Pressure test 23 · phase-9 · modules
M5 attestation hook failure during catastrophic event; multi-sig signer compromise
Scenario
During a force-majeure ecological loss qualifying for a buffer pool draw, the registry's attestor key is unavailable or compromised, so notifyInvalidation cannot be delivered to affected property DAOs' M5 modules. Separately, the methodology guardian multi-sig is compromised, and an attacker uses guardian veto power to block all governance proposals during a critical period.
Cost / impact
Attestor key unavailability creates distribution double-counting risk and leaves buyers holding invalid credits without notice for 30+ days. Guardian multi-sig compromise blocks any DAO that depends on methodology-guardian clearance. If the freeze coincides with a succession event or management plan update, the DAO may be operationally paralyzed indefinitely.
Prevention
Registry-layer notification operates independently of the M5 on-chain route; buyers are notified via email and public registry update within 30 days regardless of M5 status. The methodology guardian multi-sig requires a 3-of-5 threshold with documented key rotation procedures and designated alternates, and M2.8 limits guardian veto scope to prevent a total freeze.
Mitigation
Emergency key rotation procedure per M5.8 (current 30-day delay flagged as needing an emergency-path shortcut for force-majeure events specifically). Foundation-level escalation off-chain; emergency convening to re-establish multi-sig quorum from backup keyholders.
Residual risk
Moderate for attestor key compromise; real but bounded for guardian multi-sig compromise. The 30-day delay on emergency key rotation is an architectural gap flagged as a Q-modules-emergency open question requiring resolution before production deployment.