colibri.stateless - A stateless, proof-based ultra-light client that runs anywhere - mobile, IoT, browser - so wallets and apps never have to trust RPCs

Joined January 2025
Pinned Tweet
Last week we hosted a Twitter Space with @ChrJentzsch and @griffgreen to talk about the impact of TheDAO. During the conversation, @simon_jentzsch explained how @thedaofund relates to our project and emphasized the importance of RPCs in Web3 security!
corpus.core retweeted
Replying to @SCBuergel @Rabby_io
Why does absolutely every crypto company seem to use Sentry? They seem to just dump loads of sensitive data into it. Jesus, a Sentry exploit would be insane for this industry.
corpus.core retweeted
There's no one wallet that suits everyone; it really depends on what you need. But you should have access to all the information to make an informed decision, and @walletbeat gives you exactly that. Find your wallet: beta.walletbeat.eth.limo

The best financial analysis of the KelpDAO aftermath came from @yasche_. His conclusion: "The hole is being filled. Whether the lesson sticks is the question that will shape the next DeFi chapter." One month later: the financial hole is mostly filled. The architectural hole hasn't been touched. #KelpDAO #DeFi x.com/yasche_/status/2051305…

The lesson that should stick: the KelpDAO exploit didn't require a smart contract vulnerability, a governance failure, or a malicious insider. It required one compromised data source in a system that trusted rather than verified. That assumption — that source-chain state can be established by trusted off-chain attestation — is present in every major cross-chain bridge architecture in production today. UNC4899 found it once. The surface is still open.
Messari's rsETH report contains a number that deserves more attention than it got: Over 42% of assets on L2 rollups with more than $100M in TVS rely on trust assumptions that sit outside the rollup's standard security model. @MessariCrypto #rsETH #Ethereum That's not a KelpDAO problem. That's a structural condition of the current DeFi stack.
The two most active DeFi L2s — @Arbitrum and @Base — have 47% and 41% of their respective TVS sitting on trust assumptions outside their standard security model. That's not a criticism of those platforms. It's a description of the current state of cross-chain infrastructure. The tools for cryptographic verification at scale are still being built. The attack surface isn't waiting for the tools to catch up.
Chainalysis called it a "trust-layer failure." Not a code failure. Not a governance failure. A failure in the layer that sits between the contracts and the data they read. "At the transaction level, every step of the exploit was indistinguishable from normal bridge activity. The validator's signature was valid. The message format was valid. The release function behaved exactly as designed." @chainalysis #KelpDAO #rsETH
Chainalysis recommends cross-referencing RPC responses across multiple independent gateways and treating mismatches as attack signals. That's the right operational instinct. But it still assumes the defense is redundant trust, more intermediaries whose responses you compare. Cryptographic proof flips the model: instead of trusting multiple sources and hoping they agree, you verify the claim directly against the chain's own consensus. The proof checks out or it doesn't.
OpenZeppelin's postmortem on the KelpDAO exploit opens with a striking finding: "The smart contracts were correct. The code was clean. The system failed operationally." $292M stolen. Zero bugs. That sentence should end the debate about whether smart contract audits are sufficient for bridge security. @openzeppelin #KelpDAO #BridgeSecurity
OpenZeppelin draws a clean line between code risk and operational risk. We'd extend that line one layer further: between trust-based architecture and cryptographic verification. More DVNs reduce operational risk. They don't eliminate the structural assumption: that source-chain state can be established by trusted off-chain intermediaries at all. As long as that assumption holds, the attack surface UNC4899 exploited on April 18 remains open for the next variation.
corpus.core retweeted
Replying to @gnosispay
2/2 Normally, stateless verification forces you to run eth_createAccessList first to know what to prove. The problem? It leaks your entire call message to the RPC. To fix this in privacy mode, I bypassed the access list entirely:
1. Run the local EVM blindly first and track SLOAD calls.
2. Serve from local cache, or dynamically fetch missing state via eth_getProof.
3. Once it clears the EVM, verify all proofs at the very end.
To close the last metadata leak, @oblivious_labs handles the eth_getProof request inside a TEE, building the proof via ORAM so access patterns stay hidden. Full cryptographic security, absolute privacy, without trusting a centralized node. Check out the repository here: github.com/corpus-core/colib… github.com/obliviouslabs/obl…
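The three steps in the post above, as an added example (not code from the colibri or oblivious repositories): a binary Merkle tree stands in for Ethereum's Merkle-Patricia storage trie and `FakeRpc` stands in for a node's eth_getProof, both constructed here; the client runs the call blind, records the slots it reads, fetches them lazily, and checks every proof against the trusted root only after execution.

```python
import hashlib

def h(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()
# Simplified stand-in for Ethereum's storage trie: a binary Merkle tree over 2^k slots.
def merkle_layers(values):
    layer = [h(v.to_bytes(32, "big")) for v in values]
    layers = [layer]
    while len(layer) > 1:
        layer = [h(layer[i], layer[i + 1]) for i in range(0, len(layer), 2)]
        layers.append(layer)
    return layers
def merkle_proof(values, slot):
    proof, idx = [], slot
    for layer in merkle_layers(values)[:-1]:
        proof.append(layer[idx ^ 1])  # sibling on the path to the root
        idx //= 2
    return proof
def verify_proof(root, slot, value, proof):
    node, idx = h(value.to_bytes(32, "big")), slot
    for sibling in proof:
        node = h(node, sibling) if idx % 2 == 0 else h(sibling, node)
        idx //= 2
    return node == root

class FakeRpc:  # constructed stand-in for eth_getProof; `seen` is all the node ever learns
    def __init__(self, storage):
        self.storage, self.seen = storage, []
    def get_proof(self, slot):
        self.seen.append(slot)
        return self.storage[slot], merkle_proof(self.storage, slot)
class StatelessExecutor:
    def __init__(self, rpc, root):
        self.rpc, self.root, self.cache, self.proofs = rpc, root, {}, {}
    def sload(self, slot):  # steps 1-2: track SLOADs, serve from cache, fetch misses lazily
        if slot not in self.cache:
            self.cache[slot], self.proofs[slot] = self.rpc.get_proof(slot)
        return self.cache[slot]
    def run(self, contract, calldata):
        result = contract(self.sload, calldata)  # blind run: calldata never leaves the client
        ok = all(verify_proof(self.root, s, self.cache[s], p)  # step 3: verify at the end
                 for s, p in self.proofs.items())
        return result, ok

def demo(tamper=False):
    storage = [100, 250, 0, 7]  # constructed storage; its root is the trusted commitment
    root = merkle_layers(storage)[-1][0]
    rpc = FakeRpc([100, 999, 0, 7] if tamper else storage)  # a lying node inflates slot 1
    # Toy contract: is balance[owner] >= amount? It touches only the owner's slot.
    result, ok = StatelessExecutor(rpc, root).run(lambda sload, cd: sload(cd[0]) >= cd[1], (1, 200))
    return result, ok, rpc.seen
```

`rpc.seen` shows the node learns only the slot index, never the calldata; a node that returns a wrong value is caught because its proof no longer hashes to the trusted root.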