Attack A-5 · phase-9 · spec-refinement
Methodology archive integrity attack via M4 chain-of-versions manipulation
Scenario
An adversary with write access to one of the three archives substitutes a modified methodology document that changes reference values in a way that reduces ECI scores for a specific property, making existing credits appear over-issued and triggering methodology error invalidation. Members voting on the ratification proposal may vote on content whose hash matches the compromised version.
Mechanism
M4's priorVersionHash chain integrity check only verifies that the new version's priorVersionHash matches the previous version's contentHash; it does not verify that the content served at the IPFS URI actually hashes to the new version's contentHash. If an archive is compromised and the content at the URI is replaced before a ratification vote, members may vote on a proposal whose contentHash was computed from the compromised content, so a hash check against that single archive cannot detect the substitution.
Mitigation
M4's storageUri should reference at least two independent content-addressed stores simultaneously. Ratification governance should require multiple parties to independently verify hash-to-content integrity before casting votes. Foundation's triple-archive commitment should include a quarterly hash-verification audit.
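The following is an added illustration, not code from the M4 specification or the project, of the weak link-only check described under Mechanism next to the hardened check and periodic audit proposed under Mitigation. It assumes SHA-256 as the content hash, an in-memory dictionary standing in for the independent archives, and a hypothetical `storage_uris` field in place of a single storageUri; the document bytes and URIs are constructed for the demo.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


def content_hash(data: bytes) -> str:
    """Hex SHA-256 of a document's bytes (hash function assumed; the page does not name one)."""
    return hashlib.sha256(data).hexdigest()


@dataclass(frozen=True)
class MethodologyVersion:
    """One entry in the M4 chain-of-versions. storage_uris is a hypothetical widening of storageUri."""
    version: int
    content_hash: str
    prior_version_hash: Optional[str]
    storage_uris: Tuple[str, ...]


# Constructed stand-ins for the independent archives: uri -> bytes currently served there.
ARCHIVES: Dict[str, bytes] = {}


def publish(uri: str, data: bytes) -> None:
    """Write (or overwrite) what an archive serves at a URI; also models an adversarial substitution."""
    ARCHIVES[uri] = data


def weak_chain_check(prev: MethodologyVersion, new: MethodologyVersion) -> bool:
    """The check as the page describes it: link integrity only, never looks at stored content."""
    return new.prior_version_hash == prev.content_hash


def hardened_chain_check(prev: MethodologyVersion, new: MethodologyVersion,
                         min_stores: int = 2) -> Tuple[bool, List[str]]:
    """Link check plus hash-to-content verification against every listed store.

    Any mismatch is disqualifying regardless of which store is the honest one: the
    stores disagree, so the proposal must not go to a vote until that is resolved.
    """
    findings: List[str] = []
    if not weak_chain_check(prev, new):
        findings.append("priorVersionHash does not match previous contentHash")
    if len(new.storage_uris) < min_stores:
        findings.append(f"only {len(new.storage_uris)} store(s) listed, need {min_stores}")
    for uri in new.storage_uris:
        data = ARCHIVES.get(uri)
        if data is None:
            findings.append(f"{uri}: unavailable")
        elif content_hash(data) != new.content_hash:
            findings.append(f"{uri}: served content does not match contentHash")
    return (not findings, findings)


def audit_archives(versions: List[MethodologyVersion]) -> List[Tuple[int, str]]:
    """Periodic hash-verification audit over already ratified versions, every store.
    Returns (version, uri) pairs whose served bytes no longer match the ratified contentHash."""
    mismatches = []
    for v in versions:
        for uri in v.storage_uris:
            data = ARCHIVES.get(uri)
            if data is None or content_hash(data) != v.content_hash:
                mismatches.append((v.version, uri))
    return mismatches


def demo() -> dict:
    """Walk through both windows: the race before ratification and substitution after it."""
    ARCHIVES.clear()
    v1_bytes = b"methodology v1: reference value R=100"          # constructed document
    publish("store-a/v1", v1_bytes)
    publish("store-b/v1", v1_bytes)
    v1 = MethodologyVersion(1, content_hash(v1_bytes), None, ("store-a/v1", "store-b/v1"))

    # Honest v2 is published to both stores and ratified after the hardened check passes.
    v2_bytes = b"methodology v2: reference value R=100, clarified units"
    publish("store-a/v2", v2_bytes)
    publish("store-b/v2", v2_bytes)
    v2 = MethodologyVersion(2, content_hash(v2_bytes), v1.content_hash, ("store-a/v2", "store-b/v2"))
    v2_ok, _ = hardened_chain_check(v1, v2)

    # Pre-ratification race: honest v3 reaches both stores, then an adversary with write
    # access to store-a overwrites it with a lowered reference value. The proposal's
    # contentHash is computed from the substituted bytes, so store-a alone looks consistent.
    v3_bytes = b"methodology v3: reference value R=100, new sampling protocol"
    publish("store-a/v3", v3_bytes)
    publish("store-b/v3", v3_bytes)
    tampered_v3 = b"methodology v3: reference value R=60, new sampling protocol"
    publish("store-a/v3", tampered_v3)
    proposal = MethodologyVersion(3, content_hash(tampered_v3), v2.content_hash,
                                  ("store-a/v3", "store-b/v3"))
    weak_ok = weak_chain_check(v2, proposal)
    hard_ok, findings = hardened_chain_check(v2, proposal)

    # After-the-fact substitution of an already ratified version, caught by the audit.
    publish("store-a/v2", b"methodology v2: reference value R=60, clarified units")
    audit = audit_archives([v1, v2])

    return {"v2_ratified": v2_ok, "weak_passes_tampered": weak_ok,
            "hardened_passes_tampered": hard_ok, "findings": findings, "audit": audit}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The link-only check passes the tampered proposal because priorVersionHash is correct; the hardened check rejects it because the second store still serves the honest bytes, and the audit later catches the rewritten copy of an already ratified version. Each voter running `hardened_chain_check` against the stores independently is the "multiple parties verify before casting votes" requirement in executable form.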
Residual risk
Medium. Content-addressed storage makes substitution detectable after the fact, but governance races could exploit the window between submission and ratification.