<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:content="http://purl.org/rss/1.0/modules/content/">
    <channel>
        <title>[object Object]</title>
        <link>https://paragraph.com/@0xlynett</link>
        <description>The spirit within us is alight with telos. To build the divine, to become it.</description>
        <lastBuildDate>Sat, 11 Jul 2026 06:58:19 GMT</lastBuildDate>
        <docs>https://validator.w3.org/feed/docs/rss2.html</docs>
        <generator>https://github.com/jpmonette/feed</generator>
        <language>en</language>
        <copyright>All rights reserved</copyright>
        <item>
            <title><![CDATA[You Don't Need Serverless]]></title>
            <link>https://paragraph.com/@0xlynett/you-dont-need-serverless</link>
            <guid>s6zEabrPvMj2IRmk8xon</guid>
            <pubDate>Tue, 24 Jun 2025 16:36:14 GMT</pubDate>
            <description><![CDATA[I'm a big fan of cheap things that just work. Servers are one of them.]]></description>
            <content:encoded><![CDATA[<p><em>Disclaimer: I'm the sales lead at </em><a target="_blank" rel="noopener noreferrer nofollow ugc" class="dont-break-out" href="https://altivox.net"><em>Altivox Networks</em></a><em>, a cloud compute company with a presence in Springfield, MA and with plans for expansion into Amsterdam, NL.</em></p><p>I'm a big fan of cheap things that just work. Servers are one of them.</p><h2 id="h-not-very-cash-money-of-you" class="text-3xl font-header !mt-8 !mb-4 first:!mt-0">Not very cash money of you</h2><p>According to industry reports, <strong>33% of organizations are spending over $12 million annually on public cloud services</strong>, with small to medium businesses averaging <strong>over $1.2 million yearly</strong>. A good chunk of this is going to serverless or overpriced servers.</p><p>Take a new trendy web app (<a target="_blank" rel="noopener noreferrer nofollow ugc" class="dont-break-out" href="https://cataas.com/">meow?</a>) that handles steady traffic throughout the day. I'll do some quick calculations based on Vercel Pro's pricing to compare costs.</p><p>Let's say you:</p><ul><li><p>have 4 other team members ($20/seat)</p></li><li><p>get around 200,000 function invocations per day, or 6,000,000 per month ($0.60/M reqs minus 1M included reqs)</p></li><li><p>use 256MB RAM and 150ms on average per request, 90% of which is idle time ($0.18/GB-hr minus 1,000 GB-hr included)</p></li><li><p>get 100GB in and 1.5TB out ($0.06/GB Fast Origin Transfer minus 100GB included, $0.15/GB Fast Data Transfer minus 1TB included)</p></li></ul><p>For simplicity's sake, let's say we have enough scale for Fluid Compute to fill up all the idle time with other requests.</p><p>That's about $20 (plan) + $80 (seats) + $3 (invocations) + $832.50 (CPU time) + $30 (Fast Origin Transfer) + $75 (Fast Data Transfer), which sums to just over <strong>1 thousand US dollars per month</strong>.</p><p>Meanwhile, let's compare that pricing to a more server-based stack.</p><p>A <a target="_blank" rel="noopener noreferrer nofollow ugc" class="dont-break-out" href="https://altivox.net/products/cloud-vps">12GB Budget VM</a> ($11.99/mo) from Altivox, which comes with 4 vCPU cores and 1TB included bandwidth can handle 200,000 rpd (2.3 rps) very very comfortably.</p><br><figure float="none" data-type="figure" class="img-center" style="max-width: null;"><img src="https://storage.googleapis.com/papyrus_images/f269681295f73c5c415c590961ba6ece.png" alt="me: &quot;can a 12GB budget VM handle 2 requests per second?&quot;. david: &quot;Yes?&quot;" blurdataurl="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAACAAAAAJCAIAAADcu7ldAAAACXBIWXMAAAsTAAALEwEAmpwYAAACG0lEQVR4nJ1SbWvTUBS+uBZDYnqT3Db3tjUxJG1v03Z9caWsSzvWuy59XbWjHc5KGZVNJ3UIUtAvfhD1k37TPyDug+Cv2R/xJ1RiYAxB5oTDgeccOM85z3NACKpCgGAlpSAky1jgFVEMI4QVmWAcR4jIMpZlDKGKELmA/x4A3+bPv33/PFreXJmRKJ5OH6+v11hvdHq62N+fEKJTuprJlFKpHM9DjpNEMSyKYX+PK8MjKOTjy5/L80/L+7UzCZJqtZ7OFFPpAmNtxtx8fo3SbC53l9JsIpEulSqWlTKMRC5XMM2kZVHDSBhGwrKoZVFdN00zqWle9rsIEYDQrSdH8/nuR7e/FhLIdtOt11m5vOG6vYODabe7y1j78PCo37/nOJvD4dhxtlqt/mj0gLF2rdZgrD0cjgeDPdftuW6XMddxtjqdQbPZaTR2vAtkiQDAAwACK1CWcTAY4jhJ4JXADQEADgBO4BUIVYFXOE4KBkO+Pr5EF0L5FQjVy1DgFY9AFMPZ1Xyr1cJEU2Ri23ldNy0zaZjUSmQozRKiRSIxQrRoTP/ts2cdQviy4X/470O/AqJEe/rs+PnJ7OTRQxXHJ5PpZDLdG45rO73Z8XyxeG3bBdsuFIuVYrESicSu/UXx+J0XL1/9OPv65e0bCNV6fbta3YzGdCgql5eCUIVQve50j4DjpH5/+O79h2QqLfBKpeKUyxv/8e9/I/gFJRB5OZyu0u0AAAAASUVORK5CYII=" nextheight="214" nextwidth="770" class="image-node embed"><figcaption htmlattributes="[object Object]" class="hide-figcaption"></figcaption></figure><p>Extra bandwidth is $4/TB, so that's an extra $2.40 in transfer costs. Total server cost is $14.39, a large drop compared to the more 'modern', 'efficient' serverless stack.</p><h2 id="h-what-about-latency-being-close-to-my-users" class="text-3xl font-header !mt-8 !mb-4 first:!mt-0">What about latency / being close to my users?</h2><p>Spin up more servers in different regions. Altivox has limited scale, but there are various other inexpensive hosting providers like Hetzner and OVH.</p><br><figure float="none" data-type="figure" class="img-center" style="max-width: null;"><img src="https://storage.googleapis.com/papyrus_images/e422f15cede9d2046719237b89b36866.png" alt="Map sourced from BeaconDB" blurdataurl="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAACAAAAAUCAIAAABj86gYAAAACXBIWXMAAAsTAAALEwEAmpwYAAAEL0lEQVR4nI1V3VLbRhTG0+jCF56KqGAJjJIIO7KDnB1bKAgcTAUmMirKLASUcSssLLyOpMVbzJ+ZzDB5g3SmfYa+RG/b2z5Db/sOvaBj7WAg/LTfhWZ3z+759uw559NIcAsY40qlkkqlFEVRVZXjOEEQarUaQohaMcZBECCEfN+nR6jpTozc9g4hFEWxECORSCRjAADoBgih4zgYY8/zXNelR0zT9DyPEj9E4Hleo9GAEKqqahiGIAgsy2YymWQyaZomISQIglqt1mg0hr4QQpQMQnhvBMPdtm3DGJVKhZ4ZGx9nWTaZTNYvCYZACNm2HQSB7/uKomQyGdd1CSGNRuNLAs/z6ETXdU3TvrMsAEC1Wj3t9wEAXz16xLLs8NaDbxRijH3fd10XQkhfkuM4URSr1aphGJZlXRFYlpVKpWRZVmJks1kAgKqqAADbtmu1WiKR0DQtiELq3UV+7sUL0zRt2wYAPH3yhI2RSqVotuhAkiRZlm3bHjEMg2EYuioIgiRJY+PjlmWZpgkhtCzrZbF40Ot1wjAMgp1mc2Flubz4ekIQEokEwzBfx65FUUyn09Q7wzB0kE6nIYQjjuO8Xlx0HCebzbIsm5+ZkSTJ9/1SuWwYRhAEe+02vfvB0ZHXau2dHNl7Xi6f1xfmx3iefTyaikGZkslkoVAwTdMwDM/zCCEjtK4P4uRIudwYz/OCIGYy34yOTkxO7rZaGONOEHQx/vjT598vLn67+Gf+zYoCAJhVp3O5p8+e8YIwzqd5QeA4jmEYXdcRQsOcXZXpfre7urUhF4vzdfOH87PNHnF3vc6ltYMQPjv99e+/fv7zj3e7zSXDUACQc8/zhcLE5CTHcYPoC3lFUcy1teuVeaMPtlF7zdmub268Ozvs//L59PBwuK+LcXM/nNN1Z2vLRWhpeXluYT6bzZbK5YF3jpsSxdm5Vx8/fTo+Pw/vazQqEguLi34UBFGILpWAtpIsy5IkCYKgqmoun58SxaVvlzRdnymBXF5O83zplRZEUeembNwg6MTtY62v7zSbQRCEUdTr9QghvV4PITSdHUCSpHQ6XSqXVVX1fd/e2LDevnUc5/2Oe3x60uv1vhCMKwKMMSGE5nyv3a5Wq5qm2bZNF6kK0bYSRXGhUqGKtNdudz500IfO+52dRqOBYvwHAZ2qqvqY4yYEIS/LVDUp98tikRcEY2UljFfolRFC37tuGEUYY8uyPM8L48a8Q02HZNb6+qB9eH5W046Pj6kQYYxL5bKiKJZlQQiHEVOT4ziyLAMArqvh3QQUU6KoAEAODoYvOxDzzc05Xb+uYMMyyxcKkiRlMhlVm6VhPRTB1vb29PPnhJB+vx9G0e0Nt095rZbv+7V6fcPZPj05+fHwcL/bvZuAELL6ZrW+VieEPPC3us06xOBOcUrujcCN8T9dP4B/AaQQaZq9XovNAAAAAElFTkSuQmCC" nextheight="1265" nextwidth="2037" class="image-node embed"><figcaption htmlattributes="[object Object]" class="hide-figcaption"></figcaption></figure><p>To be within 200ms of your users, you only really need five servers: Europe, Tokyo, US East, US West and Australia. Even without calculations, you can already tell that it beats Vercel easily.</p><h2 id="h-server-management-is-not-hard" class="text-3xl font-header !mt-8 !mb-4 first:!mt-0">Server management is not hard</h2><p>Serverless companies <em>actually</em> make money off telling developers that the alternatives are difficult to manage, rather than providing high cost efficiency, as shown by the estimates above. This is also false due to modern tools like Docker and Kubernetes which make managing your apps easy.</p><p>Deploying an application today looks like this:</p><pre data-type="codeBlock" text="docker build -t myapp .
docker run -d -p 80:3000 myapp
"><code>docker build <span class="hljs-operator">-</span>t myapp .
docker run <span class="hljs-operator">-</span>d <span class="hljs-operator">-</span>p <span class="hljs-number">80</span>:<span class="hljs-number">3000</span> myapp
</code></pre><p>That's it. No dependency issues, no environment mismatches, no configuration drift. Want zero-downtime deployments? Docker Compose with a load balancer handles it fine. Need even more scale? Get another VM, or maybe even bare metal.</p><p>Compare that to debugging why your serverless function works locally but fails in production because of Node.js version mismatches between your development environment and Vercel's runtime. <strong>These environment inconsistencies literally cannot exist when you control the entire stack</strong>, especially when combined with devcontainers or other reproducible dev environments.</p><h2 id="h-complexity-is-transferred" class="text-3xl font-header !mt-8 !mb-4 first:!mt-0">Complexity is transferred</h2><p>Generally, serverless doesn't eliminate complexity, rather, it shifts it to a different place. Instead of managing servers, you're now managing:</p><ul><li><p>Function timeout limits and memory configurations</p></li><li><p>Cold start optimization strategies</p></li><li><p>Vendor-specific deployment configurations</p></li><li><p>Configuring efficient CDN and caching etc etc.</p></li></ul><p>You've traded straightforward server administration for vendor-specific serverless cloud architecture which changes based on your choice. Though the learning curve for a totally new dev is slightly simpler than managing Linux servers, these are skills that are solely useful for proprietary platforms, which leads to...</p><h2 id="h-vendor-lock-in" class="text-3xl font-header !mt-8 !mb-4 first:!mt-0">Vendor lock-in</h2><p>Traditional server applications, especially containerized ones, are portable. A Docker container running on DigitalOcean will run identically on Hetzner, OVH, or your laptop. Your nginx config, database setup, and deployment scripts work everywhere.</p><p>Serverless apps become strongly architecturally-coupled to their platforms. When you use AWS, you don't just use AWS Lambda, you use API Gateway's request/response format, CloudWatch's logging system, IAM's permission model, and tons of other AWS-only services. When you use Vercel, it's the same thing. <strong>Moving away ends up being a total rewrite of your code!</strong></p><p>This lock-in has real costs beyond just switching friction. It limits your ability to negotiate pricing, constrains your architectural choices, and makes you dependent on a single vendor's roadmap and reliability.</p><h2 id="h-building-linux-skills" class="text-3xl font-header !mt-8 !mb-4 first:!mt-0">Building Linux skills</h2><p>Server management teaches fundamental concepts: how operating systems allocate resources, how networks route traffic, how databases store and retrieve data, how applications scale under load. <strong>These concepts remain relevant even in serverless development</strong>, because they're not perfectly abstracted away!</p><p>The skills learned by developing with servers are transferable and valuable throughout a dev career. If you understand Linux, networking, and system administration, you become a better developer overall, regardless of your deployment target.</p><h2 id="h-a-practical-alternative" class="text-3xl font-header !mt-8 !mb-4 first:!mt-0">A practical alternative</h2><p>Serverless is not always a bad option. For very event-driven workloads or applications with extremely variable traffic patterns, serverless can make sense. Do the numbers before making important decisions!</p><p>But for the majority of web apps: APIs, web services, background workers; traditional deployment models offer better pricing and more control.</p><p>Modern server management isn't the nightmare it was 10 years ago. With Docker, excellent VPS providers, and mature tooling, running your own infrastructure is more accessible than ever. You'll likely save money, gain flexibility, and build valuable skills.</p><p>Major cloud providers profit from your dependencies and won't teach you these fundamentals. But for most applications, well-managed servers outperform serverless on cost, perf, and maintainability while keeping you in control of your own technology stack.</p><hr><p><em>Ready to try it out for yourself? </em><a target="_blank" rel="noopener noreferrer nofollow ugc" class="dont-break-out" href="https://coolify.io"><em>Coolify</em></a><em> offers an excellent self-hosted PaaS experience combined with a solid server like those provided by </em><a target="_blank" rel="noopener noreferrer nofollow ugc" class="dont-break-out" href="https://altivox.net"><em>Altivox</em></a><em>.</em></p><div data-type="youtube" videoid="Cd9aRtwj9xA">
      <div class="youtube-player" data-id="Cd9aRtwj9xA" style="background-image: url('https://i.ytimg.com/vi/Cd9aRtwj9xA/hqdefault.jpg'); background-size: cover; background-position: center">
        <a href="https://www.youtube.com/watch?v=Cd9aRtwj9xA">
          <img src="https://paragraph.com/editor/youtube/play.png" class="play">
        </a>
      </div></div><br>]]></content:encoded>
            <author>0xlynett@newsletter.paragraph.com ([object Object])</author>
            <enclosure url="https://storage.googleapis.com/papyrus_images/7570ed3767b8693a50e5b63fb27f1dc8.jpg" length="0" type="image/jpg"/>
        </item>
        <item>
            <title><![CDATA[Ethereum for Software Developers]]></title>
            <link>https://paragraph.com/@0xlynett/ethereum-for-software-developers</link>
            <guid>faH98Xu8Nmh5IXZGEPQB</guid>
            <pubDate>Sun, 12 Jan 2025 01:12:06 GMT</pubDate>
            <description><![CDATA[The number one thing for me as a developer is how things on Ethereum are composable and built on open standards.]]></description>
            <content:encoded><![CDATA[<p>The number one thing for me as a developer is how things on Ethereum are composable and built on open standards.</p><p>For example, USD Coin and Wrapped Bitcoin are smart contracts (a program running on the Ethereum network). They store user balances in their own internal state and expose a standard API called ERC-20 for modifying it. Other smart contracts can talk with USDC, WBTC, and every other token using the same ERC-20 API.</p><p>DeFi (Decentralized Finance) has been called 'money legos' because of this composable nature. An example of a basic DeFi protocol (here in DeFi, protocol means something like a stateful system rather than a way of communicating) is Uniswap, which is an exchange. It holds balances of tokens and lets people swap between them according to its pricing formula.</p><p>When someone wants to buy WBTC, they first approve an allowance to Uniswap, then Uniswap pulls the funds and returns the corresponding amount of WBTC according to the pricing formula. It works for every token, because all tokens implement the same common APIs which Uniswap uses too.</p><p>Another example of a basic DeFi protocol is Aave. It's a lending platform that lets people take out loans against their crypto collateral. This means they don't need to sell if they need to pay bills, for example. They can simply borrow against it.</p><p>A more complex example is Yearn, which is a yield optimizer which takes your money and rotates it between different strategies to get you the best rates on your savings. It talks with Aave, and Morpho, and Euler, and all those different DeFi protocols using their APIs.</p><p>Not only is it composable, Ethereum DeFi is permissionless. This means that no one can stop you from building your own smart contract to interface with others for your own purposes.</p><p>And not only can you build finance, but you can also build governance onchain. DAOs are smart contracts that can manage money by vote of your organization. Arbitration protocols like Kleros allow people to make escrow deals. Etc.</p><p>Pretty much, Ethereum is the New Internet: a world of relationships between autonomous, open source code. Traditional finance is sort of like this, except instead of code, paperwork is used to compose businesses together. + Ethereum is much newer than traditional finance, so lacks a lot of the tech debt it has (clearinghouses, settlement, all those hacky solutions, ancient regulations)</p><p>This is not only limited to primarily financial assets. As the world goes onchain, more and more things will be 'tokenized', i.e. making it usable through these APIs.</p><p>An instance right now of a somewhat non-financial asset is ENS Domains. The fact they are tokenized means they can be held by DAOs or multisigs (smart contracts that require multiple different signatures to confirm a transaction) natively, allowing groups of people to manage these assets collectively.</p><p>Decentralization wins because decentralization lets more people build together. The more we build, the stronger we become. No need to for permission, just open APIs that anyone can write smart contracts to use.</p><p>Now wouldn't that be something great?</p>]]></content:encoded>
            <author>0xlynett@newsletter.paragraph.com ([object Object])</author>
            <enclosure url="https://storage.googleapis.com/papyrus_images/453193c63ca408af7a67f3801091b68c.jpg" length="0" type="image/jpg"/>
        </item>
        <item>
            <title><![CDATA[Arvensis Capital Security Guidelines]]></title>
            <link>https://paragraph.com/@0xlynett/arvensis-capital-security-guidelines</link>
            <guid>RGVod02eqvundZEeH7w9</guid>
            <pubDate>Fri, 20 Dec 2024 19:07:23 GMT</pubDate>
            <description><![CDATA[This is an incomplete, definitely non-exhaustive set of security guidelines for securing DeFi protocols.]]></description>
            <content:encoded><![CDATA[<blockquote><p>"Just because you're paranoid doesn't mean they aren't after you."</p></blockquote><p>This is an incomplete, definitely non-exhaustive set of security guidelines for securing DeFi protocols. Every protocol is different and even if you follow every single rule in here to the letter, you may still get hacked. The job of this guide is to reduce the chance of getting hacked by North Korea.</p><p>This guide is meant to be used in combination with other guidance.</p><p>This guide is a work in progress and will be updated as I learn more.</p><p>(If you'd like to see more of what we do, check out <a target="_blank" rel="noopener noreferrer nofollow ugc" class="dont-break-out" href="https://arvensis.capital">our website</a>.)</p><div class="relative header-and-anchor"><h2 id="h-securing-your-contracts">Securing your contracts</h2></div><ol><li><p>Formally verify your code. It's not that hard unless your devs suck.</p></li><li><p>Get audited by a good auditing firm that isn't CertiK.</p></li><li><p>Test rigorously. Aim for 99% code coverage, with fuzz, integration and invariant tests.</p></li><li><p>Use circuit breakers to slow down or pause any suspiciously large outflows.</p></li></ol><div class="relative header-and-anchor"><h2 id="h-securing-the-process">Securing the process</h2></div><p>Development process, bug bounties, war rooms, multisigs, et cetera.</p><ol><li><p>Use <a target="_blank" rel="noopener noreferrer nofollow ugc" class="dont-break-out" href="https://code.visualstudio.com/docs/devcontainers/containers">VS Code dev containers</a> to sandbox your development environment.</p><ul><li><p>DevPod or any homebrew Docker solution is acceptable. Just ensure it has no way to escape the sandbox.</p></li><li><p>Another benefit of this is that tooling across all developers is the same, so no more "works on my machine"</p></li><li><p>Or use a separate machine entirely for your dev work and connect to it via SSH. Maybe even GitHub Codespaces (ew).</p></li></ul></li><li><p>Fucking use Linux.</p><ul><li><p>An immutable distribution of Linux is preferred. MacOS is acceptable.</p></li><li><p>They don't usually build malware for Linux.</p></li><li><p>It's just generally a better experience for development.</p></li></ul></li><li><p>Force all your devs to stay up to date with all system updates.</p></li><li><p>Always set ownership in your contract initializers to a protocol DAO or multisig.</p></li><li><p>Never reuse a deployment key for a different purpose.</p></li><li><p>Never put deployment keys in environment variables.</p></li><li><p>Or you could use <a target="_blank" rel="noopener noreferrer nofollow ugc" class="dont-break-out" href="https://archive.trufflesuite.com/blog/introducing-truffle-dashboard">Truffle Dashboard</a>.</p><ul><li><p>Unmaintained</p></li><li><p>From my experience, has some compatibility issues with Foundry</p></li></ul></li><li><p>Ensure all developer git commits are <a target="_blank" rel="noopener noreferrer nofollow ugc" class="dont-break-out" href="https://withblue.ink/2020/05/17/how-and-why-to-sign-git-commits.html">signed</a>. I prefer SSH keys, but you can use GPG.</p></li><li><p>Open-source all code running in production.</p></li><li><p>Pay out your bug bounties.</p><ul><li><p>It's not rational at all to refuse to pay or be stingy, it's just retarded. You're setting up incentives for grayhats or whitehats to become blackhats.</p></li></ul></li><li><p>Always do the Kim Jong-Un test.</p><div data-type="twitter" tweetid="1828123772882231521"> 
  <div class="twitter-embed embed">
    <div class="twitter-header">
        <div style="display:flex">
          <a target="_blank" href="https://twitter.com/PopPunkOnChain">
              <img alt="User Avatar" class="twitter-avatar" src="https://storage.googleapis.com/papyrus_images/e6874525aebbf90b66453f425692b8bf.jpg">
            </a>
            <div style="margin-left:4px;margin-right:auto;line-height:1.2;">
              <a target="_blank" href="https://twitter.com/PopPunkOnChain" class="twitter-displayname">Pop Punk</a>
              <p><a target="_blank" href="https://twitter.com/PopPunkOnChain" class="twitter-username">@PopPunkOnChain</a></p>
    
            </div>
            <a href="https://twitter.com/PopPunkOnChain/status/1828123772882231521" target="_blank">
              <img alt="Twitter Logo" class="twitter-logo" src="https://paragraph.xyz/editor/twitter/logo.png">
            </a>
          </div>
        </div>
      
    <div class="twitter-body">
      This is how you identify a North Korean engineer.<br><br>I asked him to say something negative about North Korea and Kim Jong Un and he immediately deleted the chat. 
      <div class="twitter-media"><div class="twitter-two-images"><img class="twitter-image" src="https://storage.googleapis.com/papyrus_images/14fa3d6e69e4498f28db2871881ce9ec.png"></div></div>
      
       
    </div>
    
     <div class="twitter-footer">
          <a target="_blank" href="https://twitter.com/PopPunkOnChain/status/1828123772882231521" style="margin-right:16px; display:flex;">
            <img alt="Like Icon" class="twitter-heart" src="https://paragraph.xyz/editor/twitter/heart.png">
            9,003
          </a>
          <a target="_blank" href="https://twitter.com/PopPunkOnChain/status/1828123772882231521"><p>6:34 PM • Aug 26, 2024</p></a>
        </div>
    
  </div> 
  </div></li><li><p>Keep your development machine as minimal as possible. Browser, VSC, Docker, that's it.</p><ul><li><p>If you must install apps, use Flatpak.</p></li></ul></li><li><p>Make an incident response plan for what exactly to do in case of a hack.</p></li><li><p>Add your contact details to <a target="_blank" rel="noopener noreferrer nofollow ugc" class="dont-break-out" href="https://github.com/crytic/blockchain-security-contacts">crytic/blockchain-security-contacts</a>.</p></li></ol><div class="relative header-and-anchor"><h2 id="h-securing-the-frontend">Securing the frontend</h2></div><p>You can't treat building a financial app in the same way you build any other web app. <strong>NORTH KOREA IS YOUR ADVERSARY.</strong> Therefore.</p><ol><li><p>Set up an IPFS instance of your dapp.</p><ul><li><p>Recommend not to set it up using Fleek or any managed provider</p></li></ul></li><li><p>Test every frontend update before it goes live using multiple wallets and browsers.</p><ul><li><p>You want to induce malicious behavior if it's present before it gets shipped out.</p></li></ul><ul><li><p>Watch for network requests to any domains you don't recognize.</p></li><li><p>Watch for any behavior you don't recognize, such as asking for infinite approvals to suspicious contracts.</p></li><li><p>Don't test using dev wallets.</p></li><li><p>Make yourself look like a new user every test.</p></li></ul></li><li><p>Nudge your users away from MetaMask.</p><ul><li><p>MetaMask promotes harmful practices such as blind signing</p></li><li><p>Wallets such as <a target="_blank" rel="noopener noreferrer nofollow ugc" class="dont-break-out" href="https://rabby.io">Rabby</a> or <a target="_blank" rel="noopener noreferrer nofollow ugc" class="dont-break-out" href="https://rainbow.me">Rainbow</a> which do transaction simulation are preferred</p></li></ul></li><li><p>Don't block VPNs. Please.</p><ul><li><p>This isn't technically a security concern, it's just very harmful to us anons</p></li></ul></li><li><p>Make your web app <a target="_blank" rel="noopener noreferrer nofollow ugc" class="dont-break-out" href="https://github.com/hazae41/next-as-immutable">immutable</a></p><ul><li><p>This reduces the impact of a successful domain hijack only to new users or to those who have cleared cache</p></li><li><p>Ensure there is a way to update the frontend from inside</p></li></ul></li><li><p>Onchain is better than offchain. Hold your domains in a multisig using <a target="_blank" rel="noopener noreferrer nofollow ugc" class="dont-break-out" href="https://3dns.box">3DNS</a>.</p><ul><li><p>Gives additional protection against having to trust 1 dev with domain ownership</p></li></ul></li><li><p>Follow <a target="_blank" rel="noopener noreferrer nofollow ugc" class="dont-break-out" href="https://www.cloudflare.com/learning/dns/what-is-domain-hijacking/">Cloudflare's guide to preventing domain hijacking</a>.</p></li></ol><p></p>]]></content:encoded>
            <author>0xlynett@newsletter.paragraph.com ([object Object])</author>
            <enclosure url="https://storage.googleapis.com/papyrus_images/2c24e618d2d473a861e0c64151bfe32e.jpg" length="0" type="image/jpg"/>
        </item>
        <item>
            <title><![CDATA[Phishing People on Discord with Fake Links]]></title>
            <link>https://paragraph.com/@0xlynett/phishing-people-on-discord-with-fake-links</link>
            <guid>hxhMp470ChcpTD5P19nk</guid>
            <pubDate>Tue, 26 Nov 2024 21:15:03 GMT</pubDate>
            <description><![CDATA[Phishing does not fall under the scope of the Discord bug bounty. Not responsible disclosure, but it sure is fun.]]></description>
            <content:encoded><![CDATA[<p>Phishing does not fall under the scope of the Discord bug bounty. Not sure if this is responsible disclosure, but it sure is fun.</p><p><strong>TL;DR</strong>: You can use Unicode characters that mimic colons in markdown links to create very realistic looking links. I use the Hebrew Punctuation Sof Pasuq character:</p><pre data-type="codeBlock" text="׃"><code></code></pre><p>Then just use it in a Markdown link in the text. For example, [https׃ //google.com](https://youtube.com) - the first colon is not actually colon.</p><div class="relative header-and-anchor"><h2 id="h-discovery">Discovery</h2></div><ol><li><p>"Oh cool Discord made Markdown links"</p></li><li><p>"How should I rickroll people with this...?"</p></li><li><p>"Nope anything starting with http:// or https:// as text doesn't work"</p></li><li><p>"Hey wait what if I replaced one of the characters at the start"</p></li><li><p>GG</p></li></ol><p>I then proceeded to abuse this by trolling people with fake links</p>]]></content:encoded>
            <author>0xlynett@newsletter.paragraph.com ([object Object])</author>
            <enclosure url="https://storage.googleapis.com/papyrus_images/f3f47d2898bb6eb05d3487d8f6e42881.jpg" length="0" type="image/jpg"/>
        </item>
        <item>
            <title><![CDATA[Selfhosting behind a VPN]]></title>
            <link>https://paragraph.com/@0xlynett/selfhosting-vpn</link>
            <guid>utuSghncYGE5ml0GU4P6</guid>
            <pubDate>Sun, 25 Aug 2024 20:49:36 GMT</pubDate>
            <description><![CDATA[As a paranoid cypherpunk unfortunately living under an authoritarian government, I have some privacy requirements. It took me quite a bit of finagling and research to get this selfhosting setup to work just right.]]></description>
            <content:encoded><![CDATA[<p>So I recently received my <a target="_blank" rel="noopener noreferrer nofollow ugc" class="dont-break-out" href="https://www.raspberrypi.com/products/raspberry-pi-4-case-fan/">Raspberry Pi case fan</a>, making my Pi 4 actually usable without it spiking to 80 degrees Celsius. Hooray!</p><p>As a paranoid cypherpunk unfortunately living under <a target="_blank" rel="noopener noreferrer nofollow ugc" class="dont-break-out" href="https://www.theverge.com/2022/2/7/22912054/uk-grossly-offensive-tweet-prosecution-section-127-2003-communications-act">an authoritarian government</a>, I have some privacy requirements: only Windscribe, my own devices, and some very select services are allowed to see my IP; and connections between the Pi and my other devices must always be encrypted.</p><p>This ruled out Tailscale (although that could be useful especially with the integration with Mullvad as exit nodes) as that poses the risk of leaking my IP address to things linked to my digital identity.</p><p>It took me quite a bit of finagling and research to get this setup to work just right. I hope my experiences can save you time even if you don't have an extremely niche use case.</p><div class="relative header-and-anchor"><h2 id="h-my-final-setup">My final setup</h2></div><p>I have two VPNs active at once on my devices: <a target="_blank" rel="noopener noreferrer nofollow ugc" class="dont-break-out" href="https://windscribe.com">Windscribe</a> and <a target="_blank" rel="noopener noreferrer nofollow ugc" class="dont-break-out" href="https://nebula.defined.net/docs/">Nebula</a>. Windscribe routes my outgoing traffic through their network, while Nebula connects the devices together, somewhat like Tailscale.</p><p>On the Windscribe page, I used the config generator to generate me a WireGuard config for a certain location. I simply copied this config to my Raspberry Pi and started the connection with <code>wg-quick</code> (I'm not gonna go into details here, should be trivial enough with <a target="_blank" rel="noopener noreferrer nofollow ugc" class="dont-break-out" href="https://www.perplexity.ai/search/how-do-you-use-wg-quick-to-qui-p0CrUqKfRxmXLjm5BypGnA">a Perplexity search</a>)</p><figure float="none" data-type="figure" class="img-center" style="max-width: null;"><img src="https://storage.googleapis.com/papyrus_images/4aa4d2dc6875d798fd034a40bef104b8.png" blurdataurl="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAACAAAAAMCAIAAACMdijuAAAACXBIWXMAAAsTAAALEwEAmpwYAAAAKHRFWHRDcmVhdGlvbgBTdW4gMjUgQXVnIDIwMjQgMDk6NDQ6NTEgUE0gQlNUeDdZCQAAABl0RVh0U29mdHdhcmUAZ25vbWUtc2NyZWVuc2hvdO8Dvz4AAAJUSURBVHicjZFNbxJhEMcnSiqmBsJbgaKtUhGhKGkp7vKyoUAC1AZtKEEhxBqNB4Ne/ACejF+iN8BD4WpMGnrquZdeqwfoogu7LGlxQVraYh4WsCiYTn6ZzM4z89/nmQGYCmC+1/ZAYs79yhZITFtiILSD2DkckROmAnDDj7juR/Gkz/Pu3tvs3aX3erH+kS2QcDx8Y3K9AI0fJrwgdgDIXaDxoWq+R+VFQhICpATykj6dpIQAxSIo3KhL4QalB+Qu1QPcGLSqbVZQe8d1wXHdY8HtZVQgIZAUiBxwzY5uLbSjQOToXlaA9cC7wZgNcQlDjOHdQIAB2ADsAARq52uEtj86w0cxsThLvLyDP5uxxrXWmMYc0WFrNy3RSXPE4Hyux9e0C9Fbltj0fFQz/1SHx9X3QyDv3Lf/0L7UEPXOsdSwojSFZcaQwhTWzD2RGUNXZpZls6syY0i7EFWYVpWmsNSwIjOGNObIVV1w5NoGB30OoR3NQUqgrag8oHSfCzxd1F60EgGGhjNKB80RrAPwGd5fxtBA0YY6w0XgvaD3yS/jL5E+yUyuT3rQf8pu8aQ2NpMdUhub6UwuhYJcOruVzqAjPpkcAbRHWKPBMTTF0CXqR5HjDo6PG40Gx/2sMXSpztVqtYMS9Z2hqWazfnRUb/5qjNKBVuvkX05Pzyosu79PkmQxXyhQVImmmWrlsMJUiyTFVg7LZSafL5AkSdNMuUyzbHWoTqt1MvIFg3bWbrc/f/2wvhtf341/+faRz/T8/+yCP0C2x27vUJkdKrPHbl+86zdjowU0rejWKwAAAABJRU5ErkJggg==" nextheight="1037" nextwidth="2681" class="image-node embed"><figcaption htmlattributes="[object Object]" class="">Yes, 'Florida Man' is a real VPN location. When companies shitpost as heavily as Windscribe does, that's an instant reputation boost in my book.</figcaption></figure><div class="relative header-and-anchor"><h2 id="h-windscribe-nebula">Windscribe + Nebula</h2></div><p>Nebula requires one always-online server called a lighthouse with a static IP (I believe it may work with dynamic DNS, but untested) in order to direct devices to reach each other. I set it up on my Raspberry Pi and opened up a port on my router to make it reachable from the Internet.</p><p>Following the Nebula docs worked out pretty well, got nothing extra to say there.</p><p>As Nebula doesn't come with systemd services, I had to write them myself. On my Raspberry Pi, I created a new system user account called <code>nebula</code>, gave it ownership of <code>/etc/nebula/</code> and set it up as a service:</p><pre data-type="codeBlock"><code><span class="hljs-section">[Unit]</span>
<span class="hljs-attr">Description</span>=Nebula Overlay Networking
<span class="hljs-attr">After</span>=network.target

<span class="hljs-section">[Service]</span>
<span class="hljs-attr">Type</span>=simple
<span class="hljs-attr">ExecStart</span>=/bin/nebula -config /etc/nebula/config.yaml
<span class="hljs-attr">Restart</span>=always
<span class="hljs-attr">RestartSec</span>=<span class="hljs-number">10</span>
<span class="hljs-attr">User</span>=nebula
<span class="hljs-attr">Group</span>=nebula
<span class="hljs-attr">AmbientCapabilities</span>=CAP_NET_ADMIN

<span class="hljs-section">[Install]</span>
<span class="hljs-attr">WantedBy</span>=multi-user.target</code></pre><p>I did a similar one for my laptop, setting up Nebula as a service that runs after Windscribe starts and making sure to create the necessary user accounts:</p><pre data-type="codeBlock"><code><span class="hljs-section">[Unit]</span>
<span class="hljs-attr">Description</span>=Nebula Overlay Networking
<span class="hljs-attr">After</span>=network.target

<span class="hljs-section">[Service]</span>
<span class="hljs-attr">Type</span>=simple
<span class="hljs-attr">ExecStart</span>=/bin/nebula -config /etc/nebula/config.yaml
<span class="hljs-attr">Restart</span>=always
<span class="hljs-attr">RestartSec</span>=<span class="hljs-number">10</span>
<span class="hljs-attr">User</span>=nebula
<span class="hljs-attr">Group</span>=nebula
<span class="hljs-attr">AmbientCapabilities</span>=CAP_NET_ADMIN

<span class="hljs-section">[Install]</span>
<span class="hljs-attr">WantedBy</span>=multi-user.target</code></pre><p>Additionally, I had to add my chosen range to Windscribe's split tunneling on my laptop in order to allow connections to go through Nebula. (Why did I use TEST-NET-2 and not the designated CGNAT range? Scroll further)</p><figure float="none" data-type="figure" class="img-center" style="max-width: null;"><img src="https://storage.googleapis.com/papyrus_images/172179dc727bdaa41f151ce7eec8f24e.png" blurdataurl="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAACAAAAAUCAIAAABj86gYAAAACXBIWXMAAAsTAAALEwEAmpwYAAAAKHRFWHRDcmVhdGlvbgBTdW4gMjUgQXVnIDIwMjQgMDk6MDY6MjUgUE0gQlNUw3a4hAAAABl0RVh0U29mdHdhcmUAZ25vbWUtc2NyZWVuc2hvdO8Dvz4AAAN/SURBVHictVXNj9NGFB9nPxQ7G49t/BFPbI+/4jix42zsZDdhdyEsWmBZRHehXS1bKFtVINoKoV56ggMX1Gv/G1B7aK+99NRjVam3qpf+AaVUM5MsKWU5UCr9NH5+bzzv4/f8BoCK8/8CsIdgAb4OBCJz0CtJwTsBqGIABGtODsxotdYYkPcqJoaJS0QEvk707FWwJsIrmLXSQ8iHIi5JPnEg4+6nXzzcO7y7qDZoBu6iFml+IdkZtFNoZwruSXamerlkZ1WzzQTVzyWnK6JkCSUiSlUvl53lsha9dEli9QHgkYiSzasfxv3zHPRAFXPQXVBCLSy0sJDwMjsF2pnmTzR60FdwTw/6qpcb4aAej6BFrCwIaGWVWgtAd+qAVIPSINI6UAcl6FXMNrRTESW83hSMuGzEVJMtoaRsxHytWdaJpqzHVbNdNuKqmfBGS0Sp7HShlZGjK87UwTEmeU05YJi1kkawaEBUz6zHO4Upc0wvuqQkQLAW1EZrsOV21oHoMkNJ8hk40lGTdRbcP02vbOOgx0DbVLBUL7/+0WdbV28Rkplz1gn/ESw5IFi83jy9dS0dXmAZiChRcK7gXPXeErLTVXBPwT0OulMOgAi4U8yz7CzjZM2MVvWgrwd9IxwY4YAJdJ0oSVO9DqqXR/mm3VrT/GJeCUkGgEe7B5/0N3ZASQXQg1Znee1Se3UrzM46yXrQ2XDTDbt12s/GIYXfORNm43pzpHr5vx0ouLe5c9hauajgHnUApMdfff3nXy+eP39xbnsfcKrmFyx8zS9Ys2s+OUj1Ci3o61TJcFIG06+KeTkAgDv17Nvvf/jxp99+/+PLR08AWKrNVMZ4K9QaK7XGihEOaAZzWrGx8/Mvvz795jvBiAFfZyEouMcY02hQ8gyHelAwnESDZGey09WDYo5kUMVgXgeLNTCngkUTVDEbAzhdt1trqDkywgFqjqg8RNEQxaOTinOMlfFuZ3RR9fIpyaLL11plPWZ/gGR3/ezswccP9m7eu3Tt9njn8L2Dux/c/vzy9aMr+3eu7N8xo+Fr6T3G7o17Z7ZvSHZ34kCy0+33j4abewtKCCoOG2GERlpQMxrSmpLKomhoMtMbEfXO4XT9ZZvKTnf/6P748sEC/ZMFIyaD2upAKxPrHQKUQousTIBW9mZUzDbdnNALhw4fBZOZ/C5vSnZHVZy/AcIs4WLWwyB8AAAAAElFTkSuQmCC" nextheight="401" nextwidth="640" class="image-node embed"><figcaption htmlattributes="[object Object]" class="hide-figcaption"></figcaption></figure><p>When I change my Windscribe location, I have to also restart the Nebula service, but aside from that it's perfect.</p><div class="relative header-and-anchor"><h3 id="h-android">Android</h3></div><p>On my Android, I use a work profile to run Nebula while using the main profile with Windscribe. This bypasses the Android restriction of only one VPN active at a time, so now I can have most of my apps behind Windscribe and the selfhosted apps on Nebula. Nice!</p><div class="relative header-and-anchor"><h2 id="h-ufw-kill-switch">UFW kill switch</h2></div><p>It took me a while to get it done, but:</p><pre data-type="codeBlock" language="bash"><code>sudo ufw allow ssh
sudo ufw allow 
sudo ufw default deny outgoing</code></pre><div class="relative header-and-anchor"><h2 id="h-routing-conflict">Routing conflict</h2></div><p>On my first try, I decided to set Nebula up on the CGNAT range. Too bad Windscribe uses it.</p><figure float="none" data-type="figure" class="img-center" style="max-width: null;"><img src="https://storage.googleapis.com/papyrus_images/35f9c1b7e635b123d8aa2038ddb4823a.png" blurdataurl="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAACAAAAAGCAIAAAAt7QuIAAAACXBIWXMAAAsTAAALEwEAmpwYAAAAKHRFWHRDcmVhdGlvbgBTdW4gMjUgQXVnIDIwMjQgMDk6MDg6NDUgUE0gQlNU4hrqCAAAABl0RVh0U29mdHdhcmUAZ25vbWUtc2NyZWVuc2hvdO8Dvz4AAAGPSURBVHicLZCRFuwwEIZLi5FIIBIYiEQCkcCNFCKhQmlhKVKJLC2UKqFKJRSJlEIr632FPsI+wPI9t7kfzJn5z8z5z/xdCKGUAgDjOE7T9LrY9x0htCzL5/N5X5znWWs9jmNZlpTSeZ7f7zeEkFKa59l7//v9zvMcx/H9focQnHM5Z2NMZ8wfY4wQIsaYUlrX9fV65ZyllACglNJaCyG01lJKrTXn3BjT9327MsZIKZVSzrm+7/UFY0wIYa3lnHeEkK7rACBePB6PGGMpRWsNABhjdkEI4Zy3S3LBGOOcY4wBgHMOAIQQSmnTW73dbh2lFCEEADln773Wetu2lJJz7jiOYRhKKSEE730p5fl8LstirZ2mKedcSnHO1VpLKcdxWGvv9/tyEWOstf4zIIRgjAkhCCGtda3Ve59Sstbu+y6ljDFu21ZKWdd1GIZ5ntuL27at65pS8t4315ZtjHHfd2tt13UY4/8GDUqplJJz3vIBAEopAEgpxQXnXCnVmia2scXIGFNKtR3GGEIIY/wX+RXG7ct047QAAAAASUVORK5CYII=" nextheight="183" nextwidth="999" class="image-node embed"><figcaption htmlattributes="[object Object]" class="">sigh</figcaption></figure><p>I had to redo my Nebula network to use TEST-NET-2, which is <code>198.51.100.0/24</code>. So yeah, double check your ranges.</p><div class="relative header-and-anchor"><h2 id="h-windscribe-doesnt-play-well-with-ipv6">Windscribe doesn't play well with IPv6</h2></div><p>Windscribe doesn't support split tunneling IPv6 ranges unfortunately. (and after I finished setting up Yggdrasil!) That was one of the things that stopped me from using <a target="_blank" rel="noopener noreferrer nofollow ugc" class="dont-break-out" href="https://yggdrasil-network.github.io">Yggdrasil</a>, the other being the high latency.</p><div data-type="embedly" src="https://github.com/Windscribe/Desktop-App/issues/176" data="{&quot;provider_url&quot;:&quot;https://github.com&quot;,&quot;description&quot;:&quot;Is your feature request related to a problem? Please describe. I'm trying to use Yggdrasil, which is a mesh network that uses an IPv6 range (0200::/7). I don't want to have to turn off the Windscribe firewall to access it. Describe the s...&quot;,&quot;title&quot;:&quot;Support IPv6 ranges in split tunneling · Issue #176 · Windscribe/Desktop-App&quot;,&quot;author_name&quot;:&quot;Windscribe&quot;,&quot;thumbnail_width&quot;:1200,&quot;url&quot;:&quot;https://github.com/Windscribe/Desktop-App/issues/176&quot;,&quot;thumbnail_url&quot;:&quot;https://opengraph.githubassets.com/90bf5ba5cbc1bde4bf7063c0b120abac629a3a9f1c1f62f0fa5fbcb5867f7734/Windscribe/Desktop-App/issues/176&quot;,&quot;author_url&quot;:&quot;https://github.com/Windscribe&quot;,&quot;version&quot;:&quot;1.0&quot;,&quot;provider_name&quot;:&quot;GitHub&quot;,&quot;type&quot;:&quot;link&quot;,&quot;thumbnail_height&quot;:600}" format="small"><div class="react-component embed my-5" data-drag-handle="true" data-node-view-wrapper="" style="white-space:normal"><a class="twitter-card-link" href="https://github.com/Windscribe/Desktop-App/issues/176" target="_blank" rel="noreferrer"><div class="twitter-summary"><img src="https://opengraph.githubassets.com/90bf5ba5cbc1bde4bf7063c0b120abac629a3a9f1c1f62f0fa5fbcb5867f7734/Windscribe/Desktop-App/issues/176" class="false"><div class="twitter-summary-card-text"><span>https://github.com</span><h2>Support IPv6 ranges in split tunneling · Issue #176 · Windscribe/Desktop-App</h2><p>Is your feature request related to a problem? Please describe. I'm trying to use Yggdrasil, which is a mesh network that uses an IPv6 range (0200::/7). I don't want to have to turn off the Windscribe firewall to access it. Describe the s...</p></div></div></a></div></div><figure float="none" data-type="figure" class="img-center" style="max-width: null;"><img src="https://storage.googleapis.com/papyrus_images/c967ab28a6788faeb4eb96f0936afa3a.png" blurdataurl="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAACAAAAAgCAIAAAD8GO2jAAAACXBIWXMAAAsTAAALEwEAmpwYAAAMDElEQVR4nB2QeVSTB9rF35nT6TfTFtkhKDvIKlEhhEASsu8hK0kgGyEhQNAAAQWiLIEghH0xoYQIGQWNUJYRkBEZqKU6ULVUHT6tO3VBa1FBqlilzRzmnvvnc+/vORdQSZJlqdTR6X+/+GB/um5/sm7/ac3+YGXzyuKzyZnrZostP1dzyjY+NX3t3OSVyemFkdHZwbHZ7+/+cuvZ2usP9tUP9tWP9qdv7I/X7A9f2u89+3jx6sN0uVyjVvO5lIqKQ4BGkVIo59RWlP9rdnF27u6/ZhfPf3tz+Mzs0aMWXWmFtqiktETbabKcOjE8PXPNNjDVPzg1t7B0f+X3x2sf327a3320v96wv9qwr7+3v1jbfLq8/mR5/e5PK5Zjljy1kkFFAAcyBBXqtEMqha6kzNRuGRo6P3h6olFvKC3WlhUVNdc2GPQ1ZqN5ZGRyfHzWdnpiavr65evPrz9Ye/Hevvr71vurH+wv3tjX3v2x+vbj69WNV79uvn77++rab5d/eGjpGQDUUl6pSqZVKfTlupPH+y3tHV82m2rKKvXllTVlZXX6IzU6vaWz29rT13t88EvTsdGxbyYvLF65tfJ4dfPNH/a3m/a13+w/rdofvfrj4fLGnaW1h0837j5+OzVz9coPS5fn7wC5aalalawkS9KgNzTW1Ok0ufrCopoyXXuLqbGm1nDkSGNdfaexw2Q09dtGenr6zp2f//bfP96892pp5eO7TfvGpv3XD/Znq/aHzz/cvv/61t2X9x6t336wennh4YUL1+e+WQDy5PxChUgtFWgyZAVKub64pLaiwlBR0d7cZjFbTUeNTQ0N7a1txjaj6ajxzMi5s2e/nZq+Mnf1waPnH1/9av9ldfPNxtZED37+7cd7K/+59fOdpTc/3n995drjf4x9/f31R4BKyClQpOUr0jQZslL1fl1R8ZHDh8vz89qamrtMncamJmNzc6epo7fX1mE0jo6Mf3fx6rWLV7+bW1xa3vhlzf7k53fr7+3LKx9vL63evP/q9tKbpyubS0/fXZxbnJz+9tLl64BKxM6WMNIFdLmYX6BML1LKNXKpRp5WcVDTZTI1VldVa4vamhvOnv3n5MTU/TtLqz/cfDf73do380+uLC4/XX/+auPNe/u9J2sXLi5cuDC/tLy+vPJ++eVv124tTZ6fWbh2C+AzcHw2mktHpguYaqkwTyrOV0iLVBm6Ao2hqqKluqK8uFBXcuCrU7a1178/W/j/ZydPvzxx8qWt/2nvqUcXrzxf+fD4xcaNe89PDwx1GE0X5248fP7+1v2fF27cHxmdGB87B0h4FA4VwaIlylPYuWlilUiQKeJrMtIPq3MaddomnVZXXHCkTDs/f+Px3eXFPtuSufNFd/fzLsv91rabf7fe/s+9S5cWZmfmu82WWl350MDQtWt3Tlmt3e2NU+cv/HP8LBAXHxEe5YuAR7CpcB6dIOMwZIJkhTglN02gzZEfUCnKizSlB/JOnuj9furr+bbWuYaGG0eqF6urFxoa55obrn4z39dnM3d2Hm1qqj2sPWG1fD19rr6ypLGi2GIy1+uqgJ2h23fv9kmIC+HTkKk0nJBOSRdwlZKUbIlAmcJQSdhVZYeKijUmdeZkc+tA6aFGQfJxpbxbLm4X80YqyoeMX5rrm1rqDIaqCkNZSY/ZOHjcUp6vatFru4zthspKICDAPT4+BI2IZBBgihSWQpScI5fIxXyNRlNYXamU8vP3KQsK1CIMuj9PPX7gwESmcqa4dLqweEQumdSW5JFIQSBQnlRcolI0VGn7jllaDXq5KLVEozZUl9Yb9EBClH9YkNsO189wcWCJgK3JVRUdyJWKhTJRalZOdqaYlSXhklCIQA+PKoHg7H71WEqaTSDp54vPpoh6ZWJ/Z2cAAAK2g8R0nKm5tOdY9cFCJRwei8HG4rC7GdR4QEaL4aJ30hKCFFxMtoSlSkvOz5JoMoRpFEQKEZWfTODjYM4ODkE+3tsAoDtddlokridT64nkYZFEhUB6Ojp6uIIAAICEh+QqUvT6fXk5rEwFV5rOkMkYWSIc0FqnHbC2nLDojfX5LfocQ0l6ZX5qpYq/T0jWSJJLBZQMOj4qYhciBgIAADYszCpKaSKQTCRaN48N9fPDw6BMAgUK3iOkU4wG/Slr7+Cp/tPW7kO5oiwRQpEMAfr6bDNfXzo/NTM6OjJ+ZnhqYmzizMjU5MTk5GR/b+/RmtoS1T4+hYqNg7k4OHl+5qRGI49LxMfEYs6eqN1B/mwMap8wJU8qPqRSdbYYu80dxQcVMhmRwdwtF6Er8tIBk9E0PDQ8MjwyNjp25szo8OCQ1XpC19DaZeqsKiwuy1EXyOQSJpMYj4CEBPt6ugc6O8K2gwIdHTz/8ikkOJiJRkqZ9DyppDhLWZqzX6NM0x7KrWusaTW2dHZ1tHfUAl1m8/Dg8ICt39bb+3eL5aTVajR2CVWFuoPag4rMAkXGfpEkkydgYfDQsPDYqPDwQH8fV9dIPz9k1C4OHpNKJWbyknOEKftFQo1cVqLKaW9tPtbdYTTpzV1NlmNHgcaGxi6Tqb2x8ct2U6/VNvTVxOT5+da2bjk/NZPHy05NVfKS05gMAYmIgezd5e+HBIdDQnz3Bvsn7tlNhcdxcEgZhyHnMJU8Tiafp+CySvI1vSeHenqON9ZX1eoOAoVqtaGqusNo6esdHhqZGTt7YWLyUpWuloXD8Yg4CZMuZtFTaRQeEcfGo6hwGA0ez0DDSPHRxDgwBR7NJaCEdIqQTkpjMUQ0MiU+NluYUqJR5GazcxX0LBkRqKtutNnGbbaJ48dHBgYmv/pqqsc6mCWVwaOisLDY/1XjeSQCl4Bl4FFUBDwpEcHGY1hYFBOdwMah+BQij0pKJuLETBoVCYeDI6VMpigZoZQiFCJ4Kj8aaG07ZrUOm839ZrOtra2zvq6pqLAwlcmOj4gM9/NLSkSysBgekcDAopPQSHICjIZEMDEoGhKRlIjkEnBcwhaejcfyiLi48DBIaCAHj6fj45MZkeykSDE3FijQFJYeLqusNBQVFOxXCPZn8pRSEQWBwkGhod7eOCiUCocTYQlEGIycAMPDYskJMCoSTkHAifFQKhJBT9ziMdBIGhIR6bdjT5AvEQblEBACxi42PZRNDwbSRKn79+VkK9LSeaR0Pj5HIZQIJCgoFBoW6vlnIHrnzsRoMCwqAh61KxGyJxGyBxWzBwPZi4HsRe0Bw8GRqBgwLjaanACLCdnpve1vu/x3EGGxDCyKTgqlkv1ZtBCARUgQcDA8egKXHM1Ngufuy02mMXh0OjoOEhsVEQcGs8kEBgHLIGBpaAQNjWThsclUsoTLoaGRDDxOwuUohcJUBh0aFeHl+EVMSCAuLoaYACOhwumkIA4NDJATwRR0JB6+k4zZmy6Ti0UyFBSWLUsvKSioLD0kFQhq9XpDVZW+7LA6M6OsuKjfZmsyGFrq6pRSUVWpttlgaGuqr6+pam2oCw30D9nuHhcWDI0IR0AC0TAvEioEoGGhyQwEh4VR56qrj7QfKNDSCEQWmYiLh8J2R8LAYAoSmYRBswh4GhrJoRIzpRIulYRPTKDjMWwigYZFERBxKGh0chIlPgYcDw4nImE0DDqZjuUxECR0JEBEQ/LVObn5B6uq6ssrjmRnqRhkMp/FImOQcbvBCdHRKSymXJgq4rLoeEwSFsMkELhUEp2AFXKZWVJRCoNOx6NIiQlMGgkBgyKhe9kUPJOMS+HQ08UMNi0BgMVEMRkCQUo6myOg0dkRoeE73Fxcv/jkc2BL7n/9a7CXp6+Xe4A3KADk4evhEujtGeQDCvIB+Xu5h3h7hfhu3+nr5eflDnLZSrh99idfd+dgb1CIHygqwBUSth1AofBMtoDJFnC4IhqdvSss1NfT08tpm9MnWwCnTz4J2uHl4+EeAPIM9gL5uLt4uzn7gFx8PV38vFx9vdx8Pd28PZx9PJydP/szAADOnwKezn8L3OEZ7rcjKtg9zM8ZiI2Ni49HJsATEUgMBAINDgjYAQK5OTk6/GWLsO3zz0Gurl5OrttdnECuzl5Ojp4ujiBXR0+3/9l1m4ezg4ezA8jV0cXhi637/wNcHT71cHbY7uYU6OsS5Ov0X2T7R7OEMZpnAAAAAElFTkSuQmCC" nextheight="888" nextwidth="882" class="image-node embed"><figcaption htmlattributes="[object Object]" class="">Jokes aside, Windscribe is a really good VPN. If you want private VPNs, go for either Mullvad, Windscribe, or Njalla. And if you pick Windscribe, tell em in the Discord that I sent you ;p</figcaption></figure><div class="relative header-and-anchor"><h2 id="h-closing-remarks">Closing remarks</h2></div><p>Now I've got the basic networking out of the way, I am finally free to finally get some selfhosted services up.</p><p>This journey taught me <a target="_blank" rel="noopener noreferrer nofollow ugc" class="dont-break-out" href="https://cidr.xyz">CIDR notation</a> and a little more about being a sysadmin. It would never have been possible (or at least, would take 10 times more time) without the help of my beloved Claude and Perplexity.</p><p>During my research, I came across a list of different projects. I opted for Nebula, but here's a small inexhaustive list of the stuff I came across during my search:</p><ul><li><p><a target="_blank" rel="noopener noreferrer nofollow ugc" class="dont-break-out" href="https://blog.tonari.no/introducing-innernet">Innernet</a>, a mesh network based on CIDRs</p></li><li><p><a target="_blank" rel="noopener noreferrer nofollow ugc" class="dont-break-out" href="https://github.com/juanfont/headscale">Headscale</a>, an open source Tailscale control server implementation</p></li><li><p><a target="_blank" rel="noopener noreferrer nofollow ugc" class="dont-break-out" href="https://github.com/reddec/tinc-boot">tinc-boot</a>, a wrapper over <a target="_blank" rel="noopener noreferrer nofollow ugc" class="dont-break-out" href="https://tinc-vpn.org">tinc</a>, which is a full-mesh, auto-healing VPN system supporting many many OSes</p></li><li><p>A blog post from fmac titled '<a target="_blank" rel="noopener noreferrer nofollow ugc" class="dont-break-out" href="https://fmac.xyz/posts/2021/12/07/nested-wireguard-tunnels/">Nested WireGuard tunnels to my home</a>'</p></li><li><p><a target="_blank" rel="noopener noreferrer nofollow ugc" class="dont-break-out" href="https://github.com/qdm12/gluetun">gluetun</a>, a tool for running a VPN (the privacy tool kind, not the access tool kind) inside Docker</p></li><li><p><a target="_blank" rel="noopener noreferrer nofollow ugc" class="dont-break-out" href="https://git.zx2c4.com/wireguard-go">wireguard-go</a>, a userspace implementation of WireGuard</p></li><li><p><a target="_blank" rel="noopener noreferrer nofollow ugc" class="dont-break-out" href="https://github.com/netbirdio/netbird">NetBird</a>, a mesh net with a full GUI and centralized access control like Tailscale (actually now that I'm writing this post I think I should've just used this but whatever i've set it up already)</p></li></ul><figure float="none" data-type="figure" class="img-center" style="max-width: null;"><img src="https://storage.googleapis.com/papyrus_images/bb1c11bfef5c19b3a960e3c2945cd087.png" blurdataurl="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAACAAAAAICAIAAAAX52r4AAAACXBIWXMAAAsTAAALEwEAmpwYAAAAKHRFWHRDcmVhdGlvbgBTdW4gMjUgQXVnIDIwMjQgMDk6MDk6MzMgUE0gQlNUgZpRhgAAABl0RVh0U29mdHdhcmUAZ25vbWUtc2NyZWVuc2hvdO8Dvz4AAAIUSURBVHichVLLbtNAFB0pC6B52R57Hh6/Yid+xCSOE6fBTaEklIoKKtSKRopKGimpIK0oG4RUNjx28AF8AT/CBokNfAMSn8GiKJ0gEFR0dDSae3TvPZp7D1CwxpGhBqCmgA30i/kXssIKkIIsyuSwhBgnEdE5zi0BCGsiYhiz0WX5EIglQc5zDTJvJ8P5zd8IawWkNsPa6/HuyeCexqwCJHkR50UsQCJCIkAiQVWCFCoqVOhCQDkTGAfpezf9sjP97MROQSoqGqp7SlqVO4G8VpNXQyV0lX6UWfYG99dPv388/fQhqTeSlV4nvdlIukGt1Ui61Vpyrdtrtrv9ja3rvTsCJHOBLNHXZPXwEgEA5DD9xuy3IAOohR1T8GzRsYqeDUuG7NowcHKa1o6Dr69mJ7d7ImJ+2Kw306uNjhtEXhjbju+HTTeInErV9euLH4iIeURNW21wdn6E8juQA0R3TDcME021Az/SzYqulzXmaLoTRW3LLkNqUGZTZiGiG1aFUMOwKn4Y83Fx/B6RRAyBGrklabC9/wbbZYivyGorWdnc2pk8Onr+4uX2g2F/4+7ucH9vNDmYHY8ns+Onz/q3NqePn6zeWJ8cHD0cT/dG08FwTFnp7yVzGxSKCGSWmnGK7WpRptxIAiTcG4joUFER0Qk1oaISatbjZR4qWOMMzznHRX9YzcgWEYSL7v9HXsQX5nCBn1lKbzj/94vjAAAAAElFTkSuQmCC" nextheight="128" nextwidth="543" class="image-node embed"><figcaption htmlattributes="[object Object]" class="">The pleasures of [networking] are pains that become desirable, where sweetness and torment blend, and so [networking] is voluntary insanity, infernal paradise, and celestial hell - in short, harmony of opposite yearnings, sorrowful laughter, soft diamond.</figcaption></figure><p></p>]]></content:encoded>
            <author>0xlynett@newsletter.paragraph.com ([object Object])</author>
            <enclosure url="https://storage.googleapis.com/papyrus_images/a1b0656ebe3e6770dd89e9d7f54a6c3a.jpg" length="0" type="image/jpg"/>
        </item>
        <item>
            <title><![CDATA[Perfect leveraged tokens]]></title>
            <link>https://paragraph.com/@0xlynett/perfect-leveraged-tokens</link>
            <guid>ql9Lrt1aX26MLpGci5Fi</guid>
            <pubDate>Sun, 18 Aug 2024 00:00:00 GMT</pubDate>
            <description><![CDATA[The synth aims to track a perfect constant-leverage index. People can borrow against collateral to mint these synths (let's say ETH2L) and short it by selling ETH2L. On the other side, people can long by buying ETH2L off the market.]]></description>
            <content:encoded><![CDATA[<figure float="none" data-type="figure" class="img-center" style="max-width: null;"><img src="https://storage.googleapis.com/papyrus_images/8a9e3866c4c52dc6344689b3ae10893f.png" blurdataurl="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAACAAAAAMCAIAAACMdijuAAAACXBIWXMAAAsTAAALEwEAmpwYAAAAKHRFWHRDcmVhdGlvbgBUaHUgMTUgQXVnIDIwMjQgMDc6MTY6MTYgUE0gQlNUtwxDWQAAABl0RVh0U29mdHdhcmUAZ25vbWUtc2NyZWVuc2hvdO8Dvz4AAAKRSURBVHicY5BXVBOTV5VW0rDWMfC0tLewc7GycQIjZysbJ1tHdysbJ3tHD2/f4MDgSHtHD1sHNwcnT4iglY2TiZmNvaMHMtvKxhkiYu/ooaKmzSApp1IaHOVk62ptYlmfWzRnwfJp0+clJGcVltaUltfXNnYUltZk5ZUFBkdGx6ZAUEJyVlpmQUJyVkJyVmh4XHxCRkJyVmx8amBwZFpmAQTFxmdk5ZVpahsy2OsYzQuN+lGRl1NUcf/Zm5WrNu7YfSg6NiUxJScsIh5inIqatrqWvqKSuqKSuryimryimrCYNDISEZNC5goKSUBIeUU1BgUlNTUltVoHZ1+/kNaO/ura5rzC8ilTZ8+as6i+qbO0vK6+qbOpvae6tnnKtLlbtu3tnTBt9pzFVjZOEJsIIgZpeWVNbUMJFS0P78D6ps6E5Kzq2ubS8rrq2ubZcxZPmTa3vqlzyrS5JmY28opqKmraRJqLsABCSUjIurr79k6YlpZZAI4fN3tHN1d3X2/fYG/fYFd3X01tQ1KNRrFAUlrR3tGjurY5MDhSUloRjoRBYSojLCYjKa1IvgUqqlpiknKQtMHDL0aeQfK4LFBT12FnExOXUFRS1YSLiknJk+1keTQLIIBXmtlY2zw1OC47LLU4JeP/n4/+QVHevqHevsGx8RnObj7IqRAWdAjEwy+Gy0Eg09ecqmLgY7C2dl++bO3k/ulTJs/YunlbfVPngsWrVq3bMn32gvqmzura5t4J00rL6/IKy0vL63r7p9Y3dbZ29OcVlvdOmLZ85YawiHisdjCoqGqB/cBkZGrl7OZj6+ju6u5rYe2kb2ju6u4DKR5c3X2tbJy8fYNhCQwk4uruCykPAoMjY+NTIekY0wIAPlAWNDdy1yQAAAAASUVORK5CYII=" nextheight="471" nextwidth="1250" class="image-node embed"><figcaption htmlattributes="[object Object]" class="hide-figcaption"></figcaption></figure><p>Originally thought about in the TLX Discord.</p><p>Currently, TLX leveraged tokens work by rebalancing to maintain a leverage within a range to avoid liquidations, which is what causes "<a target="_blank" rel="noopener noreferrer nofollow ugc" class="dont-break-out" href="https://www.etf.com/sections/etf-basics/why-do-leveraged-etfs-decay">volatility decay</a>". It only rebalances after hitting the leverage bound (or on deposit and withdrawal) and also incurs swap fees.</p><p>Volatility decay would not be a factor if there were perfect rebalancing, i.e. maintaining a perfect constant leverage and having no swap fees.</p><p>My scheme: The synth aims to track a perfect constant-leverage index. People can borrow against collateral to mint these synths (let's say ETH2L) and short it by selling ETH2L. On the other side, people can long by buying ETH2L off the market.</p><p>Shorters get liquidation risk while longers don't, which could be an issue for getting people to mint in the first place, but they could be compensated by trading fees and fees on the token itself.</p>]]></content:encoded>
            <author>0xlynett@newsletter.paragraph.com ([object Object])</author>
            <enclosure url="https://storage.googleapis.com/papyrus_images/f11ed214f42359a3cbe68c68743783d2.jpg" length="0" type="image/jpg"/>
        </item>
    </channel>
</rss>