How TenzaOne is building defensible, AI-era integrity into the climate-credit pipeline — from the sensor on the project site to the contract on chain. A forward-looking Phase 2 position covering threat posture, DePIN attestation, contract assurance, infrastructure controls, AI-era defences, and the build roadmap.
Phase 2 · Living Document · v1.1.1
A climate-credit platform sits at the intersection of three traditionally distinct threat domains: physical infrastructure (sensors, gateways, substation telemetry), smart-contract finance (token treasuries, on-chain marketplaces, governance), and data-integrity systems (MRV pipelines, registry attestation). Each has its own decade-old playbook. What changed in April 2026 is the public arrival of chained-weakness AI — Anthropic's Mythos and its peers don't scan for known bugs; they simulate adversaries, exploring how protocols interact and combining small weaknesses into real-world exploits.
For DeFi this rotated the threat thesis. Audit budgets historically went into smart-contract code; Mythos's distinctive capability is finding the infrastructure paths between contracts — key-management systems, signing services, bridges, oracle networks, and the cryptographic glue connecting them. As Paul Vijender, head of security at Gauntlet, put it: "The bigger risks sit in infrastructure… I'm less concerned about smart-contract exploits and more focused on AI-assisted attacks against the human and infrastructure layers."
For climate-credit infrastructure the same rotation applies, but with extra surface: physical sensors, calibration services, gateway connectivity, and the off-chain MRV pipeline are all "infrastructure between" surfaces that traditional smart-contract audits don't touch.
Two incidents happened this month, and both prefigure the threats this position addresses:
Web infra provider Vercel disclosed a breach this month. Trace: a compromised Google Workspace connection through the third-party AI tool Context.ai, used by an employee. Customer API keys may have been exposed; crypto projects rotated credentials and reviewed code. Lesson: the AI-tool supply chain is now a primary attack vector — not only the AI we run, but the AI tools our staff and vendors run.
An attacker minted $1B of bridged Polkadot tokens on Ethereum by exploiting how cross-chain messages were verified. Lesson: bridges and oracles are the high-value seam between protocols; a verification flaw in the seam is a contagion event, not a local bug. As Vijender put it, "a minor vulnerability in one protocol can become a critical exploit vector with contagion potential across the ecosystem."
Same tonne sold twice across registries; credits issued without a verifiable measurement chain. Unique to climate finance — and the threat that ends platforms.
Remote climate-project sensors are a physical attack surface. Replay attacks, calibration drift, intentionally-falsified readings, and firmware swap are all in scope.
Reentrancy, overflow, access-control gaps, oracle manipulation, flash-loan-leveraged governance attacks. The Mythos shift: small weaknesses combined across composable systems — "multi-step exploit chains that historically only get discovered after money is lost" (Vijender, Gauntlet).
Per Vijender, the second AI-discovered category: "infrastructure-layer vulnerabilities that traditional audits never touch." Key-management systems, signing services, bridge verification, oracle composition. The Hyperbridge $1B exploit lives here.
Compromised npm/PyPI packages, malicious upstream commits, build-pipeline injection, SBOM gaps — and now AI-tool supply chains: an employee's third-party AI assistant becomes the breach path (Vercel/Context.ai pattern).
Quadratic voting helps but is not immune to coordinated capture. Sybil attacks, flash-loan vote inflation, off-chain coercion, delegate misalignment.
Long-lived contracts holding decade-scale carbon assets must plan for a post-quantum cryptographic migration before retirement events become unsignable.
Per Stani Kulechov (Aave Labs): "The Mythos paper shows that AI can uncover old bugs that were previously deprioritised." Smaller vulnerabilities — once dismissed as low-impact — are now recombinable into larger attacks. Triage thresholds need rethinking.
Every credit TenzaOne lists traces back to a measurement — a sensor reading, a flow meter, a satellite pass. If the data at the edge is wrong, no amount of on-chain assurance saves the credit. DePIN integrity is the foundation; everything else is downstream protection of an already-trustworthy signal.
Phase 2 establishes a defensible chain of custody from physical sensor to on-chain anchor, with verifiable attestation at every hop.
TPM / Secure Element on every sensor. Non-cloneable device identity bound at provisioning. Identity is what signs every reading at source.
Every device boots only signed firmware. Remote attestation publishes the firmware hash on every check-in — tampered firmware reveals itself before the next reading.
Each reading signed at source by the device key. Signature travels with the data through every hop — gateway, broker, registry, on-chain anchor — and is verified at each.
Every measurement-bearing sensor has a calibration certificate signed by the calibration lab. Certificates form a chain anchored on-chain. Stale or unverifiable calibrations downgrade the data tier automatically.
Seal sensors, accelerometers, ambient-light witnesses. Unexpected events emit a tamper attestation immediately — readings during a tamper window are flagged or rejected.
No single network path. LoRaWAN + cellular + satellite fallback, with time-bound store-and-forward at the gateway. Loss-of-connectivity is an expected mode, not a failure mode.
Raw signed sensor data + the calculation methodology + the firmware hash = a fully reproducible credit count. No magic in the middle. This is the integrity-first promise.
Already implemented in the AI VCS Assessment. Tier 1 = direct cryptographically-attested sensor; Tier 4 = unverified self-report. Credit pricing reflects evidence tier.
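An added example (not TenzaOne's code) of the check each hop in this chain of custody would run: verify the reading's signature, the attested firmware hash, the tamper window and calibration freshness, then assign an evidence tier. Assumptions: HMAC-SHA256 from the standard library stands in for the TPM-backed asymmetric device signature, and the registry values, field names and the "stale calibration drops Tier 1 to Tier 2" policy are constructed for illustration.

```python
import hashlib
import hmac
import json
from typing import Optional, Tuple

# Constructed sample registry; real values would come from provisioning records.
DEVICE_KEYS = {"sensor-01": b"constructed-demo-key"}   # stand-in for device public keys
FW_HASH = hashlib.sha256(b"constructed-firmware-image").hexdigest()
APPROVED_FIRMWARE = {FW_HASH}                           # hashes seen via remote attestation
CALIBRATION_EXPIRY = {"sensor-01": 2000}                # device -> certificate expiry time
TAMPER_WINDOWS = {"sensor-01": [(1500, 1600)]}          # device -> (start, end) tamper events


def canonical(reading: dict) -> bytes:
    """Serialize all fields except the signature deterministically, so hops check identical bytes."""
    body = {k: v for k, v in reading.items() if k != "sig"}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_reading(reading: dict, key: bytes) -> dict:
    """Device side. HMAC-SHA256 stands in for the hardware-backed signature (assumption)."""
    tag = hmac.new(key, canonical(reading), hashlib.sha256).hexdigest()
    return {**reading, "sig": tag}


def assess(reading: dict) -> Tuple[str, Optional[int]]:
    """Run unchanged at gateway, broker, registry and anchor. Returns (decision, tier)."""
    device = str(reading.get("device"))
    key = DEVICE_KEYS.get(device)
    if key is None:
        return ("reject:unknown-device", None)
    expected = hmac.new(key, canonical(reading), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected.encode(), str(reading.get("sig")).encode()):
        return ("reject:bad-signature", None)
    if str(reading.get("fw")) not in APPROVED_FIRMWARE:
        return ("reject:unattested-firmware", None)
    ts = reading.get("ts")
    if not isinstance(ts, int):
        return ("reject:malformed", None)
    if any(lo <= ts <= hi for lo, hi in TAMPER_WINDOWS.get(device, [])):
        return ("flag:tamper-window", None)
    if ts > CALIBRATION_EXPIRY.get(device, -1):
        return ("accept", 2)  # assumed policy: stale calibration drops Tier 1 to Tier 2
    return ("accept", 1)      # Tier 1: direct, cryptographically attested sensor
```

With a real asymmetric signature the intermediate hops hold only the device's public key, so a compromised gateway can verify readings but cannot forge them.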
Audit-once is no longer enough. Every critical contract goes through layered review before mainnet, and stays under continuous review afterwards.
The treasury, the redemption flow, and any contract enforcing supply conservation get formally verified properties (Certora / K Framework / Halmos). Conservation is a theorem, not a test.
Two independent audit firms with no shared partners. Each gets the same scope and findings are reconciled. Reports published.
Multiple frontier models — including Mythos-class — run in adversarial mode against the contract suite, with explicit jailbreaks for "find economic exploits" and "find access-control bypasses". Findings feed back into formal-verification properties.
Compiler version pinned, dependency tree hashed, deploy artifact signed. Anyone can recompile and verify the on-chain bytecode matches the audited source.
Outflow rate caps per block, per epoch, per actor. Anomalous activity triggers automatic pause. No single block can drain the treasury, regardless of exploit class.
Each project's tokens live in their own proxy with their own upgrade key, so a bug in one asset can't drain another. Blast radius scoped by design.
Every upgrade goes through a public timelock, a 5-of-9 multi-sig, and a 72-hour DAO veto window. No unilateral upgrade authority exists.
Security-token issuances enforce whitelists, jurisdiction restrictions, and transfer rules at the contract level. Compliance is on-chain, not a frontend honour-system.
Top-tier bounty escalating with treasury size, extending to off-chain components (oracles, gateways). Quarterly payout reports published.
Every deployed contract has its source on a public mirror with the SBOM (software bill of materials) showing every dependency, version, and audit status.
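The per-block, per-epoch and per-actor outflow caps with automatic pause from the list above, modelled off-chain as an added example (not TenzaOne's contract code). The class name, the cap values used with it and the "N denials in one epoch trips the pause" rule are assumptions.

```python
from collections import defaultdict


class OutflowGuard:
    """Model of layered outflow caps with an automatic pause (circuit breaker)."""

    def __init__(self, per_block, per_epoch, per_actor, epoch_len, trip_after):
        self.caps = {"block": per_block, "epoch": per_epoch, "actor": per_actor}
        self.epoch_len = epoch_len          # blocks per epoch
        self.trip_after = trip_after        # denials in one epoch that trigger the pause
        self.block_out = defaultdict(int)   # block -> total outflow
        self.epoch_out = defaultdict(int)   # epoch -> total outflow
        self.actor_out = defaultdict(int)   # (epoch, actor) -> outflow
        self.denied = defaultdict(int)      # epoch -> denied attempts
        self.paused = False

    def withdraw(self, block, actor, amount):
        """Return 'ok', 'denied:<cap>' or 'paused'. Counters change only on 'ok'."""
        if self.paused:
            return "paused"
        if amount <= 0:
            return "denied:amount"
        epoch = block // self.epoch_len
        checks = (
            ("block", self.block_out[block]),
            ("epoch", self.epoch_out[epoch]),
            ("actor", self.actor_out[(epoch, actor)]),
        )
        for name, used in checks:
            if used + amount > self.caps[name]:
                self.denied[epoch] += 1
                if self.denied[epoch] >= self.trip_after:
                    self.paused = True      # anomalous activity: stop all outflow
                return f"denied:{name}"
        self.block_out[block] += amount
        self.epoch_out[epoch] += amount
        self.actor_out[(epoch, actor)] += amount
        return "ok"


def simulate_drain(guard, attackers, chunk, blocks):
    """Constructed scenario: colluding actors each request `chunk` in every block."""
    drained = 0
    for block in range(blocks):
        for actor in attackers:
            if guard.withdraw(block, actor, chunk) == "ok":
                drained += chunk
    return drained
```

Per-actor caps can be sidestepped by spreading requests over many addresses, so the block and epoch caps are what bound the loss; the second scenario in a test run shows three actors still stopping at the epoch-level limits.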
Off-chain keys are the most-attacked surface in any crypto-adjacent platform. The TenzaOne posture, already partially expressed in the DAO governance Settlement & Custody panel, hardens further in Phase 2.
All treasury-signing keys live in FIPS 140-2 Level 3 HSMs. No raw key material exits the device. Operator access via dual-control + MFA + key-ceremony logging.
Hot operations use threshold MPC; no single node holds a complete key. Compromise of one node yields nothing.
The bulk of platform reserves live in air-gapped cold storage, geographically distributed, requiring physical key ceremonies to move. Slow by design.
Users can hold their own keys, bring their own wallet, and operate without trusting the platform with custody. Platform-custody is a convenience, never a requirement.
Service-to-service authentication via mutual TLS. No implicit-trust subnets. Every request authenticated, every actor identified.
No long-lived AWS keys. Every access is role-scoped, time-bounded, audit-logged. Standing access revoked on rotation.
Production hosts immutable. Deploys are signed artifacts pushed via CI; no human SSH into production. All change goes through review.
Continuous monitoring of treasury outflow, user-balance deltas, login geographies, and admin actions. Surveillance personnel separated from P&L (constitutional principle).
Backups in multiple regions, restore drills run monthly — not just verified to exist. Time-to-restore is a tracked metric.
A documented IR playbook, 24/7 on-call, and a public commitment to publishing blameless post-mortems within 14 days of any user-impacting incident.
CoinDesk's coverage of Anthropic's Mythos (April 2026) crystallised what serious DeFi security teams had been preparing for. Mythos doesn't just scan for known bugs — it simulates adversaries, exploring how protocols interact and chaining small weaknesses into real exploits. Banks (JP Morgan), exchanges (Coinbase, Binance reportedly approached Anthropic) and DeFi protocols are now treating this as the new baseline, not an outlier.
Two industry voices set the frame:
Per Vijender (Gauntlet): "To defend against offensive AI, we will need to take an AI-centric approach where speed and continuous adaptation are essential." That means continuous auditing on every commit, real-time simulation against the live system, and the operating assumption that breaches will happen.
Aave's posture (Kulechov): AI in workflows for simulation and code review alongside human auditors. TenzaOne adopts the same model. AI catches multi-step chains and infrastructure-layer issues; humans catch what models systematically miss (intent, novel design risks, governance edge cases).
Critical properties (supply conservation, access boundaries, upgrade authority, bridge-message integrity) re-verified on every commit. CI fails if a property weakens. Audit becomes a state, not an event.
We use the same class of model an attacker would — in adversarial mode against our own code and infrastructure paths, before deployment. Special focus on the chained-weakness paths Mythos highlighted: bridges, oracles, key services, third-party integrations.
Per Kulechov: "The Mythos paper shows that AI can uncover old bugs that were previously deprioritised." Small bugs are recombination fuel. We retire the "low-impact" triage tier; every finding gets a chained-exploit-potential review before it's parked.
Compute-speed attacks need fast settlement paths. Per-block, per-epoch, per-actor velocity caps + circuit breakers deny the largest economic outcomes even when the exploit itself bypasses every other layer. Belt against any audit miss.
Anything we hide, an adversarial AI eventually re-derives. Openness lets the wider community find issues first; defenders gain more from public scrutiny than attackers gain from public knowledge.
TenzaOne's AI agents (10-Agent Assessment, Verification Coach, Profiler) are advisory only. No AI signs treasury operations, approves contract upgrades, or executes governance proposals.
The AI tools our staff and vendors run are now part of our attack surface. Approved-AI-tool list maintained. SSO + scoped tokens for any third-party AI integration. Code-review tooling that touches secrets goes through an additional review tier.
Bug-bounty programme explicitly accepts AI-discovered vulnerabilities — including chained, multi-protocol findings that span our bridges/oracles/key services. The bug is the bug, regardless of who or what found it.
Phase 2 inherits a meaningful base from earlier work — the integrity-first DAO constitution, the surveillance principle (independence rule), evidence-tier scoring on every assessment, and the off-chain DAO Treasury (virtual escrow with paired-entry conservation).
Commitments TenzaOne can be held to as Phase 2 unfolds:
Constitution v1.0 · DAO Settlement & Custody framework · Surveillance independence rule.