It's 3am UTC. Someone in your Discord pastes a transaction hash and the message: "did i just get drained??"
What happens next is mechanical. A moderator opens the block explorer, scrolls past gas limits and method calls and log topics, decodes the transfer, translates 0xa9059cbb into "this was an ERC20 transfer," cross-references the destination address, then types something like "looks like you swapped on Uniswap, here's the route." The user replies with a follow-up. Maybe the same flow runs five more times.
That same conversation will run two hundred times in this channel tonight. The moderator wasn't hired for forensics. The protocol didn't budget for it either.
The notification gap
The Drift exploit on April 1 ran for about twelve minutes. 31 withdrawal transactions, $285M out the door, and the protocol's first X post telling users to halt deposits arrived after on-chain analytics firms had already flagged the active attack. Wasabi on April 30 followed the same shape: the attacker started draining at 07:48 UTC, kept going for roughly two hours, and the official acknowledgment showed up afterward. Users watching the price action on their phones knew something was wrong before the team confirmed it.
This isn't anyone's fault. The sequence has to be: detect, pause, investigate, post. Posting first risks broadcasting an exploit before the contract is safe. Pausing first protects the funds. Communication is last because it has to be.
But during that gap, the people who deposited into the protocol have no answer to the question they care about most: is my position safe right now. They get told to "monitor official channels," and the official channel is silent.
The "am I affected?" flood
April 18, Kelp DAO: a forged LayerZero message drained 116,500 rsETH, about $292M. Within hours, nine downstream protocols had paused something. Aave froze rsETH and WETH markets. Around $8.45B fled Aave's pools in the next forty-eight hours. The Aave forum's incident report counted 119 borrower positions at liquidation risk after the dust settled.
Each of those protocols got the same wave. Discord channels filled with the same five questions: am I affected, do I need to do anything, where is my money, can I withdraw, what should I revoke. Same questions, hundreds of times, in parallel across nine protocols. Each answer requires looking at the user's specific position. The volunteer mod can't batch them.
Revoke.cash maintains a permanent page at revoke.cash/exploits called "Check If You're Affected." It exists because every exploit produces this exact flood, and someone built a static site as the least-bad triage tool. The existence of that page is the evidence.
The revoke.cash gap
After Wasabi, the official guidance was to revoke approvals at revoke.cash. Within hours, a phishing account named "Wascbi Profocol" posted a fake revoke link in the same threads where users were asking what to do. Per Blockzeit's coverage, it "apparently misled several people."
Read what the official advice actually asks of a user. Identify which contracts you've approved. Recognize the real protocol's account from the impostor. Open a tool you've probably never used. Sign a transaction whose effects you can't preview. Do all of this fast, while panicking, while scammers are setting up imitation links.
The revoke.cash advice is correct. It's also incomplete in a way that matters. Users following the safety procedure got drained again because the procedure assumed knowledge they didn't have, on the day they could least afford a wrong click.
The layer nobody built
Protocols have monitoring. Hypernative, Blockaid, Cyvers all detected the recent exploits within seconds. Protocols have docs, audit reports, X accounts, status pages, Discord. What's missing isn't information. It's translation.
A monitoring alert says "rsETH/WETH market frozen." A user wants to know "is my $40K still there, what is the worst case for me, and what do I need to do in the next ten minutes."
These are not the same artifact. One is protocol-shaped. The other is position-shaped. The translation between them is what Discord moderators have been doing manually, one user at a time, with a block explorer open in another tab.
Morpho moved its public Discord to read-only on February 1, 2026. Co-founder Merlin Egalite, on record: "Discord is actually full of scammers. people would get phished while actually searching for answers despite heavy monitoring, safeguards, etc." DefiLlama is migrating off Discord too. The volunteer-mod-with-block-explorer model is being abandoned by the protocols that originally built it.
What the workflow looks like instead
The piece I've been building is the translation layer. TxDesk (txdesk.io) takes one input, an address or a transaction hash, plus a question in plain English. It runs the lookups a moderator would run, against the user's actual on-chain state, and returns the answer in seconds.
A user pastes a tx hash and asks "what happened?" The agent decodes the transaction, returns status, parties, amounts, fees, and the decoded method call, in a paragraph a non-technical user can read.
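The by-hand step from the opening, turning the 0xa9059cbb selector into "this was an ERC20 transfer", can be written as a small decoder. This is an added example, not TxDesk's code; it covers the three standard ERC-20 selectors, and the sample address and calldata are constructed.

```python
# Added example: decode ERC-20 calldata the way a moderator reads it by hand.
# A selector is the first 4 bytes of keccak256 of the function signature.
SELECTORS = {
    "a9059cbb": ("transfer", [("to", "address"), ("amount", "uint256")]),
    "095ea7b3": ("approve", [("spender", "address"), ("amount", "uint256")]),
    "23b872dd": ("transferFrom", [("from", "address"), ("to", "address"),
                                  ("amount", "uint256")]),
}
MAX_UINT256 = 2**256 - 1

def format_units(amount, decimals):
    """Integer-only scaling; floats would lose precision on 256-bit values."""
    whole, frac = divmod(amount, 10**decimals)
    return f"{whole}.{frac:0{decimals}d}".rstrip("0").rstrip(".")

def decode_erc20_call(calldata_hex, decimals=18):
    data = calldata_hex.lower()
    data = data[2:] if data.startswith("0x") else data
    bytes.fromhex(data)  # raises ValueError on non-hex or odd-length input
    selector, body = data[:8], data[8:]
    if selector not in SELECTORS:
        return {"method": None, "selector": "0x" + selector}
    name, params = SELECTORS[selector]
    if len(body) < 64 * len(params):
        raise ValueError("calldata shorter than the ABI requires")
    args = {}
    for i, (pname, ptype) in enumerate(params):
        word = body[64 * i:64 * (i + 1)]  # each ABI argument is one 32-byte word
        if ptype == "address":
            if word[:24] != "0" * 24:  # upper 12 bytes must be zero padding
                raise ValueError("malformed address word")
            args[pname] = "0x" + word[24:]
        else:
            args[pname] = int(word, 16)
    # An approve for 2**256 - 1 is the "unlimited allowance" users are told to revoke.
    unlimited = name == "approve" and args["amount"] == MAX_UINT256
    shown = "unlimited" if unlimited else format_units(args["amount"], decimals)
    target = args.get("to") or args.get("spender")
    return {"method": name, "args": args, "unlimited_approval": unlimited,
            "summary": f"{name} of {shown} tokens to {target}"}

# Constructed sample inputs (not real transactions).
def word32(n):
    return f"{n:064x}"
SAMPLE_ADDR = "0x" + "11" * 20
SAMPLE_TRANSFER = "0xa9059cbb" + word32(int(SAMPLE_ADDR, 16)) + word32(15 * 10**17)
SAMPLE_APPROVE = "0x095ea7b3" + word32(int(SAMPLE_ADDR, 16)) + word32(MAX_UINT256)

if __name__ == "__main__":
    print(decode_erc20_call(SAMPLE_TRANSFER)["summary"])
```

The address in the calldata is the recipient or spender; the token contract itself is the transaction's destination, which is why the explorer's "To" field alone does not say where the tokens went.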
A user asks "will I get liquidated if ETH drops 20%?" The agent calls explain_liquidation_risk against their lending position. It returns currentHealthFactor, distanceToLiquidationPercent, and an array of perAssetLiquidationPrices with one row per collateral asset. Plus suggestions: requiredDebtRepaymentUsd to hit a target health factor, or requiredCollateralAddUsd to add instead. The user gets a number, not a vibe.
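The arithmetic behind an answer like that, as an added example rather than TxDesk's implementation. It assumes an Aave-style health factor (liquidation-threshold-weighted collateral divided by debt, liquidatable below 1); the output keys reuse the field names above, but the formulas behind them, the function names, and the sample position are assumptions made here.

```python
# Added example: Aave-style health-factor arithmetic (an assumed model).
# HF = sum(amount * price * liquidation_threshold) / debt_usd; HF < 1 is liquidatable.

def weighted_collateral(collateral, shocks=None):
    """shocks maps symbol -> fractional price change, e.g. {"ETH": -0.20}."""
    shocks = shocks or {}
    return sum(c["amount"] * c["price"] * (1 + shocks.get(sym, 0.0)) * c["lt"]
               for sym, c in collateral.items())

def health_factor(collateral, debt_usd, shocks=None):
    if debt_usd <= 0:
        return float("inf")  # no debt, nothing to liquidate
    return weighted_collateral(collateral, shocks) / debt_usd

def liquidation_report(collateral, debt_usd, target_hf=1.5, add_lt=0.80):
    total = weighted_collateral(collateral)
    hf = health_factor(collateral, debt_usd)
    per_asset = {}
    for sym, c in collateral.items():
        # Price of this asset at which HF == 1 with every other price held fixed.
        others = total - c["amount"] * c["price"] * c["lt"]
        price = (debt_usd - others) / (c["amount"] * c["lt"])
        per_asset[sym] = price if price > 0 else None  # None: cannot trigger alone
    return {
        "currentHealthFactor": hf,
        # Uniform drop in all collateral prices that brings HF to exactly 1.
        "distanceToLiquidationPercent": max(0.0, (1 - 1 / hf) * 100) if hf > 0 else 0.0,
        "perAssetLiquidationPrices": per_asset,
        # Solve total / (debt - x) == target_hf for x.
        "requiredDebtRepaymentUsd": max(0.0, debt_usd - total / target_hf),
        # Solve (total + x * add_lt) / debt == target_hf for x.
        "requiredCollateralAddUsd": max(0.0, (target_hf * debt_usd - total) / add_lt),
    }

# Constructed sample position; prices and thresholds are illustrative.
SAMPLE_COLLATERAL = {
    "ETH": {"amount": 10.0, "price": 3000.0, "lt": 0.80},
    "WBTC": {"amount": 0.5, "price": 60000.0, "lt": 0.75},
}
SAMPLE_DEBT_USD = 40000.0

if __name__ == "__main__":
    print(liquidation_report(SAMPLE_COLLATERAL, SAMPLE_DEBT_USD))
    print(health_factor(SAMPLE_COLLATERAL, SAMPLE_DEBT_USD, {"ETH": -0.20}))
```

On the sample position a 20% ETH drop leaves the health factor just above 1, while a 30% drop takes it below, which is the kind of per-position answer a protocol-wide alert cannot give.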
A user pastes a Sui package ID and asks "is this safe?" The package risk tool returns riskLevel, isLatestVersion (a value of false flags a deprecated version, the pattern that bit Scallop), and upgradeCapOwnerKind (AddressOwner with an upgradeable policy is the single-key blast-radius pattern that bit Volo). A full Cetus CLMM scan returns end-to-end in 1.7 seconds.
A user pastes a failed transaction. The diagnosis tool returns one of eight Sui failure categories, with two or three suggested fixes computed from the user's wallet state.
Every field is tagged dataAvailable: full | partial | unavailable, so the agent can't invent values that didn't load. 39 tools, 43+ chains.
Every exploit in April produced the same support failure. Different attack vector each time, same broken communication on the user side. The fix isn't more moderators, faster Discord triage, or better Twitter posts. It's an answer that runs in seconds, in plain English, against the user's actual on-chain position, available the moment the user asks. That layer didn't exist. Now it does.