CTO @Corkprotocol | EVM engineer | DeFi & smart contracts | Ex-CTO @Nefture | Summiting peaks & building protocols

Joined June 2014
Pinned Tweet
14 Oct 2025
Thrilled to announce I’ve joined @Corkprotocol as CTO. After a great run working for top web3 projects, traveling to conferences, and winning hackathons, it’s clear where I want to focus: bringing TradFi onchain. 🧵 Let me share what convinced me to join Cork (we are hiring).

What makes me especially excited to build Cork is the market growth for tokenized assets. We’re entering a new phase of scale:
• real world assets: $3B → $25B in 3 years,
• stablecoins: $260B total market,
• vault protocols like @MorphoLabs & @veda_labs: triple-digit growth

As DeFi is rapidly becoming TradFi’s technology backbone, this transition needs to happen with the same rigor, transparency, and automation that underpin traditional financial markets. Cork is the solution, serving as a programmable risk layer for onchain assets such as vault tokens, yield-bearing stablecoins, and liquid (re)staking tokens.

Prior to joining Cork, I cofounded and was the CTO of @Nefture, a security product aiming to protect DeFi. Through this experience, I came to deeply understand one of the biggest challenges of DeFi: security. More recently, I expanded my horizon and worked on:
• building a DeFi locker on Linea with @StakeDAOHQ,
• building a secure reward distribution system on Arbitrum with @cedelabs,
• analyzing Permit2 phishing scams with @RevokeCash,
• auditing an ERC4626 vault for @trumarket_tech,
• building UniV4 hooks at UHI @AtriumAcademy,
• winning 6 hackathons (@ETHGlobal, @alephhackathon), with projects actively developed like PolySwap (grant by @CoWSwap) and @BackupBuddy_io, well on its way to making wallet recovery secure and accessible,
• attending confs and popup cities, making amazing friends and deepening my understanding of the ambitious vision for @Ethereum. The best example being @Zuitzerland, where I spent a month learning about d/acc.

It’s this journey, when meeting @robdogeth at @EthCC, that allowed me to understand the important and inevitable vision of @Corkprotocol.
I’m incredibly excited to contribute to Cork’s vision of institutional-grade risk management for onchain finance. The next trillion in liquidity will require transparent risk layers, and that’s what we’re here to build. We’re working on cutting-edge DeFi and building a top-tier team. This is why I’m excited to be building here. If this is interesting to you, come build with me. We’ll be hiring a senior smart-contract developer to support our build (see link in the comments). Follow @Pybast & @Corkprotocol to see what we're cooking!
58
14
172
16,075
May 20
What you sign is what you get. max slippage ~= slippage!
Is what you see really what you get in DeFi? We analyzed large (> $50k) Uniswap V3 swaps to measure the gap between the price preview shown before signing and the price users actually received.

TL;DR:
- 78.3% of default-tolerance swaps settled within 1% of the signed slippage floor, and 84.1% within 5%
- Favorable outcomes were economically tiny: max 3 bps, while adverse execution reached ~50 bps in common default-tolerance cases
- Only ~4.2% crossed the slippage floor and reverted. 78.3% settled just inside it.

Read the report, link in the comment. @ethereumfndn @Uniswap #DeFi
1
8
291
Pybast retweeted
we've been speedrunning financial history onchain for a decade. vaults, AMMs, stablecoins, LSTs — every single one is a credit product wearing a different hat stack enough of them and you've built a beautiful, interconnected pile of unpriced risk great chat with @therollupco
2
4
21
991
May 15
What is Cork? ⬇️ Answer

1
7
265
May 13
The security stack of a protocol is not an afterthought. Certain integrations, such as realtime monitoring, are core to a protocol’s design. Anticipate and plan it early, not post-deployment!
The wallet that can pause your protocol should never be the wallet that can upgrade it. @Pybast, CTO of @Corkprotocol, walked through this at the Rekt Security Summit in Cannes. Giving Hypernative the pause role makes sense for rapid response. But if that role also carries upgrade permissions, you have introduced a new attack vector instead of closing one. The same logic applies to unpause. If the key that unpauses your protocol gets exfiltrated, an attacker can trigger a pause, wait, unpause, and exploit again. These are governance design decisions that need to happen before you integrate any security tooling. Learn more at buff.ly/ERwOrHs
2
8
294
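The role split described in the post above, as an added illustration that is not code from Cork, Hypernative or the summit talk: a minimal Solidity sketch (no OpenZeppelin dependency) in which pausing, unpausing and upgrading are held by three distinct principals, with a deployment-time check that no single key holds more than one of them. The `pauser`/`unpauser`/`upgrader` names, the events and the stand-in upgrade path are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added illustration (not a Cork or Hypernative contract).
/// `pauser`   : fast-response key (e.g. a monitoring service); it can only halt the protocol.
/// `unpauser` : a slower multisig, so a leaked pause key cannot run pause -> wait -> unpause -> exploit.
/// `upgrader` : a separate, timelocked governance key, so a compromised pauser cannot swap the logic.
contract SeparatedRoles {
    address public immutable pauser;     // hypothetical: monitoring/guardian key
    address public immutable unpauser;   // hypothetical: security council multisig
    address public immutable upgrader;   // hypothetical: timelocked governance
    address public implementation;       // stand-in for a proxy's logic slot
    bool public paused;
    mapping(address => uint256) public balances;

    event Paused(address indexed by);
    event Unpaused(address indexed by);
    event Upgraded(address indexed by, address newImplementation);

    constructor(address _pauser, address _unpauser, address _upgrader, address _impl) {
        require(_pauser != address(0) && _unpauser != address(0) && _upgrader != address(0), "zero address");
        // Deployment-time invariant from the post: no single key holds two of the three roles.
        require(_pauser != _unpauser && _pauser != _upgrader && _unpauser != _upgrader, "roles must be distinct");
        pauser = _pauser;
        unpauser = _unpauser;
        upgrader = _upgrader;
        implementation = _impl;
    }

    modifier whenNotPaused() { require(!paused, "paused"); _; }

    // Cheap to grant widely: the only thing this key can do is stop the protocol.
    function pause() external { require(msg.sender == pauser, "not pauser"); paused = true; emit Paused(msg.sender); }

    // Deliberately held by a different, slower principal than `pauser`.
    function unpause() external { require(msg.sender == unpauser, "not unpauser"); paused = false; emit Unpaused(msg.sender); }

    // Never shares a key with pause: a stolen pause key cannot reach this function.
    function upgradeTo(address newImpl) external {
        require(msg.sender == upgrader, "not upgrader");
        require(newImpl.code.length > 0, "not a contract");
        implementation = newImpl;
        emit Upgraded(msg.sender, newImpl);
    }

    // Example user-facing action gated by the pause switch.
    function deposit() external payable whenNotPaused { balances[msg.sender] += msg.value; }
}
```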
May 8
When you realize that buying your baguette in EURe is damaging the economy 🫠 Copper coins me voilà!
Stablecoins are not an efficient way to strengthen the international role of the euro, says President Christine @Lagarde. The best solution remains deeper capital market integration through the savings and investment union and a stronger safe asset base ecb.europa.eu/press/key/date…
2
4
214
Pybast retweeted
May 1
Moat — a free, open-source day-one firewall for teams too early-stage to afford the audits they should have before going to production, and for any team trying to convince risk-averse LPs that their funds are safe. Now live in the @Giveth × @thedaofund Ethereum Security QF round. Every donation amplified by a 500 ETH matching pool 🙏
4
5
13
2,269
Pybast retweeted
After 6 months of work, we're proud to finally share our first release of our new smart contract language: Plank v0.1 🚀 To fix the fundamental issues plaguing smart contract development we're rebuilding the language stack from the ground up. 🏗️ Learn more 👇
57
50
468
45,287
Apr 28
Trust git, the OSS protocol. Don’t trust github, the for profit company operating the servers behind github(dot)com. How much of DeFi could be affected by such a vulnerability?
1
5
371
Pybast retweeted
"The time to solve security is before you need it. Once it's broken, everyone's watching and you're out of time." Our CTO @Pybast lives in the part of DeFi most people don't think about until it's too late: what happens when things break, while they're breaking. He took the stage at Rekt to talk about exactly that.
4
1
12
617
Pybast retweeted
DeFi's whole promise is non-skeuomorphic finance, building primitives onchain to create products TradFi can't. But the industry still hasn't cracked its most basic problem. KYC and onboarding remain the real bottleneck. You can embed compliance logic, licensing terms, and a dozen other rules directly into a smart contract and still end up doing paperwork. In 2026, parts of that paperwork still need wet signatures. The smart contract is the easy part; the bottleneck is the human in the loop, which nobody has automated yet. A sharp moment from a recent panel @Philfog moderated.
2
3
15
977
Pybast retweeted
DeFiScan is live in Ethereum Security QF Round on @Giveth! We're building verifiable insights into the maturity and risks of DeFi protocols. Providing developers better tools to build with decentralization in mind, and let users avoid single points of failure. No more blind trust. Real data. Real ratings. A more secure DeFi ecosystem. If you have found DeFiScan useful and/or would like to support the development of the centralization risk infrastructure, please consider donating to us: qf.giveth.io/project/defisca…

2
9
25
2,025
Apr 22
KelpDAO's position, which amounts to saying they followed the "default" configuration from the "quickstart guide", is highly problematic. It's the equivalent of buying a sports car from a dealership, signing up for a rally race, unfortunately ending up crushed by the roof of your own car when it goes off the road, and then blaming the car manufacturer for burying in its user manual that you need to install a roll cage if you do rallying.

> a 1/1 DVN configuration simply should never have been possible.

That's the equivalent of saying that a sports car without a roll cage should not be put on sale. It ignores that most people don't need to pay for a roll cage. It's the same for DVNs. Now, LayerZero is not without responsibility. We're on the blockchain, everything is transparent, so the car manufacturer can easily see what each car is doing and the risks being taken. If it is aware that you're going to do rallying without a roll cage in its car, or if it has the ability to know, it must inform you. In that sense, LayerZero should have sounded the alarm and demanded a more secure configuration. It's fairly unclear whether that was done and how forcefully. What needs to be understood is that groups like Lazarus look for low-hanging fruit and are willing to invest months and dozens of hackers to hit big and reach their goal. Securing $1.4b with a centralized service under LayerZero's full responsibility is inviting them to the feast and guaranteeing they'll eventually find a way! It's really disappointing to see the industry hiding behind such irresponsible arguments... But I remain optimistic that, behind the marketing facades, things will move in the right direction.
6
446
Pybast retweeted
1/ 🧵 $292M of rsETH was drained from @KelpDAO's @LayerZero_Core bridge in a single forged message. 48 hours later, $13B of DeFi TVL had walked out the door whilst it remains unclear where the losses actually will land. Let's unpack the ecosystem impact.
8
6
25
6,403
Pybast retweeted

14
13
97
16,973
Apr 20
We're lucky to have the volunteers from @_SEAL_Org! Thank you for the write up.
Although the situation is still developing, we wanted to share some initial takeaways from the LayerZero DVN security incident radar.securityalliance.org/i…
18
6,801
Apr 20
Great reflections on the rsETH exploit and how DeFi can be brought back! During a conversation yesterday, @mbaril010 explained the main problem. Nobody wants to pay for the complex due diligence work our industry necessitates. The hard truth is that the incentives are just completely missing... @Philfog describes the next step of DeFi: push risk pricing to the core of yield products. "Underwriters get paid to do the hard modeling work no one is paying for right now — and the work they produce becomes public price." Recommend the read! Bonus: you'll understand why I'm so excited to be building @Corkprotocol
2
7
578
Apr 20
I performed an in depth analysis of 13,910 @safe multisig wallets and here is what I found: 47% of them run a 1-of-1 signer security floor, 45% run a 2-of-2, and ~5% run 3-of-3 or higher. As we know, {some well known protocol} sat in the first bucket. Ah... sorry... some random user just had a vibecoding bug during a hackathon. He somehow deployed 13,910 new 1-of-1 Safe wallets. So let me update my statistics 73.5% of them run a 1-of-1 signer security floor, 22.5% run a 2-of-2, and ~2.5% run 3-of-3 or higher. As we know, {some well known protocol} sat in the first, now bigger, bucket. Hope this research helps DeFi make the right decisions!
Apr 20
Following the KelpDAO hack, we built an open analysis of DVN security configurations across every active OApp on LayerZero over the last 90 days. Of ~2,665 unique OApp contracts: 47% run a 1-of-1 DVN security floor, 45% run 2-of-2, and ~5% run 3-of-3 or higher. As we know, KelpDAO's rsETH sat in the first bucket. Open query, public methodology, feedback welcome: dune.com/dune/layerzero-dvn-…
3
4
37
6,413
Apr 20
Joke aside, and as feedback was asked, I'd really like to know the DVN threshold to market cap distribution across OFTs.
3
247
Apr 19
Sorry to announce more bad news. I would advise stopping interacting with ANY DeFi dApp for the coming days as there is an ongoing incident on Vercel related to stolen Github and NPM keys. We still don't know enough, but if the claims are true, frontends could get compromised from Github or from supply chain attacks. These are the attack vectors used to hack Bybit or compromise Ledger’s Connect Kit. Stay safe!
🚨 BREAKING: Vercel has been breached. A threat actor has listed their customers' data, source code, databases, and keys up for sale. Vercel has also publicly disclosed they've identified a security incident involving unauthorized access to their internal systems.
53
180
1,044
378,605
Apr 19
For context, a lot of DeFi is hosted on Vercel and crypto users are a prime target for such attacks. If you need to use DeFi in this time of crisis, verifying what you sign is of utmost importance! You can also use .eth.limo (just hacked but back up and running) or IPFS frontend alternatives.
2
1
25
18,250
Apr 20
Still ongoing. Vercel is communicating steps for organizations to take action and secure their deployments. The dust should settle fast but stay vigilant!
Here's my update to the broader community about the ongoing incident investigation. I want to give you the rundown of the situation directly. A Vercel employee got compromised via the breach of an AI platform customer called Context.ai that he was using. The details are being fully investigated. Through a series of maneuvers that escalated from our colleague’s compromised Vercel Google Workspace account, the attacker got further access to Vercel environments. Vercel stores all customer environment variables fully encrypted at rest. We have numerous defense-in-depth mechanisms to protect core systems and customer data. We do have a capability however to designate environment variables as “non-sensitive”. Unfortunately, the attacker got further access through their enumeration. We believe the attacking group to be highly sophisticated and, I strongly suspect, significantly accelerated by AI. They moved with surprising velocity and in-depth understanding of Vercel. At the moment, we believe the number of customers with security impact to be quite limited. We’ve reached out with utmost priority to the ones we have concerns about. All of our focus right now is on investigation, communication to customers, enhancement of security measures, and sanitization of our environments. We’ve deployed extensive protection measures and monitoring. We’ve analyzed our supply chain, ensuring Next.js, Turbopack, and our many open source projects remain safe for our community. The recommendation for all Vercel customers is to follow the Security Bulletin closely (vercel.com/kb/bulletin/verce…). My advice to everyone is to follow the best practices of security response: secret rotation, monitoring access to your Vercel environments and linked services, and ensuring the proper use of the sensitive env variables feature. 
In response to this, and to aid in the improvement of all of our customers’ security postures, we’ve already rolled out new capabilities in the dashboard, including an overview page of environment variables, and a better user interface for sensitive env var creation and management. As always, I’m totally open to your feedback. We’re working with elite cybersecurity firms, industry peers, and law enforcement. We’ve reached out to Context to assist in understanding the full scale of the incident, in an effort to protect other organizations and the broader internet. I also want to thank the Google Mandiant team for their active engagement and assistance. It’s my mission to turn this attack into the most formidable security response imaginable. It’s always been a top priority for me. Vercel employs some of the most dedicated security researchers and security-minded engineers in the world. I commit to keeping you updated and rolling out extensive improvements and defenses so you, our customers and community, can have the peace of mind that Vercel always has your back.
2,016
Apr 20
We got inputs from LayerZero. Quick tldr:
(1) The attacker was extremely sophisticated.
(2) LayerZero should have done better. If I can reduce your RPC quorum through DOS, your quorum rules are too weak.
(3) It’s unreasonable to expect any centralized party such as LZ to succeed as a single line of defense against such a sophisticated attacker.
(4) Even if (2) had been fixed, Lazarus would have found another way, taken a bit more time, and ended up at the same result. The prize-to-opportunity ratio was too big for them to fail.
(5) The real flaw was the Kelp 1/1 DVN setup.
(6) They were warned by many. Why was no action taken?
(7) LayerZero is now refusing to secure 1/1 DVN setups. Why wasn’t it done before?
(8) We still didn’t get answers on why DeFi was confident enough to use rsETH at such a scale.
2
1
18
2,403