Anecdotally, blackhats start seriously paying attention once your project crosses $100M in TVL (or an equivalent metric).
This is especially true for non-EVM chains. Ethereum has painfully endured many hacks, so its security posture has matured over time. But non-EVM ecosystems often have a false sense of safety simply because they haven’t yet crossed that critical threshold.
It’s fine to move fast and break things early. But once you hit $25M in value at risk, it's time to get paranoid. At $100M, blackhats are guaranteed to be watching.
You’ll also attract extra blackhat attention:
1. At launch, when folks hunt for low-hanging bugs (these stories rarely go public).
2. During integrations: devs poke around, and it only takes one bad actor to trigger an exploit.
If I could offer one piece of advice: rethink your security posture around the $25M mark, especially if you moved fast or were lax early on (totally normal for startups and nothing to be ashamed of).
Crypto payments today are not business-friendly, even stablecoin payments.
Today, the pitch for stablecoins is a global, uniform interface with cheap fees. But it's an absolute mess for tracking. Try talking to a finance person who has to deal with it.
Nobody wants to force KYC on their users, but you have to do it to stay compliant. Seriously, who in their right mind wants to build an onboarding flow where you ask your user to pull up an ID and verify their face? The churn on that step is massive.
I once talked with a lawyer about the risks, and how they enforce it is scary, even if you had no intent to transact with a sanctioned individual.
Unless the policymakers change this, if you want to run a legitimate business, you must comply, even at the expense of additional customer friction or security concerns about data.
Many products today perform 'silent KYC' to minimize onboarding drop-offs and trigger a full KYC as transaction values and risks increase (they know who you are from the limited data you give them, like phone numbers).
TLDR: you're barking up the wrong tree on KYC. The correct tree is the regulators.
Almost everything we did was early and controversial.
When we started Spearbit, we offered high-quality, scalable security reviews through independent researchers. We were told it was wrong, bad, and would never work. You can go back to the panel I was on at the 2022 DeFi Security Summit where everyone piled on Spearbit. Today, nearly every security company has changed its operations to a model where independent security researchers are the centerpiece.
When we launched competitions at Cantina, we built a platform where everything lived in one place. Customers and judges could immediately work on fixing the findings, which meant faster launches. That too was controversial, but the same people who accused us of 'rugging' researchers now have platforms that do the same.
We got here by deeply understanding both our customers and researchers. Few teams in Web3 security have experience on both sides like we do. We’ve built foundational tools: the Solidity compiler (the #1 programming language for smart contracts), the ETH staking contract (the #1 smart contract by TVL), and we won the #1 spot in OpenSea’s first 7-figure security competition. We're going to build the #1 web3 security platform.
Everyone has an opinion on how we should do things, but the way to track progress is by looking at these two questions:
1. Are customers shipping safer code to production?
2. Are security researchers earning more?
If the answer is yes, we're on the right track. And our numbers show we are.
How to think about million-dollar competitions as a security researcher:
- Teams treat these competitions as the final boss. The code that undergoes them has almost always been audited already, often multiple times. Competitions are pretty effective at finding the bugs those audits missed, but in some cases, no more bugs are left.
- Rewards for the competitions can feel wildly disproportionate. When there are bugs, the winners can earn $100K–$200K+. If there are no severe bugs, the payouts are tiny. It’s a game of extremes: high highs, low lows.
- There's no perfect way to reward effort in a permissionless environment. Every suggestion I've seen can be gamed. As a security researcher, you're either selling your time or being rewarded by the outcome, i.e., getting paid for valid bugs you find. You cannot mix these two. If you do, you're setting yourself up for disappointment.
- The clearest sign that the industry is growing is researchers getting paid more, quarter after quarter. That’s what’s happening at Cantina. Our job is to create more opportunities for security researchers. More opportunities = more ways for you to earn. We've hosted more 7-figure competitions than anyone else, and have had more 7-figure competition payouts than anyone else. If you look at the competitions that did not unlock the full pool, they had incredibly hardened codebases, and they're successfully on mainnet with billions on the line.
- I talk to many security researchers, and I've yet to hear of anyone who went all in on Web3 and regretted the move. The long-term opportunity is still here; we will 10x that in the next few years. Quite the opposite: I know many security researchers who have found life-changing success in this industry. Many of them have won big competitions and continue to do so.