Pybast (@Pybast)

2.1K posts

CTO @Corkprotocol | EVM engineer | DeFi & smart contracts | Ex-CTO @Nefture | Summiting peaks & building protocols

Joined June 2014
2K Following, 1.4K Followers
Pinned Tweet
Pybast (@Pybast)
Thrilled to announce I’ve joined @Corkprotocol as CTO. After a great run working for top web3 projects, traveling to conferences, and winning hackathons, it’s clear where I want to focus: bringing TradFi onchain. 🧵 Let me share what convinced me to join Cork (+ we are hiring)

What makes me especially excited to build Cork is the market growth for tokenized assets. We’re entering a new phase of scale:
• real world assets: $3B → $25B in 3 years,
• stablecoins: $260B total market,
• vault protocols like @MorphoLabs & @veda_labs: triple-digit growth

As DeFi is rapidly becoming TradFi’s technology backbone, this transition needs to happen with the same rigor, transparency, and automation that underpin traditional financial markets. Cork is the solution, serving as a programmable risk layer for onchain assets such as vault tokens, yield-bearing stablecoins, and liquid (re)staking tokens.

Prior to joining Cork, I cofounded and was the CTO of @Nefture, a security product aiming to protect DeFi. Through this experience, I came to deeply understand one of the biggest challenges of DeFi: security.

More recently, I expanded my horizon and worked on:
• building a DeFi locker on Linea with @StakeDAOHQ,
• building a secure reward distribution system on Arbitrum with @cedelabs,
• analyzing Permit2 phishing scams with @RevokeCash,
• auditing an ERC4626 vault for @trumarket_tech,
• building UniV4 hooks at UHI @AtriumAcademy,
• winning 6 hackathons (@ETHGlobal, @alephhackathon), with projects actively developed like PolySwap (grant by @CoWSwap) and @BackupBuddy_io, well on its way to making wallet recovery secure and accessible,
• attending confs and popup cities, making amazing friends and deepening my understanding of the ambitious vision for @Ethereum. The best example being @Zuitzerland, where I spent a month learning about d/acc.

It’s this journey, when meeting @robdogeth at @EthCC, that allowed me to understand the important and inevitable vision of @Corkprotocol.

I’m incredibly excited to contribute to Cork’s vision of institutional-grade risk management for onchain finance. The next trillion in liquidity will require transparent risk layers, and that’s what we’re here to build. We’re working on cutting-edge DeFi and building a top-tier team. This is why I’m excited to be building here. If this is interesting to you, come build with me. We’ll be hiring a senior smart-contract developer to support our build (see link in the comments). Follow @Pybast & @Corkprotocol to see what we're cooking!
Pybast retweeted
philogy (@real_philogy)
After 6 months of work, we're proud to finally share our first release of our new smart contract language: Plank v0.1 🚀 To fix the fundamental issues plaguing smart contract development we're rebuilding the language stack from the ground up. 🏗️ Learn more 👇
Pybast (@Pybast)
Trust git, the OSS protocol. Don’t trust GitHub, the for-profit company operating the servers behind github.com. How much of DeFi could be affected by such a vulnerability?
Pybast retweeted
Cork Protocol (@Corkprotocol)
"The time to solve security is before you need it. Once it's broken, everyone's watching and you're out of time." Our CTO @Pybast lives in the part of DeFi most people don't think about until it's too late: what happens when things break, while they're breaking. He took the stage at Rekt to talk about exactly that.
Pybast retweeted
Cork Protocol (@Corkprotocol)
DeFi's whole promise is non-skeuomorphic finance, building primitives onchain to create products TradFi can't. But the industry still hasn't cracked its most basic problem. KYC and onboarding remain the real bottleneck. You can embed compliance logic, licensing terms, and a dozen other rules directly into a smart contract and still end up doing paperwork. In 2026, parts of that paperwork still need wet signatures. The smart contract is the easy part; the bottleneck is the human in the loop, which nobody has automated yet. A sharp moment from a recent panel @Philfog moderated.
Pybast retweeted
DeFiScan (@defiscan_info)
DeFiScan is live in Ethereum Security QF Round on @Giveth! We're building verifiable insights into the maturity and risks of DeFi protocols. Providing developers better tools to build with decentralization in mind, and let users avoid single points of failure. No more blind trust. Real data. Real ratings. A more secure DeFi ecosystem. If you have found DeFiScan useful and/or would like to support the development of the centralization risk infrastructure, please consider donating to us: qf.giveth.io/project/defisc…
Pybast (@Pybast)
@m4rio_eth it’s already funding the next attack
m4rio (@m4rio_eth)
Amazing how people are coming in to help with the ETH situation! Kudos to everyone! But my concern is still real: we need to improve, otherwise we cannot keep relying on bailouts like this:
- Bybit bailout by investors
- Drift by Tether
- Kelp by the ETH community
While all these are awesome initiatives, half of my face is happy, and the other half is crying knowing we donated so much to NK.
Pybast (@Pybast)
@cas_abbe @LayerZero_Core this is a bunch of ai slop… the verifier (dvn) encompasses the data sourcing, otherwise it’s still completely flawed. The best practice of multiple DVNs includes the necessity of multiple independent data sources.
Cas Abbé (@cas_abbe)
Everyone should actually read this before forming opinions.
This was a verification-layer failure upstream because
→ no contract exploit
→ no key compromise
→ no protocol logic failure
Two RPCs feeding @LayerZero_Core’s DVN got compromised and failover forced into poisoned nodes. DVN signed a message that never existed.
That’s the layer @KelpDAO was told to trust, and let’s be honest here, the 1/1 setup didn’t appear out of nowhere: it’s the path exposed in docs, used across the ecosystem, and even confirmed acceptable during integration.
So, framing this as "Kelp ignored best practices" feels incomplete at best, because when the verifier itself is reading manipulated state, 1:1 vs 2:3 doesn’t address the root.
This is what dependency risk looks like at scale.
Kelp reacted fast, contained further ~$95M risk, paused everything.
The failure started before them!
Quoted: Kelp (@KelpDAO)
x.com/i/article/2046…

Pybast (@Pybast)
KelpDAO's position, which consists of saying that they followed the "default" configuration from the "quickstart guide", is very problematic. It's the equivalent of buying a sports car at a dealership, signing up for a rally race, unfortunately ending up crushed by the roof of your own car after going off the road, and then blaming the car manufacturer for burying in its owner's manual that you need to install a roll cage if you do rallying.

> a 1/1 DVN configuration should simply never have been possible.

That is the equivalent of saying that a sports car without a roll cage should not be put on sale. It ignores that most people don't need to pay for a roll cage. It's the same for DVNs.

Now, LayerZero is not without responsibility. We are on the blockchain, everything is transparent, so the car manufacturer can easily see what each car is doing and the risks being taken. If it is aware that you are going to do rallying without a roll cage in its car, or if it has the ability to know, it must inform. In that sense, LayerZero should have sounded the alarm and demanded a more secure configuration. It's fairly unclear whether that was done and how forcefully.

What needs to be understood is that groups like Lazarus look for low-hanging fruit and are willing to invest months and dozens of hackers to hit big and achieve their ends. Securing $1.4b with a centralized service under LayerZero's full responsibility is inviting them to the feast and guaranteeing that they will eventually find a way!

It's really disappointing to see the industry hiding behind such irresponsible arguments... But I remain optimistic that behind the marketing facades, things will change in the right direction.
Quoted: OAK Research (@OAK_Res_FR)
x.com/i/article/2046…

Pybast retweeted
Robdog 🍾 (@robdogeth)
1/ 🧵 $292M of rsETH — was drained from @KelpDAO's @LayerZero_Core bridge in a single forged message. 48 hours later, $13B of DeFi TVL had walked out the door whilst it remains unclear where the losses actually will land. Let's unpack the ecosystem impact.
Pybast (@Pybast)
@Truunik They mentioned the "quickstart docs" 🫠
Truu🐻‍❄️ (@Truunik)
Kelp just punched back at LayerZero. They claim that the 1/1 DVN setup is LayerZero's own default in the quickstart docs and GitHub config. Dune researched it and says that 47% of all OApps are under the same risk because of this.... Aave froze rsETH markets fast, but the bad-debt question is still live and nobody's volunteering to eat it. So, is this a governance fix, a lawsuit, or the start for rewriting the cross-chain standards?
Pybast (@Pybast)
@KelpDAO Wait, was the "quickstart guide" really mentioned?
Pybast (@Pybast)
I performed an in-depth analysis of 13,910 @safe multisig wallets and here is what I found: 47% of them run a 1-of-1 signer security floor, 45% run a 2-of-2, and ~5% run 3-of-3 or higher. As we know, {some well known protocol} sat in the first bucket.

Ah... sorry... some random user just had a vibecoding bug during a hackathon. He somehow deployed 13,910 new 1-of-1 Safe wallets. So let me update my statistics: 73.5% of them run a 1-of-1 signer security floor, 22.5% run a 2-of-2, and ~2.5% run 3-of-3 or higher. As we know, {some well known protocol} sat in the first, now bigger, bucket.

Hope this research helps DeFi make the right decisions!
Quoted: Dune | We Are Hiring! (@Dune)
Following the KelpDAO hack, we built an open analysis of DVN security configurations across every active OApp on LayerZero over the last 90 days. Of ~2,665 unique OApp contracts: 47% run a 1-of-1 DVN security floor, 45% run 2-of-2, and ~5% run 3-of-3 or higher. As we know, KelpDAO's rsETH sat in the first bucket. Open query, public methodology, feedback welcome: dune.com/dune/layerzero…

Pybast (@Pybast)
@Philfog I know all this.. but it still got me very excited!
Pybast (@Pybast)
Great reflections on the rsETH exploit and how DeFi can be brought back! During a conversation yesterday, @mbaril010 explained the main problem: nobody wants to pay for the complex due diligence work our industry necessitates. The hard truth is that the incentives are just completely missing... @Philfog describes the next step of DeFi: push risk pricing to the core of yield products. "Underwriters get paid to do the hard modeling work no one is paying for right now — and the work they produce becomes public price." Recommend the read! Bonus: you'll understand why I'm so excited to be building @Corkprotocol
Quoted: Phil Fogel ( 🦇, 🌳, 🍾) (@Philfog)
x.com/i/article/2046…

Pybast (@Pybast)
Checked some other popular OFTs (LayerZero-based crosschain tokens):
@EtherFi requires 2 DVNs' confirmation
@ethena requires 3 DVNs' confirmation
@USDT0_to requires 2 DVNs' confirmation
Even ZRO from @LayerZero_Core themselves requires 2 DVNs before executing a transfer.
Two questions will need answers: (1) how and why did Kelp oversee this critical configuration? (2) how did @aave and DeFi in general allow interoperating rsETH at such a scale given this poor configuration?
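The threads above argue about three things a DVN configuration can be measured by: the "m-of-n" security floor Dune bucketed OApps into, the number of independent data sources behind those DVNs (Pybast's point that two DVNs on the same RPC are not two verifiers, and Cas Abbé's account of poisoned failover nodes), and how a count-weighted statistic can be inflated by deploying sybil contracts (the Safe satire). The script below is an added illustration of all three; it is not code from Pybast, Cork, Dune or LayerZero. The config fields mirror the public UlnConfig shape (required DVNs, optional DVNs, optional threshold), but every DVN name, RPC provider, value and the rule "a DVN is captured once every provider it can fail over to is poisoned" are constructed assumptions for the example.

```python
"""Classify a LayerZero-style DVN config and count how many RPC providers an
attacker must poison to clear its threshold. Illustrative; all names below
are constructed, not real deployments."""
from dataclasses import dataclass
from itertools import combinations
from typing import Optional


@dataclass(frozen=True)
class UlnConfig:
    required_dvns: tuple[str, ...]        # every one of these must verify
    optional_dvns: tuple[str, ...] = ()   # `optional_threshold` of these must verify
    optional_threshold: int = 0
    confirmations: int = 15               # source-chain confirmations (not used here)


def min_verifiers(cfg: UlnConfig) -> int:
    """DVN attestations needed before a payload becomes executable."""
    return len(cfg.required_dvns) + cfg.optional_threshold


def floor_label(cfg: UlnConfig) -> str:
    """'m-of-n' label in the style of the Dune breakdown quoted above."""
    return f"{min_verifiers(cfg)}-of-{len(cfg.required_dvns) + len(cfg.optional_dvns)}"


def config_issues(cfg: UlnConfig) -> list[str]:
    """Checks an integrator should run before trusting a config."""
    issues = []
    if cfg.optional_threshold > len(cfg.optional_dvns):
        issues.append("optional threshold exceeds optional DVN count (unsatisfiable)")
    listed = cfg.required_dvns + cfg.optional_dvns
    if len(set(listed)) != len(listed):
        issues.append("a DVN is listed twice; it only attests once")
    if min_verifiers(cfg) == 0:
        issues.append("no DVN required: anyone can execute arbitrary messages")
    elif min_verifiers(cfg) == 1:
        issues.append("1 verifier: a single DVN compromise forges messages")
    return issues


def providers_to_compromise(cfg: UlnConfig, sources: dict[str, frozenset[str]]) -> Optional[int]:
    """Smallest number of RPC providers whose poisoning satisfies the threshold.

    Assumption (constructed): a DVN is captured once every provider in its
    failover set serves poisoned state. Brute force over provider subsets,
    which is fine for the handful of providers a DVN typically lists."""
    all_providers = sorted(set().union(*sources.values()))
    for k in range(1, len(all_providers) + 1):
        for subset in combinations(all_providers, k):
            poisoned = set(subset)
            captured = {dvn for dvn, ps in sources.items() if ps <= poisoned}
            required_ok = set(cfg.required_dvns) <= captured
            optional_ok = len(captured & set(cfg.optional_dvns)) >= cfg.optional_threshold
            if required_ok and optional_ok:
                return k
    return None  # only for configs that can never be satisfied


def bucket_shares(entries: list[tuple[UlnConfig, float]]) -> dict[str, tuple[float, float]]:
    """Share of each floor label by contract count and by value secured.
    Counting contracts is gameable by deploying empty OApps; value is not."""
    by_count: dict[str, int] = {}
    by_value: dict[str, float] = {}
    total_value = sum(v for _, v in entries) or 1.0
    for cfg, value in entries:
        label = floor_label(cfg)
        by_count[label] = by_count.get(label, 0) + 1
        by_value[label] = by_value.get(label, 0.0) + value
    return {lbl: (by_count[lbl] / len(entries), by_value[lbl] / total_value) for lbl in by_count}


# Constructed: the RPC providers each DVN can fail over to.
SOURCES = {
    "dvn_A": frozenset({"rpc_x", "rpc_y"}),
    "dvn_B": frozenset({"rpc_x"}),   # shares a provider with dvn_A
    "dvn_C": frozenset({"rpc_z"}),
    "dvn_D": frozenset({"rpc_w"}),
}

# Constructed configs covering the shapes discussed in the threads.
CONFIGS = {
    "single_dvn": UlnConfig(required_dvns=("dvn_A",)),
    "two_required_shared_rpc": UlnConfig(required_dvns=("dvn_A", "dvn_B")),
    "two_required_independent": UlnConfig(required_dvns=("dvn_A", "dvn_C")),
    "one_plus_2of3": UlnConfig(required_dvns=("dvn_A",),
                               optional_dvns=("dvn_B", "dvn_C", "dvn_D"),
                               optional_threshold=2),
}

if __name__ == "__main__":
    for name, cfg in CONFIGS.items():
        print(f"{name:26s} {floor_label(cfg):6s} "
              f"providers to poison: {providers_to_compromise(cfg, SOURCES)} "
              f"{config_issues(cfg)}")
```

Running it shows the point of the thread: "two_required_shared_rpc" is labelled 2-of-2 yet needs exactly as many poisoned providers as the 1-of-1 config, while 2-of-2 on independent providers raises the bar by one. The same brute force works for any OApp once you know each DVN's provider set.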