Economic Security Model
last updated: 2026-02-27
This chapter summarizes the economic security & adversarial model of Scintilla Locate in handbook form. The normative technical appendix remains the deeper reference (and is included verbatim below under “Reference Appendix”).
The self-sizing exposure envelope
The protocol enforces a self-sizing economic security envelope that limits how much value can be simultaneously at risk.
Core constraint
(n + 1) * E_per <= E_max
Where:
- n = number of accepted claims already in the round
- E_per = per-claim exposure (bond + reward cap)
- E_max = effective security budget for the round
Effective security budget
E_max = S_effective / M_assurance
- S_effective = vesting-weighted active stake
- M_assurance = assurance multiplier (safety margin, e.g., 2–5×)
What this accomplishes
- Automatic throttling: when exposure would exceed the budget, the next claim is rejected.
- No insolvency event: the protocol never accepts more exposure than its security budget.
- Capital-weighted growth: throughput scales as stake deepens.
- Economic composability: bounties and caps can be reasoned about relative to security budget.
Engineering implications
Any change that touches:
- bond sizing
- reward caps
- claim acceptance rules
- committee thresholds
- dispute windows
- slashing mechanics
must be reviewed as a change to exposure dynamics and must pass the Risk Gate.
Reference Appendix (verbatim source)
Scintilla Locate
Technical Appendix — Economic Security & Adversarial Model
Version: 1.0
Date: 2026-02-12
1. Purpose
This appendix formalizes:
- The economic security model
- The self-sizing exposure envelope
- Adversarial threat assumptions
- Dispute mechanics
- Capital requirements modeling
- Failure mode analysis
This document is designed for:
- Auditors
- Protocol engineers
- Governance participants
- Security reviewers
2. Threat Model
Scintilla Locate assumes:
- Dishonest provers (spoofed GNSS, replay attacks, falsified commitments)
- Dishonest challengers (griefing, false accusations)
- Colluding verifiers
- Stake concentration attempts
- Bribery attempts
- Watcher exploitation
- Economic overload attacks (exposure flooding)
The protocol must remain economically rational under these conditions.
3. Economic Security Envelope
Core constraint:
(n + 1) × E_per ≤ E_max
Where:
n = number of accepted claims
E_per = per-claim exposure (bond + reward cap)
E_max = effective security budget / assurance multiplier
3.1 Effective Security Budget
Let:
S_total = total active stake
S_effective = stake weighted by vesting factor
M_assurance = assurance multiplier (≥ 1)
Then:
E_max = S_effective / M_assurance
Assurance multiplier reflects safety margin (e.g., 2–5×).
Example:
If:
S_effective = $5,000,000
M_assurance = 4
Then:
E_max = $1,250,000
Total exposure cannot exceed $1.25M.
3.2 Exposure Per Claim
E_per = Bond + Reward_cap
Example:
Bond = $50,000
Reward_cap = $10,000
E_per = $60,000
If E_max = $1,250,000:
Maximum concurrent claims:
floor(1,250,000 / 60,000) = 20 claims
The 21st claim is rejected.
This creates automatic rate throttling.
4. Dynamic Throttling Model
Exposure control operates in real-time.
At claim submission:
If (n + 1) × E_per > E_max
→ Claim rejected.
This ensures:
- No systemic overexposure
- No economic insolvency event
- Capital-weighted scaling
Growth only occurs as stake deepens.
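The admission rule from "Core constraint" and sections 3 and 4, as an added example (not code from the Scintilla Locate project). The `Round` class, `settle`, `fill`, and the idea that stake can change and claims can leave mid-round are assumptions made for illustration; the check is cross-multiplied so that a fractional assurance multiplier never rounds E_max.

```python
from dataclasses import dataclass
from fractions import Fraction


@dataclass
class Round:
    """Exposure envelope for one round; amounts are whole currency units."""
    s_effective: int        # vesting-weighted active stake
    m_assurance: Fraction   # assurance multiplier, >= 1 (ints are accepted)
    bond: int
    reward_cap: int
    accepted: int = 0       # n: claims already accepted in the round

    def __post_init__(self):
        self.m_assurance = Fraction(self.m_assurance)
        if self.m_assurance < 1:
            raise ValueError("M_assurance must be >= 1")
        if min(self.s_effective, self.bond, self.reward_cap) < 0 or self.e_per == 0:
            raise ValueError("amounts must be non-negative and E_per positive")

    @property
    def e_per(self) -> int:
        return self.bond + self.reward_cap

    def admits_next(self) -> bool:
        # (n + 1) * E_per <= S_effective / M_assurance, cross-multiplied so the
        # acceptance path never divides and never rounds E_max.
        return (self.accepted + 1) * self.e_per * self.m_assurance <= self.s_effective

    def capacity(self) -> int:
        """Largest n with n * E_per <= E_max at the current stake."""
        return self.s_effective // (self.e_per * self.m_assurance)

    def submit(self) -> bool:
        """Accept a claim only if the envelope still holds with it included."""
        if not self.admits_next():
            return False
        self.accepted += 1
        return True

    def settle(self) -> None:
        """Assumed behaviour: a resolved claim leaves the round and frees exposure."""
        if self.accepted == 0:
            raise ValueError("no accepted claims to settle")
        self.accepted -= 1


def fill(rnd: Round, attempts: int) -> int:
    """Submit `attempts` claims; return how many the envelope admitted."""
    return sum(rnd.submit() for _ in range(attempts))
```

If stake falls mid-round, `admits_next()` keeps rejecting until settled claims bring exposure back under the smaller budget; already accepted claims are not evicted in this sketch.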
5. Slashing & Bribery Resistance
Assume:
V = value attacker seeks to fraudulently unlock
C = cost of bribing sufficient verifiers
S_slash = slashing exposure for malicious participation
To be secure:
C + S_slash > V
Where:
C depends on:
- Committee size
- Required majority threshold
- Individual stake weights
Slashing must exceed rational bribery threshold.
5.1 Committee Threshold Model
Let:
k = committee size
t = minimum collusion threshold (e.g., ⅔ majority)
Bribery must control ≥ t validators.
Expected bribe cost:
C ≈ sum(stake_weight_i × risk_adjusted_bribe_premium)
Slashing must exceed expected bribe upside.
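A parameter-review check for the inequality C + S_slash > V, as an added example (not part of the appendix or the project's code). It assumes the bribe premium and the slashed amount are each a fixed fraction of a validator's stake, and that the threshold counts validators; `bribe_premium`, `slash_fraction` and the function names are hypothetical.

```python
import math
from fractions import Fraction


def collusion_quorum(k: int, t: Fraction) -> int:
    """Smallest number of committee members m with m / k >= t."""
    if k <= 0 or not (0 < t <= 1):
        raise ValueError("need k > 0 and 0 < t <= 1")
    return math.ceil(t * k)


def attack_cost_floor(stakes, t, bribe_premium, slash_fraction) -> Fraction:
    """Lower bound on C + S_slash over every coalition that reaches t.

    Under the assumed model both terms grow with stake, so the bound is set
    by the m lowest-staked members, not by average or total stake.
    """
    premium, slash = Fraction(bribe_premium), Fraction(slash_fraction)
    if premium < 0 or not (0 <= slash <= 1):
        raise ValueError("premium must be >= 0 and slash_fraction in [0, 1]")
    m = collusion_quorum(len(stakes), Fraction(t))
    weakest = sorted(stakes)[:m]
    c = sum(s * premium for s in weakest)        # C: expected bribe cost
    s_slash = sum(s * slash for s in weakest)    # S_slash: stake forfeited
    return c + s_slash


def is_bribery_resistant(v, stakes, t, bribe_premium, slash_fraction) -> bool:
    """True when C + S_slash > V holds even for the weakest quorum."""
    return attack_cost_floor(stakes, t, bribe_premium, slash_fraction) > v


def min_uniform_stake(v, k, t, bribe_premium, slash_fraction) -> int:
    """Smallest equal per-member stake that keeps C + S_slash > V."""
    m = collusion_quorum(k, Fraction(t))
    per_unit = m * (Fraction(bribe_premium) + Fraction(slash_fraction))
    if per_unit == 0:
        raise ValueError("no stake level is sufficient with zero premium and slash")
    return math.floor(Fraction(v) / per_unit) + 1
```

A committee with large total stake can still fail the check when enough low-stake members exist to form the quorum, which is why the bound is taken over the weakest m members.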
6. Dispute Lifecycle
- Claim submission
- Initial optimistic acceptance
- Challenge window opens
- Watcher challenge (optional)
- Committee review
- Resolution
- Slashing (if necessary)
- NFT issuance or bond forfeiture
Key requirement:
Dispute outcomes must be:
- Deterministic
- Economically proportional
- Calm and transparent
7. Capital Requirement Modeling
To support annual settlement of X:
Let:
X = annual settlement volume
A = average contract value
C = average concurrent claims
D = average settlement duration (days)
Then:
C ≈ (X / A) × (D / 365)
Required stake:
S_required ≥ M_assurance × (C × E_per)
Example:
Annual settlement X = $100M
Average contract A = $100k
Average duration D = 7 days
Assurance multiplier = 4
Contracts/year = 100M / 100k = 1000
Concurrent ≈ 1000 × (7/365) ≈ 19
If E_per = $120k:
Exposure ≈ 19 × 120k ≈ $2.28M
Required stake ≈ 4 × 2.28M ≈ $9.12M
Stake depth requirement ≈ $9–10M.
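The sizing procedure of section 7 carried through in exact arithmetic, as an added example (not part of the appendix or the project's code). `size_stake`, its `round_up` switch and the returned field names are assumptions; the 5× comparison reuses the section 9 milestone.

```python
import math
from fractions import Fraction


def expected_concurrent(x_annual: int, a_avg: int, d_days: int) -> Fraction:
    """C ≈ (X / A) × (D / 365), kept as an exact fraction."""
    if min(x_annual, a_avg, d_days) <= 0:
        raise ValueError("X, A and D must be positive")
    return Fraction(x_annual, a_avg) * Fraction(d_days, 365)


def size_stake(x_annual, a_avg, d_days, e_per, m_assurance, round_up=True):
    """Apply S_required >= M_assurance × (C × E_per) and report each step.

    round_up=True sizes for ceil(C) claims (an assumption made here so the
    budget covers a whole extra claim); round_up=False rounds C to nearest,
    as the appendix's worked example does.
    """
    m = Fraction(m_assurance)
    if m < 1 or e_per <= 0:
        raise ValueError("need M_assurance >= 1 and E_per > 0")
    c = expected_concurrent(x_annual, a_avg, d_days)
    claims = math.ceil(c) if round_up else round(c)
    exposure = claims * e_per
    stake = math.ceil(m * exposure)
    return {
        "concurrent_claims": claims,
        "exposure": exposure,
        "required_stake": stake,
        # Section 9 milestone "Stake > 5× concurrent exposure", checked separately.
        "meets_5x_milestone": stake > 5 * exposure,
    }
```

With M_assurance = 4 the sized stake equals 4× the concurrent exposure, so the section 9 milestone has to be checked on its own. Doubling the settlement duration roughly doubles the required stake, which is why dispute-window changes count as exposure changes.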
8. Failure Modes
- Stake concentration → governance capture risk
- Under-slashing → bribery incentive
- Over-slashing → validator exit
- ZK soundness bug → catastrophic trust loss
- Exposure miscalculation → insolvency risk
- Regulatory classification as escrow operator
Mitigation:
- Conservative parameter initialization
- Independent audits
- Public modeling transparency
- Phased contract size growth
9. Security Milestones
Before scaling:
- $1M cumulative bonded value
- At least one dispute resolved correctly
- No unjust loss events
- Stake > 5× concurrent exposure
- External security audit
Before $100M annual settlement:
- Formal adversarial simulation
- Parameter governance ratified
- Stake concentration < 30% top 3
10. Long-Term Security Philosophy
Security is not static.
It scales with:
- Stake depth
- Reputation
- Audit maturity
- Governance clarity
- Public dispute history
The protocol must evolve conservatively.
Capital-weighted enforcement is the moat.
End of Technical Appendix