Security & Fraud Prevention

Purpose. Keep junk out and make reversals cheap and visible. Under Proof of Verification (PoV), nothing mints or settles unless (1) a governed attestor quorum verifies the same evidence, and (2) a global One-Claim ledger confirms the evidence hasn’t been used elsewhere. If uncertainty exists, the default is no mint / no settle.

Threat model (what we defend against)

Duplicate claims / double counting of the same batch or milestone
Garbage evidence (non-canonical, tampered, ambiguous)
Attestor failure or collusion (role drift, negligence)
Post-issuance invalidation (revokes, expired proofs)
Abuse at the edge (spoofed meters, replayed files)
Contract-level exploits (reentrancy, unbounded loops)

Defense-in-depth (controls that bite)

1) PoV Gate (quorum • equality • exclusivity)

Quorum: N-of-M verifications with role diversity; AUDITOR required by default.
Equality: all counted verifications reference the same evidenceHash and batch/window.
Exclusivity: route-agnostic claimId can finalize once network-wide via the One-Claim Ledger.
Fail-safe: on any mismatch or revocation → revert (no mint/settle).

2) Attestor program (governed, measurable)

Registry: role allowlists (METER_OP, AUDITOR, GRID, INSPECTOR…) with enable/disable and a public QuorumSpec.
Independence & rotation: caps on correlated exposure; rotation schedules; public KPIs.
Keys: HSM/threshold signing recommended; incident runbooks; ban/slash policy (de-list from Registry).

3) Evidence canonicalization (hash what’s real)

Strict JSON: sorted keys, minified, fixed units (Wh), fixed types.
Hash: evidenceHash = SHA-256(canonical_json); device/operator signs the payload or source files.
Why: the same reality → the same hash; pretty-print tricks don’t pass Gate equality checks.

4) Edge integrity & anomaly detection

Device identity & signed windows (no overlapping windows).
Replay protection using batch/window IDs + nonces.
Anomaly detection to flag duplicates/unrealistic readings before attestations count.

5) Revocation that actually bites

First-class revocation: if a counted verification is revoked/expired and quorum drops, dependent assets become flagged/frozen/burned per policy until rectified.
Append-only rectification: new verifications can restore quorum; contracts emit PoVRectified. History is never rewritten.

6) Monitors & circuit breakers (SLA-bound)

PoV Feed watches EAS revocations/expiry/role changes; flags affected claimIds on-chain within < 24h SLA.
Circuit breakers can pause mints/settles on feed divergence or governance events (timelocked)

7) Contract hygiene

No reentrancy on settle paths; finalize exclusivity after checks.
Bounded loops (cap verification array lengths); cached decodes for batches.
No auto-swap: contracts never convert other assets to EDM; if payer lacks EDM, settle reverts.
Fee/burn enforcement is on-chain (50% burn, 50% treasury)

8) Privacy by design

On-chain: only hashes/IDs/links—no PII.
Off-chain: artifacts in controlled stores (S3/IPFS/partner vaults) with signed URLs.
Selective disclosure / zk (optional): prove eligibility (e.g., “age > 18”) without leaking raw data.

9) Auditability & transparency

Anchoring: evidence → attestations → proof → settlement/retirement anchored to Ethereum (L1).
Events & explorer: PoVPassed, PoVFlagged, PoVRectified, Finalized (One-Claim) indexed by subgraph; public explorer surfaces quorum, roles, flags, and lineage.

Where DID fits (optional, not the gate)

We don’t require DID for PoV to work. If used, DIDs/VCs can improve onboarding & role assignment (e.g., proving a metering operator’s accreditation). Admissibility still comes from attestations + One-Claim, not from identity alone.

Example on-chain hooks (flag & pause)

// SPDX-License-Identifier: MIT
pragma solidity ^0.8.24;

abstract contract PoVFlaggable {
    mapping(bytes32 => bool) public flagged; // claimId -> flagged
    event PoVFlagged(bytes32 indexed claimId);
    event PoVRectified(bytes32 indexed claimId);

    function _flag(bytes32 claimId) internal {
        flagged[claimId] = true; emit PoVFlagged(claimId);
    }
    function _rectify(bytes32 claimId) internal {
        flagged[claimId] = false; emit PoVRectified(claimId);
    }
}

abstract contract CircuitBreaker {
    bool public paused;
    event Paused(); event Unpaused();
    modifier notPaused() { require(!paused, "PAUSED"); _; }
    function _pause() internal { paused = true; emit Paused(); }
    function _unpause() internal { paused = false; emit Unpaused(); }
}

Use PoVFlaggable in EnergyNFT/CarbonCreditNFT/EMT to freeze transfer/settlement for affected items. Use CircuitBreaker in Gate/Settlement paths to halt during incidents.

What we don’t do (on purpose)

We do not rely on token staking for consensus security (that’s Ethereum PoS).
We do not accept unverifiable “paper” evidence; everything must canonicalize and hash.
We do not allow the same evidence to appear in multiple markets (One-Claim prevents it).
We do not tax low-value proofs; proof mints/conversions are gas-only on Base. Fees apply only at settlement in EDM (Energy/Carbon 4%, Trade 0.5%/milestone with caps; 50% burned).

Operator checklist (quick)

Enforce QuorumSpec (≥2 verifications, AUDITOR required, ≥2 distinct roles).
Verify equality of evidence (evidenceHash + window) in Gate.
Reserve/finalize One-Claim atomically in the same tx.
Subscribe to PoV Feed; flag within <24h; support rectification flow.
Keep settlement EDM-only; proofs gas-only; never auto-swap.
Anchor lineage to L1; publish policy & fee contracts; timelocked governance.

Bottom line: Security in EDMA isn’t a slogan. It’s quorum + equality + exclusivity, enforced in code, with fast revocation, visible flags, and immutable lineage—while keeping proofs cheap and charging only where value actually settles.

Last updated 2 months ago