
Catastrophic Failure Modes

What Can Go Catastrophically Wrong

  1. Governance approves a malicious implementation and executes it.
  2. A role-admin custody compromise silently reassigns critical roles.
  3. Controller or deposit upgrades remove or weaken fail-closed checks.
  4. Oracle pipeline corruption feeds fabricated finalized observations.
  5. Reserve assumptions fail at scale and settlement cannot maintain the expected protection behavior.
  6. The operations team misses a critical queued operation during the timelock delay and cannot cancel it in time.

Severity Notes

All six are protocol-critical because they can alter custody safety or payout correctness at system scale.

Prevention Priorities

  • governance role separation and monitoring
  • release artifact provenance
  • incident drills for cancellation and freeze paths
  • independent risk/receipt feed validation
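The monitoring side of these priorities can be made concrete. The following is an added example, not code from the page's protocol: an offline review pass over an indexed event stream that flags the governance-level signals behind failure modes 1, 2, 3 and 6 (an unapproved implementation behind a proxy, critical-role admin or holder changes outside an allowlist, and queued timelock operations that become executable before anyone has reviewed them). Event names are modeled on OpenZeppelin's AccessControl, TimelockController and ERC1967 conventions, which is an assumption about this protocol; the `codehash` on the `Upgraded` event is assumed to have been attached by the indexer from the new implementation's bytecode, since the on-chain event only carries the address. All addresses, hashes and events are constructed placeholders.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set

# Constructed configuration. Role names and event shapes follow OpenZeppelin
# conventions (assumption); the pinned code hashes stand in for values the
# release pipeline would publish with each signed build.
CRITICAL_ROLES: Set[str] = {"DEFAULT_ADMIN_ROLE", "UPGRADER_ROLE", "ORACLE_ADMIN_ROLE"}

# Accounts expected to hold each critical role (role separation allowlist).
EXPECTED_HOLDERS: Dict[str, Set[str]] = {
    "DEFAULT_ADMIN_ROLE": {"0xGOV_TIMELOCK"},
    "UPGRADER_ROLE": {"0xGOV_TIMELOCK"},
    "ORACLE_ADMIN_ROLE": {"0xORACLE_COMMITTEE"},
}

# Code hashes of released implementations, pinned from the build artifacts.
APPROVED_CODEHASHES: Dict[str, str] = {
    "0xCODEHASH_CONTROLLER_V1": "controller v1 (signed release)",
    "0xCODEHASH_DEPOSIT_V1": "deposit v1 (signed release)",
}


@dataclass(frozen=True)
class Event:
    ts: int            # block timestamp (seconds)
    name: str
    args: Dict[str, str]


@dataclass(frozen=True)
class Finding:
    severity: str
    ts: int
    message: str


def review(events: Iterable[Event], now: int, timelock_delay: int,
           review_lead: int, reviewed_ops: Set[str]) -> List[Finding]:
    """Scan governance events and return findings an operator must act on.

    review_lead: how many seconds before an operation becomes executable it
    must already have been reviewed (otherwise it is flagged so it can be
    cancelled while the timelock still permits it).
    """
    findings: List[Finding] = []
    pending: Dict[str, Event] = {}  # timelock op id -> CallScheduled event

    for ev in events:
        a = ev.args
        if ev.name == "RoleAdminChanged" and a["role"] in CRITICAL_ROLES:
            # Failure mode 2: custody of a critical role moved to another admin role.
            findings.append(Finding("critical", ev.ts,
                f"admin of {a['role']} changed {a['previousAdminRole']} -> {a['newAdminRole']}"))
        elif (ev.name == "RoleGranted" and a["role"] in CRITICAL_ROLES
              and a["account"] not in EXPECTED_HOLDERS.get(a["role"], set())):
            # Failure mode 2: a critical role granted outside the allowlist.
            findings.append(Finding("critical", ev.ts,
                f"{a['role']} granted to unexpected account {a['account']}"))
        elif ev.name == "Upgraded" and a["codehash"] not in APPROVED_CODEHASHES:
            # Failure modes 1 and 3: proxy now points at bytecode that is not a pinned release.
            findings.append(Finding("critical", ev.ts,
                f"proxy upgraded to {a['implementation']} with unapproved codehash {a['codehash']}"))
        elif ev.name == "CallScheduled":
            pending[a["id"]] = ev
        elif ev.name in ("CallExecuted", "Cancelled"):
            pending.pop(a["id"], None)

    # Failure mode 6: queued operations about to become executable without a recorded review.
    for op_id, ev in pending.items():
        ready_at = ev.ts + timelock_delay
        if op_id not in reviewed_ops and ready_at - now <= review_lead:
            findings.append(Finding("high", ev.ts,
                f"timelock op {op_id} targeting {ev.args['target']} executable at {ready_at}, not reviewed"))
    return findings


# Constructed sample stream: one expected grant, one admin reassignment, one
# unexpected grant, one unapproved upgrade, two scheduled ops (one cancelled).
SAMPLE_EVENTS: List[Event] = [
    Event(1000, "RoleGranted", {"role": "UPGRADER_ROLE", "account": "0xGOV_TIMELOCK"}),
    Event(1100, "RoleAdminChanged", {"role": "UPGRADER_ROLE",
                                     "previousAdminRole": "DEFAULT_ADMIN_ROLE",
                                     "newAdminRole": "0xROLE_UNKNOWN"}),
    Event(1200, "RoleGranted", {"role": "ORACLE_ADMIN_ROLE", "account": "0xEOA_UNKNOWN"}),
    Event(1300, "Upgraded", {"implementation": "0xIMPL_NEW", "codehash": "0xCODEHASH_UNKNOWN"}),
    Event(1400, "CallScheduled", {"id": "op-1", "target": "0xCONTROLLER"}),
    Event(1450, "CallScheduled", {"id": "op-2", "target": "0xDEPOSIT"}),
    Event(1500, "Cancelled", {"id": "op-1"}),
]


def sample_findings(now: int = 2000, reviewed: Set[str] = frozenset()) -> List[Finding]:
    # 1000 s timelock delay, operations must be reviewed at least 600 s before ready.
    return review(SAMPLE_EVENTS, now=now, timelock_delay=1000,
                  review_lead=600, reviewed_ops=set(reviewed))


if __name__ == "__main__":
    for f in sample_findings():
        print(f"[{f.severity}] t={f.ts}: {f.message}")
```

In practice `reviewed_ops` would come from the sign-off log of the incident drill process, and the allowlists from the same signed release artifacts used for provenance checks, so that a change in either is itself a governance event rather than a monitor-side edit.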