Get the latest ideas from Unchained.
Plus the best new takeaways from other top podcasts — read in minutes, not hours.
or
By continuing, you agree to podbrain's Terms and Privacy Policy.
Kane Warwick hosts this episode of Uneasy Money with co-host Taylor Monaghan (security expert), Luca Netz (CEO of Pudgy Penguins), and special guest Omer Goldberg (CEO of Chaos Labs). The discussion centers on the Resolve protocol hack that resulted in $54 million in losses and its cascading effects across DeFi lending markets.
The conversation explores the technical details of how an AWS key compromise led to unlimited token minting, the subsequent contagion through Morpho's automated liquidity systems, and broader questions about risk management in DeFi. The team also discusses Aave V4's new architecture designed to address some of these systemic risks through isolated market structures.
Resolve Protocol Hack: From AWS to $54M Loss
Attacker compromised Resolve's AWS-hosted private key on Sunday, minting $80 million of unbacked USR tokens for just $300K investment, causing USR to crash from $1 to 2.5 cents.
"This is a very web 2 oriented hack. This is a key that was compromised, that was controlled by us" - Taylor on the fundamental security failure being traditional infrastructure compromise rather than smart contract exploit.
The protocol took three hours to pause after the attack began, with the attacker making multiple minting calls rather than a single atomic transaction, suggesting either limited sophistication or cautious execution.
Kane draws parallels to Normal Accidents theory from the nuclear industry, describing how cascading failures of multiple systems create catastrophic outcomes that seem unlikely but are actually predictable.
Contagion Through Automated DeFi Systems
The hack spread through lending protocols including Fluid ($20M+), Venus ($20M+), and Morpho ($10M+) as attackers used minted USR as collateral to drain legitimate assets.
Morpho's "public allocator" feature automatically routed liquidity to markets with spiking interest rates, turning initial $5K exposure into millions as the system interpreted the attack as legitimate demand.
"When interest spikes, there's a lot of demand. It's probably a white swan, not a black swan" - Omer explaining the flawed assumption behind automated liquidity allocation during the hack.
Hard-coded Oracle pricing at $1 for USR created unlimited borrowing capacity even as the token crashed, with final backing ratio reaching 266:1 minted tokens to reserves.
DeFi's Risk Assessment Problem
"DeFi does not know how to reason about risk whatsoever" - Kane arguing that the industry treats all risks as equivalent rather than developing sophisticated risk models.
Taylor emphasizes that basic operational security gets ignored while teams focus on novel smart contract risks: "The biggest, most basic top of mind one, it doesn't seem like people have paid enough attention to."
Omer notes that even within AWS, multiple security layers exist including 2FA, biometrics, and multi-signature requirements that weren't implemented for the critical minting function.
"There's a 24/7 bug bounty on your product" - Kane quoting Larry Surmack on the constant security pressure facing DeFi protocols, with attackers worldwide targeting vulnerabilities.
Institutional Standards and Operational Security
Luca describes Pudgy Penguins' security approach: "We pay a guy a six-figure salary to literally do OPSEC all day. We have a head of security... ex-CIA guy named Bo."
Enterprise adoption requires SOC2 compliance and proper alerting infrastructure, with Omer noting that "most financial institutions won't even talk to you if you don't have it."
The team discusses how institutional capital demands better risk-adjusted returns rather than retail's tendency to chase high yields while assuming zero risk.
"PagerDuty, App Shiny, gotta have that" - Omer on essential alerting systems, noting that when emergencies happen, "it will be 3 a.m. wherever you are every single time."
Aave V4: Hub-and-Spoke Risk Architecture
Aave V4 introduces hub-and-spoke architecture replacing monolithic pools, allowing risk segregation while maintaining capital efficiency across different asset classes.
"The core innovation around it is just like this hub and spoke architecture... it lets us segregate the risk in a much more intentional way" - Omer explaining the architectural benefits.
The new system addresses V3's difficulty in delisting assets, with Omer noting how DeFi tokens that peaked at $5B+ market caps became problematic during bear market conditions.
Aave's market power creates forcing functions for better security practices, with protocols requiring asset issuers to meet baseline security standards before integration.
From Unchained. Get a note like this from every new episode.