Attack A-9 · phase-9 · spec-refinement
Tier 1 multi-sig signer compromise during Year 0–18 gap
Scenario
In a Tier 1 deployment, the wrapper LLC's multi-sig treasury (2-of-3 signer threshold) is compromised — one or more signers' keys obtained by an adversary — during the Year 0–18 gap when neither the Foundation nor its oversight mechanisms are operational. Compromise of 2 signers in a 2-of-3 configuration is sufficient for a complete treasury drain.
Mechanism
The Tier 1 implementation relies on multi-sig for all economic functions. In a 2-of-3 multi-sig, compromise of 2 signers is sufficient for a complete treasury drain. Tier 1 lacks the M2 time-delay and guardian-veto protections that Tier 2 has, which makes the Tier 1 treasury more vulnerable than Tier 2 during the gap period when Foundation oversight is absent.
Mitigation
Tier 1 multi-sig configurations should use 3-of-5 rather than 2-of-3 for any treasury holding more than a defined threshold. Above that threshold, hardware wallets (not cloud-custodial) should be required. An annual signer-verification audit (confirm each signer holds their key and is KYC-current) should be mandatory as part of the operating agreement.
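The mitigation above expressed as a configuration audit, as an added example that is not part of the original threat entry. The `Signer` fields, finding codes, sample signers and the 1,000,000 threshold are assumptions (the entry leaves the threshold undefined), and `drain_probability` assumes each key is compromised independently with probability p.

```python
from dataclasses import dataclass
from datetime import date
from math import comb

@dataclass
class Signer:            # hypothetical record, not a format from the page
    name: str
    custody: str         # "hardware" or "cloud-custodial"
    last_verified: date  # date of the last signer-verification audit
    kyc_current: bool

def drain_probability(m: int, n: int, p: float) -> float:
    """P(at least m of n keys compromised), assuming each key is
    compromised independently with probability p (modelling assumption)."""
    return sum(comb(n, k) * p**k * (1 - p)**(n - k) for k in range(m, n + 1))

def audit(m, signers, balance, threshold, today):
    """Return finding codes for a Tier 1 m-of-n treasury."""
    findings = []
    if balance > threshold:
        # Above the threshold: 3-of-5 quorum and hardware custody.
        if (m, len(signers)) != (3, 5):
            findings.append(f"QUORUM:{m}-of-{len(signers)}")
        findings += [f"CUSTODY:{s.name}" for s in signers
                     if s.custody != "hardware"]
    for s in signers:  # annual verification applies at any balance
        if (today - s.last_verified).days > 365 or not s.kyc_current:
            findings.append(f"VERIFY:{s.name}")
    return findings

# Constructed sample data; the threshold used below is a placeholder.
TODAY = date(2030, 6, 1)
SAMPLE = [
    Signer("signer-a", "hardware", date(2030, 1, 10), True),
    Signer("signer-b", "cloud-custodial", date(2030, 2, 1), True),
    Signer("signer-c", "hardware", date(2028, 11, 5), True),
]

if __name__ == "__main__":
    for code in audit(2, SAMPLE, balance=2_500_000,
                      threshold=1_000_000, today=TODAY):
        print(code)
    for m, n in ((2, 3), (3, 5)):
        print(f"{m}-of-{n}: P(drain) = {drain_probability(m, n, 0.05):.6f}")
```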
Residual risk
Medium. Standard custody risk made acute by phase-9 gap-period analysis — Foundation oversight is absent during exactly the period when first deployments are most vulnerable.