this point. 
And today, actually, the stablecoin was just listed on Kraken, which is pretty wild for a stablecoin pre-TGE to be listed on Kraken. Obviously, the entire team is ex-Kraken, so that certainly helped. But there's a lot of steam being built here around this narrative of digital credit on-chain. Excellent. So looking at this as we look at, call it press commentary out in the world. One, bull case. So if we look at Joseph Onorati, the CEO at DeFi Development Court, its apex creates a feedback mechanism that bridges between publicly listed balance sheets and on-chain markets. Benchmark Research was noting that Stretch is becoming the backbone of yield-backed stablecoin ecosystem. And Parker, you just gave us a good description of how to get this yield on chain. So bear case to go the other way. Alexander Bloom, CEO of Two Prime, says a product that pays more than 6% over treasuries must come with additional risk. And Stephen Strong says Apex USD is a BTC vol derivative dressed up as a dollar. If stretch trades below par, the yield story will break. Now, JPMorgan Research has pointed out that yield bearing stables are growing significantly faster than traditional stables. Call it 15x faster right now, though. Noting for everybody, coming off a small denominator is much easier than coming off a large denominator. 15x size from current non-yield-bearing stablecoins would be a giant amount of money. And post-genius, yield-bearing stablecoins are no longer, call it stablecoins in the United States. So what I want to dig into, and actually, I would like to start with Chris as a former investor and somebody who's managed a liquid fund and like currently looking at these strategies is where do you place this in the risk taxonomy in the world? Right. As we look at an instrument like this and where is it going to be used on chain? So I think you nailed it. This is definitely not a genius denominated stamp product, genius regulated stamp coin. Right. Like that's so names matter. 
And I think if we're United States, we have to call it something maybe differently. It's kind of a mix of on-chain private credit. I guess I've got a couple of questions, if it's OK. What's what's the goal of having a, quote, yield bearing stable coin versus it sounds like in this case is to maximize yield. but why call it a stable coin as the end use case to have that stable coin serve as collateral to additional exposures i wanted to just say this is a private credit exposure that's yielding 11.5 percent 12 percent well very importantly it's not private credit right it's not backed by illiquid assets it's not backed by apollo funds it's backed by a preferred stock trades on the NASDAQ. You can see it every day. It trades hundreds of millions, some days billions of dollars in volume. And so that's actually kind of the interesting juxtaposition here is that you've seen a lot of these private credit instruments come on chain, whether it's straight private credit or it's the reinsurance stuff. This is not that. This is kind of the opposite of those. It's just You can see the balance sheet. You can see the number of holdings. Got it. And then when you take something that's a security and you bring it on chain, isn't it still a security? So when you wrap it, it's part of a basket, right? So you've got a mix of some securities, some non-securities, some other stable coins, that kind of thing. But, you know, the asset or at least our front end is not available to folks in the U.S. 
so that is important you know you can't access it in the u.s it's kind of geo-blocked to a number of jurisdictions the reg s exemption offered to foreign foreign investors so is there any additional value added sorry just one click verification like is there any additional value added versus owning strc directly other than it's on chain well it's a couple things so you get the diversification of holding a little bit of as well and then there will be others of these um that'll be launched you know one or two from the large ethereum dots maybe one or two from some of the solana dots um and so you kind of get that the diversification um that basket there um the other one is because we are over collateralized and there's a mix of some cash in the pool as well as the preferreds you get a little bit of reduced vol so if the vol on the prefs is say you know well right now it's like one percent but let's say it's like historically it's maybe like five percent then the vol here might be like two and a half percent or something so you get some of that reduction there um those are like i'd say you'll be lower if it's over collateralized though because you're tying up more capital but if i understand correctly it matches the yield of strc it's it's a lower vol because it's over collateralized and we don't fully understand the question right so it's over collateralized then that's consuming some capital right so therefore shouldn't have a lower yield versus investing strc well because of the diversified basket right some of these other prefs do pay a little bit more yield um you know that generates some extra yield. And then, of course, because it's a crypto project, we've got the governance token. And so, you know, we can sell some of that to kind of build the reserve. But then very importantly here is the two token stable model. So it's very similar to Athena. We've got APXUSD is the non-staked version. And then APYUSD is the staked version. 
APYUSD is the only bucket that pays yield. And so right now we've got, let's just call it 50% of the balance sheet or 50% of the issued assets are staked. So the whole collateral base is paying yield to just the 50%. So that's how you actually get some, you know, kind of yield leverage, if you will. So that kind of allows us to be a little bit lower vol and a little bit higher yield than just holding stretch directly. So it's really kind of packaged to make it more accessible for set it and forget it investors. But then it also creates this ecosystem where you can have the active traders trading the non-staked version as well. And that all creates a liquidity flywheel such that our asset is much more liquid on chain than say like an STRCX, one of the X-stocks tokenized versions. so if we're thinking about the framework here and it's going to be a reg s issuance and it's going to non-us persons it sounds to me like the value prop is i don't have a u.s brokerage account i can't buy this thing natively i'm elsewhere in the world i would like to get my hands on this yield i go into defy and buy that thing a little bit like athena works right as you said which is a packaged version of the basis trade and then if we're thinking about the collateral pool that you have in there, the risk that these people are taking is basically a combination of stretch continuing to work because obviously impairments, they are just passed through. That is what it is. That is the nature of the risk that you're taking. And then the second part of that, I suppose, is all the usual DeFi protocol risks, which you will try to manage as well as you can in a relatively linear way. But do I have the profile right of the investors that you're looking for and what the underlying risks are there. Yeah, I think you've nailed the risks really well. I think the other demand pool is going to be investors that want to use this as a DeFi building block, a DeFi Lego. 
So right now you've got it trading on Pendle. People can farm the YT, points on the YT, or they can do the PT. We're talking to a number of these tranching protocols where they take the yield version and split it into a senior and junior tranche. So, you know, once it's kind of in that DeFi package, it can be used in all sorts of creative ways. And so investors that want exposure to, you know, stretch and some of this other, you know, pool basket, but they want it in a unique way, maybe a higher yield junior tranche, maybe a senior tranche, maybe a points farm, whatever. They can access it here versus, you know, stretch shareholding in your Schwab account. Like you can't use it in DeFi at all. It reminds me of some of the financial engineering that we saw, like in 2008, where you had CDO. It's like, wow, this product is so good. Let's just CDO the CDO. Let's take all the tranches and tranche it up again. You know, STRC is itself financial engineering. It's creating yield on an underlying that has no yield, right? Now, your product is a pass-through. It improves portability and accessibility to non-U.S. investors. 
That's what I was going to say. And it creates more yield for the junior tranche through structural leverage. It's really, it's, it's kind of fascinating. You know, humans love leverage, right? We'll find a way. Give me something with a stable yield, we'll find a way to get more leverage, juice it up, distribute it to the far corners of the earth. No, Ram, humans love yield. They don't love leverage. They love, humans love yield. Yes. If it comes through leverage, that's in the fine print. Humans love yield. That's right. With no drawdown risk, that just always pays 10. That's what humans like. Yes, equity return with bond-like volatility.
The thing that's got to be keeping you awake at night right now is kind of the stuff that we saw at the Kelp DAO, right? Is it, is it, if DeFi is the utility use case here, how do you get your head around that, you know, with what we continue to see over and over again?
Yeah, it's certainly, I think, slowing down our, you know, product roadmap and having to spend a lot more time on security, getting audits on lots of different areas. You know, we, all of our minting and redeeming is done manually. We have a multi-sig that we do that. So that kind of would help us avoid the resolve issue. We also have time locks on all of our contracts. Everything is manually reviewed, so that would help us avoid the Drift issue. And then right now we use, for a bridge to Base, we have, you know, use Chainlink CCIP protocol and also have amounts, daily limits for the bridging there, which would help us have avoided the Kelp issue. But yeah, I mean, look, these are all issues and the next issue is probably not going to look like any of the last three or any of the last 20 that we've seen over the years. And so it's being, you know, it's all about being hypervigilant. And, you know, the team here, ex-Kraken, going all the way back to 2013 at Kraken, we've got a pretty good upbringing and, you know, training in the security realm just having been at Kraken. And so applying all that knowledge here. 
But yeah, it certainly makes things slower and more difficult. Yeah. Even if you have all of your act together, it's like the third party dependence. It seems like we can't control it. It must keep you awake. Look, I'm a big buyer of DeFi. I think it's going to be one of the fundamental unlocks into the future. But gosh, we really got to navigate this real critical juncture. Yeah, absolutely. So I'm going to go the other way as I think about this and say, I agree with Rom's commentary and Parker, what you're saying, that this is effective packaging to get these equities into the DeFi markets and distributed to people who cannot currently hold them. I think the risk profile of that becomes pretty clear, which is to say if bad things happen to strategy or stretch, bad things will happen here and vice versa. To me, as long as that is fairly disclosed to people. I believe people should be able to evaluate and take risks with their money. That sounds fine. If I were the founder behind this thing, though, in a strange way, are you not long, call it U.S. regulatory stasis? That is to say the worst nightmare in some ways would be Stretch being able to just trade in DeFi freely in the first place, because that reduces a lot of the value of the wrapper here so in a sense are you guys kind of call it betting on more restrictive versions of clarity less action from the sec or simply never finding a path to distribute u.s equities effectively on chain to non-us persons well today you already have um u.s equities on chain via x stocks and some of these other super state ondo so on So we're actually now the largest holder of STRCX on chain. So we just actually mint STRC into STRCX and then hold it ourselves. But there's no market for this stuff. It's not trading. It's not really being used in DeFi. It can be. There's nothing preventing X stocks. But there's just not a lot of demand for it. 
We are already far more liquid than STRCX on chain and more liquid than I think all of the X stocks maybe combined at this point. And so the packaging, you know, as I mentioned, it's not just straight STRC pass through. It's a basket. It's got some of those other things. Got the two token model, a couple of different kind of crypto modifications, if you will, that really boost the liquidity. And ultimately, that is going to be the moat for just a straight STRC on-chain. Because again, it's not just non-US investors that, like all non-US investors that can't get access to stretch. There's lots of brokers all over the world. People can buy this stuff directly in their brokerage accounts, interactive brokers, all these different brokers around the world. But people want to buy this because of the way that it's packaged. It's maybe more similar to, you know, an ETF with some unique crypto features than it is just holding stretch itself. And I think that will become more clear over time as more of these debts issue these instruments. And we can have a little more diversified base right now. It's just stretch and SATA and mostly stretch. But I think over time, you'll start to see that spread out. And, you know, that'll add some liquidity benefits as well. How do you. Sorry, Chris. I was just going to say for you, how do you get back on shore? I mean, you don't want to have an instrument that's only available to non-US persons in the long term. You want to have maximum liquidity as possible. How do you do that? Yeah, that's a great question. You know, I think there's probably going to be, you know, assuming clarity does eventually pass, there's probably going to be a lot of rulemaking around that. So it might take a little while, but we'd eventually need to see some type of regime for yield bearing instruments, you know, not exactly stable coins, but, you know, loosely stable coins or just loosely stable in value. But some kind of regime to offer that to U.S. 
users, you know, so we'll have to see what kind of developments come, but it might take a while. but interestingly on a secondary market basis so the primary issuer us you know we can't kind of issue roughly or relatively speaking to U.S. users but for example APX USD that just listed on Kraken it is available to U.S. users so on a secondary basis users can go out and trade it and you know we can't really do anything to control that and so this is kind of the you know I wouldn't say loophole, but kind of the construct that even like an xDox is using where xDox is not formally issued to US users. But if they happen to interact with it within DeFi, that's kind of like up to them. So I think over time, you know, it might just naturally get into the hands of folks. Again, we're not, you know, offering that or marketing that. But hopefully a sandbox does appear over time from the SEC and the CFTC to make this formally available to U.S. users. All right. So speaking of things available to U.S. users, Rom, stocks hit a record high. Bitcoin has been ripping and is up significantly right now back to things they're helping stretch. I think it's at like 76K today, if I'm seeing this correctly. And yet the war in Iran continues. We don't yet have a ceasefire and the markets appear to be shrugging. I mean, previously people used to think Trump would taco and back off when economic pain bites, but instead we're just not really having economic pain as we can see through the lens of Bitcoin right now. What do you make of what is going on, right? If Trump, you know, as the Wall Street Journal earlier alleged, is in the process of putting up impulsive posts and yelling at people, but the markets are shrugging it off and moving onwards, as though this will be, to quote you, a nothing burger, what's going on here? Two topics. One is positioning. And the second is Iran. 
So what happened is, and I mentioned this on Twitter, I think on April 7th, is that the hedging, the shorting is so significant. People also exited the market. BlackRock took a neutral view on equities. That's the largest asset manager in the world, which many investment advisors follow. And they're themselves an asset manager, went to a neutral position. So they're offside. There's a lot of cash offsides and they're trying to find a way to get back in. So that's one. The second thing that happened is Claude went from AI apocalypse to decimating whole categories when they had these product releases at a seemingly unstoppable frenetic pace of every two days, right? Hurting SaaS, hurting Wall Street names, trading names, Adobe, you name it. Now it is, hey, this AI stuff is real. The world is short, data center compute. So semis have to go up, industrials have to go up, financial services see a productivity boom. That is the new thing. And people are scrambling to get in. This is very reminiscent of last year, actually. This is a non-consensus rally. So I'm excited. I think you should be constructive. On the Iran piece, I think Iran is largely priced in now. The people that wanted to sell, sold out. The U.S. economy can handle oil at 85, 90, 95. It can't handle 120, but it seems largely contained. There's been no further escalation. The U.S. is blockading the straight-up from Moos, and tankers are lined up outside of Houston, then as well as increasing production. Not bad. So far, so good. There was a fantastic Wall Street Journal article that came out this weekend. I don't know if you guys had a chance to look at it. it gave a lot of insight into Trump's decision-making. There's a behind the scenes view into what is happening. We can talk about that, Austin, if you want to go there. I'll just kind of pause and give you the market view. Yeah, I know Parker has to depart momentarily. So Parker, I wanted to ask, do you want to throw anything in here on the global macro? 
Like how does this make you feel as somebody who's structurally long Bitcoin, shall we say? Sure. And, you know, just I've been structurally long personally for quite a while and basically in all the projects that I've worked on. I think it's really interesting seeing Bitcoin kind of decouple from equity markets during this crisis, started to move higher. That was a real interesting moment. But then I think as investors look at this catch up trade, look how to, you know, get back on sides here. you got to live across the risk spectrum, look at equities, and then you look at Bitcoin, still well off all-time highs. You got to think that there's going to be some type of catch-up trade here. I know we're in the throes of a bear market and all this DeFi stuff is going on, but Bitcoin's not impacted by that. And strategy's buying billions of dollars of Bitcoin a week now. I kind of like the setup from just a relative value perspective. How long do you think MicroStrategy continued to market Stretch and not run out of the marginal buyer? Isn't that what the Bitcoin complex depends on? Yeah. So what's really interesting about Stretch is rather than having to pitch to people, do you want to buy Bitcoin? Here's It's a story about Bitcoin. It's, you know, here's the returns, volatility, whatever. You just go pitch, do you want to buy a one vol asset that yields 11.5%? It's a much easier pitch. And as you see all the redemptions in private credit where investors were just slinging tens of billions, hundreds of billions of dollars in without fully understanding what was in there, right? Clearly, you've all these redemptions hitting all these gates. I think you're going to see a rotation and private credit investors that are used to double digit yields. They're not just going to say, well, I guess my mandate needs to change and I'm going to go buy treasuries. 
No, they're going to go look for something else that is also yielding double digits, but needs to solve the problems of the last, you know, area they were in. And the two problems of private credit are illiquidity and lack of transparency. Stretch is liquid and transparent. And so I think you're going to see people typically look at preferred stocks and be like, well, it's this tiny bit of the market and like the TAM is not really going to grow. But I think it's going to grow massively because you're going to see this huge wave of capital moving out of private credit into this. And investors can easily model it. You can short Bitcoin. You can short MicroStrategy Common. There's lots of ways you could hedge it on the TradFi side if you wanted. And so I think I think stretch can grow quite a bit. Now, it'll start to be a little bit constrained by the MicroStrategy balance sheet and the leverage ratio that they take on. But as long as they can continue to run a common ATM as well, they should be able to balance that out. And then, of course, you know, every move in Bitcoin to the upside also delevers the balance sheet. So I think they've got quite a bit of runway here. It's only an eight and a half billion dollar instrument, which is a drop in the bucket from, you know, global financial products perspective. I think you hit the nail on the head with the ultimate thing this all hangs on is micro strategies common and Bitcoin price. Right. Like Bitcoin having another very significant leg down is a very different story here than going back up towards the all time highs. And so all roads, you know, Ram, you've said this before, but all roads ultimately just lead back to sentiment to markets overall. So I guess we'll pause there on this one. Parker, thank you very much for joining us. We appreciate the time today. Thanks for having me on. See ya. Absolutely. And for everybody else, we're going to take a quick commercial break before we're back with our next guest. 
If you've been loving Bits and Bips, don't forget that the show is transitioning to its own feeds on X, YouTube, and your favorite podcast player. If you're not already subscribed to Bits and Bips on its own channels, go there now and hit that subscribe button so you can keep up with our twice-weekly live streams and macro-meets-crypto breakdowns. Bits and Bips will only be on the Unchained feed for a few more weeks, so subscribe today to be ready for launch. You can get all the links at UnchainedCrypto.com slash bitsandbips.
All right, everybody, welcome back. Uh, we are now joined by Michael Bentley, uh, lord protector of Euler, um, and we're going to be talking about the Kelp DAO hack. So as an ongoing trend in DeFi, we've continued to have some security issues. Kelp DAO appears to have been about a 290 million dollar hack, where attackers, allegedly North Korea's Lazarus Group, drained 116,500 rsETH, valued at about 290 million, uh, from Kelp DAO via its Layer Zero bridge. The attack mechanics are basically that attackers compromised two RPC nodes feeding Layer Zero's single DVN, swapped, um, the op-geth binary for a malicious one, and then the clean nodes were DDoSed to force a failover to what are essentially now poisoned nodes, which approved a fraudulent cross-chain mint. The malicious nodes straight up lied, um, selectively, so the monitoring queues failed. This is Blockaid's analysis of what occurred. Um, perhaps unsurprisingly, Layer Zero and Kelp DAO are now fighting with each other. Um, Layer Zero said Kelp DAO chose a one-of-one DVN configuration; a hardened setup requires consensus across multiple independent DVNs. Kelp DAO countered Layer Zero's own quick start and GitHub defaults point to the one-of-one structure, and 40 percent of Layer Zero protocols use it. Um, third-party analysts are, to be honest, blaming largely more Layer Zero here. So Zach Rynes of Chainlink, uh, 0xngmi, the Defiant and Dune analysis, and Euler have all said single verifier setups have always been centralized oracles.
So I'm going to start right here before we get into some of the downstream economic implications of this, of what do people make of this specific attack, the sophistication, how the setup was done. Michael, I see you nodding. Do you want to start?
Yeah, sure. I mean, this is, is clearly a sophisticated attack. There's no doubt about that. I mean, uh, yeah, changing the binaries, managing to carry out a DDoS at just the right time, and being able to, um, yeah, then trick the, trick the RPC nodes into, to essentially providing a false view of the world. It's all quite sophisticated, and clearly, uh, I think, yeah, it looks like a nation-state level, so I think the Lazarus attribution is probably correct. Um, yeah, I think, I think there's, I think there's all sorts of, like, uh, issues here with sort of, like, risk, and I wouldn't lay it all on Layer Zero, although I do agree that, uh, the, that, yeah, the default setup that's kind of, uh, out of the box for people to use is, is probably not great. And, and I think it's something like 40 percent of people do tend to use that setup, and so they're saying it's mainly, it's mainly the, the, the fault of Kelp DAO for not sort of, uh, modifying that and going, going further. But, uh, I think there's, there's some truth in that. Obviously there's 60 percent of people, including Euler and all these other projects, that decided to use more, uh, DVNs. But, uh, yeah, certainly, certainly there's some, uh, there's some blame across all parties here, I would say.
Chris, you've been in this space for a while. You've both had to invest in projects, evaluate projects, invest, like, trading setups, like, evaluate those. What do you make of this hack? What does this say to you about where DeFi is?
Yeah, I think that we have a lot of challenges right now in the space. And again, what have we lost, like $600 million this month alone? I'm not the type of guy who's going to point fingers at Layer Zero or Kelp DAO. Let's point fingers at the people that really deserve it.
And that's the criminals that perpetrated this attack, right? And what have we done? We continue to allow people to operate and attack our protocols without an all government response. I think it's unacceptable. I've been talking about this forever, but like, why are we blaming the victims again? Yes. Could they have been stronger? Absolutely. Yes. It's a very harsh environment. But when I'm walking down the street with my wallet and someone steals it from me, you know, those are the persons that need to be held accountable. So like, I think it's, I think everyone's going to point fingers, this and at, but why are we letting these threat actors destroy and impede our protocols? I think it's unacceptable. I think we need a whole government response. I think we need to take action in clarity. It is completely, completely unacceptable. We cannot tolerate this. We want innovation in this country, but then we need accountability when people try to attack it. We need to put them on defense. Anyway, that's- You guys see a mythos? Sorry, go ahead. Well, look, mythos is both an opportunity and a threat. 
Right, there are... someone's cat is very excited right now. But, um, but, but look, as AI comes into, into effect, it's going to provide brand new threat vectors, ones we've never heard of, but we have to be in front of that as well. So look, I think, um, it's going to take a while for confidence to be restored. What investors care about: investors will take market risk all day long. What they won't take is operational risk and cyber risk. And so we got to be very, very careful.
So Chris, I'll ask you this as we look at clarity, and I know it's a topic that you've had things to think about before, and Ram, Michael, feel free to pile on here. One part of this is clearly, like, privateering in your case, that is to say, when these assets are stolen, deputizing people to go after them, get them back, and return them in a way that is now legal. But secondarily to that, what other fixes do we need in the ecosystem right now? And, you know, one of the things I observe is security in spaces like this have been a traditional tragedy of the commons type problem. That is to say, it needs to be done for everybody. But individually, many people don't have the incentive to spend on it if their competitors are not also spending on it. How do we get to a point where greatly hardening these systems and responding quickly is also the norm?
Let me just add one other thing. The one thing that was pretty good here was that Kelp DAO was able to take action within 46 minutes. That's an eternity, actually. But what we talk about all the time here is latency matters. At least they were able to prevent incremental, other incremental $100 to $200 million of being stolen. So I think that is a very, everything when you're dealing with security comes down to latency. So to Ram's point, we need to be much more aggressive with agentic activity, agentic defense. And frankly, we need to be much more on offense. I've been talking about this from day one. We need to have our private sector supporting the security of our infrastructure.
Yeah, let me layer on here. Last week we talked about Mythos AI. I did some more homework on it. It is really quite remarkable. So Mythos from Anthropic was able to identify security vulnerabilities in BSD Linux, which has been battle tested out there for decades. And so a lot of these Fortune 50 companies are using Mythos to identify security vulnerabilities and protect against that. The point is that these nation state capabilities will be in the hands of corporates and then individuals within one to two years because of the democratization of AI. So it's a significant thing. It's a disappointing setback. DeFi is what, like, six, seven years old now? You're still getting these hacks. It's hard to have confidence in the system when that happens. I think people are going to stick in the capital markets world and the ETF world because they value security first. Um, I do think, you know, yes, like, hold governments accountable, but what are we going to do in North Korea? They already have sanctions. They're already a pariah of the international system. It's hard to find what the marginal response is.
Yeah, I think... But this is not North Korea, right? This is not North Korea. It's Lazarus Group, right? Why do I say that? It's a criminal organization. It's a criminal organization. We wouldn't attack. It's a nation-state. Are they directly connected to the DPRK, though? I know. Aren't they essentially an arm of the DPRK? Of course they are. What I'm saying is DPRK has to have plausible deniability because they're a nation-state. We need to shut down Lazarus Group, bottom line.
Yeah, I mean, part is I'll be real quick. One is fight AI with AI is one, like, of course, but we need this technology. We need it yesterday. And it's not surety. The second is how do you create surety can use other technologies and insurance and reserve pools? You know, an insurance market, we have reinsurance, for example, there's a Berkshire Hathaway. They would collect a fee from fighting that insurance.
How do they underwrite it? They perform their own security assessment. They just like a ratings agency, they'd rate it, they'd assess the protocol. They stand behind it, collect a fee for that. That's a free market response to this. And that can instill confidence and trust.
Michael, we should talk about this. So, you know, in derivatives, we have guarantee funds, right, where we have socialized losses in case of extreme tail risks. Maybe that's the solution. Maybe we should start having these old type solutions to your point. It's a take on insurance, but it's a market driven socialized risk approach.
The, the, so a few points just going back. I mean, I think the, uh, you know, finding Lazarus is very, very difficult. You've got some fantastic people out there. I've worked with law enforcement before. I mean, there are people out there really trying. It's just a really tough challenge. And the other thing is, in DeFi there's nowhere to hide, right? In the, in, in the years gone by, it always used to be a smart contract exploit. You know, my early years in DeFi, back in 2020 and sort of up to 2023, it was all smart contracts, because they're out there, public, and that's something to be celebrated, because it means that, uh, everybody can verify the code, exactly, exactly what it's doing. But it also leaves you with a very little wiggle room. Uh, there's no margin for error. Um, people are spending a tremendous amount of money. You know, Euler, we spent millions and millions of dollars on, on security, but there is really just no room for error whatsoever. Um, you do tend to get... one of the arguments I used to make about DeFi was that you would get a kind of anti-fragility emerging from protocols that had vulnerabilities would be exploited and would kind of fall away, and the ones that remained would get this, you know, so-called Lindy effect, and they'd be the ones that you knew weren't exploitable because their code's right there and then they've held billions of dollars and, you know, they can't be exploited.
I think this kind of attack was quite different, and the kinds of attacks that we're seeing now are quite different. A lot of them are kind of key leaks, so people losing access to their private keys, or also, like, leaking infrastructure, and then this one was more sort of infrastructure level as well. Uh, it was a very, very, I would say an entirely different class. It's nothing too novel, but the, the way it's being carried out now, it's not all at the smart contract level. I think we're actually seeing quite a hardening of, uh, of protocols. Um, on, on AI: AI is a great tool, but it's, it's an arms race, right? It's, it can be used by the good guys and the bad guys. I do think, I think teams need to be using it much more and auditing end-to-end absolutely everything using AI and getting their hands on the best possible tools. I think, uh, you see a lot of security firms are working to bring these tools out now, and increasingly teams are using this, but it's also in the hands of the bad guys, and it's, uh, they're very, very effective operators, and it's speeding up their ability to, to attack things as well. And then, yeah, the last point on the pooled model and insurance and all the rest of it. One thing I've said to somebody today on social media was a lot of the mechanisms we have in DeFi today are kind of legacy from a period where you weren't really allowed to introduce centralizing elements into the systems.
So people have been asking, you know, why are there not more monitoring systems and pause functionality and more control, effectively? And part of that comes from this, uh, you know, regulatory stance from the past, where you had to, uh, be fully decentralized, have zero control, because any, any, any amount of control you did have would, uh, would lead to persecution by the regulators. So as that stance has sort of softened and changed, I do think we'll start to see quite a big difference in how protocols are built up now, and, and the level of, uh, and the, you know, the, the kind of, um, the kind of systems they have in place to firstly prevent attacks, and then once that, if an attack has happened, as you said, then how do you actually go about the process of socializing that? How do you, how do you, who organizes that? Who's in charge? I think now it's hopefully going to be easier for teams to actually step up and say, no, here's the system, here's how it'll work, here's how it'll work, we're in charge, we'll do this.
I mean, I think you could have decent... I'm gonna jump in. I think you could have decentralized socialization of risk. I honestly do. Um, and the way that it would work would be you create a pool, and I think most of the perp DEXs should do this too, because I hate this concept of ADL at the beginning; it should be at the end. But essentially you create a pool, and the pool members benefit from the yield of the protocol, or they benefit from, uh, the revenue of the protocol, however that protocol may work. A pool is creative. You can flex the pool. You can make it bigger with higher yield. You can make it smaller with little yield. And if there are certain A equals B, if there is a hack, that's the pool that becomes at risk. And provided that that's fully transparent, I think theoretically, it's very, very possible. But we just haven't seen that yet, really. We've seen nuances about it, but not really anything codified or anything hardened.
I mean, one of the things that's interesting here to me is, as people start speaking about insurance for these protocols, is insurance comes along with underwriting and it comes along with restrictions, right? And I'll tell you, right in the current day, if you look at what most insurance or reinsurance companies would charge you for DeFi, you're not going to like the quotes. And I think that is, yeah, I think that is a, now, well, I mean, there are people who will give them to you, but I've seen the prices, and they're an accurate reflection of risk, right? Like, how do you feel about a 30 per annum premium, right? Like, oh, well, why are you even buying something at that point? But the reality is, Chris, as an extension of what you were saying, whether it's decentralized or centralized, the nice part about insurance pricing is it's going to be pretty functional and experience rated. There were structural upgrades we need to start making to crypto because we have to start, you know, and I think this feeds into the point that, Michael, you were making earlier about working in legacy frameworks. The belief that transactions are, call it, optimistically correct has to be discarded in this environment. We are clearly getting enough hacks that all large transactions should probably be viewed with some degree of skepticism. And I don't know if that means delays withdrawing for protocols, choke points on bridges, needing significantly larger shares of votes to move assets. Like there are many ways to do that. And not all of them are implicated by having one centralized party that controls things. But I would say without a multiply redundant risk framework, I have a lot of doubts that we can solve that problem. And the reason I say that is as you look at the sophistication of some of these attacks, again, we're talking about like poisoning a bunch of like RPC nodes at the same time we're doing a DDoS attack at the same time we've compromised, like this is not trivial stuff to defend against.
If we're saying it's nation state actors with their tremendous resources against individual protocols, the protocols will lose with certainty. However, you can still flip that security framework on its head if we make it a chain of things that have to fail with a redundant response across the ecosystem. Because the Lazarus Group, breaking a single protocol is relatively easy, but breaking eight protocols simultaneously, all of which work differently, becomes so complex that if they're capable of doing that, essentially the chain is unusable at that point. And so I would say DeFi, if you're thinking about how to get insurance and how to build things, has to stop operating from the framework of we assume transactions are legitimate. That has been my major takeaway of the past few hacks in a row of just like starting all the way back with Bybit and then another partial interdiction, which was the Cetus hack. We just had Kelp Dow here. We've had like attack after attack after attack. And to me, it raises the question. I'm curious, you know, for the rest of the group, do we have to change our default like thought model of transactions are legitimate? It's a good question, but you risk giving up concepts like immutability and the concept of non-reports and finality. Okay, so I will grant you that on finality. Yes, because if we slow down transactions processing, agreed. But immutability is just that we can't change the history of a chain. If there's like a 280 million exploit, and it goes into a queue, and everybody looks at it during the delay period and says, oh, that's not correct. 
And so a transaction spits out that then reverses it, you still have an immutable chain where the history is transparent, known, and unalterable. It's just a question of under what terms do we let them sort of transact down the chain, right?
Yeah, it's interesting. I mean, you're asking all the correct questions. It's not in my head there. And you start to see how things naturally get centralized over time. It's like, over time people flow risk to trusted parties. They're trusted because they're regulated and capitalized and have all sorts of oversight and auditing. We have to find a way to keep this going with code and technology, not bring it back into the system. You know, one would think that there's a way to transfer the risk of each transaction. Maybe it's not, you know, at the pool level. Maybe it's at a transaction level. There's more work to be done. It's a major setback. Like this puts DeFi back a couple of years.
Yeah, I think... go ahead press. Oh, I was gonna say, yeah, you, you can, um, you can try to build these. You know, I thought deeply about this kind of stuff as a sort of mechanism builder myself. We used to try to think about how we could introduce these kind of mechanisms into, uh, into our protocol, and it becomes quite difficult, because there's, there's all sorts of nuances here and, and sort of edge cases. When you think you fix one thing, it's like pushing a bubble under the carpet: you just sort of move it somewhere else, but the bubble's still there. Um, you know, if you want to do, you know, rate limiting, for instance, on protocols, you need to know what are you actually limiting. You know, what's the actual unit of, of limit there? Is it the underlying asset? Well, that, the amount of asset in circulation can change, so that needs to sort of adapt over time. Its value could certainly change, you know, a lot, so then you need to start to bring in oracles and third parties, and, and that introduces new dependencies and things. So adding, adding these mechanisms in principle sounds like a great idea, and people often ask, what, often ask builders like me, why, why aren't there more of these? And it does come down to just being very, very difficult to do it without adding new trust assumptions into the mix, and, uh, and that carries a cost, ultimately.
So I strongly agree that it carries a cost, but let's look at the kind of factual, which is that in 48 hours, DeFi TVL has gone from what, 99.5 to 86.3 billion. I think the market may be speaking that the cost is what is currently there is just rapidly becoming unusual. Too high. Yeah, I agree. Yeah, I totally agree. So Michael, I would ask you, like as a builder yourself, and I know some others that have been posing this question to people, I kind of see two paths here. Path number one is increasing, like call it slowness, checkpoints, multiple redundancy in the system one way or another, because Chris has said the latency problem is real. And if we're going to be optimistic about transactions with zero latency, I don't see a pathway to interdicting these things. Caveat, if we continue to build relatively complicated things, because as a counterpoint, let's look at a model that's largely been successful and stood the test of time, which is Uniswap, right? If all of our LP pools are segregated and unalterable, and to upgrade we've got to, like, withdraw from V2 and go to V3, withdraw from V3 and go to V4, and all of these can sort of blow up in their own self-contained box. Yes, Uniswap is a very simple thing. They are not building complex, like, layers upon layers upon layers. But is the future, I guess I would ask you as a builder, more likely to be, actually, we need to simplify a lot of these things and remove the attack surface area, like go back to basics in DeFi? Or is it, if we want to retain this complexity, we need to think much harder about security, which may, as you noted, lead to certain forms of centralization?
The, the, yeah, this, this came up, up a lot through my time building a lending protocol.
Ultimately, an AMM or an exchange is very self-contained. It really doesn't care about the outside world. It just looks at what's inside and it has to try to balance a single invariant in the pool. If you look at a credit market or lending market, there are all sorts of dependencies and the credit markets really care about the outside environment that they sit in. So they care about the volatility, the assets, they need to know the prices of those. The prices aren't intrinsic to the assets. So then you have to have some kind of third party report on those prices. Liquidity is a massive, massive issue. A DEX doesn't care what the liquid environment is outside of the DEX, right? It can operate with $10,000 or $10 billion. It doesn't matter. But lending protocols, as we've seen with the liquidity crisis we're in now, are very, very heavily dependent on what's, what else is going on. I think that's the, that's what makes it so difficult to build a, you know, fully, truly immutable, Uniswap-like lending protocol. We've tried, we've tried to get as close to that as possible. You know, Morpho also building with similar sort of mindset, um, trying to, trying to keep as much of that as you can while still offering a viable, capital efficient lending market. It's, um, it's just, I, I think, but at this point I'm, I'm resigned to say that it's just not possible for credit, really. We've had seen many teams come up with all sorts of interesting ideas on how to do this. And I just don't think it's possible. So then we have to accept this is the state of the world now. This is how it has to be. How do we, what's the minimum amount of centralizing force that we can add back to these systems to make them not collapse so spectacularly when they do, while maintaining the corporate disposability and disintermediation, composability, and all the rest of it?
So we saw Drift partner up with Tether. And I don't know, is it a centralization force that's going to restore security?
Or is it just the resourcing that you need to have just to go through an inordinate amount of audits, bring in the AI? Clearly, for this industry to move forward, we need to provide confidence in whatever protocol you design. So I guess, is centralization the only option? Or can, you know, like you're seeing this partnership between Tether and Drift, don't know all the details yet, but is it more of a resourcing issue? It's really hard for a startup to compete. I really don't think it is. I think, you know, we talked earlier about mythos, like finding bugs and flaws in 26-year-old operating systems. And, you know, the amount of man hours spent on that, you know, is just more than anybody could afford to ever spend building a DeFi protocol. And yet there were still bugs that could be, you know, teased out there. So I don't think it's just purely a resource issue. Everybody's really, really cognizant of the importance of security. And they really, really are trying. It's very, very, it's just a very, very hard problem. I think it's unsolvable at the code level. So we need other fail safes. We need other mechanisms that are introduced, I think, at this point, to help safeguard things a little bit more than just relying purely on code alone. So working backwards, right, like one of – this is me putting on my business school professor hat. But looking at some of the lessons from history, I feel like there are two paths that we can go down here. One is exactly what you said, which is looking at TradFi lending markets and starting to build in a lot of the fail safes in modern markets. Like, great example, you know, if you have, call it, $200 million of supply and somebody deposits $500 million, not making all of that available for borrow immediately, right? Like allowing that only to increase by call it 10% per day or something like that gives you a very long runway to interdict these things. 
And yes, it obviously makes that protocol somewhat less efficient from like, I can't take a $300 million flash loan or, you know, immediately deposit something in size. But it might also be fair to say maybe that's a problem, not a feature. And why are you so intent on doing this, like, literally right now at 3 a.m. on a Sunday becomes a valid question, along with many of the other redundancies you build in. The other one, though, to go the other way, I'm like a lending protocol is I know this makes it less liquid, but there's no reason you can't structure it like an AMM of all of these are essentially bilateral offers for lend and borrow. And then you don't have this contagion risk, right? Like I will lend a hundred thousand dollars of USDT at this price and I will accept the following things as collateral. And that's that you can have like these prepackaged boxes where each person can do their own like lending and terms. The problem you run into there, which I think, you know, you've spoken to this in your earlier answer, is that's less efficient than it might otherwise be. Like, I, I, if I recall, I think there was an early version of, like, SushiSwap's led protocol that was similar to that way back in the day.
Exactly. Now it's being tried. Yeah, it just didn't, it just didn't, it just didn't attract enough, um, enough users. It's so clunky, sort of almost peer-to-peer like, and, uh, and when you're competing against the pool model, which is, you know, I can just deposit and withdraw whenever I like, and there's so much liquidity that, you know, people think it's about the technology. It's really not. What are they another like really large lending protocols are selling is liquidity. It's that ability to go in and take out those huge loans and repay them whenever you like. That's the main product. When you've got liquidity, that's, that's king above all else. And so when you have these isolated, you know, almost peer-to-peer like, uh, lending, uh, systems, much, much more secure, as you say. You don't need all these external dependencies and all the rest of it. You just need to trust that the code, a very simple piece of code, works for that particular loan. But then it's just, how do people find each other? That's the problem that I think, uh, Compound originally solved, and that Aave, you know, heavily modeled on the Compound system, you know, followed on with. And it's, it worked so tremendously well that it's scaled up to billions and billions of dollars. But with it has come this, you know, but, you know, other challenge, which is, uh, when things go wrong, they, they sort of tend to, uh, cause contagion in, in a way that those isolated models don't. So yeah, we, we've, we've experimented a lot in DeFi at this point, and I'm, I'm, I'm sort of resigning to the fact that maybe it's just not possible, uh, to, to get the best of all worlds, and that we're going to have to sacrifice something somewhere along the line.
Well, I will say as a closing remark here, as we are hitting time, that I have resigned myself to the belief that I think you're probably correct about that, that we are not going to be able to have our cake and eat it too, and we're going to have to figure out which, by the way, there are multiple paths to trade-offs, but we're going to have to tolerate some of them, because one thing I think all of us agree on is the current paradigm is not sustainable.
I'll give you one other concluding thought. When the Pentagon finally releases information on non-human intelligence and UAPs, we can encounter these. We're going to ask them, who is your leader? What are your intentions? And the third question will be, how do you manage money? Who do you trust? How do you exchange over vast distances? How do you represent value? Just give us the answer. And is there quantum money? That's question number four.
All right. On that note, thank you everyone for joining us for this episode of Bits and Bips.
Next up, Laura moderates a debate slash allegedly fistfight on Canton between Yuval Hasib of Dragonfly and Alex Gluchowski of Matter Labs. It was pre-recorded and I have been whispered to that it got quite heated. So be sure to stick around for that one. Thank you. Thank you.