№ 04 · Silo

Architecture.

silos · defense-in-depth · edge

Shared liquidity is shared contagion. We refuse to inherit either.

The single most expensive design choice the first generation of DeFi protocols made was to share. Shared collateral books across chains. Shared receipt tokens across protocols. Shared bridge dependencies across the entire stack. When any one node in the mesh failed, the failure travelled at the speed of an oracle update.

On 20 April 2026, $13 billion of total value locked drained out of DeFi inside 48 hours, beginning with an exploit at KelpDAO's restaking layer. The exploit itself was technically narrow. The damage was architectural. CoinDesk, 20 Apr 2026

ımyo begins from the opposite assumption: isolation is the security primitive. Liquidity is siloed by chain. Collateral books are siloed by tier. Bridges are not in the trust path. Edge defence is layered onto each silo independently. A failure on one of these surfaces is a failure on that surface alone.

№ 04-A

Two L1 silos. Zero shared collateral.

sui · ethereum

Sui silo.

The Sui deployment is written in Move, using Sui's object-oriented model and Programmable Transaction Blocks (PTBs) for atomic, multi-step intents. A 5× leverage loop, a delta-neutral hedge, or a collateral migration executes in a single block with deterministic finality. "Hot potato" flash-loan patterns guarantee that capital cannot leave the protocol uncovered. The Sui silo holds its own collateral and its own liability book; the Ethereum silo cannot draw on it.

Ethereum silo.

The Ethereum deployment is in Solidity and integrates natively with ERC-4337 Account Abstraction. Institutional users can enforce the "four-eyes principle" (2-of-N signatures), per-transaction spending limits, and corporate governance policies at the smart-contract level rather than relying on an external custodian's controls. Deep ETH-native liquidity, oracle redundancy, and DTCC-compatible settlement messaging round out the venue. The Ethereum silo holds its own collateral and its own liability book; the Sui silo cannot draw on it.

The non-sharing rule.

There is no cross-silo collateral, no cross-silo IOU, no synthetic representation of one silo's positions inside the other. A user with deposits on both chains has two independent positions, in two independent silos, with two independent risk surfaces. The only thing the two silos share is the AI Sentinel Swarm that monitors them — a read-only oversight layer that cannot itself act on user funds.

№ 04-B

Defence in depth: the Cloudflare edge.

edge · waf · workers · dnssec

The blockchain is the settlement layer, not the only attack surface. Every transaction begins as an HTTPS request, every front-running attempt begins as a packet, every credential-stuffing run begins at the login form. ımyo places the entire perimeter behind Cloudflare and treats the edge as a first-class part of the protocol.

  • Cloudflare Pages and Workers. Frontend and intent-routing layer deployed to Cloudflare's edge — sub-second latency anywhere on earth, zero origin exposure.
  • WAF and L7 DDoS protection. Hardened against the specific attack classes that have plagued DeFi front-ends — credential stuffing, bot-driven liquidation front-running, RPC abuse.
  • DNSSEC-backed nameserver integrity. Domains managed on Cloudflare DNS with DNSSEC, eliminating the BGP-/registrar-hijack class of front-end takeover that has cost the industry hundreds of millions.
  • Workers AI for edge anomaly detection. Select Sentinel logic runs at the edge, examining transaction intent before it reaches the chain — sub-second detection windows.

The edge is not a marketing layer. It is the equivalent of the perimeter firewall at a Tier-1 bank, brought into a protocol that previously had none.

№ 04-C

The Guardian: a 7-of-11 multisig the AI can veto.

governance · attestation

Multisig governance is necessary but not sufficient. Eleven competent signers can still collectively make the wrong call inside the narrow window between an exploit's first transaction and its contagion. ımyo's Guardian therefore requires both human consensus and AI attestation for emergency action.

An emergency pause or risk-parameter veto requires:

1. Human quorum
7 of 11 named signers across geographies and disciplines (security, treasury, legal, oracles).
2. AI attestation
A cryptographic proof from the Sentinel Swarm, generated inside a Trusted Execution Environment, that a genuine anomaly exists.
3. On-chain timelock
A short, public timelock between attestation and execution, during which any signer may withdraw consent.

Either the AI alone or the multisig alone is insufficient. The combination is what we mean by verifiable governance.

№ 04-D

T+0 institutional reporting API.

sap · oracle · taxbit

Every position, every margin call, every interest accrual, every liquidation is exposed through a real-time, audit-ready API. The data path runs through Cloudflare Workers KV at the edge, feeding directly into the systems institutional finance and tax teams already operate: SAP, Oracle Financials, TaxBit, ERP-side reporting pipelines, and internal data warehouses.

The settlement primitive is T+0. The reporting primitive is also T+0. The audit primitive — see continuous AI audit — is continuous. The whole stack speaks the same temporal vocabulary.

№ 04-E

Why this is not another fork of Aave.

comparison

The contrast with the dominant legacy lending model is not philosophical, it is structural. The table is short on purpose.

Legacy lending · reactive

Periodic audits.

Interconnected liquidity. Reactive governance. Crypto-native collateral. Manual UX.

ımyo · proactive

Continuous AI auditing.

Siloed liquidity. Predictive risk modelling. Tiered RWA + under-collateralised credit. Intent-based UX. Cloudflare edge.

№ 04-F

Read next.

deeper