Attestors
What can go wrong (and what can’t)
Attestors turn evidence into signatures the PoV Gate can count. The real risks are bad or late attestations, key problems, or coordinated misreporting. None of these can force money to move early—the brakes live in contracts: PoV PASS → EMT → Locked→Unlocked EDSD → fee → 50% burn. Without PASS, no EMT; without EMT, no funds.
Risk surface (plain language)
Latency / availability: An attestor is slow or offline; gates miss their windows.
Accuracy drift: Reports mismatch facts (wrong seal, wrong lot list, sloppy QA, temperature gaps).
Collusion / conflict of interest: Multiple roles sign to push a bad dossier through.
Key issues: Lost/compromised keys; unannounced subcontracting; improper custody.
Revocation abuse: After-the-fact withdrawals used to renegotiate instead of correct.
Role capture: A single provider becomes “too critical” to fail for a lane.
The guardrails already in place
Attestor Registry: Onboarding (KYB, scope, insurance), role allowlists, schema allowlists, active keys (HSM/MPC recommended).
Quorum diversity: Gates require independent roles (e.g., TERMINAL/CARRIER + INSPECTOR); one role cannot pass alone.
Freshness windows: Old signatures don’t count; schemas set explicit TTLs.
Equality on bytes: All counted signatures bind to the same PoV hash (canonical JSON + file digests). File or order drift fails equality.
Revocation = narrow freeze: If a counted attestation is withdrawn, only downstream slices pause; paid slices stay paid; corrective paths are append-only.
Rotation & SLAs: Roles rotate keys; SLA targets (latency/accuracy/uptime) feed rewards and penalties.
Bonds & penalties: Bonded roles can be slashed for fraud; repeated SLA failures → suspension/ban.
Random re-inspection: Governance can mandate periodic sampling (e.g., 5% of lots) by a neutral.
How we detect, respond, recover
Detect: Gate returns clear codes: E_SEAL_MISMATCH, E_LOT_LIST_MISMATCH, E_TEMP_OUT_OF_RANGE, E_QUORUM_MISSING, E_STALE_ATTEST. SLA dashboards show latency/uptime per role; Explorer flags revocation rate and false-pass/fail indicators. Webhooks: pov.gate.fail, pov.attestation.revoked, pov.attestor.suspended.
Respond: Exceptions (B5) open a Dispute Pack (checklist, files+hashes, timeline, variance math). For latency/availability, the UI offers fallback quorum templates. For accuracy issues, ops fix or re-inspect; for cold-chain, include Merkle proofs for the affected segments.
Recover: On pass, a corrective EMT mints; downstream releases resume. Suspension/ban applies if SLA/fraud thresholds are hit; rewards drop to zero during suspension; bonds are slashed for fraud.
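The Merkle-root commitment for temperature logs (Hardening techniques below) and the per-segment inclusion proofs a Dispute Pack carries for a cold-chain exception, worked through as an added Python example that is not the platform's code. The leaf format, tree layout (domain-separated hashes, last node repeated on odd levels) and the 2 to 8 °C band are assumptions.

```python
import hashlib
# Added example, not the platform's code: a temperature log is committed as a Merkle root at load
# time; at PoV time only the questioned segments need inclusion proofs. Tree layout is assumed.
BAND_C = (2.0, 8.0)  # constructed cold-chain band, degrees C

def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()
def leaf_hash(segment) -> bytes:  # segment = (start_ts, end_ts, temp_c); 0x00 prefix = leaf domain
    start_ts, end_ts, temp_c = segment
    return _h(b"\x00" + f"{start_ts},{end_ts},{temp_c:.2f}".encode())

def _pad(level):  # odd levels: repeat the last node so every node has a sibling (assumption)
    return level + [level[-1]] if len(level) % 2 else level
def _parents(level):  # 0x01 prefix = internal-node domain
    level = _pad(level)
    return [_h(b"\x01" + level[i] + level[i + 1]) for i in range(0, len(level), 2)]
def merkle_root(leaves: list) -> bytes:
    level = list(leaves)
    while len(level) > 1:
        level = _parents(level)
    return level[0]

def inclusion_proof(leaves: list, index: int) -> list:
    """Sibling hashes from leaf to root, each tagged with whether the sibling sits on the left."""
    proof, level, i = [], list(leaves), index
    while len(level) > 1:
        level = _pad(level)
        proof.append((level[i ^ 1], (i ^ 1) < i))
        level, i = _parents(level), i // 2
    return proof

def verify_inclusion(leaf: bytes, proof: list, root: bytes) -> bool:
    h = leaf
    for sib, sib_is_left in proof:
        h = _h(b"\x01" + (sib + h if sib_is_left else h + sib))
    return h == root

def out_of_band(segments, band=BAND_C):
    """Indices the gate would flag with E_TEMP_OUT_OF_RANGE."""
    return [i for i, (_, _, t) in enumerate(segments) if not band[0] <= t <= band[1]]
# Constructed 15-minute log with one excursion (fourth segment); ROOT is what the dossier commits to.
SEGMENTS = [(0, 900, 4.1), (900, 1800, 4.3), (1800, 2700, 5.0), (2700, 3600, 9.4), (3600, 4500, 6.2)]
ROOT = merkle_root([leaf_hash(s) for s in SEGMENTS])

def prove_flagged(segments=SEGMENTS, root=ROOT):
    """{index: (segment, proof verifies)} for each flagged segment, as a Dispute Pack would carry."""
    leaves = [leaf_hash(s) for s in segments]
    return {i: (segments[i], verify_inclusion(leaves[i], inclusion_proof(leaves, i), root))
            for i in out_of_band(segments)}
```

A log edited after the root was committed still fails verification against that root, which is why proofs, not the raw CSV, settle the dispute.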
Business impact matrix (at a glance)
Failure | What you feel | What doesn’t change | What to do
Attestor down / slow | Gate waits; review clock runs | No PASS, no EMT, no funds | Use fallback quorum; re-route to alternate; open case if window at risk
Wrong seal / lot / QA | Gate fails with reason | Funds stay Locked | Upload corrected doc or re-inspect; apply variance if allowed
Cold-chain drift | Gate fails (E_TEMP_OUT_OF_RANGE) | Funds stay Locked | Provide proofs per band; variance or replacement per MPA
Key compromise | New attestations ignored | Historic passes valid; only downstream slices freeze | Rotate keys; Registry marks old as REVOKED; resume with new key
Revocation after pass | Only future slices pause | Paid slices stay paid | Correct/replace; lineage records both entries
KPIs & thresholds (so governance can act on facts)
Attestation latency (p50/p95): target per role (e.g., INSPECTOR ≤ 12h; TERMINAL/CARRIER ≤ 4h).
Uptime: ≥ 99.5% monthly per role.
Revocation rate: < 1% of counted attestations per quarter (lane-specific).
False-pass / false-fail: as detected by re-inspection (target < 0.2%).
Re-inspection hit rate: samples that needed correction (< 3%).
Cold-chain compliance: % intervals in band (target ≥ 99%), gaps fully proven.
Explorer publishes these per role and per lane; rewards/penalties derive from them.
Governance knobs (bounded, not brakes)
Add/suspend/ban attestors; rotate keys; set SLA targets, rotation cadence, reward weights.
Set bond sizes for bonded roles and penalty bands.
Approve fallback quorums and their time limits.
Set re-inspection rates and choose neutral panels.
Publish allowlists for funded-on-proof recipients (carriers/SGS/warehouses).
They cannot vote to pass a gate without quorum/freshness/equality, to reuse evidence (break One-Claim), to ship before top-up, or to discount the 50% burn.
Hardening techniques we use (and you should expect)
Device/sensor binding: Temperature logs signed by device keys; circuit IDs tied to lanes.
Geo/EXIF checks: Photo evidence optionally includes EXIF/geo hints; mismatches flag E_SEAL_MISMATCH_EXIF.
Merkle roots: Big logs (temp) committed as roots; segment proofs required at PoV time.
Canonical bytes: PoV only counts signatures on sha256(canonical_json_bytes)—no PDF-name tricks.
Conflict scans: One-Claim set is checked globally to block reuse across routes/registries.
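Quorum diversity, freshness windows and equality on bytes (the guardrails above) together with the canonical-bytes rule, worked through in Python as an added example that is not the platform's code: an HMAC stands in for attestor signatures, TTLs follow the SLA targets, and the dossier, registry, clock and quorum template are constructed assumptions.

```python
import hashlib, hmac, json
# Added example, not the platform's code. Signatures are an HMAC stand-in keyed per attestor
# (assumption; Registry keys in HSM/MPC would be real signatures). TTLs assume the page's SLA targets.
QUORUM = [{"TERMINAL", "CARRIER"}, {"INSPECTOR"}]  # one slot per independent role group
TTL_SECONDS = {"TERMINAL": 4 * 3600, "CARRIER": 4 * 3600, "INSPECTOR": 12 * 3600}

def canonical_json_bytes(obj) -> bytes:
    """Sorted keys, no insignificant whitespace, UTF-8: equal content always gives equal bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":"), ensure_ascii=False).encode("utf-8")
def pov_hash(dossier: dict) -> str:
    """The only bytes the gate counts signatures on: sha256(canonical_json_bytes)."""
    return hashlib.sha256(canonical_json_bytes(dossier)).hexdigest()
def sign(key: bytes, pov_hash_hex: str) -> str:
    return hmac.new(key, pov_hash_hex.encode(), hashlib.sha256).hexdigest()

def evaluate_gate(dossier, attestations, registry, now):
    """registry: attestor_id -> (role, key). Returns ('PASS', []) or ('FAIL', [reason codes])."""
    expected, slots, codes = pov_hash(dossier), [set() for _ in QUORUM], set()
    for a in attestations:
        role, key = registry[a["attestor_id"]]
        if not hmac.compare_digest(sign(key, a["pov_hash"]), a["sig"]):
            continue  # invalid signature: never counted
        if a["pov_hash"] != expected:
            continue  # equality on bytes: signed different bytes (file or order drift), not counted
        if now - a["issued_at"] > TTL_SECONDS[role]:
            codes.add("E_STALE_ATTEST")  # freshness window: old signatures do not count
            continue
        for slot, roles in zip(slots, QUORUM):
            if role in roles:
                slot.add(a["attestor_id"])
    return ("PASS", []) if all(slots) else ("FAIL", sorted(codes | {"E_QUORUM_MISSING"}))

# Constructed dossier, registry and clock for the demo; file digests bind the attached documents.
DOSSIER = {"lane": "LANE-EXAMPLE", "seal": "SEAL-EXAMPLE-001", "lots": ["LOT-A", "LOT-B"],
           "files": {"LOT-A.pdf": hashlib.sha256(b"lot A cert").hexdigest(),
                     "LOT-B.pdf": hashlib.sha256(b"lot B cert").hexdigest()}}
REGISTRY = {"term-1": ("TERMINAL", b"k-term"), "carr-1": ("CARRIER", b"k-carr"), "insp-1": ("INSPECTOR", b"k-insp")}
NOW = 1_700_000_000

def attest(attestor_id, dossier, issued_at):
    h = pov_hash(dossier)
    return {"attestor_id": attestor_id, "pov_hash": h, "sig": sign(REGISTRY[attestor_id][1], h), "issued_at": issued_at}

def demo():
    """Fresh independent quorum passes; a stale inspector or a reordered lot list fails with a reason."""
    drifted = dict(DOSSIER, lots=["LOT-B", "LOT-A"])  # same lots, different order: different bytes
    fresh = [attest("term-1", DOSSIER, NOW - 3600), attest("insp-1", DOSSIER, NOW - 7200)]
    stale = [attest("term-1", DOSSIER, NOW - 3600), attest("insp-1", DOSSIER, NOW - 48 * 3600)]
    drift = [attest("term-1", DOSSIER, NOW - 3600), attest("insp-1", drifted, NOW - 3600)]
    return tuple(evaluate_gate(DOSSIER, s, REGISTRY, NOW) for s in (fresh, stale, drift))
```

Two logistics roles alone (TERMINAL plus CARRIER) still fail E_QUORUM_MISSING, since the INSPECTOR slot is what makes the quorum independent.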
Operator checklist
Submit complete dossiers; ensure all counted signatures bind to the same PoV hash.
Watch the SLA badge; if a role trends slow, switch to an approved alternate early.
For cold-chain, keep device keys and inclusion proofs ready; don’t wait for a dispute to assemble logs.
If a revocation hits, fix / re-inspect / replace—paid slices remain paid; only future ones pause.
Report sustained anomalies; governance looks at KPIs and rotates/penalizes with public proof.
Plain recap