
Security-Capital Surfaces

A Type 6 Presence Adjudication System is never secured by procedure alone.

It may have committees, proofs, challenge windows, durable publication, and explicit rules. All of these matter. But if the system ultimately relies on economically exposed actors to adjudicate claims, defend outcomes, or challenge misconduct, then its security is shaped not only by formal design, but by capital.

That is the subject of this page.

The phrase security-capital surface refers to the boundary between what a system can safely adjudicate and what its economically exposed structure can actually defend. It is a way of asking, in concrete terms:

how much consequence can this system safely bear before dishonest behavior becomes rational?

This is one of the central questions for Type 6 PAS design. A system may appear orderly, cryptographically sophisticated, and procedurally complete while remaining economically weak. If the rewards from corrupting an outcome exceed the credible losses for those who would need to collude, then the security of the system is thinner than its surface presentation suggests.

That does not mean capital is everything. But it does mean that for Type 6 systems, capital exposure is part of the architecture of trust, finality, and adjudication.

Why Capital Matters

A Type 6 PAS differs from older forms of presence adjudication because it does not rely solely on a recognized authority to define the result. Instead, it often relies on verifiers, challengers, publishers, or related actors whose credibility comes partly from the fact that they are exposed to incentives and penalties.

This is an important shift.

  • In a court, legitimacy may derive from institutional authority.
  • In a platform, control may derive from operational ownership.
  • In a Type 6 system, credibility often depends on whether economically relevant actors have enough to lose from misbehavior.

That means security cannot be discussed only in terms of formal process. It must also be discussed in terms of exposed downside.

If dishonest adjudication could produce gains larger than the credible penalty for being caught, then the architecture is undercapitalized relative to the consequences it is being asked to govern.

Security Is Always Relative to Stakes

No adjudication system is secure in the abstract.

It is only secure relative to:

  • the value of the outcomes it governs
  • the incentives faced by potential attackers
  • the cost of collusion
  • the chance of detection
  • the speed and effectiveness of challenge
  • the severity and credibility of penalty

This is especially important for presence systems because the direct on-system value may not reflect the real-world value riding on the claim.

A small on-chain fee may be attached to a presence claim that determines a much larger insurance outcome, logistics release, regulatory consequence, access right, or contractual settlement.

So the relevant security question is not:

how much value sits inside the protocol?

It is:

how much value depends on this adjudication outcome, and what would it take to corrupt it?

That wider consequence surface is what makes security-capital analysis essential.

What a Security-Capital Surface Is

A security-capital surface is the effective frontier at which a system’s economically exposed structure remains credible relative to the value and attack incentives associated with the claims it adjudicates.

Put more simply, it describes the range within which the system’s capital-backed deterrence is still stronger than the gains from corruption.

This surface is shaped by several factors:

  • how much stake or bonded capital is genuinely slashable
  • how quickly dishonest gains can be realized
  • whether the relevant actors can externalize losses
  • whether watchers are incentivized strongly enough to challenge
  • how visible misconduct is
  • how long the dispute window remains open
  • whether governance can quietly neutralize penalties
  • whether real-world value exceeds protocol-visible value by a large margin

A system with a shallow security-capital surface can still function. It simply cannot safely govern high-consequence outcomes.

That is not necessarily a failure. Many systems are designed for lower-stakes domains. The danger arises when the system presents itself as secure for use cases that exceed the capital discipline actually available.

The Difference Between Nominal and Effective Security

One of the most important distinctions here is between nominal security and effective security.

Nominal security is what the system appears to have on paper:

  • total stake bonded
  • advertised slashing rules
  • committee thresholds
  • published dispute processes
  • formal challenge rights

Effective security is what remains after realistic attack conditions are considered.

For example:

  • not all nominal stake may be meaningfully slashable
  • some participants may be closely aligned or controlled by the same actor
  • stake may be borrowed, insured, or externally hedged
  • governance may be able to soften penalties
  • watcher participation may be sparse
  • hidden off-system value may make corruption more attractive than it appears
  • adjudicators may gain more from collusion than they fear from punishment

This means a system’s visible bonded capital is only the beginning of the analysis. The deeper question is what portion of that capital is truly exposed to credible loss under realistic conditions.

That is the capital that actually secures the system.

Security Depends on Detection, Not Just Penalty

Capital-backed deterrence only works if misconduct can be detected in time and proven in a way that triggers the relevant penalties.

This is why security-capital surfaces are inseparable from dispute architecture.

A system may advertise large slashable stakes, but if:

  • dishonest claims are difficult to observe
  • challengers are poorly incentivized
  • evidence is too hidden to support timely dispute
  • challenge windows are too short
  • adjudicator misconduct is hard to attribute

then the capital may remain mostly decorative.

The real security of the system is therefore a product of both:

  • penalty magnitude
  • penalty realizability

An uncollectable penalty is not strong deterrence. It is only symbolic.

The Basic Security Envelope

A useful design intuition is that every Type 6 PAS has a practical security envelope.

This envelope describes the class of claims and consequences the system can adjudicate without making profitable corruption too easy.

Inside the envelope:

  • honest behavior is more attractive than dishonest collusion
  • disputes can realistically correct bad outcomes
  • the relevant capital is large enough and exposed enough to deter attack
  • finality remains credible

Outside the envelope:

  • the rewards from corruption may exceed the credible downside
  • watchers may not be sufficiently motivated
  • collusion may become rational
  • finality may be only performative

This concept is useful because it encourages disciplined system design. Not every PAS must aim for the largest possible envelope. But every serious PAS should know roughly where its envelope lies.
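
The following is an added example, not part of the original page: a rough envelope estimate that combines the nominal-versus-effective distinction with the point that penalties must be realizable. Everything in the model is an assumption made for illustration: the `Verifier` fields, `p_detect`, `governance_relief`, the rule that an attacker corrupts the least-exposed seats first, and the constructed committee data.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Verifier:
    name: str
    controller: str   # entity that ultimately controls this seat
    bonded: float     # nominal bonded stake
    slashable: float  # fraction of the bond that slashing can actually reach
    hedged: float     # fraction of a slashing loss pushed onto insurers or lenders

    @property
    def exposed(self) -> float:
        """Stake the controller personally loses if slashed."""
        return self.bonded * self.slashable * (1.0 - self.hedged)

def cheapest_coalition(committee, threshold):
    """Seats an attacker would corrupt first: the `threshold` least-exposed ones."""
    if not 0 < threshold <= len(committee):
        raise ValueError("threshold must be between 1 and the committee size")
    return sorted(committee, key=lambda v: v.exposed)[:threshold]

def security_envelope(committee, threshold, p_detect, governance_relief=0.0):
    """Largest consequence value at which collusion still loses money in expectation."""
    if not (0.0 <= p_detect <= 1.0 and 0.0 <= governance_relief <= 1.0):
        raise ValueError("p_detect and governance_relief must lie in [0, 1]")
    coalition = cheapest_coalition(committee, threshold)
    at_risk = sum(v.exposed for v in coalition)
    return {
        "nominal": sum(v.bonded for v in committee),
        "coalition": [v.name for v in coalition],
        "independent_parties": len({v.controller for v in coalition}),
        # penalty magnitude x penalty realizability
        "envelope": at_risk * p_detect * (1.0 - governance_relief),
    }

def within_envelope(consequence_value, result):
    """True when the expected penalty exceeds the gain from corrupting the outcome."""
    return consequence_value < result["envelope"]

# Constructed committee: five seats, 3-of-5 threshold, 100k nominal bond each.
COMMITTEE = [
    Verifier("v1", "alpha", 100_000, 1.0, 0.0),
    Verifier("v2", "alpha", 100_000, 0.5, 0.0),   # half the bond is unreachable
    Verifier("v3", "beta", 100_000, 1.0, 0.75),   # 75% of any loss is hedged away
    Verifier("v4", "gamma", 100_000, 1.0, 0.0),
    Verifier("v5", "alpha", 100_000, 0.25, 0.5),  # mostly decorative stake
]
RESULT = security_envelope(COMMITTEE, threshold=3, p_detect=0.5, governance_relief=0.25)
```

On this constructed committee, 500,000 of nominal bond defends a consequence of about 32,800, and the cheapest colluding coalition involves only two independent parties.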

What Expands or Shrinks the Surface

Several design choices affect the strength of a system’s security-capital surface.

More Meaningfully Exposed Capital

The most obvious factor is the amount of capital that can genuinely be lost through dishonest participation.

But what matters is not gross bonded capital. It is the portion that is:

  • actually at risk
  • rapidly slashable
  • not easily shielded or externalized
  • distributed across actors whose failure is not perfectly correlated

Meaningful capital expands the security surface. Decorative capital does not.

Better Challenger Economics

A system with strong watcher incentives is often much stronger than a system with nominally larger bonded capital but weak dispute incentives.

This is because challengeable systems do not need to prevent every bad act in advance. They need bad acts to be visible, contestable, and punishable often enough that corruption remains unattractive.

Watcher economics therefore belongs inside the security-capital analysis, not outside it.

Better Claim Boundedness

Bounded claims can sometimes improve security because they make adjudication and challenge more legible. If claims are too vague, too broad, or too context-dependent, then dishonest outcomes become harder to detect and punish.

A more disciplined claim model can therefore expand the effective security surface even without increasing nominal stake.

Better Finality Design

If finality arrives too quickly, dishonest outcomes may become hard to reverse before dispute can operate.

If finality arrives too slowly, honest actors may not find participation worthwhile.

The finality model therefore affects the security-capital surface by shaping how long the system has to detect and punish bad outcomes before reliance hardens.

Better Governance Constraint

A system may appear well-capitalized and well-slashed on paper, yet remain weak if governance can quietly alter challenge rules, soften penalties, exempt favored actors, or otherwise interfere with enforcement.

Governance constraint therefore strengthens the security-capital surface by making penalties more credible.

Hidden Value and Off-Protocol Incentives

One of the hardest problems in this area is that the value secured by a PAS may be much larger than the value visible inside it.

This is especially true for presence systems.

A corrupt presence adjudication may release goods, trigger insurance, unlock a milestone payment, alter legal posture, or satisfy a compliance condition. The on-system fees associated with that claim may be tiny compared with the off-system value at stake.

This means attack incentives can come from outside the protocol entirely.

A verifier may collude not for protocol-native rewards, but for some external payment.

A challenger may stay silent not because it is irrational on-chain, but because it is compromised off-chain.

A committee may accept a bad claim because the real economic stake is elsewhere.

This is why Type 6 PAS cannot be evaluated purely in token-internal terms. Their security-capital surfaces must be analyzed relative to the full consequence environment in which the claims operate.

Security-Capital Surfaces and Use-Case Discipline

A mature system should not treat all use cases as equivalent.

Different presence claims expose the system to different incentive environments. A low-stakes event attendance proof is not the same as a high-value logistics release. A soft reputation signal is not the same as a legally consequential compliance outcome.

This implies that a good Type 6 PAS may need:

  • claim classes
  • risk tiers
  • differentiated security requirements
  • different finality thresholds
  • caps on consequence exposure
  • parameter scaling by claim type

This is not a weakness. It is evidence of design maturity.

A system that pretends the same security model covers every kind of consequence equally is usually not taking its own incentive structure seriously enough.

Evaluating a Security-Capital Surface

A Type 6 PAS should be judged by questions such as these:

| Dimension | Question |
|---|---|
| Exposed capital | How much capital is genuinely slashable or otherwise at risk? |
| Concentration | How correlated is control over that capital? |
| Detection quality | How likely is dishonest adjudication to be observed in time? |
| Challenge economics | Are challengers paid enough and empowered enough to act? |
| Attack latency | Can dishonest gains be realized before penalties land? |
| Off-system value | How large are the external incentives to corrupt outcomes? |
| Governance interference | Can governance weaken penalties or shield actors? |
| Claim boundedness | Are claims legible enough that bad outcomes can be challenged clearly? |
| Finality discipline | Does the finality model preserve time for economically meaningful correction? |
| Use-case fit | Is the system being asked to secure more consequence than its capital can defend? |

These questions do not produce a single universal number. But they do help reveal whether the system’s stated security posture is credible.

What a Good Security-Capital Surface Looks Like

A good security-capital surface is not one that claims infinite security. It is one that knows what it can defend and why.

In practical terms, that often means:

  • economically exposed actors face real downside
  • that downside is difficult to evade
  • challenger incentives are strong enough to keep disputes alive
  • claim structures make bad outcomes observable
  • finality leaves enough room for correction
  • governance cannot casually neutralize discipline
  • use cases are matched to the real security envelope
  • the system does not pretend that nominal bonded value equals real secured value

This is a demanding standard. But it is also what distinguishes serious cryptoeconomic design from decorative staking.

Why This Matters for the Rest of the Design Space

Security-capital surfaces connect directly to almost every aspect of the Design Space.

They depend on trust models because trust determines whose capital is actually securing whom.

They depend on proof architecture because poor proof structure makes dishonesty harder to detect and therefore weakens deterrence.

They depend on privacy / verifiability design because hidden evidence can make challenge more difficult, while overexposure may make challenge easier but privacy worse.

They depend on finality surfaces because punishment and correction require time and procedural room to operate before reliance hardens.

They depend on dispute design because dispute is how capital-backed discipline is actually exercised.

They depend on governance because governance often determines whether the capital discipline remains credible in practice.

That is why this page belongs near the center of the Design Space section. It exposes one of the most important truths about Type 6 PAS:

their credibility depends not only on what they can verify, but on what they can economically defend.

Conclusion

A Type 6 Presence Adjudication System is secure only within the range of consequences its economically exposed structure can credibly discipline.

That range is its security-capital surface.

To design such a system seriously is therefore to ask not only whether claims can be proven, verified, and finalized, but whether dishonest adjudication remains irrational at the stakes that matter.

That is a harder question than most systems first admit.

But it is also the right question. Because in a system where presence claims may trigger payments, permissions, liabilities, or institutional outcomes, the real measure of security is not procedural elegance alone.

It is whether the architecture can bear the consequence it invites others to place upon it.