docs: catastrophic failure pre-mortem and multi-chain feasibility analysis

[jeremylongshore]

Summary

• Comprehensive pre-mortem analysis of the IRSB ecosystem produced from 3 parallel hostile security audits (on-chain contracts, off-chain services, economic/governance vectors)
• 83 unique findings across 8 categories, code-verified against deployed Solidity source
• Identifies 5 project killers with attack narratives and remediation priorities
• Includes multi-chain architecture recommendation (hub-and-spoke) and infinite lifecycle assessment

Key Findings

4 CRITICAL-zone findings (risk score >= 15):

1. Bond-to-volume ratio enables rational fraud — 0.1 ETH bond protects unlimited volume
2. x402-irsb private key held in plaintext memory
3. Agent prompt injection vulnerability (length-only guard)
4. No timelock on Safe multisig operations

Findings breakdown:

Category	Count
Smart Contract (PM-SC-)	40
Economic (PM-EC-)	5
Governance (PM-GV-)	4
Off-chain (PM-OF-)	7
Package/SDK (PM-PK-)	8
Agent (PM-AG-)	6
Multi-chain (PM-MC-)	10
Lifecycle (PM-LF-)	6

Deliverable

Single document: protocol/000-docs/039-AA-AUDT-pre-mortem-analysis.md (1,258 lines)

8 parts:

1. Executive summary: Top 5 project killers
2. Technical findings catalog (62 on-chain + 16 off-chain)
3. Economic attack scenarios with code-verified parameters
4. Governance & regulatory risks (Howey, OFAC, MiCA)
5. Multi-chain feasibility (10 challenges, 3 architecture options)
6. Infinite lifecycle requirements (6 decay vectors)
7. 4-phase remediation roadmap (pre-mainnet through governance)
8. Risk matrix (likelihood x impact scoring for all 83 findings)

Test plan

• Document renders correctly as markdown
• All finding IDs internally consistent (cross-referenced in risk matrix)
• Remediation roadmap items map back to specific findings
• No contract source changes — document only
• Filed in protocol/000-docs/ with proper naming convention (039-AA-AUDT)

🤖 Generated with Claude Code

Summary by CodeRabbit

• Documentation
  • Added comprehensive pre-mortem security analysis document covering smart contracts, economic models, governance, and cross-chain architecture risks.
  • Catalogues 83 findings with severity classifications, attack scenarios, and impact assessments.
  • Includes phased remediation roadmap and detailed risk matrix for systematic risk management.

[coderabbitai]

📝 Walkthrough

Walkthrough

Adds a comprehensive pre-mortem security analysis document for the IRSB protocol, detailing 83 findings across smart contracts, economic models, governance, cross-chain architecture, and lifecycle risks. Includes executive summary, attack scenarios, severity levels, and a phased remediation roadmap.

Changes

Cohort / File(s)	Summary
Security Analysis Documentation 000-docs/039-AA-AUDT-pre-mortem-analysis.md	Comprehensive pre-mortem security analysis for IRSB protocol with 83 distinct findings, executive summary, technical findings across multiple domains, economic attack scenarios, governance and regulatory risks, multi-chain feasibility assessment, lifecycle considerations, phased remediation roadmap (Phase 0–4), risk matrix, and methodology appendix.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Poem

🐰 Through protocol paths and chains we bound,
Security findings eighty-three we've found!
Pre-mortem whispers guard the way,
With remediation plans to save the day,
hop-hop 🌟 Let's harden what we've built,
No risks remain, no fear, no guilt!

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately summarizes the main change: adding a comprehensive pre-mortem analysis document covering catastrophic failure scenarios and multi-chain feasibility assessment.
Description check	✅ Passed	The PR description is comprehensive and well-structured, providing executive summary, key findings, detailed breakdown of 83 findings across 8 categories, deliverable specifications, and test plan verification.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch docs/pre-mortem-analysis

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[gemini-code-assist]

Summary of Changes

Hello @jeremylongshore, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request introduces a critical new documentation asset: a comprehensive pre-mortem analysis for the IRSB protocol. This document meticulously details 83 unique findings across various categories, including smart contract vulnerabilities, economic attack vectors, governance risks, and multi-chain challenges. It identifies five existential threats to the protocol and proposes a structured, multi-phase remediation roadmap to address these issues, ultimately aiming to enhance the protocol's security, economic stability, and long-term decentralization.

Highlights

• Comprehensive Pre-Mortem Analysis: A detailed pre-mortem analysis of the IRSB ecosystem was conducted, encompassing on-chain contracts, off-chain services, and economic/governance vectors, resulting in 83 unique findings.
• Identification of Project Killers: Five critical 'project killers' were identified, each with attack narratives and prioritized remediation strategies, highlighting systemic failure modes.
• Critical Security Findings: Four critical-zone findings were uncovered: an exploitable bond-to-volume ratio, plaintext storage of a private key, an agent prompt injection vulnerability, and the absence of a timelock on Safe multisig operations.
• Multi-Chain Feasibility and Roadmap: The analysis includes a multi-chain architecture recommendation (hub-and-spoke) and an infinite lifecycle assessment, alongside a phased remediation roadmap spanning pre-mainnet to long-term governance.

Changelog

• 000-docs/039-AA-AUDT-pre-mortem-analysis.md
  • Added a new document detailing a comprehensive pre-mortem analysis of the IRSB protocol, including security, economic, governance, and multi-chain feasibility findings.

Activity

• No specific activity (comments, reviews, or progress updates) has been recorded for this pull request yet.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request introduces a comprehensive pre-mortem analysis document. The document is exceptionally detailed and identifies numerous critical risks and architectural issues. My review focuses on ensuring the internal consistency of the document and its alignment with the provided codebase. I've identified a couple of potential inaccuracies in the findings that should be addressed to ensure the document's correctness.

[gemini-code-assist]

The finding PM-PK-004 states that GraphQL queries are constructed with string interpolation, which could lead to injection vulnerabilities. On reviewing protocol/sdk/src/api/walletApi.ts, the implementation appears to use parameterized queries via the graphql-request library (e.g., this.client.request(QUERY, { variables })). This is a standard practice that prevents GraphQL injection. The assessment in this finding may be incorrect as the code does not seem to use string interpolation for queries.

[gemini-code-assist]

The "V2 Arbitration" row in this table states that the Challenger receives 0% of the slash. However, the referenced code in OptimisticDisputeModule.sol (lines 251-274, specifically line 262) shows that the userShare (70%) is paid to dispute.challenger. The table should likely show 70% for the Challenger to accurately reflect the code's behavior. This inaccuracy could affect the analysis of economic incentives.

[coderabbitai]

Actionable comments posted: 1

🤖 Fix all issues with AI agents

In `@000-docs/039-AA-AUDT-pre-mortem-analysis.md`:
- Around line 917-928: Update the remediation/prioritization in the document to
mark PM-LF-003 as a high-priority roadmap item: explicitly add a prioritized
implementation path to introduce a protocol fee on receipt finalization (in
addition to current slash-based revenue referenced at Types.sol:141 and
OptimisticDisputeModule.sol:36), describe the fee mechanics and rollout options
(e.g., flat vs. percentage, opt-in subscription tier for premium features), and
move the fee proposal to top of the remediation list with clear owner/next-steps
and timeline to address the infinite-lifecycle risk.

🧹 Nitpick comments (2)

000-docs/039-AA-AUDT-pre-mortem-analysis.md (2)

24-167: Excellent executive summary with actionable threat analysis.

The five project killers are well-articulated with clear attack narratives and impact assessments. The code evidence strengthens credibility significantly.

However, since this PR only adds documentation without contract changes, be aware that:

• Specific line number references (e.g., "SolverRegistry.sol:18") will become stale as contracts evolve
• Claims about "verified against deployed Solidity source code" (line 26) cannot be validated within this PR's scope

💡 Recommendation: Make references more resilient to code changes

Consider supplementing exact line numbers with function/constant names that are more stable:

-**Code Evidence:** `MINIMUM_BOND = 0.1 ether` (SolverRegistry.sol:18)
+**Code Evidence:** `MINIMUM_BOND = 0.1 ether` (SolverRegistry.sol, constant declaration in contract)

This maintains specificity while reducing maintenance burden when line numbers shift.

Based on learnings, the timelock issue (Killer 2) correctly identifies that multisig governance improvement is pending, and the cross-chain analysis (Killer 4) aligns with IRSB's stated goal of becoming a cross-protocol standard.

---

839-852: Add language identifier to fenced code block for proper rendering.

The ASCII diagram illustrating the hub-and-spoke architecture is helpful, but the fenced code block should specify a language identifier for proper syntax highlighting and rendering across different markdown viewers.

✨ Suggested improvement

-```
+```text
                    ┌──────────────────────┐
                    │   L1 Canonical Hub   │

This ensures consistent rendering and satisfies markdown linters.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Critical insight: revenue model creates perverse incentive paradox.

PM-LF-003 identifies a fundamental economic tension:

"A healthy protocol has few disputes. If IRSB works well, disputes are rare, and treasury revenue approaches zero."

This is a profound observation that connects protocol health to financial sustainability. The current model (treasury receives percentage of slashes) creates a paradox where successful operation undermines funding for maintenance and development.

The suggested remediation (protocol fee on receipt finalization, not just slashes) would align economic incentives correctly. This finding deserves prioritization in the roadmap.

The economic sustainability gap poses a threat to infinite lifecycle viability, as protocols without self-sustaining revenue eventually depend on external funding that may not persist.

🤖 Prompt for AI Agents

In `@000-docs/039-AA-AUDT-pre-mortem-analysis.md` around lines 917 - 928, Update
the remediation/prioritization in the document to mark PM-LF-003 as a
high-priority roadmap item: explicitly add a prioritized implementation path to
introduce a protocol fee on receipt finalization (in addition to current
slash-based revenue referenced at Types.sol:141 and
OptimisticDisputeModule.sol:36), describe the fee mechanics and rollout options
(e.g., flat vs. percentage, opt-in subscription tier for premium features), and
move the fee proposal to top of the remediation list with clear owner/next-steps
and timeline to address the infinite-lifecycle risk.