TL;DR
Earlier designs in the state-synchronization economy addressed predictable risk. The 4-way fee split (45% nodes, 25% operations, 15% insurance, 15% development) cut node operators’ systematic risk by roughly 73%, and the sustainability engine built a pool that survives 7.6 years even at zero fee revenue. But the remaining 27%, the unpredictable tail risk, demands a different kind of design. This study fixes the operating rules of the staking insurance pool. The central finding is blunt: a reserve collateralized by the very asset it protects cannot stop that asset’s collapse. A pool filled only with OZ falls apart at the exact moment OZ does. To solve this correlated-reserve problem we split the emergency tranche into a non-correlated asset, align the protection priority of live sessions to the sync-degree hierarchy, and define the emergency transfer rules between three pools (rewards, insurance, Security Reserve) along with the path to decentralization. Insurance is not prevention; it is survival under the unpredictable.
Introduction: Beyond the 73%
The earlier studies in our work on the state-synchronization economy stood on the premise that the system operates within an expected range. The Service Revenue Foundation cut node risk by 73% through a 4-way revenue split; the Reward Pool Sustainability Engine mathematically guaranteed 7.6 years of pool survival via an exponential decay function; and the Node Compensation Framework designed the three-layer function that delivers that pool down to the individual node. All three addressed the statistical average of normal operation, and within that range they hold.
The problem arises in the tail, not the average. On March 12, 2020, MakerDAO‘s liquidation auction was a mechanism that worked flawlessly under normal conditions. Then ether fell roughly 43% in a few hours, the network congested, the keeper bots meant to bid in the auctions could not get their transactions through, and collateral was carried off with zero-DAI bids. Around $8.3 million of collateral left essentially for free, and the system fell millions of dollars into undercollateralization [1]. The design did not fail in the normal case. The absence of a design for the abnormal was the essence of the failure.
This study fills that absence. It covers the capitalization size and funding of the staking insurance pool, response protocols by black-swan type, the scenario of a security collapse mid-session, emergency compensation in the regime of an extreme token price decline, the criteria for transfers among three pools, and the Security Reserve’s path to decentralization. The starting point is a humble recognition. Black swans are, by definition, unpredictable. What we can design is not a system that predicts them but one that, when they hit, survives small rather than collapsing.
Part I. Capitalizing the Staking Insurance Pool
1.1 An Insurance Pool Is a Flow, Not a Pre-Allocation
The node incentive pool and the insurance pool have fundamentally different capital structures. The node incentive pool is pre-allocated at a fixed size at genesis (28.5% of total supply, 2.85B OZ, under the current token allocation) and drawn down by a decay function. The staking insurance pool, by contrast, is filled by a flow that arrives over time. Under the 4-way split fixed by the Service Revenue Foundation, 15% of oracle fees flow to the insurance pool; under the immediate-distribution rule of Slashing Mathematics, 50% of slashing proceeds are added; and under the unused-credit handling defined by Token Flow Mechanics, 30% of month-end unused credit flows in (after three months, any unused remainder converts in full to the insurance pool).
A flow-based structure has one weakness. It is empty at the start. Right after mainnet launch the pool effectively begins at zero, but a black swan does not wait for the system to mature. The pool therefore needs both a target size and a bootstrap source.
1.2 What to Size It Against: Stake, Not Protected Value
To set the staking insurance pool’s target size, we first have to decide what to peg it to. The intuitive move is to scale it to the value of the assets being protected. But the familiar metric, TVL (Total Value Locked), is the wrong yardstick from the outset. TVL counts the entire locked value, much of which is static assets the oracle never touches. The value the oracle actually engages is the one we define separately, TVO (Total Value Oraclized), the sum of value that depends on state synchronization. Yet even TVO overstates the basis for insurance. Nodes do not custody assets; they synchronize state, and the atomicity of the BVC pattern plus selective disclosure structurally block theft or loss of the asset itself. So what a node failure inflicts on TVO is not a loss of value but a temporary synchronization gap, and its cost is bounded by recovery and handoff cost, not asset value.
In short, TVO measures “how much value depends on us” (dependency and market size), while the insurance size must measure “how much a single failure costs” (exposure). The two are different questions, and the answer to the second scales with staked value, not protected assets. What must be restored after a node failure is the security guarantee and the cushioning of node operators, and both move with the size of stake rather than the value of protected assets. Defining the target as a quantity of OZ also lets it scale automatically with network growth and spares it from chasing a dollar target through periods of volatility.
$$I^*(k) = \tau_I \cdot S_{\text{total}}(k) \tag{1}$$
Here \(I^*(k)\) is the insurance reserve target for Phase \(k\) (in OZ), \(S_{\text{total}}(k)\) is the total stake at Phase \(k\) (in OZ), and \(\tau_I\) is the target coverage ratio.
We set \(\tau_I = 0.15\). The rationale is alignment with the BFT threshold. The Byzantine tolerance fixed by Economic Security Requirements is \(\beta = 0.33\) (\(f < n/3\)). The insurance pool need not cover slashing events themselves, because slashing is self-funding: 50% of its proceeds recycle back into the pool. What the pool is actually responsible for is the part slashing fails to recover, namely compensation for the honest injured party and restoration of the security threshold. The exposure a single near-threshold disturbance leaves on the honest side is on the order of half the BFT limit, and as a buffer able to absorb that for one event we take \(\tau_I = 0.15\) (15% of stake). That this value coincides with insurance’s share of the 4-way split (15%) is a coincidence, but it lends an impression of design consistency.
The per-Phase targets, on an \(S_{\min}\) basis, are as follows. Phase 1 is \(0.15 \times 200\text{M} = 30\text{M}\) OZ, Phase 2 is \(0.15 \times 500\text{M} = 75\text{M}\) OZ, and Phase 3 is \(0.15 \times 1{,}000\text{M} = 150\text{M}\) OZ.
1.3 Bootstrap and Target Bands
Accumulating 30M OZ from flow alone would take years. Early Phase 1 insurance inflow is estimated at $100K to $150K per year, so reaching the 30M OZ target (about $1.35M at $0.045) takes four to six years. If a black swan hits in the meantime, the pool is empty. Therefore, at mainnet the Foundation Treasury bootstraps the insurance pool to the Phase 1 target size. The seed contribution is 30M OZ, which is 3% of the Foundation Treasury (1.0B OZ). The transferred tokens are recorded in a traceable form and used to support the credibility of regulatory self-certification.
After bootstrap, the pool operates in three bands according to its fill level relative to target.
| Band | Fill level | Operating rule |
|---|---|---|
| Critical | Below 50% of target | Investment tranche (10%) paused, all inflow retained in reserve, governance trigger for additional Foundation top-up |
| Building | 50–100% of target | Normal operation, investment tranche active |
| Surplus | Above 100% of target | Excess inflow recycled to the Sustainability Reserve (\(\alpha_{\text{recycle}} = 0.5\)) |
The Surplus-band recycling makes concrete the fee-recycling mechanism the Reward Pool Sustainability Engine left open. That study proposed the recycle relation \(P_{\text{reserve}}'(y) = P_{\text{reserve}}(y) + \alpha_{\text{recycle}} \cdot F(y) \cdot 0.15\) with \(\alpha_{\text{recycle}} = 0.5\), while deferring the precise activation condition to be fixed together with insurance-pool sizing. This study supplies that condition. Recycling fires only when the insurance pool has entered the Surplus band, that is, only after insurance is sufficiently capitalized. Drawing funds into the Reserve while insurance is underfunded never happens.
Part II. The Correlated-Reserve Problem
2.1 The Same Asset Cannot Insure Against Its Own Collapse
Defining the target of equation (1) in OZ has the advantage of auto-tracking network scale, but it leaves a fatal blind spot at the same time. A reserve filled with OZ collapses together with OZ at the moment its price collapses.
Consider it concretely. Suppose the Phase 1 target is 30M OZ, held entirely in OZ, about $1.35M at $0.045. Now the token falls 98% to $0.001. As the sensitivity analysis in the Node Compensation Framework showed, an existing operator’s block-reward APY drops to about 7%, near the survival threshold (6%). At precisely that moment the node operator needs dollar-denominated cushioning. Yet at the same moment the pool’s dollar value also evaporates 98%, from $1.35M to roughly $27K. At exactly the moment a node needs protection most, the insurance pool’s dollar firepower has vanished too. When the reserve is fully correlated with what it insures, it is not a hedge.
This is not hypothetical but a repeatedly observed failure. MakerDAO added the stablecoin USDC to its collateral pool right after Black Thursday, an expensive lesson that a volatile asset correlated with one’s own system cannot absorb a collapse on its own [1]. Aave reached the same place. Since 2020 the Safety Module‘s backstop had consisted of the governance token AAVE and its LP token, and in practice slashing never once fired even through bad-debt events [2]. Umbrella, launched in June 2025, redesigned this structure to move the backstop onto interest-bearing stablecoin bases such as aUSDC and aUSDT and switched to automatic slashing on a shortfall [2]. Two major protocols converged independently on the same conclusion. The core of a reserve must be filled with an asset that is non-correlated with what it protects.
The moment the correlated-reserve problem became undeniable: a reserve filled with the same asset it protects.
2.2 Splitting the Emergency Tranche into a Non-Correlated Asset
This study refines the three-way use of the insurance pool defined by the Service Revenue Foundation (direct compensation 70%, emergency 20%, investment 10%) on the asset-composition side.
- Direct compensation tranche (70%): cushions nodes during the structural-loss regime of normal operation (5–8% of all sessions). May be held in OZ.
- Emergency tranche (20%): for black-swan absorption. Held in a non-correlated asset (stablecoins). The only part that keeps its dollar value when the OZ price collapses.
- Investment tranche (10%): pool growth. Held in diversified assets, paused in the Critical band.
The crux is the emergency tranche’s asset composition. At bootstrap, the emergency 20% (6M OZ at Phase 1, about $270K) is converted to and held in stablecoins. Because this part is non-correlated with the OZ price, $270K of dollar firepower is preserved even if the token collapses 98%. At the Phase 3 target (150M OZ) the emergency tranche becomes 30M OZ, a stablecoin buffer of roughly $1.35M.
This decision carries trade-offs worth admitting honestly. First, converting OZ to stablecoins reduces OZ circulation and buying pressure by that amount, a slight downward effect on the token velocity discussed in Token Flow Mechanics. Second, it introduces the counterparty and de-peg risk of the stablecoins themselves. Yet for the insurance reserve of a regulatory-compliance infrastructure, the ability to pay at the moment of need takes priority over token-circulation optimization. A reserve filled only with a volatile asset looks fine in calm times and is empty in a crisis. This priority is not up for negotiation.
Figure 1: Insurance Pool Funding, Tranche Structure, and the Correlated-Reserve Fix
Part III. Black-Swan Taxonomy and Response Protocols
A black swan is not a single event but a bundle of shocks of different kinds. This study sorts them into three types and defines a response ladder for each. First a clarification: ordinary regulatory actions (FREEZE, SEIZE, and the like) are not black swans but normal operation that the D-quencer handles deterministically. A black swan denotes a system-level shock in which that operation itself is threatened.
3.1 Market Collapse: Three Regimes of a Price Shock
A token price decline pressures the security threshold and node-survival APY at the same time. Taking the sensitivity analysis of the Node Compensation Framework as a baseline, we split the response into three regimes.
- Mild (down to roughly −89%): APY still far above the survival line (about 37%). No insurance intervention, monitoring only.
- Severe (roughly −89% to −98%): APY approaches the survival line (6%). The direct-compensation tranche engages node cushioning to hold the survival APY.
- Extreme (beyond roughly −98%): APY falls below the survival line. The emergency compensation protocol fires (3.2 below).
3.2 Emergency Compensation in the Extreme-Decline Regime
The Node Compensation Framework carried its threshold analysis as far as a roughly −98% drawdown, where APY approaches the survival line at about 7%, and explicitly handed the emergency protocol for the regime below to follow-up research. This study designs that regime.
We identify two stress regimes by drawdown depth rather than by a pinned price. The first, around a −98% drawdown, is where an existing operator’s block-reward APY (in dollar value) approaches the 6% survival line. The second, deeper than roughly −99%, is where a node’s annual block-reward dollar value no longer covers even operating cost ($8,000/year). Both lie far deeper than the −95% line earlier work treated as a warning level. Emergency compensation operates in this regime.
- Stablecoin cushioning activates: if the price enters this deep-decline regime with no sign of recovery, the emergency (stablecoin) tranche pays dollar-denominated compensation to node operators to hold survival-equivalent rewards. Even as OZ-denominated rewards collapse, the stablecoin tranche keeps its dollar value, so this compensation actually works (the resolution of 2.1’s correlated-reserve problem bears fruit here).
- Cap and term: compensation cannot exceed the emergency tranche size and runs only for a limited window. It is a backstop that buys time, not a permanent lifeline or a guarantee; if the price does not recover within that window, the system transitions to a smaller equilibrium.
- Concurrent node reduction: the node reduction allowed by the Reward Pool Sustainability Engine‘s Red Alert (minimum 20 nodes) runs in parallel to cut total cushioning demand. Fewer nodes, lower TVL, narrower service scope, but a graceful degradation into a sustainable form.
The core principle is that emergency compensation is a device to buy time, not a permanent lifeline. The token-price recovery mechanism itself is outside this study’s scope and is deferred to separate research.
3.3 Mass Node Exit
When nodes exit en masse at once, two things are threatened simultaneously: handoff cost spikes, and the remaining stake can break the security threshold.
Here the 21-day unbonding period fixed by Oracle Session Security works as the key buffer. Because stake withdrawal takes 21 days, an instantaneous exit is structurally impossible, and the system is given a 21-day window to respond. During that window, (1) handoff cost is absorbed by the insurance pool’s direct-compensation tranche, (2) if the remaining \(S_{\text{total}}\) is detected to risk breaking the \(\beta\) requirement, new session assignment is suspended, and (3) retention and fresh entry are reinforced through the Activity weight and the new-node onboarding weight (1.2x).
3.4 Delegated-Stake Mass Exit and Validator S_min Recovery
Slashing Mathematics fixed delegated-stake slashing as a stake-proportional split, but it left the scenario in which a Validator node’s total stake falls below \(S_{\min}\) (10M OZ) due to mass Delegator exit. This study defines the recovery procedure.
First we introduce a Validator self-stake floor. A Validator that wants to receive delegation must keep its own stake at or above 20% of \(S_{\min}\) (2M OZ). This binds a minimum of the Validator’s own capital, so that even if Delegators leave in full (up to 80%), the Validator’s own share remains as a foundation.
- Delegator withdrawal request → 21-day unbonding begins.
- The system computes the Validator’s projected \(S_{\text{total}}\) after unbonding ends.
- If projected \(S_{\text{total}} < S_{\min}\), the Validator is notified, with a grace window (the 21-day unbonding period).
- Validator options: (a) increase own stake, (b) attract new delegation, (c) accept deactivation.
- If \(S_{\text{total}} < S_{\min}\) at the close of the window, the Validator is deactivated. This is not slashing. A Delegator’s voluntary withdrawal is not the Validator’s fault and is not a penalty event. That node’s sessions are reassigned and the handoff cost is borne by the insurance pool.
- Cascade prevention: a healthy Validator that absorbs the reassigned sessions receives a reward at the onboarding-weight level to ease the absorption burden.
Strictly separating deactivation from slashing is the crux. Penalizing a voluntary delegation withdrawal would chill delegation itself, which would harm pool stability further.
3.5 Regulatory Shock
A system-level regulatory shock differs from an individual regulatory action. It is the case where one jurisdiction bans tokenized assets or demands a large-scale forced transfer. The insurance pool’s emergency tranche covers the migration and restructuring cost. Notably, the decentralized-control path itself acts as insurance against regulatory-capture risk, which Part VI takes up.
Part IV. Session Protection Priority
4.1 When a Live Session Drops Below Threshold
So far we have addressed shocks to the system as a whole. Now we descend to a more microscopic problem: a specific live Oracle Session whose effective security drops below threshold mid-session. If the stake value of the assigned node crashes or that node is slashed, \(s(t) < s_{\text{threshold}}\) can occur in the middle of a session. Oracle Session Security defined session security as the time integral of a security function, but it left open the response at the moment the integral falls below threshold.
A natural question follows. If there are not enough resources to save every session at once, what do we protect first?
Working through which sessions to save first when resources run short: protection priority falls straight out of the sync degree.
4.2 Protection Priority Follows the Sync Degree
The answer is already in the Sync Degree Hierarchy. The synchronization strength an asset requires should be exactly its session’s protection priority, because the higher the degree, the less inconsistency it can tolerate.
- \(S_3\) (atomic state binding, highest priority): regulatory-action assets, derivative exercise, and so on. Assets that by definition cannot reach an intermediate state. Never force-terminable mid-session.
- \(S_2\) (bidirectional coupling): periodic coupon bonds, KYC-linked securities. Protected, but safe migration is possible.
- \(S_1\) (unidirectional observation): price-tracking tokens. Low security sensitivity.
- \(S_0\) (static): no synchronization needed. Not a protection target.
The mechanism branches by degree. For \(S_3\) and \(S_2\) sessions, the insurance pool posts a temporary emergency security bond. The emergency tranche temporarily props up that session’s security threshold, bridging until the session migrates safely to another healthy node. Because \(S_3\) cannot be force-terminated mid-binding, this security-bond bridge becomes a core use of the insurance pool. The intermediate state in which only one domain is frozen under a regulatory freeze order must, by definition, be unreachable, and the insurance pool pays the cost of keeping that impossibility intact even during a crisis.
For \(S_1\) and \(S_0\) sessions, forced termination at the last consistent state is allowed. Because the BVC pattern guarantees the absence of an intermediate state, the session closes safely at its last committed consistent state and the asset reverts to \(S_0\) (state registration only, no active synchronization). The user is notified and may resume with a new session afterward.
This design places insurance-pool resources first where inconsistency is least tolerable. Because session protection priority coincides exactly with the sync-degree hierarchy, resource allocation in a crisis is derived from the structural requirement of the asset rather than from arbitrary judgment.
s(t) < s_threshold — a node’s stake crashes or it is slashed during a live Oracle Session.Figure 2: Session Protection Priority Under Security Collapse, Ordered by Sync Degree
Part V. Inter-Pool Emergency Transfers
5.1 Three Pools, Three Branches of Flow
Oraclizer has three pools involved in crisis response, and their roles are strictly separated: the node incentive pool (2.85B OZ, block rewards), the insurance pool (flow-based, node cushioning and black swans), and the Security Reserve Pool (1.2B OZ, team-operated-node backing and decentralization). The Reward Pool Sustainability Engine fixed the insurance pool → Reserve transfer (up to 30%) at the node incentive pool’s Red Alert, and the Node Compensation Framework left the emergency-transfer criteria between the reward pool and the insurance pool as a governance decision. This study defines those criteria as a matrix.
5.2 The Transfer Matrix
| From | To | Trigger | Cap | Approval |
|---|---|---|---|---|
| Insurance pool (emergency tranche) | Sustainability Reserve | Node incentive pool Red Alert (<3% remaining) | 30% of emergency tranche | Governance |
| Foundation Treasury | Insurance pool | Insurance pool Critical (<50% of target) | Governance-set size | Governance |
| Insurance pool (Surplus) | Sustainability Reserve | Insurance pool Surplus (>100% of target) | Inflow under \(\alpha_{\text{recycle}} = 0.5\) | Automatic (parameter) |
The three flows answer different emergencies. The first row is the path where insurance lends a lifeline when the node incentive pool is depleting, preserving the earlier study’s decision. The second row is the path where the Foundation props up the insurance pool when it is imperiled. The third row is the path that returns surplus to the Reserve when insurance is over-capitalized, opposite in direction to the first two in that it fires at a moment of abundance, not crisis.
The design principle is that emergency transfers should be exceptional events. We deliberately left out a direct path from the node incentive pool into insurance. The node incentive pool exists for the node-reward runway, and pulling funds from it would shake the 7.6-year survival guarantee. The natural source of insurance top-ups should be the Foundation/Ecosystem Treasury, not the node incentive pool.
Part VI. The Security Reserve and the Path to Decentralization
6.1 The Security Reserve Is Not Insurance
The Security Reserve Pool (12% of total supply, 1.2B OZ) is often confused with the insurance pool but serves an entirely different purpose. If the insurance pool handles crisis absorption, the Security Reserve handles stake backing for team-operated nodes during bootstrap and funding for the path to decentralization. This pool is physically isolated, cannot be used for other purposes, and is enforced in code.
At mainnet, 1.1% (110M OZ) is minted for the 11 Phase 1 team-operated nodes (10M OZ each). The decentralization path fixed by Oracle Session Security shrinks the team-operated share from Phase 1’s 55% (11/20) to Phase 2’s 40% and Phase 3’s 33% or below. This study makes the reduction trigger concrete.
6.2 Reduction Trigger and Unstaking Recovery
The share reduction at each step is decided by governance vote only when three conditions hold simultaneously.
- External application queue ≥ reduction target: enough verified external nodes are secured to replace team nodes.
- External nodes pass probation: new external nodes operate for 6 epochs (the same as the onboarding-weight window) with no L3-or-higher slashing.
- Post-mix security threshold holds: under the new external/team composition, \(\beta \cdot S_{\text{total}} \cdot p \cdot \theta > V_{\text{protected}} \cdot \gamma + C_{\text{operational}}\) holds.
The reduction from Phase 2 to Phase 3 (40% → 33%) adds the condition Nakamoto Coefficient \(\geq N_{\min}\) (10–20).
When the team reduces its node count, the released stake (\(S_{\min}\), 10M OZ per node) is not burned but recovered into the Security Reserve contract. This recovered amount can be redeployed by the team as a backstop if external nodes exit, and ultimately transfers to the DAO Treasury at M-Cert. The reason for recovery rather than burning is clear. Decentralization must be reversible. Permanently erasing the team’s backstop capacity while the external-node ecosystem is still fragile would turn a temporary external exit straight into a security collapse.
6.3 The Decentralization Criterion and the Meaning of ≤33%
To declare decentralization “achieved,” three conditions must hold at once: team-operated node share ≤33%, Nakamoto Coefficient \(\geq N_{\min}\), and at least one Phase elapsed in an external-majority state.
Here 33% is not arbitrary. It aligns with the Byzantine limit of BFT safety, \(\beta = 0.33\). If the team operates fewer than 33% of nodes, the team alone cannot form a Byzantine quorum and therefore cannot violate BFT safety. In other words, 33% or below is the point at which the team loses unilateral authority over consensus safety.
This point matters regulatorily as well. The CLARITY Act (H.R. 3633), passed by the U.S. House in 2025, requires as one of the four conditions of a mature blockchain system that it “not be under the control of any single person or group” [3]. Token-holding control is handled by token-allocation design, but the operational dimension of distributed control, that no single operator can unilaterally control validation and sequencing, is exactly what this node-operation decentralization path satisfies, as a qualitative requirement. The Security Reserve’s ≤33% target is a single design that satisfies both network health and regulatory maturity at once.
When decentralization is achieved, the Security Reserve’s residual 10.9% (1,090M OZ) transfers to the DAO Treasury (use restricted to the SR’s purpose). This transfer forms part of the M-Cert (Maturity Certification) milestone.
6.4 A Short Note: Pool-Size Re-Calibration
The node incentive pool addressed in this study was adjusted from 3.0B OZ (30%) at the time of the earlier two studies to the current 2.85B OZ (28.5%). This is part of a tokenomics adjustment to meet the distributed-control requirement described above, moving 1.5 percentage points of node incentives to other distributed pools. The decay function’s initial value was scaled down proportionally as well, with \(R_0\) adjusted from 600M to 570M OZ; because the pool size and \(R_0\) were scaled down together, the 7.6-year zero-revenue survival guarantee is preserved unchanged. This study’s insurance and recovery design operates on top of these adjusted figures.
trigger: node pool RED ALERT (<3%) · cap 30% of emergency tranche · governance
trigger: Insurance CRITICAL (<50% of target) · governance
trigger: Insurance SURPLUS (>100%) · α_recycle = 0.5 · automatic
direct path intentionally excluded (protects the 7.6-year runway)
Figure 3: Inter-Pool Transfer Topology and the Decentralization Endpoint
Part VII. Synthesis and Open Questions
7.1 Confirmed Parameters
| Parameter | Value | Rationale |
|---|---|---|
| Insurance reserve target \(I^*(k)\) | \(\tau_I \cdot S_{\text{total}}(k)\), \(\tau_I = 0.15\) | Absorbs exposure on the order of half the BFT limit |
| Per-Phase target | 30M / 75M / 150M OZ | 15% of total stake on an S_min basis |
| Insurance tranche composition | Direct 70% / Emergency 20% / Investment 10% | Emergency tranche held in stablecoins |
| Foundation bootstrap seed | 30M OZ (mainnet) | Meets the Phase 1 target immediately |
| Target bands | <50% Critical / 50–100% Building / >100% Surplus | Operation by fill level |
| Surplus recycling | \(\alpha_{\text{recycle}} = 0.5\) | Activation condition for the earlier study’s recycle relation |
| Deep-decline survival regime | roughly −98% drawdown or beyond | Block-reward APY approaches the survival line |
| Deeper-decline regime | beyond roughly −99% | Block reward falls below operating cost |
| Emergency compensation | Capped by emergency tranche; time-limited backstop (not a guarantee) | Buys time, not a permanent lifeline |
| Session protection priority | By sync degree (\(S_3 > S_2 > S_1 > S_0\)) | Aligned to the degree hierarchy |
| \(S_3\)/\(S_2\) mechanism | Temporary security bond (insurance) | Bridge until safe migration |
| \(S_1\)/\(S_0\) mechanism | Forced termination at last consistent state | BVC guarantees no intermediate state |
| Validator self-stake floor | 20% of \(S_{\min}\) (2M OZ) | Condition for receiving delegation |
| Delegator-exit grace window | 21 days (unbonding) | Deactivation (not slashing) |
| Security Reserve reduction trigger | Three conditions at once | Queue + probation + threshold |
| Unstaking recovery | Into the Reserve contract (not burned) | Reversible decentralization |
| Decentralization criterion | ≤33% + Nakamoto \(\geq N_{\min}\) + 1 Phase | Aligned to \(\beta = 0.33\) |
7.2 Questions Deferred to Follow-Up Research
As an SSOT, this study has fixed everything resolvable within its scope. The following are out of scope and handed to follow-up research.
- Simulating and stress-testing the insurance and recovery mechanisms this study designed, under multi-crisis scenarios. If this study is the definition of the mechanism, verifying that it actually holds at the extreme is a separate study.
- Quantitative modeling of the counterparty/de-peg risk of the stablecoin emergency tranche, and a diversification policy.
- The design of the token-price recovery mechanism itself.
- A comprehensive sensitivity analysis among the insurance parameters (\(\tau_I\), band boundaries, \(\alpha_{\text{recycle}}\)) and other economic parameters (the security adjustment coefficient \(\alpha\), VRF correction, and so on).
Conclusion
If the earlier three studies designed the average of normal operation, this study addressed the outside of that average, the unpredictable 27%.
There are three core results.
First, we fixed the capitalization rules of the staking insurance pool. The target size is pegged to 15% of total stake rather than to protected-asset value (TVL or TVO) (\(\tau_I = 0.15\)), bootstrapped with a 30M OZ Foundation seed, and operated in three bands (Critical/Building/Surplus) by fill level. The Surplus-band recycling fills in the earlier study’s unfinished mechanism.
Second, we identified and solved the correlated-reserve problem. A reserve collateralized by itself cannot stop that asset’s collapse. A pool filled only with OZ falls apart at the very moment OZ does. We pre-empted in the design the lesson MakerDAO and Aave learned expensively, by splitting the emergency tranche into stablecoins. The core of a reserve must be non-correlated with what it insures.
Third, we aligned crisis-time resource allocation to the sync degree. Session protection priority is derived from the structural requirement of the asset, not from arbitrary judgment. \(S_3\) sessions are held up to the end by the insurance pool’s security bond, and \(S_1\)/\(S_0\) sessions are closed safely at the last consistent state. By the same principle we defined the emergency-transfer matrix among the three pools and the ≤33% decentralization criterion (aligned to \(\beta\)).
The starting point of all this design was humility. We cannot predict black swans. What we can do is build the system so that, when one hits, it chooses graceful degradation over catastrophic failure. If the 73% risk reduction was a promise for calm times, the design for the remaining 27% is a promise for the crisis. And the promise of a crisis can be kept only when it has been capitalized in advance, held in non-correlated assets, and prioritized by degree.
The next question follows naturally. Does a mechanism designed this way hold up in actual extreme scenarios? That verification is the work of simulation and stress testing, which we carry into follow-up research. Readers who want the foundations this study builds on can revisit the Economy research domain and the Oraclizer core architecture, or the implementation notes in our documentation.
References
- [1] CoinDesk. (2020). MakerDAO Adds USDC as DeFi Collateral Following ‘Black Thursday’ Chaos. https://www.coindesk.com/tech/2020/03/17/makerdao-adds-usdc-as-defi-collateral-following-black-thursday-chaos
- [2] Aave. (2025). Umbrella: Staking-based Risk Management. https://aave.com/help/umbrella/umbrella
- [3] U.S. Congress. (2025). H.R. 3633, Digital Asset Market Clarity Act of 2025. https://www.congress.gov/bill/119th-congress/house-bill/3633/text
- [4] Bowers, N.L., et al. (1997). Actuarial Mathematics. Society of Actuaries.
- [5] Cosmos Hub Documentation. (2023). Validator Rewards, Commissions, and Slashing. https://hub.cosmos.network/main/validators/validator-faq.html
- [6] Nexus Mutual. (2024). Capital Pool and Minimum Capital Requirement. https://docs.nexusmutual.io/protocol/capital-pool/
