今日已更新 339 条资讯 | 累计 19899 条内容
关于我们

标签:#web3

找到 46 篇相关文章

AI 资讯

SEO Services for Developers: What Actually Matters in 2026

Most developers treat SEO like that one dependency you know you need but keep putting off. You build a fast, clean site with solid architecture, then hand it off to a "marketing person" who asks you to add keyword-stuffed meta descriptions. Here's what changed in 2026: search engines place heavy emphasis on Core Web Vitals, which measure loading performance, interactivity, and visual stability of web pages. The technical foundation you're already building? That's 80% of modern SEO. Let me break down what actually matters when evaluating SEO services as a developer. The Technical Reality Check Technical SEO is the foundation that everything else sits on. On-page optimization and link building amplify a technically sound site. Applied to a technically broken site, they produce unpredictable, often disappointing results. If an SEO service can't speak your language about INP metrics, structured data, or mobile-first indexing, run. What Dev-Focused SEO Services Should Cover Core Web Vitals (Not Just PageSpeed Scores) Core Web Vitals (LCP, CLS, INP) are confirmed ranking factors — INP replaced FID in March 2024. Any SEO service still talking about First Input Delay is using outdated information. What to look for: Field data analysis from real users (not just lab tests) Specific fixes for Interaction to Next Paint Understanding of when to optimize vs. when to rebuild Crawlability and Rendering Google now clarifies that pages returning non-200 status codes (like 4xx or 5xx) may be excluded from the rendering queue entirely. If you're running a JavaScript-heavy framework, this matters. Red flag: SEO services that don't understand Server-Side Rendering (SSR) or Static Site Generation (SSG). Structured Data Implementation Structured data helps search engines understand what your content is about, not just what it says. In 2026, this matters for traditional search and AI search alike. Schema markup isn't just about rich snippets anymore. It's how AI systems like ChatGPT and Per

2026-06-27 原文 →
AI 资讯

What Token Extensions Are and Why a Web2 Developer Should Care

You already understand tokens. Extensions are just middleware for your money. If you have ever worked with Stripe, you know the pattern. You start with a simple charge: send money from point A to point B. Then you add features — subscriptions, transfer fees, metadata on invoices, compliance checks. Each feature is a separate Stripe product or API call, and wiring them together is your job. Solana's Token Extensions Program is the same idea, but at the blockchain protocol level. Instead of bolting features on top of a basic token after creation (which Solana does not allow), you declare every capability upfront, and the runtime enforces it automatically. No smart contract to write. No backend service to maintain. Just configuration flags at creation time. What is a token extension? A token extension is an optional feature you enable when you create a token mint. Under the hood, each extension reserves extra bytes in the mint's on-chain account. Those bytes store configuration — an interest rate, a fee percentage, a metadata URI — and the Solana runtime reads them during every transaction. The original SPL Token Program is simple. It stores supply, decimals, and authorities. The Token Extensions Program ( TokenzQdBNbLqP5VEhdkAS6EPFLC1PHnBqCXEpPxuEb ) is a superset. It stores everything the original does, plus additional data for each extension you enable. Extensions map directly to Web2 concepts Extension Web2 Analogy What It Does Transfer Fees Payment processor fee Deducts a % on every transfer Interest-Bearing Savings account APY Displays time-adjusted balance Metadata Product catalog entry Stores name, symbol, URI on-chain Default Account State KYC gating All accounts start frozen; you thaw approved users Non-Transferable Professional license Tokens cannot be sold or transferred Permanent Delegate Admin revoke power Issuer can burn tokens from any holder A concrete example Here is the exact command I ran to create a token with transfer fees, interest-bearing, and m

2026-06-26 原文 →
AI 资讯

How Solana Processes Transactions — And How to Make Them Faster

If you've ever sent a transaction on Solana and wondered why it landed instantly one time and struggled another, you're not alone. Solana is incredibly fast, but how your transaction enters the network matters just as much as what you're sending. In this article, we'll break down Solana transaction processing in plain English — no developer jargon — and explain why landing services like Lunar Lander and Astralane can dramatically improve speed and reliability. The Big Picture: How Solana Handles Transactions At a high level, Solana works like this: You submit a transaction The network decides which transactions get processed first A validator includes your transaction in a block The transaction is finalized on-chain The key detail most users don't see is step #2 — how Solana decides which transactions get priority when the network is busy. That decision is driven by something called Stake-Weighted Quality of Service (QoS) . Stake-Weighted QoS (Explained Like You're Not a Developer) Solana has a built-in traffic management system. Think of it like traffic control for a highway. A Simple Analogy Imagine a highway with two lanes: 🚗 Fast lane (priority access) 🚙 Regular lane (everyone else) Solana prioritizes transaction traffic based on stake, meaning traffic originating from or routed through high-stake validators is more likely to be processed during congestion. Why? Because validators that stake SOL are financially invested in keeping the network healthy. Giving them priority helps protect Solana from spam and overload. What This Means for You Transactions that enter Solana through stake-backed paths have a much higher chance of landing quickly Transactions that enter through generic or overloaded RPCs compete for a smaller slice of capacity During congestion, non-priority transactions are more likely to be delayed or dropped This is the core idea behind Solana's stake-weighted QoS system. Where Transactions Usually Go Wrong Most wallets and apps send transactions t

2026-06-24 原文 →
AI 资讯

Understanding Program Derived Addresses: The Solana Address That Has No Private Key

Every Solana program eventually hits the same question: where do I put my data, and how do I find it again later? Programs are stateless, so a program's data lives in separate accounts, each at an address. The moment you store something, you owe an answer to a problem databases tend to hide from you: what address does this live at, and how does the program find it again tomorrow? Program Derived Addresses are Solana's answer. The name scares people off, but the idea is mostly "an address you compute instead of remember, that only your program can control." The problem, in code Say each user gets a counter account. The normal way to make an account is to generate a fresh keypair and store data at its public key: import { Keypair } from " @solana/web3.js " ; const counter = Keypair . generate (); // counter.publicKey is something random, e.g. 7Hx4...9fT // create the account at that address, write count = 0 It works. But the address is random, so nothing connects this user to that address . Tomorrow, when the user comes back to increment, how does your program find their counter? You're forced to keep a lookup table somewhere: // the mapping you now have to store and never lose const counters = { " 9fYL...user1 " : " 7Hx4...9fT " , " B2k9...user2 " : " Qz1p...4dR " , // ...times ten thousand users }; Lose that table, lose the data, even though the accounts are right there on chain. You're storing files in a warehouse and writing the shelf number on a sticky note. The fix: compute the address from what you already know What if the address were a function of the user instead of random? Give a function the word "counter" and the user's public key, and it hands back a fixed address. Same inputs, same address, every time. No table. That's a PDA. PDAs are 32-byte addresses derived deterministically from a program ID and a set of seeds. The seeds are the meaningful inputs you pick (here, "counter" + the user's key). With @solana/web3.js , the library Anchor's client uses: im

2026-06-19 原文 →
AI 资讯

Negative Risk Markets on Polymarket: Capital-Efficient Multi-Outcome Trading for Advanced Bots

Negative Risk (NegRisk) is one of the most powerful innovations on Polymarket for builders of sophisticated Polymarket trading bots . It dramatically improves capital efficiency in multi-outcome “winner-take-all” events by mathematically linking all related conditional tokens. Why Negative Risk Matters In standard multi-outcome markets, positions are completely independent. Betting against one candidate requires buying separate “No” shares across every other outcome — tying up large amounts of capital. Negative Risk solves this with a conversion operation : Holding 1 No share on any outcome can be converted into 1 Yes share on every other outcome in the same event. This happens atomically through the NegRisk Adapter smart contract. Economically: Betting against one outcome = betting for all others. Example (3-outcome election event): You hold 1 No on “Other”. Convert → Receive 1 Yes on Trump + 1 Yes on Harris. This makes hedging and market making far more efficient, especially in political, sports, or crypto events with 3–20+ outcomes. How to Detect & Trade NegRisk Markets Use the Gamma API for discovery: { "id" : "event-123" , "title" : "Who will win the next major election?" , "negRisk" : true , "markets" : [ ... ] } When placing orders via SDK (TypeScript/Python): const order = await client . createAndPostOrder ( { tokenID : tokenId , price : 0.42 , size : 500 , side : Side . BUY }, { tickSize : " 0.01 " , negRisk : true // Critical flag } ); Augmented Negative Risk (Dynamic Outcomes) For events where new outcomes can appear mid-trading (e.g., surprise candidates): Uses placeholders + “Other” bucket. enableNegRisk: true + negRiskAugmented: true . Avoid trading the “Other” outcome directly as its definition narrows over time. Technical Integration for Trading Bots Position Tracking — Track positions at the event level, not individual markets. Use conversion math for net exposure. Inventory Skew — In Shadow Market Making or live MM, apply inventory skew across the

2026-06-19 原文 →
AI 资讯

How to Detect a Solana Honeypot Token Before Your Bot Buys

A honeypot is the cleanest way to drain a trading bot on Solana: the token lets you buy , but there is no way to sell . Your agent spends real USDC, receives tokens, and then discovers the exit is welded shut. The position is worth zero and there is nothing to do about it. Honeypots don't show up on a price chart — the chart looks great, because everyone can buy and nobody can sell. You only find out at exit. So the check has to happen before the buy. What makes a Solana token a honeypot No live sell route — there is simply no route back to USDC/SOL on any DEX. The most common case. Transfer restrictions — Token-2022 extensions like transferHook or pausable let the creator block transfers (and therefore sells). Freeze authority — the issuer can freeze your account so the tokens can't move. Detect it in one call RugCheck AI is a remote MCP server. Point your agent at the endpoint and ask before any buy: simulate_sell("<mint>") -> { sellable: true|false, verdict: "..." } A token with no live sell route comes back sellable:false — that's the honeypot, even when nothing on-chain formally blocks the sell yet. For the full picture in one shot: scan_token("<mint>") -> { verdict: SAFE|CAUTION|DANGER, safety_score, sellable, risks: [...] } Or simulate the whole round-trip at your real size: simulate_trade("<mint>", 100) -> { buyable, sellable, exit_usd, round_trip_loss_pct } A honeypot shows buyable:true, sellable:false. A healthy token shows a small round-trip loss (slippage) and sellable:true. A real one I scanned a fresh pump token on 2026-06-17 (re-run to verify): scan_token returned DANGER, score 20 — no live sell route, 100% of supply held by a single wallet, $0 liquidity. An agent that bought it could never get out. That verdict is available before the buy, even though the token is too new to be indexed anywhere else. Wire it into your agent It's a standard Streamable HTTP MCP server. In Cline / Claude Dev, add an mcpServers entry named rugcheck-ai pointing at the end

2026-06-19 原文 →
AI 资讯

The contract is clean - for now: catching crypto scams that survive launch-time checks

Most token scam detectors, including the one I work on, share one implicit assumption: the contract you analyze at launch is the contract people will trade. Read the source, simulate a buy and a sell, cluster the deployer, score it, done. That is a snapshot. And a snapshot is exactly what a patient scammer plays against. Two token designs pass every launch-time check and then turn hostile later. This is how they work, and the two on-chain techniques we shipped this week to catch them. Design 1: the delayed honeypot A honeypot is a token you can buy but cannot sell. The classic version is non-sellable from block one, so a buy-then-sell simulation catches it instantly. The patient version is sellable at launch. Early buyers sell fine, the chart looks healthy, the token earns a clean verdict from every checker that judged it at T0. Then, days later, the operator flips a switch: a timed blacklist that rejects transfers after a block height or timestamp, a setTrading(false) / pause() kill switch pulled once liquidity has accumulated, a fee setter cranked to 100% on sells. From that moment it is a honeypot. But the only verdict on record is the clean one from launch day. The detection ran once, at the worst possible time to run it. Fix: re-simulate at J7 We keep post-launch snapshots of every token at J0, J7 and J30 (originally to catch slow rugs: volume collapse, late LP burns). The new piece re-runs the full buy/sell honeypot simulation at J7, but only for tokens that were genuinely sellable at J0. A clean-to-honeypot flip is the signal: // Only for tokens sellable + tradable at J0 - a clean->honeypot flip is the point. // Bounded per run because it is RPC-heavy. const eligible = ! j0 . risk_flags . some (( f ) => J0_SKIP_RESIM_FLAGS . has ( f )); if ( rpc && eligible && resims < resimLimit ) { const isNowHoneypot = await detectLateHoneypot ( rpc , tokenAddress ); if ( isNowHoneypot ) flags . push ( " late_honeypot " ); // +40 risk at J7 } One rule we hold to: an RPC hi

2026-06-15 原文 →
AI 资讯

Building a Low-Latency Polymarket Bot for Earnings Markets: A Real-World Attempt (Lessons & Technical Breakdown)

A bot on Polymarket quietly extracted $32k in near risk-free profits by sniping “Will Company XYZ Beat Earnings?” markets. It waits for the official release, then instantly buys the winning side. Many limit orders from retail traders remain uncancelled, creating a post-announcement arbitrage window. Two developers decided to challenge it. Here’s what they learned while trying to build a faster version. Infrastructure Choices Location : Polymarket’s CLOB runs in AWS eu-west-2 (London). They deployed from Ireland (eu-west-1, Dublin) — the closest realistic option without IP tricks. UK IPs are blocked. Language : Rust for type safety and speed. The author notes you can achieve competitive latency in Python if you strip unnecessary network calls. Key Warning : Avoid the official Polymarket SDKs for ultra-low latency. They include helpful but slow pre-trade checks. Build lean custom clients. The Data Feed Challenge (The Real Bottleneck) The critical edge is getting earnings announcements faster than competitors. Source Performance Verdict Scraping Newswires Too slow Failed Benzinga Low-Latency Slower than manual clicking Failed Paid ultrafast feed ~500ms after release Still too slow EDGAR Consistently slower than newswires Backup only Even at 500ms, the order book was already swept by faster bots. The top players are likely using extremely expensive dedicated feeds or custom setups. Technical Lessons Learned Network > Code Most latency lives in the network round-trip, not in language choice. Optimize transport first. Custom Execution Layer Skip heavy SDK abstractions. Direct signed orders with minimal validation. Post-Event Sniping Logic Monitor newswire feeds aggressively Parse EPS vs. estimate instantly Place aggressive limit/market orders on the winning side Handle cases with ambiguity (multiple interpretations of “beat”) Reality Check They made some wins during EPS ambiguity or when faster bots hit size limits, but never won on pure speed against the leader. Why This

2026-06-15 原文 →
AI 资讯

The Compute Payment Revolution: When AI Agents Buy Their Own Processing Power

The compute payment revolution is already here, and AI agents need to pay their own bills. Today's agents rely on human-managed API keys and credit cards, creating bottlenecks that prevent true autonomy. What happens when an AI trading bot needs to buy additional compute power mid-execution, or when a research agent wants to access premium datasets from multiple vendors? Why Agent Financial Independence Matters We're witnessing the emergence of agent-to-agent commerce at unprecedented scale. AI agents are becoming economic actors — they need data, compute cycles, API calls, and specialized services. But the current model breaks down at the payment layer. Humans become transaction bottlenecks, manually topping up credits and managing dozens of service accounts. The real breakthrough isn't just agents that can think or reason — it's agents that can participate in economic activity independently. An autonomous agent that can discover a new API service, evaluate its pricing, and pay for access without human intervention represents a fundamental shift in how software systems operate. The x402 Payment Protocol: HTTP Payments Made Simple WAIaaS implements the x402 HTTP payment protocol, enabling AI agents to pay for API calls automatically. When a service returns a 402 Payment Required response with payment details, the agent's wallet handles the transaction and retries the request seamlessly. Here's how it works in practice: import { WAIaaSClient } from ' @waiaas/sdk ' ; const client = new WAIaaSClient ({ baseUrl : ' http://127.0.0.1:3100 ' , sessionToken : process . env . WAIAAS_SESSION_TOKEN , }); // Agent makes API call — payment happens automatically if 402 returned const response = await client . x402Fetch ( ' https://api.premium-data.com/market-analysis ' , { method : ' POST ' , body : JSON . stringify ({ symbols : [ ' BTC ' , ' ETH ' ], timeframe : ' 1h ' }), headers : { ' Content-Type ' : ' application/json ' } }); const analysis = await response . json (); consol

2026-06-15 原文 →
AI 资讯

General Token Economics: The Core System Behind a Sustainable Web3 Project

Token economics is not only about token price. It is about designing the rules, incentives, and long-term logic of a Web3 ecosystem. When people start building a Web3 project, they usually focus on the visible parts first. They think about the smart contract, the frontend, the wallet connection, the token launch, the whitepaper, and maybe the community. All of those are important. But there is one part that can decide whether the project survives or fails: Token economics. A project can have clean smart contracts, a nice UI, and strong marketing, but if the token economy is weak, the project can slowly collapse. Users may come only for rewards, early investors may dump, inflation may destroy value, and the token may lose its reason to exist. That is why token economics should not be treated as just a “crypto finance” topic. For developers and Web3 builders, token economics is closer to system design . It defines how value moves inside the ecosystem, how users are rewarded, how supply is controlled, how governance works, and how the project can grow without depending only on hype. What Is Token Economics? Token economics, often called tokenomics , means the design of how a token works inside a project. It answers questions like: Why does this token exist? Who receives the token? How is the token used? How many tokens will exist? How are rewards distributed? When can team and investor tokens unlock? How does the project treasury work? What creates real demand for the token? In simple words, token economics is the rule system behind a token. A token is not only something people buy and sell. In a real Web3 product, a token can be used for payments, staking, governance, access, rewards, collateral, or network fees. If the token has no clear role, it becomes only a speculative asset. That is dangerous because speculation can bring attention, but it cannot support a project forever. Why Developers Should Care Some developers think token economics is only for founders, eco

2026-06-14 原文 →
开发者

The Rust You Actually Need to Write Your First Anchor Program

If you have made it this far in 100 Days of Solana, you have been working in JavaScript and on the command line. You have been calling RPC methods, building instructions, signing transactions, and reading and writing account data in JavaScript, and most recently minting and sending tokens and NFTs from the CLI. Either way, you have been driving Solana with tools that let you assign a value and move on with your life. Soon the ground shifts. You are going to open a file called lib.rs , and it is going to be Rust, and for a day or two it is going to feel like you forgot how to program. That feeling is normal, it is temporary, and it is not a sign you are in the wrong place. Here is the thing nobody says out loud: you do not need to learn all of Rust to write Solana programs. Rust is a big language with a steep reputation, but the slice of it that shows up in an Anchor program is small and repetitive. You will see the same handful of patterns on almost every line. Learn those patterns and the wall turns back into a floor. This post is that handful. Not a Rust course, just the parts you need to read your first Anchor program and understand what every line is doing. Next week we start Arc 9, the Anchor introduction, where this all becomes real. This week is about making the language stop being scary before you get there. Why it feels like a wall JavaScript is dynamically typed and garbage collected. You write const x = 5 , you never tell anyone it is a number, and when you are done with it the runtime quietly cleans up. The language trusts you and sorts out the consequences at runtime, which is why a typo surfaces as undefined is not a function three minutes into a demo. Rust is the opposite philosophy. It is compiled and statically typed, so every value has a type the compiler knows about before the program ever runs, and it has no garbage collector, so it tracks who is responsible for every piece of memory through a system called ownership. The trade is blunt: Rust mak

2026-06-13 原文 →
AI 资讯

I Made My Website Charge AI Crawlers with HTTP 402. In 30 Days, 5,811 Came and 5 Paid.

I run a content site, do-and-coffee.com . Like everyone else, it gets scraped by AI crawlers. Instead of blocking them, I did something else: I put a paywall in front of the site that returns HTTP 402 Payment Required to bots, with machine-readable payment instructions. If a crawler pays a cent in USDC, it gets the article. If it doesn't, it gets the 402 and nothing else. Then I let it run for 30 days and watched. Here's what actually happened — and it's not the number you'd put on a pitch deck. TL;DR A Cloudflare Worker sits in front of the site. AI crawlers get 402 + x402 payment requirements ; humans and search bots pass through free. Payment is USDC on Base , $0.01 per article, verified and settled through Coinbase's CDP facilitator. 30-day result: 5,811 crawler requests, 5 paid, 5,806 served a 402. Revenue at $0.01/article ≈ $0.05 . The interesting part isn't the revenue. It's who paid: GPTBot paid 4 times out of 48 requests; ClaudeBot paid once out of 651. Architecture do-and-coffee.com/blog/article/* ─▶ x402 Worker (Cloudflare) │ has X-PAYMENT-RESPONSE? ───────────┤─▶ yes ─▶ proxy origin (200) KV cache hit (payer:url)? ─────────┤─▶ yes ─▶ proxy origin (200) no X-PAYMENT? ─────────────────────┤─▶ 402 + payment requirements has X-PAYMENT? ────────────────────┘ │ ├─▶ CDP /verify (is the signed payment valid?) ├─▶ CDP /settle (waitUntil: confirmed — on-chain) └─▶ on success: KV.put(payer:url, receipt, ttl 24h) ─▶ proxy origin The worker speaks the x402 protocol: a 402 response carries an accepts array describing exactly how to pay (scheme exact , network base , asset USDC, amount, payTo wallet). A compliant agent reads that, signs a USDC payment, and retries with an X-PAYMENT header. The worker verifies and settles it through Coinbase's facilitator, then proxies the real article. How it works The 402 response When there's no payment, the worker builds the requirements and returns 402: function buildPaymentRequirements ( resourceUrl : string , env : Env ): Payment

2026-06-12 原文 →
AI 资讯

Reentrancy in 2026: Why It Still Drains Millions (and How AI Spots It)

Reentrancy is the oldest trick in smart contract exploitation. The DAO fell to it in 2016. You would think a bug this famous would be extinct by now. It isn't. Protocols still lose millions to reentrancy every year, because the textbook version is the easy one, and attackers stopped using the textbook version a long time ago. This post walks through the classic bug, then the modern variants that still bite in 2026: cross-function, cross-contract, read-only reentrancy through view functions, and callback reentrancy through ERC777 and ERC721. I'll show why ReentrancyGuard is not the silver bullet most developers think it is, and how an LLM-based auditor reasons about the call-then-state-change pattern in a way pattern matchers can't. The Classic: Single-Function Reentrancy Here is the canonical vulnerable withdraw. contract VulnerableVault { mapping(address => uint256) public balances; function deposit() external payable { balances[msg.sender] += msg.value; } function withdraw() external { uint256 amount = balances[msg.sender]; (bool success, ) = msg.sender.call{value: amount}(""); require(success, "transfer failed"); balances[msg.sender] = 0; // state update AFTER the external call } } The attack is simple. The attacker is a contract. When withdraw sends ETH via msg.sender.call , control passes to the attacker's receive() function before balances[msg.sender] is zeroed. The attacker calls withdraw again. The balance is still the original amount, so the vault pays out again. Repeat until the vault is empty. contract Attacker { VulnerableVault vault; receive() external payable { if (address(vault).balance >= 1 ether) { vault.withdraw(); // re-enter before balance is zeroed } } } The fix is checks-effects-interactions. Do all your checks, then update all your state, and only then make the external call. function withdraw() external { uint256 amount = balances[msg.sender]; balances[msg.sender] = 0; // effect first (bool success, ) = msg.sender.call{value: amount}(""); //

2026-06-10 原文 →
AI 资讯

I Added x402 Payments to Base's Agent Skills — Here's How

If you build agents on Base, two things landed recently that are worth connecting. First: Base shipped its own Agent Skills. There's now a base/skills repo with consolidated skills that teach an AI agent to connect to Base, deploy contracts, authenticate wallets, and run nodes — installed with one command via Vercel's npx skills CLI. Second: that CLI is part of a fast-growing, cross-agent ecosystem most crypto devs haven't clocked yet. So this post does two things — explains how npx skills and skills.sh actually work, and shows where the payment layer in Base's skills stops and how to extend it with x402 pay-per-call and batch disbursement . What npx skills actually is npx skills is an open CLI from Vercel Labs for installing "skills" — modular SKILL.md files that teach an agent a specific capability without stuffing everything into its context window. A few things make it different from what crypto devs usually expect: GitHub is the registry. There's no central package server. Any public GitHub repo with a SKILL.md at its root is a valid, installable skill. Install with npx skills add owner/repo . It's cross-agent. The same skill installs into Claude Code, Cursor, Codex, GitHub Copilot, Goose, Windsurf, Gemini, and dozens more. You write once; it works across the agent you (or your users) actually run. skills.sh is the directory + leaderboard. It ranks skills by real install counts pulled from telemetry, with all-time, trending, and hot lists. There's no editorial submission step — you publish by putting a skill in a repo, and installs surface it. The format underneath — SKILL.md — is an open spec, which is why Base, Vercel, Anthropic, and a long tail of independent devs all use the same files. Here's Base's install, for reference: # Base's official agent skills npx skills add base/skills --skill build-on-base npx skills add base/skills --skill base-mcp build-on-base is a consolidated Base dev playbook; base-mcp wires up a Base MCP server that gives an agent a wall

2026-06-10 原文 →
AI 资讯

DIFP Nostr: Fitting 6,000+ Products into a Single 64 KB Event

TL;DR — The DIFP protocol was designed to be data-compact and geo-aware from day one. We recently discovered it maps almost perfectly onto the Nostr event format. Here's how, and why it matters for decentralized food infrastructure. Background: What Is DIFP? DIFP (Djowda Interconnected Food Protocol) is an open protocol designed to sync food product data across distributed nodes — compactly, efficiently, and with geo-location awareness built in by default. One of its core design decisions is the PAD system (Preloaded Asset Distribution): Apps ship with a preloaded asset pack — item metadata, compressed images, category structure — all bundled at install time. Only price and availability need to travel over the wire during sync. This means the data footprint per product is tiny. Very tiny. Enter Nostr Nostr is a simple, open protocol for decentralized communication. One of its key specs: events support up to 64 KB of content . When we started exploring Nostr as a potential transport layer, we ran the numbers — and the fit was surprisingly clean. The Math: Products Per Event Baseline encoding A product represented with three fields: { "id" : 500 , "available" : true , "price" : 30000 } At this level of verbosity, a single 64 KB Nostr event can hold approximately: ~1,500 – 2,000 products Already useful. But we can do better. Optimized encoding Two key optimizations: 1. Drop the availability key — If a product entry exists in the JSON, it's available. If it's absent, it's not. No boolean needed. 2. Drop the field names — Instead of {"id": 500, "price": 30000} , just store: 500,30000 Field mapping is handled at the app level, not the protocol level. The device knows position 0 is the product ID, position 1 is the price (in smallest currency unit, e.g. cents). Result ~6,000 – 7,000 products per single Nostr event Possibly more, depending on the price distribution and ID ranges in a given catalog. Geo-Discovery: MinMax99 Cells DIFP uses a geo-cell system called MinMax99 to

2026-06-06 原文 →
AI 资讯

Drift Protocol $285M Exploit - North Korean APT Attack on Solana

On April 1, 2026, Solana's largest decentralized perpetual futures exchange Drift Protocol suffered an attack, losing approximately $285 million . This is the second-largest DeFi hack of 2026 (behind KelpDAO's $292M attack the same month). Together, these two incidents totaled $577M — 76% of all DeFi stolen funds in 2026 . Key Finding : This was not a smart contract vulnerability. The attacker penetrated protocol personnel through social engineering , used Solana's durable nonce feature to pre-sign malicious transactions, and drained the entire treasury in 12 minutes . Mandiant confirmed the attacker as North Korean state-sponsored APT group UNC6862. ⏱️ Attack Timeline Time Event 6 months prior North Korean hackers establish fake trading company identities, attend crypto industry events Weeks prior Operatives attend crypto conferences in person, build deep trust with Drift contributors Late Feb - Early Mar Telegram group discussions about trading strategies, posing as partners Dec 2025 - Jan 2026 Fake company "Ecosystem Vault" builds partnership with Drift, deposits $1M+ Feb - Mar Attackers gain access to some contributors' code repositories Mar 23 Create 4 malicious wallets using Solana durable nonce feature Mar 27 Security Council migrates to 0-second timelock , removing safety buffer Apr 1, 16:06:09 UTC Execute pre-signed malicious transactions 16:06 - 16:18 UTC Treasury completely drained in 12 minutes Post-Apr 1 Funds swapped via Jupiter, bridged to Ethereum via CCTP, mostly dormant 🔧 Attack Technical Analysis Initial Penetration The attackers used a multi-layered social engineering + technical infiltration combination: HUMINT Operation Spent months building credible identities, attending global industry events Used intermediaries rather than direct contact (classic Lazarus tactic) ZachXBT noted this layered identity structure is a hallmark of Lazarus operations Malicious Code Injection Shared code repositories containing malicious code Exploited unpatched VSCo

2026-06-06 原文 →
AI 资讯

A Beginner-Friendly Mental Model for Bitcoin Transactions

Bitcoin can look simple from the outside: paste an address, choose an amount, send. Under that simple interface are several concepts that are useful for developers and technical beginners to understand. This post is not trading advice and does not discuss price. It is a practical mental model for what is happening when someone sends Bitcoin. 1. A wallet does not "hold coins" the way an app balance does Many beginners imagine a wallet as a container full of coins. That is close enough for casual conversation, but it can be misleading. A Bitcoin wallet manages keys and helps create transactions. The Bitcoin network tracks spendable outputs on the ledger. When you send BTC, the wallet constructs a transaction that spends previous outputs and creates new outputs. You do not need to master every detail on day one, but the high-level idea matters: control of keys controls the ability to spend. 2. An address is a destination, not an identity A Bitcoin address is where funds can be sent. It is not a username and it is not automatically tied to a person in the way a social profile is. Before sending, beginners should check the address carefully. A small copy-paste mistake can be permanent. Malware can also replace clipboard contents, so visually checking the beginning and ending characters is a useful habit. For larger transfers, a tiny test transaction can reduce risk. 3. Fees are about block space Bitcoin transactions compete for limited block space. A fee is not a tip to a company. It is part of the transaction economics that helps miners decide which transactions to include. When the network is busy, low-fee transactions may wait longer. When the network is quieter, confirmations may happen faster. The beginner lesson is simple: do not assume "sent" means "fully settled." Check confirmations and understand that fee choice can affect waiting time. 4. The mempool is a waiting area Before a transaction is confirmed in a block, it may sit in the mempool, which is a pool of u

2026-06-05 原文 →
AI 资讯

Base Azul multiproofs, ERC-8211 smart batching, LI.FI Intents, Vitalik's Sci-Fi pivot

Welcome to our weekly digest, where we unpack the latest in account and chain abstraction and the broader infrastructure shaping Ethereum. This week: Base ships its first independent upgrade with a TEE+ZK multiproof system and confirms native AA is next; Biconomy turns the ERC-8211 smart batching standard into a TypeScript SDK; LI.FI launches an enterprise intents engine for stablecoin and RWA flows; and Vitalik steps back from technical essays to write fiction. Base Launches Azul, Bringing Multiproofs to Coinbase's L2 Biconomy Ships Smart Batching SDK for ERC-8211 LI.FI Launches Intents Engine for Enterprise Cross-Chain Flows Vitalik Pivots to Fiction and Floats a "Trust Dependency" Framework Please fasten your belts! Base Launches Azul, Bringing Multiproofs to Coinbase’s L2 Base activated Azul on mainnet on May 28, its first network upgrade built entirely on its own stack. The headline feature is a multiproof system that pairs Trusted Execution Environment (TEE) proofs with Zero-Knowledge (ZK) proofs, advancing the Coinbase-incubated L2 toward Stage 2 decentralization. Either proof type can finalize a withdrawal independently, but when both agree, finality drops to as little as one day, far faster than the typical multi-day optimistic rollup wait. Crucially, permissionless ZK proofs can override permissioned TEE proofs if the two conflict, a design Base says meaningfully improves censorship resistance. The upgrade also makes base reth the sole execution client and introduces a new consensus client, phasing out older software. Node operators must migrate to the new stack to stay in sync. For AA and chain abstraction builders, the more important signal is what comes next: Base confirmed its end-of-June upgrade will include native account abstraction, an enshrined token standard and Flashblock Access Lists. The largest L2 by activity moving toward native AA is a meaningful pull on the whole ecosystem. Biconomy Ships Smart Batching SDK for ERC-8211 Biconomy released t

2026-06-04 原文 →
AI 资讯

I Built My First Token on Solana — Here's What Actually Surprised Me #100DaysOfSolana.

I Built My First Token on Solana — Here's What Actually Surprised Me This week I went from zero tokens to minting, transferring, charging fees, and locking tokens so they can never move. Here's what stuck with me. Tokens don't live in your wallet Coming from Web2, I assumed tokens would just... show up in your account. Nope. On Solana, every wallet needs a separate token account for each token it holds. One mint, one folder. It felt weird at first. Now it makes sense. You can charge fees without writing a single backend The Token Extensions Program has a built-in transfer fee. One flag at mint creation time: spl-token create-token \ --program-id TokenzQdBNbLqP5VEhdkAS6EPFLC1PHnBqCXEpPxuEb \ --transfer-fee-basis-points 100 That's a 1% fee on every transfer, enforced by the blockchain. No middleware. No payment processor. No way to bypass it. You can make a token that literally cannot be transferred spl-token create-token \ --program-id TokenzQdBNbLqP5VEhdkAS6EPFLC1PHnBqCXEpPxuEb \ --enable-non-transferable I minted 10, tried to send 5, and watched the transaction get rejected. Not by my code — by the program itself. Perfect for credentials, badges, or certificates that should belong to one person forever. The biggest shift from Web2: these rules are set at creation and are permanent. You can't add a transfer fee to an existing token. You can't make a transferable token non-transferable later. It forces you to think about token design upfront, which is honestly a good constraint. solana #blockchain #webdev #beginners #100DaysOfSolana

2026-06-03 原文 →