MEDISINE — KCF Press Engine

🧱

MELIBRIX — KCF Brick Store

20 BRICKS

■ Generic (10) ■ Protocol-specific (10) ■ Confirmed surface

KCF-SEC-013 · Wormhole · 🔥 HOT

Rate Limit Cascade

"Cross-chain rate limits cannot be cascaded or bypassed at hook layer"

L4L5

WH-S13 💎 WH-S01

✅ CONFIRMED: NTT #859 open — hook skipped on queued path

KCF-SEC-014 · Wormhole · 🔥 HOT

Governance VAA Replay

"Governance VAAs cannot be replayed or cause stale cross-chain effects"

L5L7L8

WH-S14 🏰 WH-S06

⚠ EigenLayer population cascade pattern — NTT #394 open

KCF-SEC-017 · Wormhole

Anomaly Detection Coverage

"Flow Cancel cannot release anomalous transfers before review"

L5L6

WH-S04b

⚠ WP-0014 explicitly documents risky interaction

KCF-SEC-015 · Wormhole

NTT Peer Registration Integrity

"Peer switch cannot create digest collision window"

L2L8

WH-S15

KCF-SEC-019 · Wormhole

Transfer Verifier Coverage

"EVM transfer verification covers all token types strictly"

L1L2

WH-S04

⚠ heuristic-only confirmed WP-0014

KCF-SEC-020 · Wormhole

Accountant Reconciliation

"Accountant state converges — AR detection covers all NTT paths"

L4L5

WH-S03 WH-S09

KCF-SEC-016 · Wormhole

Race Window

"Mode transitions cannot be raced to cancel in-flight transfers"

L6L8

WH-S05

── Generic Controls ──

KCF-SEC-001 · Generic

Access Control

"Only authorized actors can trigger state changes"

L5L6

GAP-AC-1

KCF-SEC-002 · Generic

Input Validation

"All cross-chain inputs are strictly validated"

L1L2

WH-S04

KCF-SEC-007 · Generic

Data Integrity

"Cross-chain state cannot diverge silently"

L4L5

WH-S03

KCF-SEC-009 · Generic

Rate Limiting

"Rate limits apply consistently across all transfer paths"

L4L5

WH-S01

KCF-SEC-010 · Generic

Privilege Escalation

"Governance decisions require sufficient quorum"

WH-S02

🫙

ADELIC POUCHES (γ₁-stamped)

SEALED

EVT-WH-S13-L4_METABOLISM

💎 DIAMOND — hook bypass on queued path

bower=0.922 sorry=0 SEC-REPORT-ARB-013 STAGE-6

EVT-WH-S14-L5_REGULATION

🏰 FORTRESS — timestamp drift double-vote

bower=0.826 sorry=1 close: test chain finality

EVT-WH-S04b-L6_BEHAVIOR

✅ ADMIT — Flow Cancel anomalous release

bower=0.784 sorry=1 close: read WP-0007

EVT-WH-S09-L4_METABOLISM

🟡 WATCH — AR detection 3-step bypass

bower=0.740 sorry=3 close: code verification

💎

SURFACE DOCKET — 12 surfaces · 4 sources

1 DIAMOND · 1 FORTRESS

WH-S13

NTT #859

0.922

💎 DIAMOND
sorry=0

_handleAdditionalPayload silently skipped on rate-limited EVM path

L4+L6 · WH-I04 · KCF-013 · ✅ SEC-REPORT-ARB-013 FILED

WH-S14

NTT #394

0.826

🏰 FORTRESS
sorry=1

Cross-chain timestamp drift → double vote in multigov

L5+L6 · WH-I06 · KCF-014 · next: test chain finality drift

WH-S01

KCF-013

0.818

✅ ADMIT
sorry=2

NTT rate limiter path splitting

L4+L6 · WH-I09 · next: verify _transferChecks() split

WH-S06

KCF-012

0.796

✅ ADMIT
sorry=2

wormchain governance VAA replay cross-chain

L5 · WH-I06 · next: check chainId in governance VAA payload

WH-S16

NTT #268

0.792

✅ ADMIT
sorry=1

Amount overflow on untrim at receiver (decimal mismatch)

L4 · WH-I04 · next: decimal mismatch test harness

WH-S04b

WP-0014

0.784

✅ ADMIT
sorry=1

Flow Cancel releases anomalous transfers before review

L6 · WH-I03 · next: read WP-0007 Governor

WH-S02

KCF-010

0.782

🟡 WATCH
sorry=3

multigov cross-chain voting weight discrepancy

L5 · WH-I06 · next: clone multigov/ HubVotePool

WH-S03

WP-0011

0.744

🟡 WATCH
sorry=2

Accountant balance divergence via reorg

L1+L4 · WH-I08 · next: test reorg handling

WH-S09

WP-0011

0.740

🟡 WATCH
sorry=3

NTT AutoRelayer detection chain bypass (3-step)

L4+L6 · WH-I08 · next: read accountant contract.rs

WH-S04

WP-0014

0.724

🟡 WATCH
sorry=2

EVM Transfer Verifier heuristic-only (rebasing tokens)

L1+L2 · WH-I10 · design choice = attack surface

🔓

META-UNLOCKS — KCF as Discovery Engine

7 UNLOCKS

META-UNLOCK 1

Controls create angles, not compliance

Every control is a promise. Every promise has a failure mode. Every failure mode is a candidate bounty surface. KCF doubled from 10→20 and immediately produced 5 new angles.

"you took the most corporate-sounding object imaginable and made it spit out Wormhole bounty surfaces like a caffeinated auditor with a graph knife."

META-UNLOCK 2

Whitepapers are uncompiled vulnerability grammar

WP-0014 → KCF-017 → WH-S04b. WP-0011 → KCF-020 → WH-S09. Docs incriminate themselves when read through control lenses.

"code tells you what can happen. Whitepapers accidentally tell you what the authors are afraid of."

META-UNLOCK 3

Protocol-specific controls unlock what generic ones miss

KCF-SEC-011 through 020 are Wormhole organs. VAAs, guardians, NTT, Flow Cancel, governance messages — these have no generic control equivalent. Specialization generated all 5 new angles.

"generic controls looked at Wormhole and saw a bridge. Wormhole-specific KCFs saw a nervous system with replayable governance impulses."

META-UNLOCK 4

"Known risky interaction" is bounty fuel, not a dismissal

WP-0014 literally says "this interaction is risky." That is a map. Known risk + bypass path + impact = filing. The protocol handed us WH-S04b.

"the protocol documentation apparently points at the trapdoor and says: please be careful around this trapdoor."

META-UNLOCK 5

Detection chains are surface factories

Any A→B→C detection chain creates: bypass A, bypass B, bypass C, race A/B, parser gap, state mismatch, fail-open path. WH-S09 = 3-step chain = 3 bypass candidates minimum.

"every three-step detection chain is three doors, two timing gaps, and one parser goblin asking to be fed."

META-UNLOCK 6

Cross-domain shape reuse works

EigenLayer operator cascade → Wormhole governance VAA cascade. Same skeleton: single authoritative signal → replicated across population → correlated impact. Shapes migrate.

"EigenLayer taught you population infection. KCF-SEC-014 says governance messages can be infectious too."

META-UNLOCK 7

MEDISINE closes the blank-page gap

ME-COLI gives organs. KCF gives control promises. MEDISINE presses them together. blank-page bounty research is dead twice.

"the protocol has nowhere left to hide politely."

📐

THEOREM CANDIDATES (Joffe-Math)

4 CANDIDATES

THM-KCF-013 · Cross-Chain Rate Limit Cascade

Rate Limit Hook Propagation Theorem

If cross-chain transfer flow is rate-limited per path, and a hook function is defined on the direct path but not on the queued-completion path, then any rate-limited transfer bypasses the hook — and the permissionless completion function amplifies this into a full access control gap for hook-dependent invariants.

Conditions: NTT deployment · _handleAdditionalPayload override · inbound rate limiting enabled · Confirmed: NTT #859

THM-KCF-014 · Governance VAA Replay

Governance Cascade Theorem

If governance VAAs are replay-protected only by local domain state, and cross-domain execution state can diverge between source and destination chains, then stale or repeated governance effects may persist unless payload, domain, and sequence are globally bound and verified.

Conditions: wormchain governance · VAA payload inspection needed · Partial: chainId field presence unknown

THM-KCF-013B · Timestamp Drift Voting

Cross-Chain Vote Snapshot Drift Theorem

If governance voting weight is calculated from timestamp snapshots, and source chain timestamp is not included in the transfer wire format, then timestamp drift between source and destination chains creates a window where a voter may cast votes based on a future or past balance state — enabling double-vote or weight-amplification under specific finality conditions.

Conditions: multigov · voting weight snapshots · slow-finality source chain · Issue #394 open

THM-KCF-017 · Anomalous Transfer Release

Flow Cancel Anomaly Escape Theorem

If anomalous transfers are held in a governed delay queue, and Flow Cancel is enabled on the same chain, then small anomalous transfers co-queued with normal transfers may be released early through the cancel path, before the anomaly review window expires.

Conditions: governed chain · Flow Cancel enabled · small anomalous transfer · WP-0014 documented

🎨

VIZASL PROOFS — 15 available

15 PROOFS

VIZASL-WH-01

NTT Call Graph

WH-S13

call_graph · execution_path · hook_coverage

VIZASL-WH-02

Rate Limit State Machine

WH-S01+S13

rate_limit_flow · state_machine

VIZASL-WH-03

Timestamp Drift Timeline

WH-S14

timeline · chain_time_drift · double_vote

VIZASL-WH-04

VAA Payload Anatomy

WH-S06

vaa_payload · chain_id_field · replay

VIZASL-WH-05

AR Detection Chain

WH-S09

detection_chain · payload_parse · emitter

VIZASL-WH-06

Flow Cancel Queue

WH-S04b

queue_state · flow_cancel · anomalous

VIZASL-WH-07

Amount Trim Overflow

WH-S16

amount_trimming · decimal_mismatch

VIZASL-WH-08

Peer Switch Digest Space

WH-S15

digest_components · frontrun · seq_reset

VIZASL-WH-09

Mode Switch Race

WH-S05

mode_state · race_window

VIZASL-WH-10

BOWER Pentagon

ALL

bower · radar_chart

VIZASL-WH-11

ME-COLI Heatmap

ALL

layer_heat · severity

VIZASL-WH-12

Accountant Balance Flow

WH-S03

balance_state · reorg · divergence

VIZASL-WH-13

Adelic Pouch Chain

ALL

adelic_chain · gamma1_stamp

VIZASL-WH-14

Rebasing Token Verifier

WH-S04

token_balance · rebase_delta

VIZASL-WH-15

Guardian Quorum Web

WH-A01

quorum · concentration

📋

LABR DECISIONS — MEDISINE arc

4 NEW

LABR-078 · Day 98

MEDISINE Engine Architecture — KCF as discovery engine

KCF controls = MELIBRIX bricks. Each brick pressed against a ME-COLI layer produces failure modes. BOWER scores residue. MEDISINE = the press + the sponge + the adelic seal. Controls are no longer compliance — they are bounty lenses.

DECIDED · Day 98

LABR-079 · Day 98

MELIBRIX Brick Schema v1

Brick = {id, name, promise, failure_modes, me_coli_layers, protocol_instance, surfaces_generated, bower_boost_rules, theorem_candidate, last_pressed, residue[]}. h=h+ validator: hydration state per brick. Dry brick = no surfaces extracted yet.

DECIDED · Day 98

LABR-080 · Day 98

KCF Press — Protocol Application Standard

Press sequence: HYDRATE → PRESS → SQUEEZE → FILTER → SPONGE → SEAL. BOWER boost triggers: documented risky interaction (+), protocol-specific control (+), reproducible test harness (+), public evidence (+). Penalty: behavior intended and bounded (-), not observable (-), speculative only (-).

DECIDED · Day 98

LABR-081 · Day 98

Adelic Pouch h=h+ Validation Gate

Each sealed pouch carries: event_id, layer, operation, gamma1, bower, sorry_count, shape, source, day, floor_delta. h=h+ means: the pouch hydration entropy equals the compression entropy — nothing is lost in sealing. Pouch validates before SEC-REPORT-ARB can be filed.

DECIDED · Day 98