Trust model

What “trust” means on EDMA

We minimize what you have to believe. Ethereum PoS anchors ordering and data availability; PoV + EMTs decide admissibility; contracts hold funds as Locked EDSD until proof flips them to Unlocked EDSD; and One-Claim blocks duplicate evidence. The result is a rail where you trust facts and mechanisms—not promises.

The minimum you must trust

• Ethereum PoS (L1): You rely on Ethereum to finalize batches and store blob data. If the L1 is canonical after the challenge window, your L2 history is economically final. What you verify: batches/blobs on L1, state roots, burn tx hashes.

• L2 Sequencer (liveness, not correctness): You rely on the sequencer for ordering in seconds. It can’t force money to move early because PoV/EMT brakes live in contracts. Backstops: L1 forced inclusion and permissionless exits after the window.

• Attestors (evidence independence): You rely on independent roles (inspector, terminal/carrier, DC/3PL, registry/oracle) to attest facts. We reduce trust by requiring role-diverse quorum, publishing SLAs, rotating keys, and revoking or slashing for misconduct (where bonded). What you verify: attestor signatures, PoV hash equality, revocation lists, SLA dashboards.

• Treasury handling of Locked EDSD: While money is locked, ~75% sits in short-dated T-bills and ~25% in cash. You trust the stated ladder; we publish Proof-of-Reserves, a daily summary, and bank/custodian attestations anchored to L1. What you verify: PoR hashes, daily reserve tables, burn/fee ledger.

• Governance bounds (EDM holders): You trust that parameter changes are bounded, timelocked, and visible. Foundations (below) are not vote-tunable. What you verify: proposal text, on-chain vote, 72h timelock, Explorer diffs.

What is not a matter of trust

• No EMT, no funds. A slice never flips Locked → Unlocked EDSD without the stage passing.

• One-Claim. Duplicate evidence cannot finalize anywhere on EDMA.

• Must-fund before shipping. After Pre-Ship EMT, remaining milestones are funded as Locked EDSD before pickup/forwarder/BL.

• 50% burn of each protocol fee. Burn happens in EDM at the moment of release/settlement; hashes are public.

• Off-platform cash-out only at completion. A seller cannot withdraw off-platform mid-schedule; Unlocked EDSD can pay EDMA invoices instantly.

These are contract rules, not policy. No governance vote or sequencer choice can bypass them.

Trust boundaries by surface

Trade (milestones)

• Inputs you trust: attested PSI/COA, BL + seal photo/number, customs EDI, DC receipt & QA, temperature logs.

• Controls: PoV checklist per gate, role-diverse quorum, EMT mint on pass, Locked/Unlocked EDSD flip, narrow freezes on fail/revocation, variance math in the MPA.

• What you verify: proof page (hashes, roles, EMT id), fee line and burn hash, One-Claim reference.

Tokens (settlements/retirements)

• Inputs you trust: verified unit metadata (method/region/serial), attestor/registry feeds.

• Controls: PoV badge on listing, One-Claim serial, 4% protocol fee at settlement, 50% EDM burn.

• What you verify: listing proof, settlement receipt, burn hash, retirement pack.

Treasury/Reserves

• Inputs you trust: bank/custodian statements, T-bill ladder.

• Controls: Proof-of-Reserves with L1-anchored hashes, daily reserve summary, alerting on Reserve mismatch / Buffer low.

• What you verify: PoR files, L1 blob references, treasury interest lines in the ledger.

Sequencer

• Inputs you trust: none for admissibility.

• Controls: forced inclusion, status pages, failover, inclusion lists for critical calls (EMT/release/exit).

• What you verify: block timestamps, batch cadence, inbox depth, inclusion events in Explorer.

Residual risks

• Coordinated evidence fraud. Fence: independent quorum + rotation, random re-inspection, revocation with narrow freezes, dispute SLAs, slashing/ban for bonded roles.

• Censorship / sequencer outage. Fence: L1 forced inclusion, permissionless exits after window, multi-operator roadmap.

• Data unavailability (blobs). Fence: rollup won’t finalize without blobs; off-chain vault redundancy; re-hydration by hash.

• Jurisdictional freeze / bank outage. Fence: money remains Locked EDSD; on-rail accounting continues; withdrawals wait; PoR lets you reconcile exposures.

• Extreme L1 event. Fence: challenge window buys time; gates can pause; Locked EDSD preserves funds; exits resume when canonicality returns.

Incentives

• Attestors earn from the treasury half by SLA/role weight; misses reduce rewards; bad behavior is slashed or banned.

• Suppliers earn faster cash by clean documents and temperature/QA discipline; funded-on-proof lets ops run without loans.

• Buyers earn tighter tiers with on-time top-ups and low false-block rates; liquidity improves without sacrificing safety.

• EDM holders benefit from usage → fees → 50% burns while staking draws only from the treasury half.

What you can verify (and where)

• Receipts & proof pages: gate/listing id, PoV hash, EMT id, fee, burn hash, Locked/Unlocked EDSD deltas.

• Explorer: vote diffs, batch cadence, inclusion events, reserve ladders, attestor SLAs.

• L1 (Ethereum): blobs/batches, burn transactions, PoR anchors.

• APIs/Webhooks: …milestone.passed, …release.posted, …settlement.posted, fee.burn.posted, treasury.interest.accrued.

Operator checklist

• Keep checklists plain in the MPA; train teams to capture exactly those files.

• Watch Pending Funds and review windows; fund before shipping; block only for real mismatches.

• Use funded-on-proof for carriers/SGS/warehouses; expect auto-settlement on pass.

• Reconcile burn hashes and PoR in monthly closes; auditors can replay the chain from blobs.

• Expect narrow freezes, not system stops; exceptions are checklist-driven, not email fights.

Plain recap