Risk & coverage

Ground rules

Coverage and risk controls never weaken the law of the rail. No EMT, no funds (Trade). Must-fund before shipping (top-up after Pre-Ship EMT). One-Claim (atomic reserve→finalize). Locked EDSD → Unlocked EDSD only on proof. 50% of every protocol fee burns in EDM at release/settle/retire (never discounted). EDSD is platform-bound; off-platform cash-out only after schedule completion. Coverage can front timing, liquidity, or operational risk; it never fabricates proof or pays without it.

1. Risk taxonomy

• Market risk: Collateral price drops (Energy/Carbon NFTs)

• Funding risk: Buyer misses must-fund top-up ahead of a milestone

• Performance risk: Gate fails (evidence mismatch, quality/quantity variance) → no payout

• Oracle/DA risk: Stale marks; blob posting/fetch lag

• Operational risk: Attestor latency, key issues, revocation after pass

• Tail liquidity risk: Thin buckets during collateral liquidation

• Legal/compliance: Mirror/registry revokes; sanctions/KYC failures

What we never insure: paying without proof, re-writing history, or bypassing One-Claim.

2. Coverage primitives

• Payment Assurance Pool (Trade — must-fund gaps): Triggered when a stage is ready (EMT PASS) but PENDING_FUNDS persists past SLA (e.g., T+24h). Pool fronts the slice (up to a governed cap per order/lane), takes Tier-1 receivable priority, and recovers automatically when buyer funds. Small assurance fee and late interest are charged to buyer; per-order and per-buyer caps apply; only after Pre-Ship EMT; auto-off if defaults rise. Trucks don’t wait on wires; cash still waits on proof.

• Liquidation Backstop (Collateral loans — tail risk): Triggered if collateral liquidation fails to clear within time/price bounds after Dutch/OB attempts. Backstop takes residual at floor−ε, repays debt, collects liquidation penalty (funds pool), and re-lists tokens. Treasury-half allocation (bounded) plus penalties and kicker fees fund the pool; per-bucket utilization caps; enable/disable per bucket; zero rehypothecation. Lenders are made whole without forcing Trade cashflows.

• Parametric Covers (optional, lane-specific): Evidence-driven payouts that follow PoV and never alter burns. Cold-chain band pays if temperature logs prove out-of-range (Merkle-proven, OEM/Inspector attest). Delay/demurrage pays when port/terminal timestamps breach SLAs. Re-inspection covers cost of 2nd PSI for minor correctables. All parametrics price per lane, debit EDSD at award, and credit EDSD at settlement; they don’t change protocol fees or burns.

3. Loss waterfalls

Collateral liquidation:

1. Debt plus accrued interest → lending pool

2. Penalty percentage → Backstop/Insurance pool (kicker fee paid from here)

3. Costs → capped ops/gas

4. Surplus → borrower (EDSD)

No protocol burn here. Burns occur only when collateral later settles or retires in Tokens.

EMT receivable (must-fund gap): If Assurance Pool fronts, it becomes Tier-1 in the Release waterfall; recovers principal plus fee from the slice on payout. If stage cancels before proof, RA/Assurance unwind; no on-rail loss (off-rail remedies per MPA).

4. Funding & pricing

• Backstop/Insurance pool: treasury-half allocation (bounded), liquidation penalties, Dutch-kick fees; optionally, a thin premium on collateral loans

• Assurance Pool: small per-order assurance fee plus late-interest on must-fund breaches; optional treasury-half seed

• Parametric covers: explicit premiums at award, priced per lane/severity history

• None of the above touch the burn half; burns remain programmatic at settle/release

5. Controls & caps

• Utilization caps per pool, per lane/bucket

• Per-buyer must-fund cap (exposure across open orders)

• Per-borrower/bucket LTV and HF thresholds (see Collateral & Liquidations)

• Disable buckets when oracles stale; raise LTV haircuts for aging vintages

• Pause parametric cover for a lane if false-trigger rates exceed bounds (resume only via governance)

6. Operating playbooks

• Must-fund missed: Status → PENDING_FUNDS; notify buyer; if SLA breached and pool enabled, Assurance fronts; receivable priority flips to pool; recover on funding.

• Collateral under water: Margin call 24–48h; if uncured, Dutch plus OB sweep; if residual, Backstop takes lot; waterfall repays; surplus to borrower.

• Cold-chain breach: Fail → run variance schedule or parametric payout; corrective EMT or replacement; burn occurs on final release/settle as usual.

• Registry/mirror revoke: Freeze downstream; no liquidation; replacement mirror posted ≤ 48h; resume.

7. APIs & events

• Admin: POST /v1/defi/pools/assurance/enable { lane, caps, fees } POST /v1/defi/pools/backstop/enable { buckets[], caps, penalty_bp }

• Runtime: defi.assurance.fronted { order_id, stage, amount } defi.assurance.recovered { order_id, stage, amount } defi.liq.started / filled / closed (see Liquidations) defi.parametric.triggered { case_id, cover_id, payout }

8. KPIs

• Assurance cure p95 ≤ 48h; fronted-then-recovered rate ≥ 95%

• Liquidation loss rate (principal) 0; time-to-fill p95 ≤ 6h (per lot)

• Pool utilization within caps; backstop take rate ≤ 10% (auctions clearing)

• Parametric false-positive rate ≤ 1%; payout SLA ≤ 24h after trigger proofs

• No brake violations (money never moved before proof)

9. Governance knobs

• Assurance Pool: enable per lane, caps, fee/late-interest, SLA thresholds; auto-front rules

• Backstop: penalty percentage, lot caps, decay/floor settings, RFQ allowlists, pool sizing

• Parametrics: eligible statements (temp band, delay windows), payout tables, acceptable attesting roles

• Oracle windows and LTV grids (Collateral); HF thresholds and cure windows (Liquidations)

• Never votable: bypass PoV/One-Claim; release Trade cash without EMT; discount the 50% burn; bridge EDSD; reuse pledged tokens

Plain recap