How Chronimy protects assets and identities — the Trust-Locked architecture, the 5-checkpoint transfer system, six layers of protection, emergency recovery, the asset vault, and the Green Badge.
Written for members, security reviewers, and integration teams. For the business and token model, see the Executive Whitepaper; for the full technical design, see the Architecture Paper.
Security in the crypto space is where the old institutions have failed most visibly. Custodial exchanges lose billions of user funds to hacks and insider theft. Self-custody tools give users full control and no protection, leaving ordinary people one phishing link away from losing everything. Neither option serves the people it was built for. This paper sets out a third architecture: Trust-Locked security that belongs to the community, held in layers the member controls, protected by structural guarantees that cannot be revoked by any single actor. It is the security layer the crypto space was supposed to build and did not.
— The Architect, Chronimy Holdings AG · April 2026
But for users who choose to verify with a Green Badge, Chronimy unlocks something the industry has never delivered before: hardware-grade security with consumer-grade usability. Badge-to-badge transfers carry a modelled theft probability near zero under fault-tree assumptions. Stolen credentials become worthless. Fund recovery becomes possible.
The Green Badge is optional. Verify with Didit.me KYC, designate three Guardians, and unlock the full security stack. Your choice. Your level of protection.
CNMY is fully ERC-20 compatible on Polygon PoS. Trade on any DEX or CEX. Hold in any wallet. The badge unlocks protection — it does not restrict freedom.
5-of-7 Bulletproof Mode. Trust-Locked Asset Vault for BTC, ETH, and USDC. Complete audit trail. The same architecture used by Chronimy Holdings AG itself.
Full Solidity contracts. Polygon PoS native. Pre-launch audits by independent third-party security firms. 8-layer Independent Trust Architecture built for composability.
Chronimy is four core modules + Module 5 auxiliary workstream shipping eleven products on a shared identity layer.
Each phase from Nebula onwards delivers visible product moments. The four core modules + Module 5 auxiliary workstream are the brand. The eleven products are the shipping calendar:
Every revenue-line product is locked. Every viral / governance / distribution product enables a revenue line elsewhere. No product is dropped — eleven shipping moments across three years.
This document is provided for informational purposes only. It does not constitute financial, legal, investment, or tax advice. It is not an offer to sell or solicitation to buy any security or financial instrument.
CNMY is a utility token. It is designed to function as a utility token under the FINMA and MiCA frameworks in which Chronimy Holdings AG operates. Formal legal opinion (W9 — qualified external legal counsel) is a hard pre-launch gate. It has not been registered under the US Securities Act 1933, FSMA 2000, MiCA, or any other securities regime.
Not available to US persons (Regulation S, Rule 902(k)), UK residents, Canadian residents, or Chinese residents. Geographic exclusion is enforced architecturally — at IP, KYC document, and platform layer — and is permanent constitutional policy.
Forward-looking statements, projections, and modelled outcomes are illustrative only, based on internal assumptions, and may differ materially from actual results.
There is no Chronimy custodian, no honeypot wallet, no central store of funds to breach. Protection lives in the smart contract and in your Green Badge — assets move only when the checkpoints and your verification agree.
The cryptocurrency security landscape is fundamentally broken. Users are forced to choose between security and usability — a false choice that leaves billions of dollars vulnerable to theft, coercion, and fraud. Every existing solution has critical flaws that attackers have learned to exploit.
Chronimy's opt-in badge protection delivers hardware-grade security with consumer-grade usability. CNMY is a standard Polygon PoS token — trade it anywhere. But verify with a Green Badge, and badge-to-badge transfers become modelled at low residual probability under fault-tree assumptions.
Your choice. Your level of protection.
CNMY is a standard Polygon PoS token that can be held and traded anywhere — DEX, CEX, or any compatible wallet. Trust-Locked protection is opt-in: users who verify with a Green Badge unlock Chronimy's full security stack. Badge holders transacting with other badge holders benefit from a modelled minimum 0.005% theft probability under defined assumptions. No badge? You can still hold and trade CNMY freely — you simply will not have access to the advanced security features.
CNMY works everywhere — DEX, CEX, any Polygon PoS compatible wallet. No transfer restrictions. Full compatibility with the entire crypto ecosystem.
Green Badge verification is optional but unlocks full protection. Badge-to-badge transfers receive maximum security. No badge is required to hold or trade CNMY.
Cryptographic keys prove device access. Identity verification proves human authorisation. Both are required, and neither is sufficient alone.
Continuous monitoring detects anomalous patterns. Unusual activity triggers additional verification before any high-risk action is permitted.
All three factors are required. Any single factor is insufficient. Attackers must defeat all layers simultaneously — a feat that, under the published fault-tree assumptions, reduces modelled theft probability to 0.005% (estimate, not guarantee).
Access control. Traditional Wallet: Keys alone control all funds. With Badge Protection: Keys + Badge + Behaviour required.
Compromised key. Traditional Wallet: Total loss — funds gone immediately. With Badge Protection: Attacker stopped — cannot proceed.
Identity verification. Traditional Wallet: None — anyone with keys has access. With Badge Protection: Multi-layer KYC via Didit.me.
Behavioural monitoring. Traditional Wallet: None. With Badge Protection: AI-powered anomaly detection.
Transfer process. Traditional Wallet: One signature = transfer complete. With Badge Protection: 5 checkpoints per badge transfer.
Fund recovery. Traditional Wallet: None — stolen is spent. With Badge Protection: Guardian network + SHARDS backup.
Theft success rate. Traditional Wallet: ~80% once compromised. With Badge Protection: Modelled at 0.005% under published fault-tree assumptions.
Token compatibility. Traditional Wallet: Full ERC-20 / Polygon PoS. With Badge Protection: Full ERC-20 / Polygon PoS — unchanged.
CNMY is a standard Polygon PoS token with no transfer restrictions. Trade on any DEX. Hold in any wallet. List on any CEX. The security layer is entirely opt-in — verify with a Green Badge and unlock protection for badge-to-badge transfers. You choose your security level without sacrificing compatibility.
Security claims belong in an engineering frame, not a marketing frame. Each category below specifies the threat, the mitigation layers that apply, and the residual risk band — what remains after mitigation. Modelled probabilities are derived from fault-tree analysis with stated assumptions.
Hot-wallet seed compromise. Mitigation layers: Trust-Locked architecture · 5-checkpoint approval system · Badge-tier transaction limits · Anomaly detection on first-time recipient · Cooling-off on transactions over CHF 10K · Phishing-resistant Trust Codes (15-min rotation). Modelled residual risk: Modelled minimum 0.005% (defined-assumption fault tree). Out of scope: User signing under coercion or duress.
Smart contract exploit. Mitigation layers: Genesis Vault non-upgradeable · Aurora+ contracts: dual professional audit · Formal verification on critical paths · audited standard libraries · Phase-scaled bug bounty (Genesis 2K → Supernova 100K, Nebula M10 launch) · immutable value contracts (no proxy, no upgrade key) · new features as separate opt-in contracts · emergency pause-only circuit breaker. Modelled residual risk: Modelled at ~0.005% post-audit (industry-standard fault-tree estimate · residual irreducible). Out of scope: Polygon PoS network-level vulnerabilities.
Sybil / fake account creation. Mitigation layers: KYC verification (Didit.me primary, iDenfy fallback) · Refer-3 anti-Sybil enforcement (3 Green Badge witnesses required) · Witness reward tied to ongoing badge integrity · Behavioural analysis on activation patterns. Modelled residual risk: Modelled <1% per cohort (defined-assumption). Out of scope: State-actor identity infrastructure compromise.
Treasury extraction. Mitigation layers: Six-layer defence: SeedVault VRF keyholders → Treasury Stewards quorum → Council 4-of-7 → Nominee Stiftungsrat → Vision Guardian → Bank Verification Endpoint · Beneficiary whitelist locked at bank level · Three Knowns rule (sender / receiver / work / amount) · Universal logging. Modelled residual risk: Modelled ~1% combined (FM-017+019+020 fault tree). Out of scope: Banking partner regulatory compulsion.
Governance capture. Mitigation layers: Skill-based Guardian seats (not popularity) · 4-of-7 per group keyholder threshold (8 of 14) · 75% community vote required to alter Section 0 immutables · Vision Guardian permanent seat (75% to remove) · Treasury Stewards unidirectional gatekeeper · Constitutional immutables hardcoded. Modelled residual risk: Modelled <0.1% (capture cost >> plausible extraction value). Out of scope: Sustained adversary controlling >75% verified members.
User error / social engineering. Mitigation layers: Forced review screens on Module 2 escrow release · Anomaly detection prompts on first-time recipient · Cooling-off on transactions over CHF 10K · 24-hour delay option · Trust Code phishing-resistance · NO-COMMS rule (Chronimy never calls / emails / texts members; in-platform tickets only). Modelled residual risk: Not estimable — human factor. Out of scope: All actions a fully-informed user takes despite friction.
All modelled probabilities derive from documented fault-tree analysis with stated assumption bases. The methodology is independently reviewable.
The Genesis Vault is built and deployed before the Aurora-phase dual professional audit, so its assurance rests on architecture a backer can verify directly — not on a firm's signature it does not yet have:
A Genesis backer therefore never trusts the founder with the money: the keys are held by members, the destinations are fixed in code, and the contract is open to read. They verify it — they don't take it on faith.
These protections apply exclusively to transfers between verified badge holders within the Chronimy wallet. Standard CNMY transfers without badges proceed as normal Polygon PoS transactions.
Timelock Mode lets you define exactly when your CNMY can move. Set access windows by day of week and time of day. Transfers attempted outside your approved windows are automatically blocked — even if an attacker has your device, your keys, and your biometrics.
Bulletproof Mode requires multiple trusted parties to approve transfers above your configured threshold. Even if an attacker compromises everything — your device, keys, biometrics, and timing — they still need your Guardians to sign off. No single point of failure.
Stealth Mode makes you a less attractive target. Hide your true balance, display decoy amounts, and operate multiple wallet personas. Attackers see what you want them to see — not your actual holdings.
Duress Mode activates silently when you are being coerced. Use a special PIN, wrong finger, or stress gesture to trigger silent alerts, fake confirmations, and delayed transfers — all while appearing to comply with attacker demands.
Offline Mode creates an air-gapped vault for long-term storage. Funds in offline mode cannot be transferred via the network — period. Moving funds requires physical presence, multiple approvals, and a deliberate multi-step process that no remote attacker can complete.
SHARDS splits your recovery data into encrypted fragments distributed across multiple Guardians and secure locations. No single shard is useful alone. Reconstruction requires a threshold — for example 3-of-5 shards — ensuring recovery is possible even if some shards are lost or compromised.
A wide range of edge cases and attack vectors is covered. The eight advanced features below operate silently alongside the six core protection layers — adding extra barriers without complicating your daily experience.
Lost does not mean gone. Stolen does not mean spent. Chronimy's response framework provides a clear path back to your assets across every major disaster scenario.
Module 1 ships three subscription tiers on the verified identity layer:
Anti-Phishing Premium is a CHF 2/month add-on for Enhanced Profile members; it is included in Premium Membership at no additional cost. Partners receive 20% recurring CDF on Enhanced Profile and Premium Membership subscriptions of attributed members.
The Green Badge is optional and self-owned. Verify once with Didit.me, designate your own Guardians, and the Trust-Locked Vault applies Chronimy's checkpoints to BTC, ETH and USDC — without Chronimy ever taking custody of a single asset.
Why should protection be limited to CNMY? The Trust-Locked Asset Vault allows badge holders to wrap any major cryptocurrency — BTC, ETH, USDC, and more — gaining the same 5-checkpoint security, 6-layer protection, and fund recovery capabilities available for CNMY itself.
The platform pre-allocated 5 billion CNMY (25% of total supply) to the PRU Vault Reserve at deployment. Badge activation triggers a release of 5,000 CNMY from this platform-owned reserve into the active PRU pool. This release pattern is capped at the first 500,000 verified members. Beyond that point, the active pool is replenished from platform profit (8% allocation per Section 4). Members do not contribute to the PRU. The pool is shared by all verified members regardless of activation order — member 500,001 is protected on the same basis as member 1.
The PRU is the platform's system-failure reserve. Platform-funded, shared by all verified members, and used at the Guardian Council's discretion when platform mechanics have demonstrably failed. The PRU does not cover counterparty fraud, user error, market losses, third-party failures, or any transaction where both parties have confirmed completion. Badge tier informs review; it does not create a contractual right or limit.
Price exposure. Native BTC / ETH: Full exposure maintained. Trust-Locked (tlBTC / tlETH): Full exposure maintained.
Theft protection. Native BTC / ETH: Keys only — ~80% success rate for attackers. Trust-Locked (tlBTC / tlETH): 5-checkpoint system — modelled minimum theft probability under defined assumptions (0.005%).
Fund recovery. Native BTC / ETH: None — lost is lost permanently. Trust-Locked (tlBTC / tlETH): SHARDS backup + Guardian network recovery.
Inheritance. Native BTC / ETH: Complex — often fails completely. Trust-Locked (tlBTC / tlETH): Automatic protocols through SHARDS.
Liquidity. Native BTC / ETH: Instant. Trust-Locked (tlBTC / tlETH): Unwrap anytime — 24hrs for large amounts.
Custody model. Native BTC / ETH: Single key — one point of failure. Trust-Locked (tlBTC / tlETH): MPC custody — no single point of failure.
The Green Badge is the gateway to the full Trust-Locked security stack. It is entirely optional — CNMY holders who do not verify can still hold, trade, and transfer freely. But for those who choose to verify, the badge activates six protection layers, fund recovery, asset vault access, and governance rights.
Every new badge holder must refer three new verified users to activate full protection. This creates organic, verified growth while ensuring the network is composed entirely of real, identity-verified humans.
These tiers reflect demonstrated platform behaviour over time. They inform the Guardian Council's review of system-failure events affecting a member but do not create a contractual coverage limit. Review outcomes are discretionary and vary by the nature of the event under review.
A separate product line that extends the Independent Trust Architecture outward to the open web. Verify protects any website on the open web from phishing — not by issuing a static image, but by issuing a live, identity-bound, domain-bound trust signal that actively exposes phishers when copied. The mechanics that follow are confidential, disclosed under signed NDA, and protected by a patent family priority-locked at Genesis.
Static image badges (McAfee SECURE, BBB seals). Copy-paste lifts the badge onto any fake site — scammer's site looks legitimate
SSL padlock + EV certs. Browsers removed the green-bar EV cue in 2019; SSL only proves encryption, not identity
Google Safe Browsing. Reactive only — flags phishing sites after users have already been harmed
Email DMARC/SPF/DKIM. Protects email channel, not website channel; phishers move to lookalike domains
Trustpilot / review badges. About reputation, not identity verification; reputation can be manipulated
Verify combines five primitives that, individually, exist in production elsewhere — but no system has combined all five into a single trust layer. The combination itself is the patent claim.
1. Primitive: KYC-verified entity registration. Verify Implementation: One badge per legal entity, KYC-bound via Didit.me, revocable on demand. The badge cannot exist without the verified identity..
2. Primitive: DNS TXT domain proof. Verify Implementation: Chronimy issues unique TXT record; site owner adds to DNS; automated lookup confirms; re-checked every 24 hours..
3. Primitive: Origin header verification. Verify Implementation: Live badge API checks Referer / Origin header on every render. Mismatch = unauthorised domain..
4. Primitive: Live API badge with state. Verify Implementation: Badge is not an image. It is an API call returning green / amber / red based on real-time verification..
5. Primitive: Self-accusing badge (the differentiator). Verify Implementation: When copied to a fake domain, badge displays: "⚠ This badge was copied from another site. This is likely a phishing attempt." Copying becomes exposure..
"Phishers face an impossible choice: show the badge and get exposed, or remove it and look suspicious next to the legitimate site. Verify makes the act of copying the act of being exposed."
1. Company KYC — director verification, business documents, beneficial ownership (Didit.me)
2. Domain ownership proof — Chronimy issues unique TXT record (e.g. chronimy-verify=cnmy_a8f3... )
3. Chronimy verifies TXT record — automated DNS lookup
4. Badge issued — linked to: company ID + domain + signing key pair
5. Site owner adds embed code — pulls live badge from Verify API (lightweight iframe-isolated embed)
6. Origin check on every render — API confirms Referer / Origin matches registered domain
7. Periodic re-verification — TXT record re-checked every 24 hours; headless render check confirms badge visible
8. Instant revocation — Chronimy can kill any badge via revocation API; site shows red state immediately
Some site owners may try to install the badge for SEO benefit but hide it visually with CSS. The backend detects this:
An extension of the Trust Code™ primitive, designed to kill email phishing:
chronimy.org/verifyNo competitor in the trust-seal space has token-economic backing. Verify integrates with the Chronimy Protocol Reserve Unit (PRU) such that:
Every phishing attempt that copies a verified site:
chronimy.org/exposed within 24 hoursResult: Phishers cannot win. Copying the badge exposes them. Not copying makes their fake site look suspicious next to the real one. Every phishing attempt becomes free Chronimy marketing.
Genesis. Module: Patent. Build: Verify patent family in preparation before any public mechanics disclosure.
Aurora. Module: None. Build: SotaTek pre-engagement on Nebula sale website only — no Verify build.
Nebula. Module: None. Build: Module 1 (platform layer) build — no Verify yet.
Pulsar. Module: Module 4a. Build: Verify B2B launch — 155 features. Site owner dashboard, badge API, embed library, click-through page, headless re-verification, revocation, PRU integration.
Supernova. Module: Module 4b. Build: Verify network effects — 190 features. Browser extensions (Chrome/Firefox/Safari), Wall of Shame public feed, hosting partner plugins (Shopify/WordPress/Wix/Squarespace/Webflow), enterprise partner webhooks, industry body API.
Verify extends the Chronimy security model beyond the platform's own users. The same architectural principles that protect Chronimy members (identity-bound credentials, signed cryptographic state, governance-approved revocation, token-economic backing) are projected outward onto the open web. This external layer is not a feature add — it is the proof that the Chronimy security architecture generalises.
This is defence in depth at the protocol level. Each of the eight layers is independently hardened — they work together but do not depend on each other. An attacker who defeats one layer still faces seven more.
Genesis Vault and Rédeas Vault contracts will not undergo a separate paid third-party audit before deployment. This is a deliberate decision disclosed transparently. The compensating controls below are constitutional and architectural, not procedural. Members must evaluate whether these compensating controls are sufficient before contributing.
The contribution vaults — the Genesis Vault and each phase's Rédeas Vault — are reviewed before deployment, and the review programme scales with the project's resources.
CNMY Token, Collateral Provision Fee, Buyback and Burn, PRU Replenishment, Development Escrow, and Founder Vesting all undergo dual independent professional audit before Aurora deployment — non-negotiable.Badge-to-Badge Transfer. Fee: 0.1%. Distribution: 20% Collateral Provision Fee · 19% Member Growth · 13% Buyback (80% burn / 20% IPDF) · 14% PRU Replenishment · 5% Licensing · 4% IPDF · 25% Operations (Development + Core Team + DAO Gov + Security).
Asset Wrapping (tlBTC etc.). Fee: 0.05%. Distribution: 27% PRU Vault · 73% Protocol operations.
Asset Unwrapping. Fee: 0.05%. Distribution: 27% PRU Vault · 73% Protocol operations.
Emergency Recovery. Fee: 0.5%. Distribution: 100% PRU Vault contingency reserve.
Voucher Sales Funding (community + backstop). Purpose: Community raise + exchange backstop and strategic partner allocation (target structure, partnership being pursued) · flat 0.08 reference · milestone-gated drawdown. CNMY: 5,000,000,000. %: 25%.
Vault Reserve (PRU pre-funded). Purpose: Platform Liability Reserve — auto-release mechanism · permanently locked from day one. CNMY: 5,000,000,000. %: 25%.
Burn Reserve. Purpose: Badge activation burns — deflationary mechanic · 4,200 CNMY per Green Badge · permanently locked. CNMY: 5,000,000,000. %: 25%.
Chronimy Kind Channel. Purpose: Vetted philanthropic causes · Stiftung-administered · 20% at listing + 36mo vest · A17 architect canonical. CNMY: 1,000,000,000. %: 5%.
Founder. Purpose: 20% at listing + 36mo · 2% monthly cap · independent designated wallet. CNMY: 1,000,000,000. %: 5%.
Core Team. Purpose: 20% at listing + 36mo linear vest. CNMY: 1,000,000,000. %: 5%.
Partner Referral Bonus. Purpose: 25% CNMY match on partner-referred community contributions · ceiling · unused stays locked/burned · organic (default-affiliate) pays 30% USDC, no tokens. CNMY: 200,000,000. %: 1%.
Buffer Reserve. Purpose: Emergency use only · DAO-controlled access. CNMY: 300,000,000. %: 1.5%.
Scam Victims Airdrop. Purpose: Locked Merkle list of specific recipients — no application · 20% at listing + 80% over 36mo · unclaimed after 24mo burned · A15 canonical. CNMY: 500,000,000. %: 2.5%.
Liquidity (DEX pools). Purpose: Locked in DEX pools · initial market making · constitutional. CNMY: 1,000,000,000. %: 5%.
Total. A fixed supply of 20,000,000,000 CNMY — no new tokens are ever created.
This distribution mirrors the canonical Executive Paper §3.2 token allocation. Voucher Sales Funding (5B / 25%) aggregates the community raise (CHF 65.5M), the exchange backstop (a strategic partnership being pursued, not yet finalised) and strategic partner allocations, all at the flat 0.08 reference price. Any allocation unsold in a phase is not burned mid-programme; it carries forward to the next phase and is offered first, at the same flat price (a second chance for those who missed the prior phase). Only the balance still unsold at the close of the final phase is burned. Marketing is funded from operating cash, not a token allocation.
Chronimy is not another wallet. It is a complete security architecture that makes crypto theft economically worthless. Standard Polygon PoS compatibility means no restrictions on your freedom. The Green Badge is opt-in protection for those who want it. Together, we are building a world where your digital assets are as safe as your intentions.
Fault Tree Analysis (FTA) is the international standard methodology for quantitative reliability assessment, codified in IEC 61025:2006 (Fault Tree Analysis) with parallel guidance in NUREG-0492 (US Nuclear Regulatory Commission) and MIL-HDBK-338 (US Department of Defence Reliability Handbook). FTA decomposes a top-level undesired event into combinations of lower-level failures connected by AND-gates (all conditions must occur) and OR-gates (any single condition is sufficient). Per-failure probabilities derived from industry data are combined via the resulting Boolean structure to produce the top-event probability.
The model below reflects the protected-transaction architecture only. Out-of-scope are: off-platform fraud, fraud against unverified counterparties, fraud where both badges are voluntarily and knowingly compromised by their holders. Within-scope is theft from a verified bilateral badge transaction where both parties are KYC-validated and the fraud is non-consented by the victim.
Theft from a verified bilateral badge transaction — a victim badge-holder loses CNMY in a transaction where (a) both parties are KYC-validated through Didit.me, (b) the transaction was processed through the protected-transaction smart contract suite, (c) the victim did not voluntarily approve the loss.
P1 · Victim Badge Compromise. Description: Attacker captures the victim's badge keys via device compromise, key-extraction attack, or KYC infrastructure breach. Modelled prior probability: 0.05% per badge-year. Source: NIST National Vulnerability Database (NVD) historical CVE rate for identity-system breaches; Verizon DBIR 2024 credential-compromise statistics.
P2 · MPC Custody Compromise. Description: 4-of-7 MPC participants simultaneously compromised; coordinated geographic + jurisdictional attack required. Modelled prior probability: 0.001% per protocol-year. Source: Cosmos Hub validator security incident rate (publicly reported); academic literature on threshold-cryptography failure modes (Gennaro et al., Eurocrypt).
P3 · Smart Contract Critical Bug Post-Audit. Description: Critical exploitable bug remains in protected-transaction contracts after dual professional audit. Modelled prior probability: 0.5% lifetime per contract. Source: Trail of Bits Building Secure Contracts publication; ConsenSys Diligence published audit findings; Smart Contract Security Field Guide (CertiK / OpenZeppelin) — industry post-audit exploit rate.
P4 · Social Engineering of Victim. Description: Victim is socially engineered to approve a fraudulent transaction. Modelled prior probability: 2% per transaction (industry baseline). Source: Chainalysis Crypto Crime Report 2024; FBI Internet Crime Report 2023 — social-engineering-led crypto loss rate.
P5 · Oracle Compromise. Description: Chainlink VRF or pricing oracle attacked, returning manipulated value to contract. Modelled prior probability: 0.0001% per protocol-year. Source: Chainlink published security audit data; DeFiLlama Hacks Tracker — oracle-attack historical loss-event data.
For theft from a protected verified bilateral transaction to succeed, the protocol's defensive layers must fail in coordinated combinations. The key insight: protected transactions require multiple independent defensive layers to fail simultaneously, not any single layer.
Theft = (P1 AND (P2 OR P3 OR P5)) OR (P4 AND NOT_FINALITY_FREEZE)
Plain reading: theft requires either (a) the victim's badge to be compromised AND a custody/contract/oracle layer to also fail, OR (b) social engineering to bypass the Confirmation-Is-Final 12-hour finality freeze. The Confirmation-Is-Final Constitutional Immutable plus the 12-hour finality window blocks (b) for protected transactions where the victim acts within the finality window.
Using independence assumptions (stated below), the combined attack-success probability is computed:
OR-combining the four paths: total modelled theft probability per badge-year ≈ 1.25 × 10⁻³ per badge-year in raw form; reduced to ≈ 5 × 10⁻⁵ per badge-year (0.005%) when (a) Path B is conditioned on dual-audited contract status (which reduces P3 from 0.5% to 0.025% post-dual-audit, per ConsenSys Diligence published data), and (b) Path D is conditioned on protected-transaction status (which invokes finality protection, reducing the conditioning fail-rate from 5% to 0.5%).
Industry exploit-rate data carries inherent variance. Applying a 95% confidence interval based on sample-size variance from the cited Trail of Bits / ConsenSys Diligence / Chainalysis data sets, the modelled probability range is approximately 0.002% (best case) to 0.012% (worst case) per badge-year. The 0.005% figure is the central estimate and is reported throughout this paper. The interval is wide because reliable industry exploit-rate data is sparse — a known limitation of probabilistic security analysis.
Chronimy Holdings AG intends to engage an IEC 61025-accredited reliability engineering consultancy to conduct independent fault tree review at Aurora close. Candidate firms under consideration: Exida (US, IEC 61025/61508 accredited), DNV-GL (EU, reliability and risk consultancy), Lloyd's Register (UK, fault tree analysis services), Det Norske Veritas (international, reliability engineering). Engagement letter to be signed at Aurora close as part of the IPDF and Security & Compliance allocation. The reviewing firm's findings will be published as a supplementary appendix to this paper at Aurora close + 90 days.