Attack A-8 · phase-9 · architectural-tension
Successor-trustee captures the buffer pool during Landseed PBC failure
Landseed PBC fails in Year 1 before Foundation formation. The named successor trustee — who takes over the registry account holding buffer credits — disputes Foundation formation or the Foundation's claim to the pool, and refuses to transfer it to an emergency-formed Foundation. No clear dispute-resolution path is specified in the architecture.
Scenario
Landseed PBC fails in Year 1 before Foundation formation. The named successor trustee — who takes over the registry account holding buffer credits — disputes Foundation formation or the Foundation's claim to the pool, and refuses to transfer it to an emergency-formed Foundation. No clear dispute-resolution path is specified in the architecture.
Mechanism
Buffer pool spec states the successor trustee is 'named at architecture launch' and 'emergency Foundation formation accelerated' would follow. But if the trustee disputes Foundation formation or the Foundation's claim to the pool, there is no specified dispute-resolution path. The trust instrument's specific terms — including conditions under which the Foundation supersedes the trustee — are not yet specified.
Mitigation
Trust instrument must include explicit 'Foundation supersession clause' making the Foundation, upon IRS determination, the automatic successor beneficiary without trustee consent. Trustee's discretion narrowly bounded to caretaking functions (maintaining accounts, publishing reports) with no authority to retire, transfer, or dispose of buffer credits without Foundation or court order.
Residual risk
Medium. Trustee capture is a real governance attack; mitigation is dependent on the as-yet-undrafted trust instrument.