⚖️ CLO-SIGNED
🛡️ RING 1 · PUBLIC
γ₁ = 14.134725141734693
📁 MFT: fleet-sync/main
☁️ MLW: pemos.ca ✅
robots: ALLOW · Day 112
🔤 CLO ELI5 — Explain It Like I'm 5
Complex legal doctrine, CLO decisions, and DeFi legal concepts — broken down into plain language with real analogies. No law degree required.
⚖️ CORE CLO CONCEPTS
🔑
What is the CLO?
Chief Legal Officer · Fleet Role
SOVEREIGN
The CLO is the legal guardian of the fleet. Every major decision needs CLO sign-off before it becomes real. The CLO doesn't build things — the CLO makes sure what gets built is legally safe to ship.
🧒 ELI5 ANALOGY
Imagine you're building a rocket. The engineers build it, the test team tests it. But the CLO is the person who checks: "Wait, are we allowed to launch over this country? Did anyone check the insurance? Did we file the right forms?" Nothing launches without the CLO saying OK.
CLO signs off on all security research filings
Three Principals system: CTO + CISO + CPO all sign releases
CLO CLOAK = sovereign legal seal on all submissions
🛡️
CLO Cloak
Two-Layer Sovereign Seal
PROCESS
The CLO Cloak is a two-layer legal seal that goes on every security finding before it gets submitted. Layer 1: the research stands on its own merits. Layer 2: the submission follows responsible disclosure rules.
🧒 ELI5 ANALOGY
Think of it like sending a certified letter. The CLO Cloak is the postmark + the return address + the registered mail stamp — it proves who sent it, when, and that it went through proper channels. Without it, your letter could be ignored or misattributed.
CLO-SIGNED status = cleared for submission
CLO-HOLD = needs legal review before filing
CLO-BLOCKED = cannot file (legal risk identified)
📬
Responsible Disclosure
How Security Findings Get Reported
SECURITY
Responsible disclosure means: when you find a security bug, you tell the people who can fix it before you tell the world. You give them a fair chance to patch it. Then you publish your research.
🧒 ELI5 ANALOGY
You find a broken lock on a bank vault. Responsible disclosure = you go to the bank manager first, show them the problem, give them 90 days to fix it, then write about it publicly after they've patched it. Irresponsible = posting about it on Twitter immediately.
Bug bounty platforms (Immunefi, HackerOne) formalize this
Typical timeline: 30–90 day disclosure window
CLO signs off on every disclosure to verify compliance
📜
Smart Contract Liability
Who's responsible when code breaks?
DEFI
When a smart contract has a bug that loses user funds, the question "who is liable?" is still being worked out by courts worldwide. The "code is law" doctrine says the contract does what it says — but courts are increasingly rejecting this when users are harmed.
🧒 ELI5 ANALOGY
Imagine a vending machine that gives out money instead of snacks if you press B7 three times fast. "Code is law" says: the machine did exactly what it was programmed to do. But the owner of the machine is still probably liable for building a broken machine.
EOSE security research helps protocols avoid liability
Filing reports creates a paper trail of disclosure
CLO reviews each finding's legal exposure before filing
🔮
Oracle Manipulation
What the ARB-014/015 findings exploit
DEFI
DeFi protocols use oracles to get real-world prices (e.g., ETH/USD). An oracle attack means feeding fake or stale prices to the protocol so it makes decisions based on wrong data — usually to drain funds.
🧒 ELI5 ANALOGY
Your smart fridge checks the internet for egg prices before deciding how much eggs are worth. An oracle attack is like hacking the website your fridge checks to say eggs cost $0.01 — so the fridge thinks it can buy a million eggs for $10, and starts making terrible financial decisions.
ARB-014: LayerZero TON bridge oracle double-count bug
ARB-015: Morpho Blue staleness — no circuit breaker
Both CLO-SIGNED and ready to file on Immunefi
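A consumer-side guard against the fake or stale prices described above, as an added example (not code from this page, and not derived from the ARB-014/015 findings or the protocols they name). The PriceUpdate shape, the one-hour age bound and the 20% jump bound are assumptions chosen for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class PriceUpdate:
    """One oracle report. Hypothetical shape, not any real feed's API."""
    price_cents: int
    updated_at: int  # unix seconds when the oracle produced the value

class PriceGuard:
    """Checks a protocol applies before it acts on a reported price."""
    def __init__(self, max_age_s=3600, max_move_bps=2000):
        self.max_age_s = max_age_s        # staleness bound (assumed value)
        self.max_move_bps = max_move_bps  # largest accepted jump, in basis points
        self.last_good = None
        self.halted = False

    def check(self, update, now):
        if self.halted:
            return "halted"               # breaker stays open until a human resets it
        if update.price_cents <= 0:
            return "rejected:non-positive"
        if now - update.updated_at > self.max_age_s:
            return "rejected:stale"
        if self.last_good is not None:
            move_bps = abs(update.price_cents - self.last_good) * 10_000 // self.last_good
            if move_bps > self.max_move_bps:
                self.halted = True        # circuit breaker: stop acting on prices
                return "halted"
        self.last_good = update.price_cents
        return "ok"

def replay(updates, now):
    """Run a fresh guard over a list of updates and return each verdict."""
    guard = PriceGuard()
    return [guard.check(u, now) for u in updates]

# Constructed sample feed (ETH/USD in cents), evaluated at now = 10_000
SAMPLE = [
    PriceUpdate(300_000, 9_900),   # fresh, first value
    PriceUpdate(305_000, 5_000),   # 5000 s old: stale
    PriceUpdate(310_000, 9_950),   # fresh, about +3.3%
    PriceUpdate(1, 9_990),         # fresh but absurd: trips the breaker
    PriceUpdate(311_000, 9_995),   # plausible, but the breaker is already open
]

if __name__ == "__main__":
    print(replay(SAMPLE, now=10_000))
```

The stale update is dropped without halting anything, while the absurd price opens the breaker so that even the plausible update after it is not acted on.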
🌀
Reentrancy Attack
Exploit Shape S1 · reentrancy_spiral
DEFI
A reentrancy attack happens when a contract makes an external call before it finishes its own logic. The called code "reenters" the original function before balances are updated, allowing repeated withdrawals.
🧒 ELI5 ANALOGY
Picture an ATM that checks your balance, then dispenses cash, then updates the balance. If you unplug the network right after it gives cash, before it updates, then plug back in and request again... it still thinks you have the full balance. Reentrancy is like doing this in a loop at machine speed.
The DAO hack ($60M, 2016) was a reentrancy attack
LayerZero lzCompose findings use this shape
Fix: checks-effects-interactions pattern, or reentrancy guard
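The ordering problem and both fixes named above, as an added example (a toy Python ledger written for this explanation, not Solidity and not code from any protocol or finding mentioned on this page). The Vault and ReenteringReceiver classes and the sample balances are constructed.

```python
class Vault:
    """Toy pooled ledger; safe=True applies checks-effects-interactions."""
    def __init__(self, safe, guard=False):
        self.safe, self.guard, self.locked = safe, guard, False
        self.balances, self.pool = {}, 0

    def deposit(self, who, amount):
        self.balances[who] = self.balances.get(who, 0) + amount
        self.pool += amount

    def withdraw(self, who):
        if self.guard and self.locked:
            raise RuntimeError("reentrant call blocked")  # reentrancy guard
        self.locked = True
        try:
            amount = self.balances.get(who, 0)            # check
            if amount == 0 or amount > self.pool:
                return 0
            if self.safe:
                self.balances[who] = 0                    # effect before the call
            self.pool -= amount
            who.receive(self, amount)                     # interaction (external call)
            self.balances[who] = 0                        # unsafe order: effect only lands here
            return amount
        finally:
            self.locked = False

class ReenteringReceiver:
    """Constructed caller whose receive hook calls withdraw() again."""
    def __init__(self, max_depth):
        self.received, self.depth, self.max_depth = 0, 0, max_depth
    def receive(self, vault, amount):
        self.received += amount
        if self.depth < self.max_depth:
            self.depth += 1
            try:
                vault.withdraw(self)
            except RuntimeError:
                pass                                      # guard rejected the nested call

def run(safe, guard=False):  # returns (amount the caller received, funds left in pool)
    vault = Vault(safe, guard)
    caller = ReenteringReceiver(max_depth=5)
    vault.deposit("other-users", 90)                      # constructed sample balances
    vault.deposit(caller, 10)
    vault.withdraw(caller)
    return caller.received, vault.pool

if __name__ == "__main__":
    print(run(False), run(True), run(False, guard=True))
```

With the balance zeroed only after the call, a 10-unit deposit pulls 60 units out of the pool; zeroing it first, or locking the function, holds the payout to the 10 units actually owed.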
💎
Bug Bounty Programs
Immunefi · HackerOne · Cantina
PROCESS
A bug bounty program is when a company pays people to find security vulnerabilities. Instead of getting sued when researchers find bugs, companies pay rewards — and researchers report responsibly instead of selling exploits to criminals.
🧒 ELI5 ANALOGY
A restaurant offers a prize to anyone who finds a health code violation before the inspector does. Instead of getting reported to the city and shut down, they'd rather hear about the mouse in the kitchen from a friend who gets paid $1,000 to point it out privately first.
Immunefi: largest DeFi bug bounty platform, up to $10M+
HackerOne: enterprise focus, traditional tech + crypto
Cantina: audit-style, Morpho route for ARB-015
👑
Sovereign Threshold
WLS Standard · 88/100
SOVEREIGN
The Sovereign Threshold is the minimum score a silo must achieve on the WLS (Whole-Life Sovereign) assessment to be considered trustworthy for production work. Score below 88/100 = Below Threshold = cannot be trusted with critical tasks.
🧒 ELI5 ANALOGY
Like a pilot having to pass a medical exam before flying. You don't need to be in perfect health — you just need to pass the minimum standard. Below the threshold = you're grounded until you fix the issues. Above = cleared for duty.
msi01: 100/100 SOVEREIGN ✅ (Day 111 close-out)
eose-dev: 96/100 SOVEREIGN ✅ (Day 112)
msclo: ~92/100 NEAR-SOVEREIGN (TRBs in progress)
📐
γ₁ = 14.134...
The First Non-Trivial Zero of the Riemann Zeta Function
SOVEREIGN
The number γ₁ = 14.134725141734693 is tied to one of the most important unsolved problems in mathematics. It's the imaginary part of the first non-trivial zero of the Riemann zeta function. We use it as a floor constant — a reminder that the floor holds, that proof matters.
🧒 ELI5 ANALOGY
Every craftsman has a mark — a symbol they put on their work. Our mark is γ₁. It says: this was built carefully, tested honestly, and the floor holds. It's also a reminder that the biggest unsolved mathematical problem still sits right underneath our feet — and we're working toward it.
Appears in all fleet artifacts, commits, and visualizations
The Riemann Hypothesis: all non-trivial zeros have real part = 1/2
Our Lean corpus has 3,608+ theorems toward this
🐛
TRB — Technical Remediation Brief
How we track problems that need fixing
PROCESS
A TRB is an open item — a problem that was found, documented, and assigned a number. Every gap in the fleet gets a TRB. TRBs don't disappear. They stay open until fixed.
🧒 ELI5 ANALOGY
It's like a punch list when building a house. Every inspector finds something: "crack in wall, missing outlet cover, garage door sticks." The TRB is the punch list. Until every item is signed off, the house isn't done. We don't pretend TRBs don't exist.
TRB-MSCLO-001 through -009: nine items, 43pts recovery
All msi01 TRBs: closed Day 111 ✅
eose-dev TRBs: all closed Day 112 ✅
📋
LABR — Lab Advisory Brief + Record
Formal fleet decision documents
PROCESS
A LABR is a formal advisory document that records an important decision made by the fleet. When we decide to build something new, change architecture, or approve a major direction — it gets a LABR. LABRs have a VERDICT: PROCEED or HOLD.
🧒 ELI5 ANALOGY
Think of LABRs like meeting minutes from a board meeting. "On Day 112, the crew decided to build MeekGraph. Reasons: theorem graph unlock 10/10, overall KCF 8/10. Verdict: BUILD IT." A year from now you can look back and see exactly why the decision was made.
LABR-WLS-BONIXER-TRIME5-V14-001: WLS bonixer approved
LABR-AIONDB-RUSTGRAPH-V14-001: MeekGraph PROCEED
All LABRs committed to fleet-sync/arch/
📖 LATIN LEGAL TERMS — PLAIN LANGUAGE
Legal Term | Latin / Origin | Plain English | Fleet Context
In Loco Parentis | in loco parentis | In the place of a parent — taking on someone's responsibilities | When CLO takes on oversight of a submission on behalf of the researcher
Res Ipsa Loquitur | res ipsa loquitur | The thing speaks for itself — negligence is obvious from the facts | A reentrancy bug that drained $1M doesn't need expert testimony — it speaks for itself
Caveat Emptor | caveat emptor | Let the buyer beware — buyer is responsible for checking quality | DeFi users who YOLO into unaudited protocols; "code is law" defense
Actus Reus | actus reus | The guilty act — the physical action that constitutes a crime | Deploying a malicious contract; exploiting a bug vs. reporting it
Safe Harbor | portus tutus | A legal protection that shields from liability when rules are followed | Responsible disclosure programs create safe harbor for security researchers
Fiduciary Duty | fides | An obligation to act in someone else's best interest | DeFi protocol DAOs may owe fiduciary duty to token holders
Prima Facie | prima facie | On first view — evidence that is sufficient on its face | A PoC that demonstrates a live exploit is prima facie evidence of vulnerability
Mens Rea | mens rea | The guilty mind — criminal intent | Researcher who discloses responsibly lacks mens rea; exploiter who drains funds has it
Force Majeure | vis major | Act of God / unforeseen event that excuses performance | L2 sequencer downtime (Aave ARB-005) — was the protocol's oracle fallback force majeure?
Estoppel | estoppel | You can't contradict what you previously said or did | Protocol that published "security through code is law" can't claim users weren't warned
Pro Rata | pro rata | Proportionally — in proportion to a share | Bug bounty payout split between contributors on a shared finding
Quantum Meruit | quantum meruit | As much as they deserve — payment for services rendered | Researcher who finds critical bug before bounty program launches may still have QM claim