Used jpeg dealer \
Solidity dev & auditor \
VP Blockchain @yugalabs
Dec 21 • 11 tweets • 2 min read
Exited all my validators, and I think it's worth discussing: Ethereum has an incentive problem.
1/🧵
2/ Proof of stake is a simple concept on the surface: those with money at stake are rewarded in exchange for honest validation of new blocks.
If you're dishonest, your stake is vulnerable to slashing (aka, there is a high cost to dishonesty).
Oct 3 • 10 tweets • 3 min read
Flash loans are zero risk loans where the full loan amount must be paid back in the same transaction it was originated. They are useful for arbs or opportunities for profit where you simply don't have the ETH up front.
But this one actually sacrificed a punk...
1/🧵
2/ Today's loan was not a profit opportunity - at least, not directly (we'll get to that later).
To execute, two contracts were used (we'll call them Contract A and Contract B).
Contract A is in charge of listing the punk, and Contract B handles buying it.
Sep 11 • 9 tweets • 3 min read
Punk 2386, with a current high bid of 600 eth, sold for 10 ETH today.
A combination of clever sleuthing, followed by an unfortunate miscalculation leads to a 7 figure payday for 0x282.
🧵
2/ This ape punk was fractionalized into 10,000 ERC20 tokens on 9/26/2020, and spread out among what is now 257 holders.
This was done on a now decommissioned platform called niftex (the contracts continue to live forever).
Apr 29 • 13 tweets • 4 min read
One of the questions I'm asked the most is "how do I get started becoming a solidity dev?". While there's no right answer, my response is always similar. So here it is in a thread:
How to take yourself from 0-1 as a solidity dev
1/🧵
2/ This thread will assume you have dev experience already - if you don't, solidity might not be the best place to start.
Solidity doesn't necessarily have a steeper learning curve than other languages, but it has steeper penalties for getting it wrong.
Feb 8 • 12 tweets • 4 min read
ERC404 has taken X by storm. Many have called it out for misusing the ERC label, and rightfully so, but let's take a moment to discuss another aspect of it: composability.
Is it safe?
1/🧵
2/ If you haven't read a technical breakdown of ERC404, check out my thread here:
I'll be referring back to the topics covered there throughout this thread.
When designing CryptoPunks721, we went to great lengths to ensure that the contract was:
a) ownerless
b) as gas efficient as possible
This led to the creation of a weird function!
The story behind `rescuePunk()`
1/🧵
2/ NFT contracts typically maintain a count of their total supply. Maintaining that count is pretty simple: increment the count when a mint occurs, and decrement when a burn occurs.
Simple, but it adds an additional SSTORE to each mint and burn - that's 5000 gas!
Jan 18 • 13 tweets • 3 min read
I'm super proud of the launch of CryptoPunks721 and Your Stash, and I'm hopeful for everything that it means both in the immediate term and in the future.
You may have heard we had to roll it back to fix some issues, and just re-launched today - here's what happened 1/🧵
2/ Two essential convictions underpin Your Stash:
- It introduces SO much potential, most of which we haven't yet dreamed up. So, it's upgradeable.
- Upgradeability introduces centralization risk not present in immutable contracts, so only YOU hold the power to upgrade.
Jan 2 • 10 tweets • 3 min read
I've seen a lot of confusion over the past 24 hours regarding signatures, and what is or isn't safe to sign.
Here's the way I think about it, and how you can decide for yourself if a message is safe to sign or not 1/🧵
2/ Signatures are a core tenet of Ethereum, and cryptography in general.
At a base level, you take a message and you sign it with your wallet's private key. Anybody can verify that you signed this message as long as they know what the message is.
Jan 1 • 6 tweets • 2 min read
LFG is a new token launched on Solana, with a goal of onboarding more ETH users to SOL.
Gotten several pings asking about the safety of it, so here's a quick rundown 1/🧵
2/ On the ETH side of things, you simply need to sign a gasless signature. Remember, gasless signatures that are simple, human readable messages (not typed data) are generally safe to sign.
Last week, Yuga finalized a series of interconnected contracts that unlock new possibilities across our projects.
They'll start simple, but they're designed to allow evolution over time.
Introducing: Your Stash.
1/🧵
2/ The first unlocks are for Punks.
CryptoPunks are an OG collection, deployed before the ERC721 standard existed. This is a large part of what makes them so special, but it is also the cause of (imo) their two biggest issues.
Dec 17, 2023 • 14 tweets • 5 min read
As promised, a short code breakdown of how we were able to reverse exploit NFTs earlier today, and put them back in the hands of their rightful owners.
1/🧵
2/ For those unaware, NFTTrader was exploited today by using reentrancy to edit swap counterparties midswap.
It's been a while since I've done a contract walkthrough, so let's take a minute to discuss Bunnygirls.
Bunnygirls, which launched earlier today, has raised 138 eth ($237k) so far during their mint.
If you're new to solidity, this one's for you.
1/🧵
2/ Their contract is a basic ERC721A with a whitelist and a free mint list. It starts by declaring state variables.
Casing issues aside, note that bunnySupply and bunnyPrice are not declared constant. They can both be changed at any time by the contract owner (second image).
Jun 27, 2023 • 20 tweets • 5 min read
Gas is a mechanic fundamental to Ethereum, and yet it can be one of the hardest to grasp. The following will be my best attempt at explaining it in a way that's easy to digest for anybody in the space, from newbie to journeyman.
On gas.
1/🧵
2/ To start, let's understand what gas is in the first place.
Gas is designed to ensure that resources on Ethereum are used efficiently. It prevents network spam and is used to incentivize validators.
The more computationally expensive your transaction, the more gas it uses.
Jun 26, 2023 • 5 tweets • 1 min read
There are so many opportunities to change your life in crypto, but people aren't looking in the right places.
Here's how you can change your life and get RICH in just a few months
1/🧵
2/ Trade crypto.
The price of crypto sometimes moves up, and sometimes it moves down.
A lot of people trade, but they buy when it's high and sell when it's low. If you instead buy when it's low and sell when it's high, it's an infinite money glitch.
Jun 1, 2023 • 8 tweets • 2 min read
Pink drainer has learned how to hack his way into enabling private sales on Blur.
Normally, Blur doesn't offer private listings. Any listing you create is open to be fulfilled by anybody.
But lately, Pink has been buying items for 0 eth on Blur. How?
1/🧵
2/ Normally, if a scammer phishes a victim into creating a Blur listing for 0 eth, they'd immediately get frontrun by arb bots who are willing to pay most of the value of the NFT to block validators in order to land the purchase.
This is obviously no good for scammers.
May 29, 2023 • 4 tweets • 1 min read
"Quit, why do you keep warning people about the fake Jareds? He's not even scamming anybody"
Now you know why
16 eth raised in 30 minutes
May 28, 2023 • 11 tweets • 4 min read
The account @duskylfg is either a scammer, or is currently compromised.
I have 267 mutuals with this account, so please spread awareness.
An old and simple scam, here's how it works 1/🧵
2/ Dusky posts about an MEV bot he's using to arb markets and earn eth (why is no one talking about this!?). He is benevolent and provides a link, so that you can make a quick profit too
May 8, 2023 • 8 tweets • 2 min read
$quit is LIVE.
There is a total supply of 0, all of which is mine. Sorry about that.
But while we're here, I made you something
1/🧵
2/ Deploying shitcoins is repetitive, and gas intensive. We can do better.
Inspired by the below tweet, I thought...why not make deploying shitcoins *even easier?*
I don't trade shitcoins, but maybe you do. And if you do, you should be using flashbots to protect yourself from sandwiches (and failed transactions!).
Here's a quick guide to getting set up 1/🧵
2/ Flashbots is an organization focused on enabling a permissionless, transparent, and sustainable ecosystem for MEV. They provide a vast suite of tools, but today we'll just focus on Flashbots Protect.
Jan 27, 2023 • 20 tweets • 6 min read
In light of recent events, I've been seeing a lot of questions regarding what is and isn't safe to sign, as well as a lot of misinformed answers.
It's important that we aim to understand signatures, not avoid them. They're a key component of a decentralized web3.
1/🧵
2/ First, let's get a common misconception out of the way
"Is it safe to connect to X website?"
The answer is always yes. Connecting to a site allows that site to read the contents of your wallet, and nothing else. It cannot perform actions on your behalf, or "hack" you.
Jan 21, 2023 • 16 tweets • 3 min read
1/21/23. I got hacked. Drained. All my apes gone.
This is a thread on what happened, and what I took away from it to be better moving forward.
1/🧵
2/ at about 2 am, I heard a noise come from downstairs. My wife heard it too. We each grabbed a leg off of an old wooden chair by our door, and ventured out into the house.
We checked every corner, nothing. Went back to sleep.