1. The Gap

The coordination problem. Consider a woman alone in a city at 2 a.m. Someone is following her. She has no way to reach anyone who both can and will help. The police emergency line gives her a queue position and an estimated response time of forty minutes. The nearest hospital is seven kilometres away. She has a smartphone, a data connection, and Bitcoin in a self-custodial wallet. She has no protection, no recourse, and no one coming.

This scenario is not hypothetical. It describes a genuine structural gap in the built environment of virtually every city on earth. The gap is not technological: the same device she carries in her hand connects her to food delivery, ride-hailing, instant messaging, and global financial markets in seconds. The gap is not monetary: she can send value anywhere in the world in minutes, at trivial cost. The gap is coordination: she cannot translate her signal of need into physical action by another human being who is nearby, capable, and willing.

Every coordination gap of this kind eventually gets filled by technology. Before Uber, you could not translate a smartphone signal into a physical car arriving at your door. Before Airbnb, you could not translate a profile and a payment into a room key. Before Bitaid, you cannot translate an authenticated emergency signal into a trained human being moving toward you with liability coverage, dispute resolution, and guaranteed payment. The question is not whether the gap persists. The question is who fills it, and on what terms.

Who fills the gap today. In most jurisdictions, the answer is a state monopoly: police, ambulance, fire, coastguard. Each is funded by taxation, staffed by employees, and managed by hierarchy. The arrangement works well enough that it is rarely questioned. But the state provider has predictable failure modes: absenteeism, underfunding, jurisdictional gaps, prioritisation conflicts, legal liability avoidance, politicised resource allocation, and the structural inability to price marginal cost at the point of service.

The state provider does not compete. Where it underperforms, there is no exit. Where it fails catastrophically, as in Hurricane Katrina, the 2011 London riots, or the collapse of municipal police forces in cities like Detroit and Chicago, there is no fallback. Private security firms exist in wealthy jurisdictions, but they are gatekept by licensing cartels, union capture, and liability frameworks that make them affordable only to corporations and the very rich. The vast majority of the world's population has no meaningful access to professional emergency response.

Private provision in the shadow of the state. Where state provision has failed or never arrived, private actors step in. In South Africa, private security guards outnumber police officers by roughly three to one. In Brazil, militias and criminal gangs control territory not because the state is absent but because the state is incompetent, and residents prefer any protection to none. In rural India, caste-based protection networks fill the vacuum left by distant police stations. In American inner cities, neighbourhood watches and church-based patrols operate where police response times exceed thirty minutes.

These private arrangements are not optimal. They are fragmented, unaccountable, legally ambiguous, and often captured by the same violent actors they nominally protect against. But they exist for a reason: the demand for physical security is non-negotiable. People will find a way to meet it. The question is whether technology can make that meeting more humane, more accountable, and more accessible than the current alternatives.

The preconditions are now present. Three technologies, matured in the last decade, make a decentralised alternative structurally possible for the first time: Bitcoin, for trustless value transfer and conditional escrow; Tor and I2P, for anonymous peer discovery and censorship-resistant gossip; and smartphones with cryptographic signing hardware, for authenticated identity, real-time geolocation, and tamper-evident evidence capture. None of these technologies was designed for emergency response. Together they compose a coordination layer that no single entity controls, no government can shut down, and no attacker can capture by capital alone.

Bitaid is that composition. It is not a company, a token, or a blockchain. It is a protocol: a set of rules for how strangers with no prior relationship can summon, pay, verify, and adjudicate emergency response using only the tools they already carry and the Bitcoin they already hold.

2. The Core Insight

Proof of ₿ond + Labor. The protocol is built on a single mechanism that solves six interlocking problems simultaneously. The bond is refundable personal collateral — an escrow locked in a conditional Bitcoin script at registration and returned intact on honest use, forfeited only on confirmed misuse. It prices entry into every role and makes bad faith costly without taxing honest participants. The labor is an earned record of demonstrated human effort across real case history, weighted by calibration coherence and discounted by temporal seasoning — influence that cannot be purchased, only accumulated over irreplaceable calendar time.

Neither component is sufficient alone. A bond without labor can be overwhelmed by capital: a wealthy attacker buys many seats, posts large bonds, and hopes to outspend the defense. Labor without a bond has no forfeiture mechanism and no entry cost: a Sybil farm manufactures case history and coherence scores from fake incidents, achieving influence without ever risking capital. Together they are Sybil-resistant in the same structural sense as Bitcoin’s proof of work — the cost to attack is real, non-transferable, and compounds against the attacker.

The bond is anti-staking. In proof-of-stake systems, the staked token earns yield, grants governance rights, and appreciates with network value. The incentive is to hold and accumulate. In Bitaid, the bond is the opposite: it earns no yield, grants no governance, and carries only downside. The incentive is to post the minimum required for the role you want, use it honestly, and get it back. The bond is not an investment; it is a ticket. This inverts the economics of participation: the protocol taxes entry but not operation, making it expensive to acquire many seats and cheap to maintain one.

The labor is human proof of work. Bitcoin’s proof of work makes chain reorganisations prohibitively expensive through irreplaceable energy expenditure. PoB+L does the same with two different inputs. Capital locked in bonds is the economic energy — non-transferable while posted, forfeited on misuse, compounding against attackers who acquire more seats. Accumulated labor is the proof of work done — influence earned through real case history and calibration compliance over calendar time that no amount of capital can accelerate.

The temporal seasoning requirement means a newly created account’s coherence history is down-weighted until ninety days of real participation have elapsed: labor_score × min(1, days / 90). Two thirds of every jury panel must be drawn from labor-qualified accounts. Capital alone cannot buy that majority. In that precise sense PoB+L is a human proof of work, denominated in irreplaceable economic energy and demonstrated labour rather than in joules.

Zero-cost-till-need. Participation in the protocol carries no standing cost. There is no subscription, no monthly retainer, no membership fee. The caller posts a bond only at the moment of incident registration — and that bond is fully refundable on honest use. The only costs actually incurred are: the bounty (payment for responder attendance and action, which is voluntary and negotiable via the three-tier offer), BCAEN archival fees (only if footage is recorded and stored), and jury fees (only if a dispute is escalated to arbitration).

If a caller experiences no incident, they pay nothing. If a responder never accepts an alert, they earn nothing and lose nothing beyond the opportunity cost of their bonded capital, which remains under their control. This model opens emergency response to a population that could never sustain a private security retainer or insurance premium: the uninsured, the under-protected, and the informally employed who lack institutional safety nets. The cost barrier is not at the door; it is at the point of actual need.

The Human Labor Ledger. Every application event that changes protocol state — a verdict, a bond post, a labor score update, a pool slot opening — is a signed message anchored to a specific Bitcoin transaction or block height. State is computed deterministically by replaying the ordered event log. Any node given the same anchored event log computes identical state. Lagging nodes receive events out of order, verify each against its Bitcoin anchor, and converge on identical state after the fact — the same way a Bitcoin node in initial block download converges on the canonical UTXO set without coordinating with any peer beforehand.

The result is not merely a bookkeeping convenience. It is the protocol’s core output: an auditable record of demonstrated human coordination inscribed on Bitcoin, secured by inherited Nakamoto consensus. Every case, every rating, every calibration coherence score, every temporal seasoning milestone, every bounty earned. The bond prevents spam; the labor prevents Sybil; the ledger makes the whole system legible. No separate blockchain. No separate consensus. No native token.

What the Ledger is not. It is not a reputation system in the conventional sense. The protocol distinguishes between labor — objective demonstrated effort recorded on the Human Labor Ledger (case count, calibration coherence, temporal seasoning, bounty earnings) — and reputation — the emergent market signal derived from that labor (insurer clean ratios, responder standing, juror track records). The protocol weights labor; the market prices reputation. This separation prevents the feedback loops that corrupt conventional reputation systems, where high reputation begets more reputation independent of actual performance.

Cell-scoped labor. A responder’s labor score is not global. Case count, calibration coherence, bounty earnings, and temporal seasoning are each recorded per H3 cell. Labor earned in one cell does not automatically transfer weight in a different cell. A responder with extensive labor history in one geographic context begins at the floor weight when operating in a different cell. This closes the remote-farming attack: a Sybil operation cannot manufacture case history in a deserted cell and exercise that weight in a high-value urban dispute, because the labor does not migrate with the identity.

3. The Market

Each tier prices a different behaviour. Together they constitute the first price system for emergency response.

The three-tier offer. When a caller presses the panic button, they broadcast not merely a cry for help but an economic package: the incident deposit, which signals credibility and funds forfeiture in case of misuse; the bounty, an appearance payment compensating responders for showing up regardless of outcome; and the outcome reward, the largest amount, released by the jury on verified result — suspect detained, caller evacuated, medical aid delivered. Each tier is optional above the first; each adds competitive signal for professional responders.

Responders sort incoming alerts by the full economic package — stake credibility, bounty size, outcome reward, and labor credentials — not by queue position. A flood of minimum-stake noise does not outbid a serious bounty-and-reward package. As the network professionalises, callers who offer no bounty or conditional reward find fewer professional responders accepting their alerts — not because the protocol blocks them, but because professional responders price their time and risk against the full economic offer. The protocol routes alerts and lets the market clear. No authority determines priorities.

The three tiers together produce the first market price signals for passive emergency response — not the pre-arranged bilateral market for private guards or contracted security firms, where the price is set before any emergency exists and the service is delivered regardless of whether an incident occurs, but a real-time spot market where strangers with no prior relationship bid to respond to an unknown caller at an unknown location, with payment conditional on showing up and performing. That market has not existed before, not because no one thought of it, but because it required trustless conditional payment and pseudonymous coordination that no prior technology made possible.

Offer-linked integrity. For high-value alerts, the protocol makes an explicit pairing: no responder should profit more from cheating on an incident than they stand to lose when cheating is proven. At alert construction, the packet carries recommended minimum bond and labor credentials that every node computes identically from the posted economics. On large bounties, the median bond among attendees cannot be dragged down by floor-minimum identities; the offer size sets the comparison baseline. Clients may warn when a large reward is paired with a weak credibility signal. Under alert floods, operators and insurers tighten thresholds — the expected equilibrium, not an emergency patch.

Insurer-backed integrity. On high-value alerts, the recommended minimum bond and labor credentials increasingly assume an insurer buffer as baseline. The protocol strips the buffer before scoring, but the market does not strip it before responding. A caller posting a large outcome reward with a minimal personal bond and no insurer buffer sends a weaker credibility signal than a caller posting the same reward backed by a substantial insurer buffer — not because the protocol weights the extra capital, but because responders and jurors observe the insurer’s clean ratio and price the risk differential. The buffer is the market’s proxy for “someone else with capital at risk has already reviewed this participant.”

The insurance flywheel. Insurers compete not only on subscriber pricing but on the bounty and outcome reward levels they fund. Higher offers attract better-equipped professional responders. Better responders achieve better outcomes. Better outcomes justify higher premiums. Higher premiums fund larger offers. The flywheel compounds at every tier.

This is the opposite of every dynamic in monopoly public safety provision, where budget growth tracks failure rather than success. A police force that prevents more crime receives no additional funding signal from that prevention. An insurer that prevents claims profits directly from that prevention. The incentive structures are structurally different, and the outcomes follow.

The pseudo-default equilibrium. Over time, the flywheel produces a self-reinforcing legitimacy gradient. Cells with mature insurer participation exhibit higher average bounty levels, better responder quality, and lower incident severity — because the insurer’s profit depends on prevention. The insurer buffer is opt-in and carries zero protocol weight, yet market dynamics predict it will become a de facto participation standard. The mechanism is the flywheel in reverse: an insurer who rigorously vets subscribers and maintains a clean slashing record attracts more business; the additional premium volume funds larger buffers and broader coverage; the larger buffers attract more professional responders, who produce better outcomes; better outcomes reduce claims, freeing more capital for sponsorship. The result is not protocol coercion but market gravity — the honest signal becomes so economically dominant that uninsured bare accounts, while always permitted, find themselves at a competitive disadvantage in high-value cells. The protocol remains permissionless; the market simply prices the risk of not being insured out of serious participation.

Security firms as natural responders. Existing licensed security companies are the natural supply side of the responder market. They already possess the training, equipment, legal counsel, and local deployment infrastructure that the protocol requires. For them, Bitaid is not competition but a demand-discovery layer — a way to monetise idle capacity during quiet periods and accept incident-specific calls that legacy retainer economics would make unprofitable. The three-tier offer prices each dispatch before any responder moves; the escrow guarantees payment conditional on attendance and outcome; the insurance flywheel extends coverage to a population of uninsured and under-protected citizens who could never sustain a full-time retainer. A security firm brings capital, professionalism, and legal infrastructure; the protocol brings trustless coordination, dispute resolution, and a spot market for emergencies.

Alarm systems and IoT as demand-side anchors. The impersonal caller model opens a market potentially larger than individual panic-button users: every monitored home, commercial building, warehouse, and industrial facility becomes a protocol participant. Existing alarm companies already operate monitoring centres, sensor networks, and subscriber relationships. By integrating Bitaid as their dispatch backend, these companies replace or supplement traditional police-monitored alarm contracts with a trustless responder network that guarantees payment, provides richer evidence, and operates where institutional response has failed. The alarm company operates the Bitaid-registered device; the property owner’s insurance may fund the deposit and bounty; the responder receives continuous video, sensor telemetry, and pre-incident footage rather than a single panic press.

Zero-cost-till-need as distribution amplifier. The flywheel compounds faster because the protocol imposes no standing cost on participation. An uninsured citizen who could never justify a monthly security retainer can register a Bitaid identity, post no bond until their first incident, and pay only for the response they actually receive. The insurer-backed buffer extends this to higher-value cells: a subscriber pays nothing until they need the service, at which point the insurer’s pooled capital guarantees responder attendance. The result is a market that captures demand from the vast population of under-protected citizens who existing security and insurance models exclude entirely — not by subsidising them, but by eliminating the cost of participation when no emergency exists. The flywheel turns that latent demand into actuarial data, and the actuarial data into better, cheaper coverage for everyone.

4. The Trust Model

A jury that loses money for being wrong is a jury with skin in the game.

The closed pool. The jury pool is closed by default. Slots open only on natural turnover — voluntary exit, inactivity ejection, bond forfeiture — or on a sustained demand signal: 432 consecutive blocks (~72 hours) of non-zero queue, after price-out ejection has removed all underfunded cases. Entry is decided by coherence competition: applicants review ten historical calibration cases, pay a market-priced non-refundable participation fee to BCAEN archival nodes, and lock a scaled intention bond in escrow. Highest scorer wins. Capital cannot guarantee entry; work determines selection.

At genesis, when the calibration library holds fewer than 100 verified cases, two fallback tracks operate: Track B, where a current juror with 50+ cases and 90% lifetime coherence may issue a signed invitation; and Track C, a weighted lottery for applicants who post a scaled intention bond. Track C retires once the library reaches 100 cases. The pool then operates exclusively on Track A coherence competition — governance-free, adversarially robust, self-funding via BCAEN participation fees.

Calibration coherence. A juror’s calibration coherence score is the ratio of cases in which their vote aligned with the weighted majority verdict to the total cases they have participated in, expressed as a percentage. Formally: coherence = (majority_aligned_votes / total_cases) × 100. The score is computed over the juror’s full case history and is not windowed — early incoherent votes persist indefinitely, making coherence a genuinely hard metric to recover once degraded.

Why 80%. The 80% threshold is the approximate economic break-even point given the asymmetric penalty band. A juror who wins 4 of 5 cases (80% coherence) and faces the average 3× penalty on their single loss earns net positive: 4 wins at full rate minus 1 loss at 3× cost yields a small surplus. At exactly 80% with the maximum 4× penalty, the juror breaks even; with the minimum 2× penalty, they are comfortably profitable. Below 80%, even a 2× penalty produces net losses. The threshold converts the penalty band into an implicit quality standard without requiring administrative enforcement.

Asymmetric penalty. Incoherent jurors are not merely down-weighted. They are fined. The penalty scales with how isolated their dissent was: penalty = 2 + 2 × ((1/3 − p) / (1/3 − 1/n)) where p is the proportion voting with the juror and n is panel size, capped at 4×. A lone dissenter on a 15-person panel pays roughly 4× what a coherent juror earns. Two dissenters pay ~3×. Three on a 15-person panel pay ~2.3×. The penalty pool subsidises the appeal that overturned the bad verdict; any remainder is redistributed to coherent jurors. The coherent jurors earn more when bad votes are detected. This is the central incentive alignment: honest jurors profit from catching dishonest ones.

Retroactive fraud detection. Fabricated incident chains are surfaced automatically by statistical dissent across calibration queue reviews at a 40% threshold. Every fake case enters the calibration queue. Every fake case may later be reviewed. The farm cannot predict which cases or when. Forfeiture funds the review panel at normal case rates; remainder flows to the BCAEN redundancy subsidy pool. A single corrupt juror costs the network nothing to detect and removes capital from the attacker while strengthening the evidence infrastructure. The system is not merely robust to fraud; it is anti-fragile to it.

The cost of asymmetric warfare. In Bitcoin, a malicious entity who wants to halt the network can spam millions of micro-transactions to fill block space. Fees skyrocket; the network becomes temporarily expensive for average users. But the network does not break — it dynamically prices the attacker out. The attacker is forced to burn real capital just to temporarily inconvenience the system. Eventually the treasury drains, the mempool clears, and fees normalise.

Bitaid’s jury pool induces the same economic exhaustion. The sunk cost: a cartel must pay non-refundable Bitcoin entry fees — participation fees to BCAEN archival nodes, intention bonds in escrow — for every fake identity. The dynamic defense: as the cartel floods the pool, calibration competition intensifies and entry costs scale automatically — exactly like Bitcoin transaction fees rising during congestion. The bleed: the cartel must sustain this capital burn for months without return, because the 90-day temporal seasoning requirement means no fresh account can qualify for a labor-qualified jury seat regardless of how many fake cases it manufactured. The burnout: the moment the cartel stops paying, their fake nodes are either randomly selected for retroactive review and their bonds slashed, or their influence is diluted by the broader honest pool. The attack collapses under its own financial weight.

Anti-fragility in action. The most elegant property of this game theory is that a sustained cartel attack actually makes the network stronger. When a cartel artificially pumps entry fees and jury yields by flooding the network with capital and activity, they broadcast a massive price signal to the global market. Honest, highly capitalised actors — Bitcoin whales, professional security firms, insurers in other jurisdictions — see the elevated yields, pay the entry costs, and deploy their own honest nodes to capture the profit. The attacker is forced to subsidise the honest network. Their burnt capital is redistributed as yield to honest participants, funding the very security budget that ultimately neutralises them. The system self-corrects by turning the attacker’s wealth into network defense — the same way Bitcoin’s difficulty adjustment turns attacker hash power into additional chain security.

Premium jury market. The configurable quality settings create a tiered service market for adjudication with no precedent in dispute resolution systems. Three independent levers — coherence threshold, open seat fraction, bond minimum — produce three genuine quality tiers before the graduated decay brings the market back to default. A party who values rapid, high-confidence resolution pays for elevated coherence and capital requirements; a party with a simpler dispute accepts the default. The market clears the quality-fee trade-off without administrative pricing. The graduated bond decay ensures the market does not deadlock: even a very high configured minimum relaxes through two intermediate steps before resetting, giving premium jurors multiple opportunities to capture elevated fees without forcing the requesting party to restart the escrow entirely.

Fee market robustness. Three properties make the fee market structurally resistant to manipulation. First, the fee market affects only the arbitration tier — emergency coordination continues regardless of jury fee levels. A caller in physical danger still receives responders; only the dispute-resolution path experiences delay. Second, sustained fee manipulation requires exponential capital burn: the dual-trigger compounding (+12.5% per close, +6.25% every 18 blocks) produces fee growth that dwarfs any plausible strategic benefit within days. The cost resembles the chessboard rice problem: one grain on the first square, doubled on each subsequent square; by the eighteenth square the pile already exceeds the entire harvest. Third, even at peak congestion — fees at 4× base, queue backed up for 72 hours — the protocol still resolves disputes in days, not the months or years of conventional civil or criminal proceedings. The natural floor is juror opportunity cost; the effective ceiling is attacker willingness to fund compounding waste against a system that remains faster than the state alternative even when delayed.

Priority fee. Any party to a dispute may attach an optional priority fee to their case in the jury queue, paid from the operational reserve to the reviewing jurors upon resolution. The fee does not affect juror selection, panel composition, or verdict weighting; it affects only the order in which cases are assigned to available jurors. A Sybil caller who tips a fake case pays more to attract additional judicial attention to a case that will be reviewed anyway — the priority fee raises rather than lowers the cost of attack. For legitimate parties, the priority fee functions as express review: faster resolution of the same quality adjudication. Jurors earn more for reviewing tipped cases, creating stronger incentive to clear the queue when priority fees are active.

5. The Bootstrapping

A network with no history is a network no one trusts. The question is not whether the cold-start is hard. The question is who gets paid to build the history.

Insurers as cell venture capitalists. An insurer who backs callers in a brand-new cell with zero case history is taking pure risk with no actuarial data. The insurer effectively subsidises the cell’s bootstrapping: their pooled capital guarantees responder attendance on the first incidents, building the calibration library through real cases that generate the coherence scores the cell needs to reach 100 verified cases and activate Track A. In return, the insurer captures the early subscriber base before competitors enter.

Once the library crosses 100 cases, the insurer has genuine actuarial data to price their buffers correctly; as the cell matures and incident rates stabilise, the insurer’s clean ratio becomes the dominant market signal and their early-mover advantage compounds through the insurance flywheel. The cold start is not a protocol defect — it is an economic opportunity that rewards insurers willing to absorb initial uncertainty, exactly as venture capital absorbs early-stage risk to capture mature-market returns.

Security firms as founding supply. Existing security companies already possess the licensing, legal counsel, physical equipment, and local deployment that the protocol requires. For them, Bitaid is not a competitor — it is an open-source tool to monetise idle capacity and capture an untapped market of uninsured or under-protected citizens. The tax-free insurance primitive — staking deposits in conditional escrows — lets these firms scale their clientele radically after an emergency triggers payment, with much less concern about whether a dispatch is economically justified: the three-tier offer prices the call before any responder moves. A security firm with excess capacity during quiet periods can register as a bonded responder, accept alerts that match their capabilities and equipment, and earn bounties plus outcome rewards on incidents they would have passed on under legacy retainer economics.

Alarm systems as demand anchors. The impersonal caller model opens a market potentially larger than individual panic-button users: every monitored home, commercial building, warehouse, and industrial facility becomes a protocol participant. For the protocol, alarm systems are ideal early callers: they produce high-signal alerts with strong evidence, their triggers are sensor-verified (reducing false incident rates), and their operators have strong incentives to maintain clean deposit histories because their business depends on responder trust. A city block where every building runs a Bitaid-integrated alarm system creates a dense, high-fidelity alert environment that attracts professional responders and accelerates calibration library growth.

Genesis deployment. Early deployment assumes local, niche, Bitcoin-literate adopters — small cells, curated roles, thin calibration library. That is intentional cold start, not production-at-scale parameters. Track C (weighted lottery) provides jury slots when the library is thin; Track B (invitation from proven jurors) accelerates pool growth; Track A (coherence competition) activates once the library crosses 100 cases. The risk of corrupt genesis infiltration is structurally lower than in any conventional private club: high stakes, niche personalised vetting of non-ideologically corrupt early jurors, and self-selection through skin-in-the-game filter out incompatible participants naturally.

External calibration cases. During genesis bootstrapping when the protocol-native calibration library is thin, externally sourced real-world incident footage — public bodycam releases, CCTV records, verified news footage of security or police interventions with clear outcomes — may supplement the native case pool. Ground truth is established through expert panel review (invited security professionals, medical responders, legal experts voting under the same commit-reveal mechanism) or through multi-source consensus combining official reports and public analysis.

The calibration question is not “what did the jury decide?” but “did the responder’s presence produce real, documented evidence, and did the intervention achieve the outcome the incident category requires?” — the same two predicates the protocol’s attending vote and jury tier already evaluate: presence (was the responder there, did they document effectively) and outcome (was the threat addressed, aid provided, trespasser removed, violent actor de-escalated). External cases are phased out or down-weighted as protocol-native cases accumulate. The specific visual library selection, contextual annotation standard, and expert panel composition are implementation decisions not yet finalised.

Sponsorship as web of trust. Any caller with a clean deposit history may extend their deposit as coverage for invited callers. If any covered invitee triggers a misuse ruling, the covering deposit is claimed and all dependents lose coverage simultaneously — a powerful incentive to vet invitees carefully. Professional security firms, community organisations, and insurers can onboard subscribers at scale using sponsorship, solving the cold-start problem without any protocol-level intervention.

6. The Promise

Inherited Nakamoto consensus. The Human Labor Ledger inherits Nakamoto consensus, not BCAEN. Every application event that changes protocol state — a verdict, a bond post, a labor score update, a pool slot opening — is a signed message anchored to a specific Bitcoin transaction or block height. State is computed deterministically by replaying the ordered event log. Any node given the same anchored event log computes identical state. Lagging nodes receive events out of order, verify each against its Bitcoin anchor, and converge on identical state after the fact. This is not a sidechain, not a rollup, not a federated peg. It is inherited Nakamoto consensus: the same finality that makes Bitcoin transaction history unforgeable makes the Human Labor Ledger unforgeable. No new token. No new consensus mechanism.

BCAEN is a separate concern: a content-addressed storage network with its own economic incentives, not a blockchain. It does not need its own consensus because it does not order transactions; it stores chunks and proves availability. Ordering comes from Bitcoin anchors; data integrity comes from content addressing; economic sustainability comes from upload fees, stream fees, and availability-challenge payments, supplemented by the BCAEN redundancy subsidy pool fed by forfeiture events. BCAEN is a database with cryptographically verifiable integrity and market-priced storage, not a ledger with global state.

Uncensorable evidence. The Bitaid Content-Addressed Evidence Network — BCAEN — ensures that footage and metadata is committed and distributed across economically incentivised archival nodes before suppression is possible. When a responder accepts an alert, their camera streams directly to BCAEN. The SHA-256 hash of each chunk is broadcast over gossip before upload completes. Any verifier can confirm that the footage they retrieve matches the hash that was propagated. Suppression would require compromising all archival nodes that hold the content simultaneously — a coordination problem that scales with the redundancy of the network.

Archival nodes bid for storage slots at incident creation, host evidence during the retention window, and respond to cryptographic availability challenges to prove continued hosting. Payment is released from incident escrow via automated script execution on passed challenges. Failed challenges forfeit bond proportionally. The evidence layer is financed by three revenue streams: upload and stream fees paid by callers and responders (primary), availability-challenge payments from incident escrows (steady), and the BCAEN redundancy subsidy pool fed by forfeiture events (bootstrap and ramp-up capital). The result is an evidence layer whose baseline capacity is funded not by a central allocator but by a market for storage supplemented by the protocol’s own penalty mechanism redirecting attacker capital into infrastructure that honest participants need.

Permissionless by design. Bitaid does not ask permission and does not require institutional cooperation. It is designed to work regardless. The protocol is open-source. The specification is public. The reference implementation is in progress. No company owns it. No foundation controls it. No token confers governance rights. The bond is anti-staking: it earns no yield, grants no votes, and carries only downside. There is nothing to capture because there is nothing to control.

Sound, trustless, and auditable money. Sound collateral requires sound, trustless, and auditable money. Gold is sound money by the standard of costly production and fixed supply. But gold fails the trustlessness test: physical custody requires vaults, guards, auditors, and custodians — a chain of trusted intermediaries that the protocol cannot afford. Bitcoin provides six additional properties beyond sound money: programmability (conditional scripts with deterministic spending paths); auditability (any node verifies UTXO, script, balance; no auditor needed); settlement finality (confirmed = irreversible; court cannot freeze, regulator cannot seize); censorship resistance (no gatekeeper can block a valid transaction); teleportability (value moves over communication channels, not physical transport); and permissionless access (keypair + network connection; no bank, no ID, no jurisdiction). Gold cannot be programmed; fiat requires banking infrastructure that introduces trusted intermediaries; neither is teleportable. The protocol requires not just sound money but scriptable, trustless, teleportable sound money — money whose rules execute without human intervention and whose units move at the speed of information. Only Bitcoin combines all of these.

Failure modes and resilience. Commercial abuse inside the protocol is designed to be negative-sum for attackers: misuse rulings forfeit bonds and deposits to honest participants, and local acceptance thresholds rise under flood pressure. That is not monetary-layer failure — escrows and scripts do not change; attackers pay into the network. Remaining tail risk sits with insurers (mispricing, over-commitment, correlated loss), off-protocol and familiar. Nation-state pressure targets physical operators and endpoints, not ledger rewrites; responders price that risk or exit. The protocol does not propose to replace public safety institutions. It does not need to. If the mechanism works, human capital migrates on its own — through the oldest mechanism in economics: people go where the work is better compensated, better structured, and more meaningful.

7. Extended Capabilities

The same infrastructure that routes security responders routes anything that requires fast, trusted, paid human response.

Medical emergencies. Bitaid is not a medical dispatch service, but the same coordination infrastructure that routes security responders routes first aid responders. A caller in cardiac arrest triggers the same alert mechanism as a caller being mugged. The alert card displays the caller’s self-reported medical information if configured. Responders with medical training may filter alerts by type. The outcome reward for a medical incident may be configured to release on verified stabilisation — creating a market for rapid medical response that no public system currently provides.

The medical application is not a separate protocol. It is the same escrow, the same three-tier offer, the same jury tier, the same BCAEN evidence layer, with different condition strings (“stabilise cardiac arrest” rather than “detain trespasser”). An insurer who backs a subscriber pool of elderly cardiac patients prices the risk differently than an insurer backing a pool of warehouse security, but the infrastructure is identical. The flywheel compounds the same way: better medical responders produce better outcomes, better outcomes reduce claims, reduced claims free capital for larger buffers.

Community safety intelligence. Aggregated incident data — stripped of identifying information — constitutes a real-time community safety signal. Dense incident clusters indicate areas of elevated risk. Persistent low-stake alerts in specific areas may indicate systematic troll activity or genuine local crime patterns. The protocol surfaces this intelligence to responders as a grid cell risk score — an advisory signal only, with no automated routing consequence.

This intelligence is valuable to insurers (who price coverage by cell), to security firms (who allocate responder capacity by demand), and to property owners (who make location decisions based on safety data). The signal is not manufactured by a central analytics department; it emerges from the protocol’s own operation — every alert, every response, every verdict, every forfeiture produces data that no entity can suppress because it is anchored to Bitcoin and replicated across the BCAEN network. Community safety intelligence is not a feature the protocol implements; it is a byproduct of the protocol existing.

8. Conclusion

Bitaid does not propose to replace public safety institutions. It does not need to. If the protocol works — if better incentives produce better outcomes, if adoption snowballs through the insurance flywheel, if professional responders find a real market where none existed before — human capital will migrate on its own. Not through conflict, not through political victory, not through the dismantling of anything. Through the oldest mechanism in economics: people go where the work is better compensated, better structured, and more meaningful. A responder who earns real income, builds a verifiable reputation, and operates under rules they can read and verify has a better career than one ranked by party affinity and sanctioned for using reasonable means. The transition, if it comes, will be gradual, voluntary, and entirely peaceful — a non-kinetic redistribution of human capital toward real demand, driven by the price signals that monopoly provision has always suppressed.^[14]

Every component of the protocol is independently motivated. The incident deposit is motivated by the need to make troll alerts expensive. The bounty is motivated by the need to compensate presence. The outcome reward is motivated by the need to price intervention. The jury tier is motivated by the need to resolve disputes without courts. The BCAEN is motivated by the need for evidence that cannot be suppressed. The insurance primitive is motivated by the need to make the system accessible to people who cannot self-fund a meaningful stake.

None of these components requires trust in any central party. Each is enforced by Bitcoin script, by game-theoretic incentive alignment, or by cryptographic proof. Together they constitute a coordination system that can function in the gap between crime and institutional response — a gap that has always existed and is widening.

In 1998, Wei Dai published b-money^[30] — a proposal for a trustless, anonymous electronic cash system with no central authority. It was never implemented. Nakamoto cited it as reference [1] in the Bitcoin whitepaper. The idea did the work that the implementation could not yet do: it articulated the problem clearly enough, and planted it in the right minds, that a decade later someone built the thing that changed everything.

The problem is stated, the architecture is open, and criticism is invited. If Bitaid ships and works, the market for civil security begins its correction. If it seeds something better — a cleaner implementation, a stronger cryptographic foundation, a more elegant economic model — that outcome is equally welcome. The goal was never credit. It was the displacement. The reference implementation is in progress; review and collaboration are welcome.

The protocol is open. No rights reserved. The monopoly is not abolished — it is rendered marginal by something that works better.

This document continues. What follows is the full technical specification — the bond system in cryptographic detail, the five network roles, the evidence layer, the arbitration mechanism, the payment protocol, the privacy and security model, the complete Austrian theoretical foundations, and every protocol parameter at genesis. Readers who arrived here through the argument and wish to audit the engineering should proceed to Track 2 (§9 Original Contributions). Readers satisfied with the design rationale may stop here; the specification does not change the conclusion, it only makes it verifiable.

Each specification section opens with a mode signal indicating its purpose. Readers interested in the design rationale may skip to the next narrative section. The specification defines requirements and invariants; the reference implementation selects specific libraries, wire formats, and optimisation parameters.

Protocol Architecture Overview

Visual reference — the full system at a glance before specification detail

The following diagram presents the complete Bitaid participant architecture: the hardware layer, the protocol software stack (AidCore), the five network roles, the bond types that credential each role, and the external entities that interact with the system. This is not a formal specification — it is a visual guide intended to anchor the detailed sections that follow. All colour-coded elements are explained in the specification track (§10 Bond System, §11 Network Roles, §12 Network Architecture, §13 Evidence Layer).

How to read this diagram. Vertical columns show layers: Hardware at left, Protocol Software, Role, Bond Type, and External Wallets above. Arrows show data flow and dependency. Coloured boxes denote role-specific components (amber = caller, coral = responder, blue = jury, green = archival, yellow = shared). Dashed borders indicate opt-in or external components. The insurer market (bottom right) provides optional buffers to all roles via dashed lines.

9. Original Contributions

Enumeration of novel contributions relative to prior art

Bitaid is built on proven primitives — Bitcoin scripting, Tor (alerts and gossip), I2P or equivalent high-bandwidth anonymous transport (BCAEN uploads and retrievals), Kademlia DHT, content addressing, commit-reveal voting, submarine swaps, and EIP-1559-style fee adjustment — none of which it invented. The following are original contributions:

Proof of ₿ond + Labor — a named Sybil-resistance primitive combining refundable Bitcoin collateral with demonstrated human effort. The bond is anti-staking: it earns no yield, grants no governance, and carries only downside. The labor is an earned record of irreplaceable human effort across real case history, weighted by calibration coherence and discounted by temporal seasoning. Produces a Human Labor Ledger: an auditable record of demonstrated coordination inscribed on Bitcoin, secured by inherited Nakamoto consensus without a separate token or consensus mechanism.

Three-tier economic offer — incident deposit, bounty, and outcome reward as simultaneous real-time spot market price signals for passive emergency response. No precedent exists for this structure applied to real-world incident coordination by strangers with no prior relationship.

Bitcoin-anchored state machine — application-layer state computed deterministically from a Bitcoin-anchored event log, inheriting Nakamoto consensus for ordering and finality without running a separate proof of work, validator set, or consensus protocol. Any node replays the anchored event log from BCAEN and arrives at identical state independently. Bitaid does not implement Nakamoto consensus — it inherits it.

Closed jury pool with merit-based entry — the jury pool is closed by default; slots open only on natural turnover or sustained demand signal (72-hour non-zero queue). Entry is decided by coherence competition: applicants review 10 historical calibration cases, pay a market-priced non-refundable participation fee to BCAEN archival nodes, and lock a scaled intention bond in escrow. Highest scorer wins. Capital cannot guarantee entry; work determines selection. Governance-free, adversarially robust, self-funding via BCAEN participation fees.

Actuarial insurer reserve with encumbrance tracking — a line of cover for incident deposits with real-time encumbrance propagated over gossip, distinguishing real from potential exposure. Opt-in insurer buffers extend to responder, jury, and archival bonds — seized before personal capital on forfeiture, carrying zero protocol weight.

BCAEN archival market — decentralised content-addressed storage with two archival classes: Class A (incident footage custody, paid from incident escrow via Elements script on availability challenge) and Class B (Bitcoin-anchored application state records, retained indefinitely by operators, paid via Lightning micropayments from bootstrapping nodes). Payment flows from the same conditional Bitcoin escrow that governs the incident itself; the SHA-256 hash is broadcast over gossip before upload completes, making suppression structurally impossible; and availability challenges serve a dual purpose as evidence chain-of-custody proofs.

Configurable jury quality market — three independently adjustable panel parameters — coherence threshold (80%–99%), open seat fraction (0–⅓), and minimum jury bond (0.1 BTC–uncapped) — embedded at escrow construction, enabling a tiered premium service market for adjudication quality. The ⅔ labor-qualified invariant is non-configurable; all three settings can only raise the Sybil defence. The bond minimum decays gradually if the panel cannot fill (×0.70 at 144 blocks, ×0.70 at 288 blocks, full default reset at 432 blocks).

Passive retroactive fraud detection — fabricated incident chains are surfaced automatically by statistical dissent across calibration queue reviews at a 40% threshold. No individual submitter required. Forfeiture funds the review panel at normal case rates; remainder subsidises BCAEN redundancy via 90-day drip release.

Event-driven jury fee market — dual-trigger: +12.5% per case close when queue > 0, −12.5% per case close when queue = 0, plus +6.25% every 18 blocks (~3h) while queue > 0. Price-out ejection after 36-block grace window removes underfunded cases, preserving queue depth as a clean demand signal. No protocol floor. Priority fee: voluntary express review, both parties, pro-juror, pro-speed.

Cell-scoped labor — responder labor scores recorded per H3 cell, preventing remote-farming attacks without requiring global coordination. Labor earned is labor earned where it was demonstrated.

Bond withdrawal delay — 90-day hold from last case close, extended by any active retroactive review. Ensures malicious juror bonds remain present for forfeiture. Early release path available via juror-requested audit at normal case fee.

Offer-linked integrity — large bounty and outcome rewards imply minimum responder personal bond and labor credentials before floor bounty share or merit weight; the alert packet carries recommended gates every node computes identically.

Labor quota with temporal seasoning — two thirds of every jury panel must hold verified case history; seasoning discounts rapidly accumulated records; cohort correlation detection penalises coordinated voting blocs.

Zero-cost-till-need participation model — no subscription, no standing retainer, no membership fee. Costs incurred only when an actual incident occurs. Opens emergency response to the uninsured and under-protected who could never sustain private security or insurance premiums.

10. The Bond System

Specification — bond types, entry floors, escrow scripts, spending paths, insurer buffers, forfeiture flows

Attack surface codes (C2.1, C4.1, etc.) in this section refer to entries in the companion Threat Vector Map, which enumerates all identified attack surfaces across 8 categories and their protocol mitigations.

Without skin in the game, every alert is free to fake. Without programmable money, skin in the game cannot be enforced without trust. Bitaid's bond system creates legible offer and demand signals that did not previously exist. A caller staking real capital expresses the severity of their situation. A bounty prices the value of rapid presence. An outcome reward prices the value of actual intervention. Together they constitute the first market price signals for passive emergency response — not the pre-arranged bilateral market for private guards, but a real-time spot market where strangers bid to respond to unscheduled incidents by unknown callers, conditional on attendance and outcome.

10.1 Bond Types

Every bond in the protocol lives in its own independent conditional escrow. Each uses the same dual-backend architecture: an Elements script on Liquid for standard stakes, or a P2WSH script on Bitcoin L1 for institutional-scale capital. Bond types differ in who posts them and what triggers forfeiture, but the script architecture is identical across every escrow.

Caller bonds — three tiers, each independent:

1. Deposit — the refundable good-faith deposit. Proves the incident is real. Returned intact on honest use, forfeited on confirmed misuse. + insurer buffer opt-in.

2. Bounty — an optional appearance payment compensating responders for showing up and documenting, regardless of outcome. Prices the value of presence. + insurer buffer opt-in.

3. Outcome reward — an optional escrow released by the jury on verified outcome. Prices the value of the problem being solved. + insurer buffer opt-in.

Each tier prices a different behaviour: the deposit prices honesty, the bounty prices presence, the reward prices intervention. Responders sort incoming alerts by the full economic package — stake credibility, bounty size, outcome reward, labor credentials — not by queue position.

Responder bond — backs the responder's skin in the game on every incident attended. Forfeited on confirmed misuse or bad-faith arbitration. Fully reserved; no fractional reserve on the base deposit. + insurer buffer opt-in.

Jury bond — dedicated arbitration deposit, minimum 0.1 BTC. Required to sit on panels. Lost at a penalty rate between 2× and 4× on incoherent votes, scaling with dissent isolation and appeal tier. + insurer buffer opt-in.

Archival bond — posted by BCAEN storage operators. Forfeited proportionally on corrupted or unavailable records. Scales linearly with declared capacity. + insurer buffer opt-in.

Direct capital always outweighs insured capital in protocol scoring. Insurer buffers are fully disclosed — users are responsible for what they contract.

10.2 Entry Floors by Role

Each role has its own entry floor, calibrated to the responsibility it assumes. The floors are deliberately asymmetric.

Caller deposit floor — 5,000 satoshis at genesis. Approximately $0.50 at $10,000 per BTC, rising to $5 at $100,000 per BTC. Low enough that any participant with genuine need can register; high enough that bulk false-alarm campaigns face real cumulative cost. The floor follows a deterministic 20% annual nominal deflation from Bitaid's application-layer genesis block height — calibrated to roughly offset Bitcoin's historical appreciation range of 10–30% per year, keeping the fiat-equivalent caller floor approximately stable. Computed independently by every Core from block height alone. No oracle, no governance, no trust required.

Responder bond floor — 0.01 BTC at genesis. Approximately $1,000 at $100,000 per BTC. The responder physically intervenes, uses force where the legal framework of citizen arrest applies, and is exposed to civil and criminal liability as well as BCAEN-documented misuse rulings. This floor closes the attack surfaces in C2.1 (phantom attendance), C2.2 (vote collusion), and C2.4 (excessive-force intervention). Unlike the caller floor, the responder bond carries no deflation schedule. As Bitcoin appreciates, the fiat-equivalent cost rises — passively filtering toward professionalisation on the supply side. Individual responders at genesis are joined over time by insured firms and security companies for whom a larger bond is a normal operating cost. The protocol never needs a governance vote to raise professional standards; Bitcoin appreciation does it automatically.

Jury bond floor — minimum 0.1 BTC, fixed. Ten times the responder floor. The jury decides outcome reward releases and contested arbitration — their verdict moves the largest sums, and incoherent votes are penalised at 2× to 4×. The pool is closed by default; entry is via merit-based coherence competition rather than open-market bond posting — this is the primary defence against capital-flood attacks on jury selection (C4.1). The entry mechanism works in conjunction with the reputation quota, temporal seasoning, and cohort correlation detection described in §14.3.

Archival bond floor — 0.005 BTC base, scaling with declared capacity. Half the responder floor at genesis. Bond size sets the node's floor bid in the slot auction; declared capacity above the minimum scales the bond linearly. Forfeiture is proportional to failed availability challenges. This floor closes C6.2 (availability fraud) and C6.5 (slot collusion). Carries no deflation schedule.

The ratios are deliberate: caller at 5,000 sat, responder at 0.01 BTC (2,000×), jury at 0.1 BTC (20,000×), archival at 0.005 BTC (1,000×). Entry cost tracks the liability the role assumes.

10.3 The Incident Deposit and Partitioned Escrow

At registration the caller commits a Bitcoin deposit locked in a P2WSH conditional script. The script has three spending paths: cooperative release (both parties sign, incident resolves without dispute); verdict release (jury pool produces an aggregate FROST signature authorising transfer); and CLTV timelock return to the caller's recovery address after timeout if no responder accepts and no dispute is raised.

The exact Taproot leaf structure uses three leaves: OP_IF ... OP_CHECKSIG (cooperative path, 2-of-2 between caller and responder), OP_IF ... OP_CSV ... OP_CHECKSIG (verdict path, requiring the jury pool aggregate public key plus a relative timelock of 6 blocks to allow for appeal filing), and OP_CLTV ... OP_CHECKSIG (timeout return, using the caller's recovery key with an absolute CLTV of 288 blocks). The jury-path script additionally commits to the exact forfeiture destination addresses so that a verdict cannot redirect funds to arbitrary outputs. A Liquid Elements variant uses the same leaf structure with confidential amounts.

Zero-cost-till-need. Participation carries no standing cost. No subscription, no monthly retainer, no membership fee. The caller posts a bond at incident registration and it is fully refundable on honest use. The only non-recoverable costs are the bounty (voluntary payment for responder attendance), BCAEN archival fees (only if footage is recorded), and jury fees (only if a dispute is escalated). If a caller experiences no incident, they pay nothing. If a responder never accepts an alert, they earn nothing and lose nothing beyond opportunity cost. This model opens emergency response to the uninsured and under-protected who could never sustain a private security retainer or insurance premium.

Partitioned escrow. The deposit is partitioned into two non-commingled portions: a collateral partition (pure forfeiture capital, never consumed by fees, seized in full on misuse) and an operational reserve (funds jury fees, archival slot payments, and bounty distributions). The operational reserve is spent first via CLTV or cooperative paths for service costs; the collateral partition is released only to the caller (honest return), to attending responders (misuse seizure), or to the jury resolution escrow (disputed outcome). This separation prevents a Sybil attacker from paying escalating jury fees out of their own penalty pool, ensuring the full deterrent remains present for seizure.

Two-phase escrow. Because attending responders are unknown at subscription time, the incident capital involves a two-phase structure. At subscription, the caller constructs two live escrows. The first holds the incident deposit — returned on honest close, seized on misuse. The second holds the bounty and outcome reward pool. Because eventual recipients cannot be pre-committed before any incident fires, this second escrow releases not directly to responder addresses but to a secondary distribution escrow whose address is deterministically derivable from the attending responders' registered pubkeys and the incident record hash once the incident occurs. Any node can verify that a proposed distribution escrow address is protocol-compliant before the primary spending transaction is finalised.

10.4 Offer-Linked Integrity

For high-value alerts, the protocol makes an explicit pairing: no responder should profit more from cheating on an incident than they stand to lose when cheating is proven. At alert construction, the packet carries recommended minimum bond and labor credentials that every node computes identically from the posted economics. On large bounties, the median bond among attendees cannot be dragged down by floor-minimum identities; the offer size sets the comparison baseline.

Insurer-backed integrity. On high-value alerts, the recommended minimum bond and labor credentials increasingly assume an insurer buffer as baseline. The protocol strips the buffer before scoring, but the market does not strip it before responding. A caller posting a large outcome reward with a minimal personal bond and no insurer buffer sends a weaker credibility signal than a caller posting the same reward backed by a substantial insurer buffer — not because the protocol weights the extra capital, but because responders and jurors observe the insurer's clean ratio and price the risk differential. The buffer is the market's proxy for “someone else with capital at risk has already reviewed this participant.”

10.5 Insurer Buffer Mechanics

At bond registration time the insurer posts a second UTXO into the same escrow alongside the participant's personal bond UTXO. Both UTXOs are locked by identical forfeiture conditions — jury verdict or attending-vote outcome. When a verdict triggers forfeiture, the protocol assembles a spending transaction with the insurer UTXO as Input 0 and the personal bond UTXO as Input 1. The jury pool reviews this exact transaction template and produces an aggregate FROST signature with SIGHASH_ALL, which cryptographically commits to the precise input ordering. Any attempt to reorder inputs invalidates the signature. The script validates only the signature against the committed pool key; input ordering is enforced by the sighash commitment. This mechanism is identical on Liquid and Bitcoin L1.

Insurer track record as market signal. Every buffer seizure is recorded on the Bitcoin-anchored event log. Nodes compute an insurer clean_ratio — the proportion of backed identities never slashed, discounted by temporal seasoning. This ratio is gossip-propagated and advisory only; the protocol does not weight it in jury selection or bond calculation. However, responder nodes and juror panels may reference it as a soft filter. An insurer with a 99% clean ratio signals rigorous vetting; an insurer with repeated slashes sees market preference degrade across all remaining subscribers in real time. A single bad actor poisons the insurer's entire pool.

The buffer is never a substitute for the personal deposit. Every participant must post 100% of the protocol floor from their own capital. The buffer sits above this floor, extending indemnification without creating fractional-reserve fragility.

Bitcoin-denominated bonds: volatility as structural advantage. Bitcoin-denominated bonds are not a volatility liability for insurers; they are a structural advantage that no fiat-denominated competitor can replicate. The “risk” of BTC volatility is only a risk for fiat-native institutions trying to denominate everything in dollars. For a Bitcoin-native insurer, the volatility is the return. Post-halving bull runs appreciate bond capital 3–10× in fiat terms. Even a severe 70% bear market drawdown following that run typically leaves the insurer with 1–3× their original fiat capital — a return that traditional insurers holding fiat reserves at 3–4% annual yield would need decades to match. The insurer who holds BTC through the cycle outperforms every traditional insurance investment model by default.

Optional neutral positioning. A more conservative insurer may take a delta-neutral position during the post-bull bear year: hold BTC for bond posting, run a proportional short via perps, futures, or Discreet Log Contracts. The short pays on BTC decline, preserving fiat-equivalent buffer value. This is tactical, not structural — the base case (hodl through the cycle) already wins. The short is simply a way to take some chips off the table during the predictable post-halving downtrend without liquidating the underlying Bitcoin.

Bitcoin treasury companies as natural insurers. Companies with large Bitcoin treasuries — firms that have already made the strategic decision to hold BTC as a reserve asset — are the natural archetype for the Bitaid insurer market. They already hold the capital. They already accept the volatility. Deploying a portion of standing holdings as insurance buffers converts idle treasury into a revenue-generating business line through actuarial leverage rather than financial leverage. No additional BTC need be acquired; no rehypothecation risk is introduced; the bonds are returned when subscribers exit. The insurer earns premium income, builds a clean ratio reputation, and captures the early-mover advantage in an emerging market — all while the underlying BTC position appreciates through the halving cycle. It is treasury strategy with an operational cash flow attached.

10.6 Forfeiture Flows

All forfeiture events route through a consistent framework. Panel fees are always paid first at normal case rate. Remainder follows type-specific rules:

Caller misuse (troll alerts confirmed by attending vote): seized deposit distributed to attending responders pro-rata by merit weight. The stake that induced them to attend on false pretences becomes their payment.

Responder misuse (harmful intervention, phantom attendance): panel fees first; remainder indemnifies the harmed party per jury verdict. If no identifiable victim, remainder enters the dispute resolution fund.

Juror misconduct (corrupt juror expelled by 80% supermajority): panel fees first; remainder flows 100% to the BCAEN redundancy subsidy pool (90-day drip). The corrupt juror's bond does not enrich the panel that ruled on them. The panel earns only its standard fee.

Retroactive chain fraud (fabricated incidents): panel paid at normal rate; remainder enters BCAEN pool (90-day drip).

Archival failure (failed availability challenges): funds replacement slot costs; remainder enters BCAEN pool.

Sponsorship cascade (sponsor deposit seized on invitee misuse): enters the dispute resolution fund.

No forfeiture event directly enriches the jurors who ruled on it beyond their normal per-case fee. This closes the captured-panel attack.

11. Network Roles

Specification — the five participant types, their bonds, their economics, and their operational requirements

11.1 Caller

The person in danger presses one button. Nothing else is required of them.

At registration the caller commits their incident deposit, configures their optional bounty and outcome reward, calibrates their panic trigger, and designates a recovery address — a Bitcoin address to receive the deposit return in the event of incapacitation. The stake is already in place before any incident occurs.

The panic trigger activates immediately on press. Pre-trigger buffering — a configurable rolling window of up to 60 seconds — captures the moments before the button is pressed as well as after. A 911 call (or local equivalent) is an opt-in feature, off by default. Regardless of whether a 911-equivalent call was placed, an audio transcript of the incident can be attached to the post-incident report as a supplementary evidence track, stored in BCAEN alongside the video footage, and subject to the same access-consent model.

Feel Unsafe mode. Records a local pre-trigger buffer on the device only — no live stream, no BCAEN upload, no gossip load until full panic. On panic, upload, hash gossip, escrow encumbrance, and responder economics activate together. Registration stake and operator relay thresholds still apply to any path that reaches the network. Misuse rules on confirmed false incidents apply after full alert the same as any caller. Because Feel Unsafe recordings begin locally and are not hash-gossiped until full panic, the chain-of-custody proof is marginally weaker than a full alert. The protocol addresses this through timestamp chaining: the panic-triggered BCAEN upload includes the full local buffer as a contiguous stream with no gaps, and the upload hash commits to the entire recording including the pre-panic segment. A verifier can confirm that the pre-panic footage was recorded continuously and has not been tampered with. For the highest-stakes cases, the requesting party may configure escrow settings to require a full alert path rather than Feel Unsafe.

Impersonal callers: alarm systems and automated monitors. A caller need not be a person. A home security system, a commercial alarm panel, an industrial sensor array, or any automated monitoring device can register as a caller identity and trigger alerts autonomously when its sensors detect intrusion, fire, medical emergency, or any configured threat condition. The protocol mechanics are identical: the device posts an incident deposit, broadcasts an alert packet with GPS and cell coordinates, streams evidence to BCAEN, and funds responder bounties from its escrow.

The difference is the quality of the evidence: an automated caller produces a richer BCAEN report than a human caller typically can — continuous video feed from multiple angles, sensor telemetry (motion, heat, sound, glass-break), and pre-incident footage that may span minutes or hours rather than seconds. This richer evidence enables more targeted responder intervention: a responder reviewing BCAEN footage from a monitored premises sees exactly what triggered the alert, where the threat is located, and whether it is still active before they arrive.

For commercial and industrial applications, the automated caller model enables direct integration with existing alarm infrastructure: the alarm company operates the Bitaid-registered device as part of its monitoring service, the property owner’s insurance policy may fund the incident deposit and bounty as a covered benefit, and the responder receives better intelligence than a simple panic button could ever provide. The alarm company brings the infrastructure; the protocol brings the trustless dispatch, payment, and dispute resolution.

Caller identity is held encrypted locally and never transmitted in plaintext. Full identity disclosure is caller-initiated only: the caller signs a disclosure transaction authorising release to specific parties. For impersonal callers, disclosure is configured at registration by the device operator — property address and contact details are pre-authorised for release to attending responders, since a building cannot choose to disclose mid-incident.

11.2 Responder

The most capable people for this work are already trained. They just have no market to sell into.

The responder physically attends incidents. The role requires a higher minimum bond than the caller, a paired Core daemon, and recording hardware. The responder earns income through the three-tier economic offer and builds a labor record that compounds over time.

The alert card shows the full three-tier economic offer — bond amount as credibility signal, bounty as appearance payment, outcome reward and its condition if configured — alongside pre-trigger footage if available, caller attestation status, and the count of other responders who have already accepted. The outcome reward is displayed prominently as the primary competitive signal for professionals. Passing on any alert carries no penalty.

Professional security firms as responders. Existing licensed security companies are the natural supply side of the responder market. They already possess the training, equipment, legal counsel, and local deployment infrastructure that the protocol requires. For them, Bitaid is not competition but a demand-discovery layer — a way to monetise idle capacity during quiet periods and accept incident-specific calls that legacy retainer economics would make unprofitable. A security firm brings capital, professionalism, and legal infrastructure; the protocol brings trustless coordination, dispute resolution, and a spot market for emergencies. See section 5 (The Bootstrapping) for the full cold-start analysis.

The responder’s personal bond must be fully reserved — no fractional reserve on the base deposit. An opt-in insurer buffer may supplement it, disclosed to all parties, carrying zero weight in protocol scoring, and seized before personal capital on any forfeiture event. Recording hardware — a paired body camera or drone — connects to the companion app via Bluetooth or USB-C and streams footage directly to BCAEN on incident acceptance.

BCAEN upload and hosting costs for responder-originated evidence are funded initially by the responder’s own capital at upload time. This ensures footage lands in the archival network the moment an incident is accepted, before any dispute can arise about settlement. At case close, these upload costs are reimbursed from the caller’s deposit escrow as part of standard settlement. If the caller successfully disputes the outcome, the upload costs remain the responder’s loss. This aligns incentives precisely: responders only upload material they would stand behind under adversarial review.

Citizen arrest legal framework. The right of a private citizen to detain someone witnessed committing a serious offence predates professional policing by centuries and exists in most jurisdictions worldwide. Responders operate within this legal framework, which is navigated entrepreneurially rather than prescribed: viable tactics emerge through practice, insurer underwriting requirements, and jury precedent, analogous to how private security firms in adversarial legal environments (e.g., Spanish des-okupa operations) develop creative non-confrontational methods within legal bounds. The protocol surfaces jurisdiction-specific legal reference to the responder’s companion app based on grid cell location; these references are advisory only, and the protocol assumes no liability for responder conduct.

11.3 Relay Node

Every AidCore daemon relays by default. There is no separate relay role, no forwarding fee market, and no protocol-level payment for packet routing. A caller who runs their own Core to avoid connecting to third-party infrastructure is simply a self-sovereign participant. A responder relays. An archival node relays. A jury node relays. All of them relay because that is what AidCore nodes do — it is the baseline cost of network membership, not a monetised service.

The network enforces its own liveness through dead-end scoring. Cores that observe a peer failing to propagate alerts attest to that failure over gossip; accumulated dead-end attestations reduce that peer’s priority in routing tables and eventually lead to exclusion. The thresholds are: dead-end ratio above 0.3 over the most recent 200 attestations triggers deprioritisation; above 0.6 triggers exclusion. Both use a rolling window, so nodes that recover honest propagation behaviour recover their routing position over time. Because relaying nodes post no relay bond, there is nothing to slash — dead-end scoring carries no forfeiture component. What it carries is routing consequence: a node that accumulates dead-end attestations sees reduced network presence, fewer alerts routed through it, and diminished peer connectivity. Nodes that want good routing position maintain honest propagation behaviour. Nodes that do not care about routing position are, by that fact, not useful to the network and the network responds accordingly.

11.4 Jury Node

A jury that loses money for being wrong is a jury with skin in the game.

The jury node is an AidCore daemon operator who has posted a jury bond of at least 0.1 BTC. Jury nodes are selected to adjudicate contested incidents and to release outcome rewards on verified outcomes. Eligibility requires passing a retro-testing threshold — at least 80% agreement with consensus outcomes across a minimum of 10 prior cases — and a 30-day time-lock prevents rapid re-entry after bond forfeiture.

Jury nodes may specialise in subcourt categories — medical, property, detention — and cases are preferentially routed to matching subcourts. An opt-in insurer buffer may supplement the jury bond, seized before personal capital on forfeiture, carrying zero weight in scoring. The full jury mechanism is specified in section 14 (Arbitration Mechanism).

Bond withdrawal. 90-day mandatory delay from last case close. During the window the bond remains encumbered and subject to forfeiture if retroactive review validates against any case the juror participated in. Early release via juror-requested audit at normal case fee. Minimum 30-day floor even if all cases audited and cleared. This is the mechanism that gives retroactive fraud detection real teeth: a malicious juror cannot corrupt a verdict and immediately exit with their capital.

Staleness handling. Maintaining a current anchored event log is mandatory for jury nodes, though not necessarily the full history from genesis. A pruned window covering the operational period is sufficient. Staleness is self-correcting: a lagging jury node that proposes a stale panel composition has its proposal rejected by peers with more current state. The rejection carries a reference to the specific anchored event the lagging node is missing; the node fetches that event, verifies its Bitcoin anchor, updates its state, and resubmits. No bond is forfeited for being temporarily out of sync. Staleness causes failed proposals and brief participation delay, both proportionate and recoverable.

Premium tier eligibility. Jury nodes that accumulate 50+ cases with lifetime coherence of 90%+ and 180+ days seasoning qualify for the upper band of the configurable coherence range. No separate registration required. Nodes with bonds above the 0.1 BTC floor are automatically eligible for cases specifying higher bond minimums. Higher-bond nodes find themselves in smaller but more exclusive eligible pools for premium cases, earning higher market-clearing fees.

Jury node operators who retain the full event log from genesis may register as BCAEN Class B state record nodes, earning Lightning micropayments per chunk served to bootstrapping nodes — a complementary revenue stream on data they already hold at negligible marginal cost.

11.5 Archival Node

The archival node is an AidCore daemon operator who has posted an archival bond and declared storage capacity. Archival nodes operate in two distinct classes. Class A nodes bid for BCAEN storage slots at incident creation, host footage and evidence chunks during the retention window, and respond to cryptographic availability challenges to prove continued hosting. Payment is released from incident escrow via automated Elements script execution on passed challenges. Bond is forfeited proportionally on failed challenges or corrupted records. Class B nodes retain the full Bitcoin-anchored application event log from genesis and serve it to bootstrapping nodes for Lightning micropayments; these are typically jury or responder operators who already maintain the event log as part of their operational role.

The storage required scales with incident volume and footage quality. A Raspberry Pi with an attached SSD meets the minimum specification for standard-definition footage. Archival nodes may selectively bid for incident types and quality tiers. An opt-in insurer buffer may supplement the archival bond, seized before personal capital on forfeiture, carrying zero weight in scoring. The full archival mechanism is specified in section 13 (Evidence Layer).

12. Network Architecture

Specification — transport, discovery, gossip topology, Bitcoin anchoring

The Bitaid Core is a headless daemon running on a Raspberry Pi, server, or VPS. It maintains all network state: DHT participation, Tor circuits for alerts and gossip, high-bandwidth transport circuits for BCAEN uploads and retrievals, deposit credentials, grid cell registration, alert validation, and all cryptographic operations. It exposes a local API via Tor Hidden Service. The Core never holds signing authority — the user’s device retains the keypair and signs locally.

The Bitaid Mobile companion app is a thin client handling only GPS, camera, UI, and notifications. Two registration profiles exist: the caller profile (stake configuration, panic button, Feel Unsafe mode, rating UI) and the responder profile (Core pairing, alert reception, recording hardware configuration). A caller in crisis never encounters responder configuration screens.

Node discovery. Kademlia-based DHT adapted to operate over Tor Hidden Services. Each node has a persistent DHT identity derived from its keypair. Bootstrap nodes are hardcoded but replaceable via configuration. The DHT layer handles node discovery only; alert routing uses the geofenced gossip layer.

Grid cell system. H3 hexagonal cells at resolution 7 (~5 km edge length). Alerts propagate to the same cell and all 6 adjacent hexagons. In low-density areas (fewer than 5 active Cores in the 7-cell ring), propagation expands to the next ring. Cell membership is deterministic from GPS coordinates.

Geofenced gossip. Alerts propagate only to Cores in the same cell and adjacent cells — bounding propagation to the geographic area where response is possible. Dead-end scoring propagates through the same layer: Cores that observe no onward propagation from a peer attest to that observation. Ratio above 0.3 over 200 attestations triggers deprioritisation; above 0.6 triggers exclusion. Rolling window, recoverable.

Bitcoin-anchored event log. Every application event is a signed message carrying: version, type, timestamp (Bitcoin block height), payload, sender pubkey, and signature. Gossip messages use CBOR canonical encoding. The message ID is the hash of (sender_pubkey, timestamp, payload_hash). Validation requires: signature verifies, timestamp within drift of local block height, type-specific payload well-formed, sender has unspent bond UTXO. Lagging nodes converge after the fact by fetching missing events and verifying their Bitcoin anchors. Anchor verification defaults to 3-of-5 named explorer consensus; operators may substitute a local full node.

13. Evidence Layer (BCAEN)

Specification — recording, upload, archival classes, slot auctions, availability challenges

Recording and upload. On incident acceptance, the responder’s camera streams footage in real time to the nearest BCAEN ingestion node. The stream is chunked at 256 KB intervals. Each chunk is hashed immediately; the hash is broadcast over gossip before the upload completes. This ordering — hash first, upload second — is the suppression resistance mechanism: any verifier can confirm that the content they retrieve matches the hash that was publicly propagated. Suppression would require compromising all archival nodes holding the content simultaneously.

Class A: Incident footage custody. Archival nodes bid for storage slots at incident creation. Bond size and declared capacity set the node’s floor bid price in slot auctions. Nodes that win slots host footage and evidence chunks during the retention window and respond to cryptographic availability challenges to prove continued hosting. Payment is released from incident escrow via automated Elements script execution on passed challenges. Bond is forfeited proportionally on failed challenges or corrupted records. Class A revenue is incident-variable.

Availability challenges. Every 144 blocks (~2.4 hours on Liquid), the protocol issues a cryptographic challenge to each archival node holding active slots. The challenge requires the node to produce a proof of possession: a Merkle path from a randomly selected chunk to the root hash committed at upload time. The node has 12 blocks to respond. A failed challenge triggers proportional bond forfeiture: the node loses a fraction of their bond equal to the fraction of challenged slots they failed to prove. Three consecutive failures on any slot trigger full forfeiture of that slot’s bond share and immediate slot revocation. The slot re-auctions to replacement nodes.

Class B: Application state records. Retains the full Bitcoin-anchored application event log from genesis and serves it to bootstrapping nodes for Lightning micropayments. Class B nodes are typically jury or responder operators who already maintain the event log as part of their operational role. Class B revenue is steady: bootstrapping nodes need the event log continuously, and Lightning micropayments provide regular income for data the operator already holds at negligible marginal cost. A Class B operator who also runs Class A has their fixed storage costs amortised across both revenue streams.

Integrated archival economics. Class A and Class B are not independent revenue streams — they form a unified economic system. A Class A-only operator with insufficient slot volume may find operation uneconomical without the Class B subsidy — which is exactly why juror misconduct forfeiture and retroactive chain fraud forfeiture flow to the BCAEN redundancy subsidy pool, subsidising archival capacity that incident-variable revenue alone cannot sustain. The result is a globally distributed evidence layer whose baseline capacity is funded not by a central allocator but by the protocol’s own penalty mechanism redirecting attacker capital into infrastructure that honest participants need.

Suppression resistance quantified. At incident close, the final chunk hash is anchored to Bitcoin via an OP_RETURN transaction containing the Merkle root of all chunk hashes. This produces a timestamped, globally replicated commitment that cannot be altered without rewriting the Bitcoin chain from that block forward. To suppress evidence, an attacker must simultaneously compromise: (1) the responder’s local device before upload completes, (2) the ingestion node receiving the stream, (3) all archival nodes that won slots in the auction, (4) the Bitcoin chain from the anchor block forward, and (5) the gossip network where chunk hashes were broadcast. Each layer is independent; compromising any subset leaves the remaining layers intact. The security is the conjunction of all five, not the disjunction.

Feel Unsafe evidentiary status. Feel Unsafe recordings begin with a local buffer and are not hash-gossiped until full panic, so the chain-of-custody proof is marginally weaker than a full alert. The protocol addresses this through timestamp chaining: the panic-triggered BCAEN upload includes the full local buffer as a contiguous stream with no gaps, and the upload hash commits to the entire recording including the pre-panic segment. A verifier can confirm that the pre-panic footage was recorded continuously and has not been tampered with between local capture and network upload. This is admissible under the same cryptographic evidence standard as any BCAEN recording, with the caveat that the pre-panic segment has a slightly weaker non-repudiation guarantee because the hash was not gossiped in real time.

14. Arbitration Mechanism

Specification — attending vote, jury pool, coherence competition, penalty scaling, appeals, fee market

Attack surface codes in this section refer to entries in the companion Threat Vector Map.

Bitaid arbitration is a two-tier structure. The first tier — attending-only voting — resolves incident validity and bounty release among parties who were physically present. The second tier — the independent jury — governs outcome reward release and disputes that attending parties cannot resolve. Precedence is strict: the attending vote resolves all matters in scope unless any bonded party files escalation within 48 hours, at which point the entire dispute moves to the jury tier. Partial escalation is not permitted; the jury inherits the full incident record and issues a single binding verdict across all escrows.

14.1 Attending-Only Vote

Each attendee submits a signed outcome assessment weighted by their merit score:

weight = sqrt(stake_ratio) × (0.1 + labor_factor × bounty_factor)

The stake_ratio uses personal capital only; insurer buffer is excluded. The 0.1 floor ensures new responders with no history are not silenced. The square root compression prevents capital dominance while preserving meaningful stake differentiation. If the attending vote produces 80% supermajority, the outcome reward releases and the case closes. If not, the case enters the jury queue.

This tier closes a critical attack vector: without it, a caller could refuse to cooperate and wait for the CLTV timelock to reclaim their deposit, obtaining response services for free. The attending-only vote lets responders who attended, documented, and acted collectively assert the outcome regardless of caller cooperation. When the attending verdict confirms caller misuse — a troll alert, fabricated incident, or bad-faith non-cooperation — the incident deposit is seized and distributed to attending responders pro-rata by merit weight as compensation for wasted presence.

Sybil fast-track via responder report. If responders accept an alert, attend, and find no real incident, they report it as fake through the attending vote. The case is flagged SYBIL_SUSPECT and bypasses the standard fee queue for priority review within 24 blocks. A lightweight 3-juror panel examines BCAEN evidence; if confirmed fake, the caller deposit is seized immediately and the caller identity is banned. Other cases from the same caller pattern (same UTXO cluster, same GPS spoofing signature) are auto-flagged for batch review. The people with the most skin in the game — responders who wasted time and fuel — are the first line of fraud detection.

14.2 Jury Eligibility and Selection

A jury that loses money for being wrong is a jury with skin in the game.

Jury nodes must post a jury bond of at least 0.1 BTC. Eligibility requires passing a retro-testing threshold: at least 80% agreement with consensus outcomes across a minimum of 10 prior cases. A 30-day time-lock prevents rapid re-entry after bond forfeiture.

Calibration coherence defined. A juror's calibration coherence score is the ratio of cases in which their vote aligned with the weighted majority verdict to the total cases they have participated in, expressed as a percentage. Cases where the juror abstained do not count toward either numerator or denominator. The score is computed over the juror's full case history and is not windowed — early incoherent votes persist indefinitely, making coherence genuinely hard to recover once degraded. This is by design: a juror who accumulates a large clean history and then begins voting incoherently sees their score decline slowly, giving the calibration queue time to detect the shift before the juror falls below threshold.

Why 80%. The threshold is not arbitrary — it is the economic break-even point given the asymmetric penalty band. A juror who wins 4 of 5 cases (80% coherence) and faces the average 3× penalty on their single loss earns net positive: 4 wins at full rate minus 1 loss at 3× cost yields a small surplus. At exactly 80% with the maximum 4× penalty, the juror breaks even; with the minimum 2× penalty, they are comfortably profitable. Below 80%, even a 2× penalty produces net losses. The threshold functions as a rational-participation filter: a juror whose coherence has fallen below 80% is losing money by continuing to serve.

Configurable jury quality. Either disputing party may embed three independent quality settings in the escrow at construction time: coherence threshold (default 80%, configurable 80%–99%), open seat fraction (default ⅓, configurable to 0), and minimum jury bond (default 0.1 BTC, configurable upward, uncapped). The ⅔ labor-qualified invariant is non-configurable; all three settings can only raise the Sybil defence. The fee differential above standard is paid ad hoc by the requesting party from their own capital. The bond minimum decays gradually if the panel cannot fill: ×0.70 at 144 blocks, ×0.70 at 288 blocks, full reset at 432 blocks. Coherence threshold and open seat fraction snap to defaults at 432 blocks. These settings create a tiered premium service market for adjudication quality with no precedent in dispute resolution.

14.3 Pool Closure and Merit-Based Entry

The jury pool is closed to new entrants by default. The pool size target is the rolling median of the active juror count over the last 200 case-event windows. When the current count meets or exceeds the target, no bond can be posted to join. This structural closure is the primary Sybil defence: it is not merely more expensive to attack, it is structurally impossible to guarantee attack progress regardless of capital available.

A slot opens under two conditions. Natural turnover: when a juror voluntarily exits, is ejected for inactivity, or has their bond forfeited, the slot opens immediately. Demand undersupply: when the queue has been continuously non-zero for 432 consecutive blocks (~72 hours) despite fee rises, and all queued cases are verified fundable at the prevailing fee (price-out ejection having removed underfunded cases), the protocol concludes the pool is genuinely undersized and opens one slot. If the queue clears before 432 blocks, no slot opens — the fee mechanism was sufficient.

When a slot opens, entry operates on a three-track system:

Track A — Coherence competition (primary track, library ≥ 100 cases). Applicants submit three things within a 48-hour window: (1) a non-refundable participation fee paid directly to BCAEN archival nodes for case retrieval — market-priced by bid/ask; (2) an intention bond of 0.1 BTC scaled upward by applicant count as 0.1 BTC × n^0.3, automatically returned to losers; (3) independent review of 10 calibration cases scored against established consensus. Highest coherence scorer wins. The participation fee is the key anti-Sybil cost: a farm flooding the competition with 1,000 identities pays 1,000 market-priced BCAEN fees, and each identity must independently score well. An attacker who genuinely outscores honest applicants has, in practice, become a calibrated honest juror. The participation fee revenue funds permanent calibration case hosting.

Track B — Invitation (fast path, all phases). A current juror with 50+ cases and 90% lifetime coherence may issue one signed invitation at a time. The invitee skips competition, posts 0.1 BTC directly, and enters the calibration queue. The inviting juror stakes their reputation: if the invitee votes incoherently within their first 30 cases, the inviter's coherence score takes a proportional penalty. Capital cannot manufacture a legitimate invitation.

Track C — Weighted lottery (genesis fallback, library < 100 cases). Applicants submit a scaled intention bond; one winner is selected by weighted lottery proportional to bond, capped at 3× minimum. Track C retires as Track A becomes available.

Probation. When a slot opens on sustained queue signal, the winning applicant's bond is locked with provisional status for their first 30 cases. During probation: their votes are recorded but do not contribute to calibration consensus until the window closes; if any case is later flagged by retroactive review (40% dissent), their full bond is seized and they are expelled; if the window closes with no flags, they graduate to normal status. This creates a detention period for queue-pushed entrants without penalising honest randoms.

Inactive juror replacement. A juror is flagged inactive when they decline or fail to respond to more than 80% of panel assignments over the most recent 30 case-event windows (minimum 5 cases to avoid false positives). Confirmed by supermajority of peer attestations, the juror's eligibility is suspended and their slot opens. The bond is not forfeited — inactivity is not misconduct. Replacement only fires when rolling average queue depth over 30 windows is above zero.

14.4 Blind Voting and Asymmetric Penalty

Jurors vote using a commit-reveal scheme: hash(vote, salt, jury_pubkey) is broadcast in the commit phase; the preimage is revealed in the reveal phase. This prevents jurors from observing each other's votes before committing. Late reveals are treated as abstentions — no penalty, no reward.

Asymmetric penalty. Incoherent minority jurors forfeit a portion of their bond. The penalty multiplier ranges from 2× to 4× depending on panel size n and minority proportion p (clamped between 1/n and 1/3):

penalty = 2 + 2 × ((1/3 − p) / (1/3 − 1/n))   capped at 4×

This yields a continuous, intuitive surface. For a 3-juror panel with one dissenter (p = 1/3): exactly 2× — reasonable disagreement is possible. For a 15-juror panel with a single dissenter (p = 1/15): 4× — a tiny minority against overwhelming consensus, a strong signal of corruption. Voting "insufficient evidence" carries no safe harbour; it is treated as a vote like any other, forcing jurors to engage with the evidence rather than abstain strategically.

Appeal subsidy. The penalty pool does not distribute immediately. It is locked into an appeal escrow. If an appeal is filed, the escrow funds the next round's jury fees — partially or fully — reducing the appellant's cost. The subsidy is zero when the prior tier was unanimous: the appellant bears full cost when the verdict was already uncontested. The subsidy only materialises when there was genuine disagreement, which is exactly when escalation is most legitimate. Incoherent jurors subsidise the reconsideration of their own error.

14.5 Appeal Scaling

Appeals trigger progressively larger panels: 3 jurors at first instance, 7 on first appeal, 15 on second, 31 on third and final. Each tier has a 48-hour escalation window. Appeal fee: market-clearing jury fee + 25% base surcharge per tier, paid ad hoc by appellant. Panel fees always paid first at normal case rate; surplus feeds the penalty pool for coherent jurors. The 31-juror final panel requires 80% supermajority for any outcome modification.

Frivolous appeals are self-deterring: a party that lost a unanimous 3-juror verdict receives no subsidy and faces a 7-juror panel whose dissenters — if any — will be penalised more harshly. Genuine recourse is preserved; manufactured escalation is expensive.

14.6 Fee Market

The jury fee operates on a dual-trigger adjustment adapted from EIP-1559, extended with a time-based congestion trigger:

Event trigger (each case close): queue > 0 → fee × 1.125; queue = 0 → fee × 0.875
Time trigger (every 18 blocks, ~3h): queue > 0 → fee × 1.0625; queue = 0 → no change
Slot-open trigger: 432 consecutive blocks with queue > 0 → one pool slot opens

The asymmetry is deliberate. During congestion both triggers fire simultaneously; the fee falls only on successful case closes where the queue clears. By 72 hours of continuous congestion the fee reaches approximately 4× its starting level. If elevated fees attract enough juror participation to clear the queue, both triggers stop rising and the fee drifts back down. There is no protocol-imposed fee floor.

Fee market robustness. Three properties make the fee market structurally resistant to manipulation. First, it affects only the arbitration tier — emergency coordination (alerts, responder dispatch, BCAEN evidence commitment, bounty payment) continues regardless of jury fee levels. A caller in physical danger still receives responders; only dispute resolution experiences delay. Second, sustained manipulation requires exponential capital burn: the dual-trigger compounding produces fee growth that dwarfs any plausible strategic benefit within days. The cost resembles the chessboard rice problem: one grain on the first square, doubled on each subsequent square; by the eighteenth square the pile already exceeds the entire harvest. Third, even at peak congestion — fees at 4× base, queue backed up for 72 hours — the protocol still resolves disputes in days, not the months or years of conventional proceedings.

Priority fee. Any party may attach an optional priority fee to their case, paid from the operational reserve to jurors upon resolution. The fee affects only queue order; it does not influence juror selection, panel composition, or verdict weighting. A Sybil caller who tips a fake case pays more to attract additional judicial attention to a case that will be reviewed anyway. For legitimate parties, it functions as express review. Both sides may bid independently.

The cost of asymmetric warfare. A malicious entity spamming the queue must pay non-refundable entry fees for every fake identity. As the flood intensifies, calibration competition escalates and entry costs scale automatically — exactly like Bitcoin transaction fees during congestion. The cartel must sustain this capital burn for months, because the 90-day temporal seasoning requirement means no fresh account can qualify for a labor-qualified jury seat. The moment the cartel stops paying, their fake nodes face retroactive review and bond slashing. The attack collapses under its own financial weight.

Anti-fragility in action. A sustained cartel attack actually makes the network stronger. The attacker broadcasts a massive price signal: elevated yields attract honest, highly capitalised actors who deploy nodes to capture the profit. The attacker is forced to subsidise the honest network. Their burnt capital is redistributed as yield to honest participants, funding the very security budget that neutralises them — the same way Bitcoin's difficulty adjustment turns attacker hash power into additional chain security.

14.7 Price-Out Ejection

Queue depth is only meaningful if every case can afford resolution at the prevailing fee. A case whose deposit cannot cover the current jury fee inflates apparent demand without being serviceable. A Sybil attacker could exploit this by posting many low-deposit cases, letting fees rise past their coverage, and manufacturing queue depth to trigger slot openings without funding real trials.

The price-out mechanism closes this. At each time trigger interval, the protocol evaluates each queued case: if current_fee × min_panel_size > caller_available_deposit, the case enters a 36-block grace window. If the caller tops up, the case stays; if not, it is removed from queue, deposit returned minus incurred costs, and the case falls to the CLTV timelock path. The 432-block slot-opening trigger fires only on genuine unresolvable demand. A Sybil attacker manufacturing queue depth must continuously top up deposits as fees rise — by hour 72 at 4× base fee, each case must carry 4× its original deposit or it is ejected.

Responder legitimacy as queue weight. A case's queue position is weighted not only by fee level but by the aggregate responder legitimacy of attending parties: sum(responder_reputation × responder_stake) / count. Cases with high-legitimacy professional responder attendance receive priority; cases with no responder acceptance are deprioritised. The market sorts serious incidents above suspected noise without administrative judgment. The queue is two-dimensional: fee level signals caller commitment; responder legitimacy signals incident reality.

14.8 Forfeiture Framework

All forfeiture events route through a consistent framework. Panel fees are paid first at normal case rate; remainder follows type-specific rules:

Caller misuse (troll alerts confirmed by attending vote): seized deposit distributed to attending responders pro-rata by merit weight. The stake that induced them to attend on false pretences becomes their payment.

Responder misuse (harmful intervention, phantom attendance): panel fees first; remainder indemnifies the harmed party per jury verdict. If no identifiable victim, remainder enters the dispute resolution fund.

Juror misconduct (corrupt juror expelled by retroactive review, 80% supermajority): panel fees first; remainder flows 100% to the BCAEN redundancy subsidy pool (90-day drip release). The corrupt juror's bond does not enrich the panel that ruled on them. The panel earns only its standard fee. The pool funds subsidised archival deployment in low-density cells, subsidised storage for thin-capital callers, and higher redundancy guarantees network-wide.

Retroactive chain fraud (fabricated incidents, corrupt verdict chains): panel paid at normal rate; remainder enters BCAEN redundancy subsidy pool, drip-released over 90 days. Elevated archival node yield attracts new nodes; the attacker's capital strengthens the evidence infrastructure that detected them.

Archival failure (failed availability challenges): forfeiture funds replacement slot costs; remainder enters BCAEN pool.

Sponsorship cascade (sponsor deposit seized on invitee misuse): enters the dispute resolution fund, covering appeal subsidies generated by the invitee chain.

No forfeiture event directly enriches the jurors who ruled on it beyond their normal per-case fee. This closes the captured-panel attack: a majority that falsely condemns honest participants cannot extract seized bonds as a reward.

14.9 Bond Withdrawal and Exit

A juror initiates withdrawal by broadcasting a signed exit declaration. A mandatory 90-day hold begins from the close of the juror's most recent case. During the hold: the bond remains encumbered and subject to forfeiture; new case assignments cease immediately; if retroactive review opens against any case, the hold extends for the duration of that review; multiple reviews stack — the bond releases only after all resolve. A juror with a clean history exits at day 90 with full bond returned. A juror who participated in corrupt verdicts faces forfeiture on each confirmed case before any remainder releases.

Early release path. A juror may request retroactive audit of their case history before the 90-day hold expires. Each audit convenes a panel on a specific case; the juror pays the panel fee. If the panel clears the case, that case exits the hold. If all cases are cleared before day 90, the hold releases early, subject to a minimum 30-day floor. This lets legitimate jurors with large histories exit faster by actively demonstrating cleanliness; malicious jurors requesting audits of corrupt cases accelerate their own exposure.

The 90-day hold closes the "good reputation hiding collusion" attack. A juror with years of clean scores and two corrupt verdicts faces forfeiture on exactly those two cases. The clean history does not offset the corrupt ones; it merely confirms that the remaining cases are clean. A malicious juror cannot corrupt a verdict and immediately exit with their capital.

14.10 Economic Security

Pricing inversion. A classical bid-ask price market for jury seats is structurally fatal: adversaries bid low to maximise seat acquisition, honest jurors with real opportunity costs cannot compete, and the pool fills with the cheapest bidder — reliably the most malicious. The solution is to invert the incentive: jurors get paid for being right, but lose substantially more for being wrong. Coherent jurors earn their per-case fee; incoherent jurors forfeit between 2× and 4× their bond stake depending on dissent isolation and appeal tier. The only rational juror is one confident they can vote with the honest majority, which means having enough real case history and honest standing to predict where that majority will land. The asymmetry is the actual deterrent.

Closed pool with demand-signalled entry. The jury pool is closed by default with a target size equal to the rolling median of active jurors over 200 case-event windows. Slots do not open on capital availability; they open on two objective demand signals only: natural turnover (exit, ejection, forfeiture) and sustained genuine demand (72 hours of continuous non-zero queue after price-out ejection removes underfunded cases). The bond floor is fixed at 0.1 BTC minimum — not dynamically adjusted. Entry is via coherence competition, not bond size. An attacker flooding the pool with capital finds no slots to purchase; they can only participate in a coherence competition where demonstrated work, not wealth, determines selection. The mechanism is governance-free and adversarially robust: an attacker who genuinely outscores honest applicants on calibration cases has, in practice, become a calibrated honest juror.

Simpler alternatives and why they fail. Staked random sampling with long lockup and severe slashing — no reputation, no seasoning, no cohort detection — immediately runs into the 50% control problem: an attacker with more than half the pool by bond weight wins every vote, and the bond floor required to make that acquisition astronomically expensive also excludes every participant who is not already wealthy. You trade mechanism complexity for access exclusion and still do not solve capital capture. Delegating arbitration to a small fixed federation is not an alternative — it is already the formal arbitration path (see §14.11), available to parties who want it. The protocol does not compete with simplicity; it offers trustless coordination as the default and institutional arbitration as the opt-in.

14.11 Formal Arbitration Path

For parties in pre-existing commercial relationships — an insurer and subscriber, a security firm and client, a property manager and tenant — a voluntary formal arbitration path adds a federation multisig spending path to the escrow at construction time. The federation consists of credentialed AidCore nodes operated by a recognised arbitration body (ICC, LCIA, UNCITRAL, or equivalent).^[26][27] The arbitration body adjudicates off-protocol using the BCAEN evidence as documentary record. This path is only available when all relevant parties share a pre-existing institutional relationship including a recognised arbitration clause.

The federation’s N-of-M pubkeys are embedded as a fourth Taproot spending path at escrow construction, alongside the cooperative, verdict, and timeout paths. The chosen institution adjudicates using the same BCAEN evidence the protocol produced, operating under its own independent international jurisdiction rather than under any state’s domestic courts. A state actor attempting to corrupt a verdict governed by international commercial arbitration law, enforced through multilateral treaty frameworks, and backed by on-chain evidence distributed before anyone could suppress it faces a fundamentally different and far more complex attack surface than the protocol layer alone presents.

The two systems are complementary. The protocol provides trustless coordination and tamper-proof evidence at speed; the formal arbitration layer provides institutional and legal weight that no on-chain mechanism can replicate. For insurer-subscriber disputes, security firm contracts, and commercially structured relationships where both parties agree in advance on a neutral arbitration venue, this is the correct choice. The protocol does not compete with formal arbitration; it offers it as the appropriate escalation for parties who want it.

Nation-state threat model. The on-chain arbitration layers above are calibrated for the realistic threat: opportunistic capital floods, patient reputation farming, coordinated but commercially-motivated adversaries. For disputes where a nation-state actor is a plausible threat — high-value commercial relationships, politically sensitive incidents, cross-border institutional parties — the formal arbitration path is the appropriate escalation. The complexity of the on-chain mechanism is not incidental; each layer — bond floor, reputation quota, temporal seasoning, cohort detection, sponsored bonds, retroactive fraud bounties — is a response to an attack the previous layer did not fully close. The result is a mechanism that may work, but that no single person, including its authors, can fully reason about from first principles. That is not a failure of design. It is an honest acknowledgement of the attack surface. Where that uncertainty is unacceptable, formal arbitration provides an alternative with centuries of institutional precedent and treaty enforcement.

15. Payment Protocol

Specification — Liquid, Boltz, Elements scripts, Lightning, institutional path

Bitaid operates a dual-chain architecture: Liquid for standard stakes and Lightning for micropayments, with Bitcoin L1 for institutional-scale capital. Chain selection is not a design preference; it is a consequence of the payment pattern each role generates.

15.1 Liquid and Elements Scripts

Standard stakes — caller deposits below 1 BTC, responder bonds, jury bonds, archival bonds — operate on Liquid, a Bitcoin sidechain with confidential transactions, native asset support, and 1-minute block times. The faster block time matters for arbitration: a jury verdict that releases an outcome reward should not require waiting an hour for Bitcoin confirmation. The confidential transaction support matters for privacy: the amount in a bond escrow is not visible to external observers analysing the chain.

Elements scripts handle the conditional payment flow. The script has three spending paths, each encoded as a separate Taproot leaf:

Leaf 1 — Cooperative release. OP_IF ... OP_CHECKSIG requiring 2-of-2 signatures from caller and responder. Activated when both parties agree the incident resolved satisfactorily. No jury involvement, no fee market interaction, no delay. The simplest and most common path.

Leaf 2 — Verdict release. OP_IF ... OP_CSV 6 ... OP_CHECKSIG requiring the jury pool aggregate public key plus a 6-block relative timelock. The 6-block delay allows any bonded party to file an appeal before the funds move. The jury path script commits to exact forfeiture destination addresses, preventing a verdict from redirecting funds to arbitrary outputs. This is the path through which asymmetric penalties, forfeiture flows, and appeal subsidies execute.

Leaf 3 — Timeout return. OP_CLTV 288 ... OP_CHECKSIG using the caller’s recovery key with a 288-block absolute CLTV (~48 hours on Liquid). If no responder accepts the alert and no dispute is raised, the deposit returns to the caller. This path prevents capital from being locked indefinitely on unaccepted alerts.

The three-leaf structure means the cooperative path is always available and cost-minimal; the verdict path is available when parties disagree; the timeout path is the safety net. No custodian is required to select between them — the script enforces the conditions natively.

15.2 Boltz Submarine Swaps

A Boltz submarine swap backend handles on-the-fly conversion between Bitcoin, Liquid, and Lightning. This is critical for responder and juror UX: a responder who wants to receive payment in Lightning for instant access does not need the caller to post a Lightning invoice. The caller posts the bond in Liquid (or Bitcoin L1 for large amounts); the swap backend converts to Lightning at resolution time. The responder designates their preferred receiving chain at registration; the protocol handles conversion transparently.

The swap is atomic: either the conversion completes and the responder receives funds on their preferred chain, or it fails and funds revert to the escrow for retry. There is no counterparty risk beyond the swap backend itself, which operates as a market maker with publicly auditable reserves. A compromised swap backend cannot steal escrow funds — it can only fail to execute the conversion, in which case funds remain in the escrow and the parties can retry or route through an alternative backend.

15.3 Lightning Integration

Lightning is used for payment patterns that require high frequency and low value: Class B archival micropayments (per-chunk retrieval fees paid by bootstrapping nodes), third-party Core connection fees (paid by thin clients to full Cores for routing and validation services), and BCAEN retrieval fees (paid by jurors and auditors pulling evidence for review). Lightning is not used for: incident escrow (amounts are too large for channel capacity and require on-chain finality), jury fees (require conditional release via script, not preimage revelation), or bond posting (requires on-chain locking visible to all nodes for validation).

The separation is deliberate. Lightning excels at micropayments where trustless finality is less critical than speed and cost. On-chain settlement excels at large-value transfers where finality is paramount. Bitaid uses each for what it does best.

15.4 Institutional Path (Bitcoin L1)

Institutional stakes — bonds above 1 BTC, typically posted by security firms, insurers, or high-net-worth individuals — operate on Bitcoin L1 with standard P2WSH scripts. The same three-leaf Taproot structure applies, but the jury pool aggregate public key is a Musig2 aggregation of individual juror pubkeys rather than a FROST threshold key. The threshold is 80% of the panel: for a 15-juror panel, 12 jurors must sign.

FROST signing produces a single Schnorr signature that validates against the aggregated public key. The signature commits to the exact transaction template via SIGHASH_ALL, preventing any modification of outputs, input ordering, or fee after signing begins. This is the same enforcement mechanism used for insurer buffer ordering: any attempt to reorder inputs or redirect outputs invalidates the signature.

The institutional path exists because large bond holders may prefer the settlement finality and auditability of Bitcoin L1 over the convenience of Liquid. The protocol does not preference one chain over the other; both are fully supported and interoperable through Boltz swaps.

16. Privacy & Security

Specification — caller anonymity, responder exposure, device security, state resistance

Attack surface codes in this section refer to entries in the companion Threat Vector Map.

16.1 Caller Privacy

Caller identity is held encrypted locally and never transmitted in plaintext. The alert contains a pseudonymous identifier derived from the deposit UTXO — sufficient to verify bond validity without revealing identity. Full identity disclosure is caller-initiated only: if the caller chooses to disclose to attending responders or to a legal authority, they sign a disclosure transaction. The protocol does not automatically disclose caller identity to any party, including law enforcement.

Location is revealed in two stages. Initial alert propagation carries only the grid cell identifier (~5 km precision). Precise GPS coordinates are embedded in signed alert packets and shared only with responders who have explicitly accepted the alert — never broadcast to the full cell. The companion app never transmits raw GPS coordinates to any server. All location data is routed only over Tor.

Feel Unsafe mode provides the strongest privacy guarantee: recording is local-only with no network activity until full panic. No live stream, no BCAEN upload, no gossip load, no metadata leakage. On panic, the full buffered footage uploads with timestamp chaining that commits the pre-panic segment to the same cryptographic evidence standard as the post-panic footage. There is no KYC, no registration database, no identity verification, no phone number required, no email address collected.

BCAEN privacy properties. Footage uploaded to BCAEN is content-addressed: the retrieval key is the hash of the content itself. There is no index, no search, no directory. An attacker who knows a content hash can retrieve the corresponding footage; an attacker who does not know the hash cannot enumerate stored content. The hash is gossiped at upload time, so all nodes in the propagation cell learn it, but nodes outside the cell do not. This creates a natural geographic privacy boundary: footage is retrievable by anyone with the hash, but the hash is only known to participants in the incident cell. Jurors reviewing cases receive the hash through the jury assignment protocol, not through public indexing.

16.2 Responder Privacy

Responder identity follows the same pseudonymity model. The responder’s Core keypair is the only persistent identifier. Earnings are received to a Lightning or Liquid address designated at registration — not linked to any real-world identity by the protocol. Responders who choose to build public market standing may voluntarily link their pseudonymous identity to a verifiable credential, but this is never required.

Responders operate pseudonymously but with higher exposure than callers: they physically attend incidents and their body camera footage is archived on BCAEN. The responder’s Core runs on a dedicated device separate from their personal phone. The responder’s bond UTXO is not linked to their identity by any protocol mechanism, but physical attendance creates correlation risk that responders manage through operational discipline.

The critical distinction is between alert-layer anonymity and footage-layer correlation risk. At the alert layer, the responder is a pseudonymous keypair accepting an encrypted alert over Tor — no IP exposure, no identity linkage. At the footage layer, the responder’s body camera captures their presence at a specific location at a specific time, and that footage is hashed, gossiped, and archived. The footage does not identify the responder (no name, no credential, no biometric), but it creates a physical presence record that correlates with the pseudonymous identity that accepted the alert. A responder who accepts many alerts in the same cell builds a physical presence pattern that could theoretically be correlated with other data sources. This is not a protocol vulnerability; it is an inherent property of physical response work. Responders manage it the same way journalists manage source protection: dedicated devices, operational compartmentalisation, and awareness that physical presence is the one layer cryptography cannot protect.

Correlation attack analysis. A state-level adversary with access to cellular tower records, CCTV footage, and financial transaction data could theoretically correlate a responder’s pseudonymous identity with their real identity by matching physical presence patterns. The protocol mitigates this through: (1) pseudonymous keypairs with no linkage to phone numbers or financial accounts, (2) Tor routing obscuring IP addresses, (3) Lightning micropayments creating no on-chain transaction graph, (4) cell-based alert propagation limiting geographic exposure to ~5 km radius, and (5) the option for responders to use multiple pseudonymous identities across different cells. A responder who rotates pseudonyms every 30 cases and operates in multiple cells produces no single identity with enough physical presence data to correlate. This is operational discipline, not protocol enforcement — the protocol provides the tools; the responder uses them.

16.3 Device Security

The companion app stores the private key in the device secure enclave (iOS Keychain / Android Keystore). The key never leaves the enclave; all signing operations happen inside. Biometric authentication (Face ID / fingerprint) gates alert creation and high-value operations. The recovery key is a 12-word BIP39 seed generated at registration, displayed once, and stored by the user offline.

The Core daemon never holds signing keys — all signing occurs on the user’s device. A compromised Core cannot forge signatures or redirect funds. The Core maintains network state (DHT, gossip, BCAEN connections) but all transaction signing requires the private key that lives only on the user’s device. If the Core is compromised, the attacker learns network topology and gossip contents but cannot spend bonds, cannot create alerts, and cannot sign verdicts.

GPS spoofing mitigation. Multiple independent recorders at the same scene with consistent GPS metadata make coordinated spoofing expensive. A single responder could spoof their location, but spoofing the location of three independent responders plus the caller while producing consistent BCAEN footage is a qualitatively harder attack. Hardware attestation — GPS modules with cryptographic signing, tamper-evident body cameras — is a market-driven response. Insurers who require attested hardware for buffer coverage create economic pressure toward adoption without protocol-level enforcement. The protocol does not mandate attestation; the market prices the risk differential between attested and unattested responders. Over time, high-value alerts will increasingly attract attested responders because insurers competing on clean ratio will demand attestation as a condition of buffer coverage, and callers posting large bounties will prefer responders whose hardware is attested.

16.4 State Resistance

The protocol is designed to remain functional under adversarial state conditions. Tor routing obscures participant IP addresses for alert and gossip traffic. BCAEN uploads and retrievals are routed over a high-bandwidth anonymous transport (I2P or equivalent) that has no exit node architecture, removing the exit node surveillance surface that Tor retains. DHT-based discovery has no central bootstrap dependency — bootstrap nodes are hardcoded but replaceable via configuration, and the DHT itself continues to function as long as any subset of nodes remains connected.

On-chain bonds cannot be seized without compromising the participant’s private key. There is no intermediary holding funds that can be court-ordered to freeze. The protocol does not maintain any server infrastructure that can be subpoenaed for logs, raided for hardware, or shut down by court order. There is no company, no foundation, no CEO, no board of directors, no registered address. The reference implementation is open-source; the specification is public; the rules are enforced by Bitcoin script and game theory, not by any entity that can be threatened, bribed, or captured.

Relay operators and responder firms are independent businesses in their respective jurisdictions. A state can regulate or prohibit a specific operator within its territory, but it cannot prohibit the protocol itself because the protocol has no jurisdictional presence. It is a set of rules and a reference implementation, not a legal entity. The same structural property that makes BitTorrent resistant to copyright enforcement makes Bitaid resistant to jurisdictional prohibition: the protocol specification is speech, the reference implementation is speech, and the network is a decentralised peer-to-peer graph with no centre to attack.

Jurisdiction shopping for relay operators. Because relay operators are independent businesses, they naturally gravitate toward jurisdictions with favourable regulatory environments. A relay operator in a jurisdiction that prohibits Bitaid can simply relocate their servers to a jurisdiction that does not. The protocol has no dependency on any specific operator; if one exits, the DHT routes around them. Over time, the network of relay operators will concentrate in jurisdictions with strong free-speech protections, strong property-rights enforcement, and weak regulatory capture — not because the protocol enforces this, but because market selection favours operators in jurisdictions where they are least likely to be shut down. This is the same mechanism that concentrated Bitcoin mining in jurisdictions with cheap, stranded energy: market participants follow the economic incentives, and the protocol does not care where they are.

17. Theoretical Foundations

Philosophical backbone — why the mechanism is structurally sound, not merely technically clever

The Austrian School proved why monopoly public safety must fail. Bitaid is what you build when you accept those proofs and stop trying to reform the monopoly. The following sections rank the theoretical foundations by their load-bearing importance to the protocol architecture. The first three are structural: remove any one and the design collapses. The next five are reinforcing: they make the mechanism more robust, more honest, and harder to capture. The final two are supplementary: they explain why the design choices are recognisable instances of broader principles. None are decorative.

B.1 The Economic Calculation Problem in Public Safety — Foundation 1 of 10 (Load-bearing)

Without prices, rational calculation is impossible. Full stop. Mises did not say this was difficult or inconvenient. He said it was impossible — a logical category error, not a practical shortcoming. Ludwig von Mises demonstrated in Socialism (1922)^[32] and Human Action (1949)^[33] that rational economic calculation is impossible without market prices. Applied to public safety: how many officers should patrol a given block? Bureaucratic allocation cannot answer this — no price mechanism communicates the relevant information. Bitaid resolves this by introducing three price signals that emerge from voluntary interaction: the incident deposit, the bounty, and the outcome reward. Together they constitute a nascent price system for emergency response services — the first in which demand is expressed through voluntary capital commitment rather than bureaucratic allocation.

B.2 The Knowledge Problem and Decentralised Coordination — Foundation 2 of 10 (Load-bearing)

The information needed to respond is local, ephemeral, and unavailable to any central authority. Friedrich A. Hayek’s 1945 essay “The Use of Knowledge in Society”^[12] established that information required for economic coordination is dispersed, local, and tacit. A crime in progress is precisely this kind of knowledge: known immediately and with certainty by the victim, becoming stale within minutes. Centralised emergency dispatch introduces a communication bottleneck that destroys the time-value of this information. Bitaid is a decentralised telecommunications protocol for local, ephemeral knowledge — the alert reaches nearest available responders directly, without routing through a dispatch centre. The same principle governs the per-node acceptance threshold mechanism: each operator’s threshold encodes local information about what constitutes meaningful skin-in-the-game, information no central parameter setter could hold.

B.3 Private Defense and the Market for Security — Foundation 3 of 10 (Load-bearing)

The monopoly on security is not a feature of civilisation. It is a contingent historical arrangement that has been treated as inevitable because no technology existed to route around it.

Murray N. Rothbard’s analysis in For a New Liberty (1973)^[34] describes how private defense arrangements could function through voluntary contractual relationships rather than coercive monopoly. Bitaid is the protocol layer on which such arrangements can emerge.

Hans-Hermann Hoppe’s “The Private Production of Defense” (1998/2003)^[35] develops the architecture in more detail: competing insurance companies as the natural providers of security services, with actuarial incentives to genuinely prevent harm rather than benefit from its recurrence. The insurer’s profit is maximised precisely when its subscriber base experiences minimal loss events — the inverse of monopoly public safety provision, where budget growth tracks failure rather than success. Bitaid’s insurance flywheel (§3, §10.5) is a direct on-chain implementation of this architecture: insurers competing on premium pricing and on the bounty and outcome reward levels they fund, with the prevention of incidents reducing the claims they would otherwise pay against life and property policies.

Hoppe’s Democracy: The God That Failed (2001)^[36] identifies two further structural problems that the protocol turns into features. First, democratic public safety is systematically biased: politicians optimise for metrics measurable before the next election, producing over-enforcement of victimless offences and under-response to victim crimes. Bitaid’s incident deposit mechanism corrects this at the demand side — caller capital, not electoral calendar, determines what receives response. The demand side is sovereign. Second, time preference: institutions that reward long horizons and impose real cost on rapid exit produce better outcomes than those that allow instant entry and instant liquidation. The protocol’s temporal seasoning requirement and jury bond withdrawal delay (§14.9) encode this logic in mechanism. You cannot buy a reputation and immediately cash it out. You cannot corrupt a verdict and vanish. Time is on the side of honesty.

On market concentration and decentralisation. Decentralisation in Bitaid is measured by permissionless entry and exit, not by equal market share. A dominant insurer or responder firm that achieves scale through superior service is not a protocol failure; it is information revealing market structure. State coercion — licensing barriers, regulatory capture, subsidies to preferred entrants — creates illegitimate monopolies. Market-winning concentration, where any competitor may enter and challenge the incumbent, is legitimate and optimal at that time. The protocol enforces this through open bond posting, gossip-verifiable reserve ratios, and the fork mechanism (§12): no administrative gatekeeper can prevent entry or protect incumbents.

The polycentric-law tradition — David Friedman’s The Machinery of Freedom (1973)^[22] on competing legal systems — frames Bitaid’s two-tier arbitration design (§14.1, §14.5): on-chain attending vote and independent jury for default cases, with an opt-in formal arbitration path for parties in pre-existing commercial relationships. No single adjudicatory monopoly is assumed; the market determines which mechanism resolves which class of dispute.

If a state moves to prohibit Bitaid, it demonstrates that it regards itself as a market competitor rather than a neutral provider of justice — the prohibition is evidence of the monopoly’s defensive interest.

B.4 Entrepreneurial Alertness and the Responder Function — Foundation 4 of 10

The market discovers who can best serve a need. No bureaucracy can do this in advance.

Israel M. Kirzner’s Competition and Entrepreneurship (1973)^[15] defines the entrepreneur as an agent alert to unexploited profit opportunities. The responder in the Bitaid network functions as a Kirznerian entrepreneur: they observe a local alert with a bounty, assess their proximity and capability, and act to close the gap between unserved demand for safety and available supply of response capacity. Jesús Huerta de Soto’s work on dynamic efficiency^[48] extends this to tacit knowledge — the kind that cannot be centralised or priced by a bureaucratic system. A veteran who knows how to de-escalate a knife confrontation without force, a former paramedic who carries a trauma kit, a trained martial artist who can restrain an aggressor proportionately — these are capabilities the formal system cannot route demand to because it has no price mechanism for doing so. Bitaid transforms this distributed, tacit capability into productive action through the bounty mechanism: the market routes demand to whoever can best serve it, not to whoever the dispatch algorithm assigns.

B.5 The Juridical Distinction Between Deposit and Insurance — Foundation 5 of 10

Sound insurance is not fractional-reserve banking. The juridical distinction is the whole argument.

Jesús Huerta de Soto’s Money, Bank Credit, and Economic Cycles (1998/2006)^[37] develops the juridical foundations distinguishing deposit contracts (irregular deposits requiring 100% availability) from loan contracts and from insurance contracts (where actuarial pooling against contingent events is the contract’s defining feature, not a violation of it). His critique of fractional-reserve banking targets the specific case where a deposit contract is performed as a loan contract — a juridical category error that manufactures phantom money substitutes. Insurance contracts fall outside this critique entirely.

Bitaid’s bond architecture (§10.1, §10.3) enforces full reservation at the script level. Every bond, whether personal or insurer-backed, is a UTXO locked in a conditional escrow with deterministic spending paths. There is no fractional reserve.

A personal bond and an insurer buffer are identical in form. Both are UTXOs. Both are seized on forfeiture. Both are fully reserved on-chain. The difference is in deployment pattern, not deposit structure. A personal bond backs one identity with one-for-one capital. An insurer buffer backs many identities by posting many UTXOs into many escrows simultaneously — actuarially confident because emergencies are sequential, not simultaneous, for any single backed identity.

The FROST signature from the jury pool or attending responders materialises the outcome. It selects which spending path activates per incident, consuming the buffer where misuse occurred while leaving other encumbrances intact. The script handles the selection natively; the insurer does not rely on an accounting layer to track exposure.

The zero protocol weight applies to scoring only. The buffer is stripped before computing jury selection, merit weight, or labor qualification. Relay operators and responder nodes may subjectively factor insurer backing into their own acceptance thresholds — treating a substantial buffer as a signal that someone with capital already vetted this participant. This is opt-in and operator-specific, not protocol-mandated. The market may price the risk differential; the protocol does not.

The actuarial multiplication happens where it belongs: at the insurer’s balance sheet, not at the deposit contract. The protocol enforces identical cryptographic treatment on both; the juridical tradition’s deposit-insurance distinction is preserved not by different script structures but by the same script structure applied to different risk deployments.

B.6 The Monetary Foundation of the Stake — Foundation 6 of 10

Sound collateral requires sound, trustless, and auditable money. No other asset qualifies.

Gold is sound money by the standard of costly production and fixed supply. But gold fails the trustlessness test: physical custody requires vaults, guards, auditors, and custodians — a chain of trusted intermediaries that the protocol cannot afford. Carl Menger’s analysis of the origin of money (1871,^[39] 1892^[40]) established that money emerges spontaneously as the most saleable good. Saifedean Ammous, applying this tradition directly to Bitcoin in The Bitcoin Standard (2018)^[42], states the principle plainly: “For something to assume a monetary role, it has to be costly to produce, otherwise the temptation to make money on the cheap will destroy the wealth of the savers.” Bitcoin’s proof-of-work mechanism makes its production provably costly and its supply schedule provably fixed.

For Bitaid’s bond mechanism, sound money is necessary but not sufficient. Four additional properties are required. Programmability: the bond lives in a conditional Bitcoin script with multiple deterministic spending paths — cooperative release, verdict release, CLTV timelock. No custodian is needed to enforce the conditions; the script enforces them natively. Gold cannot be programmed; fiat requires banking infrastructure that introduces trusted intermediaries. Auditability: any node can verify that a bond UTXO exists on-chain, that it is unspent, and that its script conditions match the protocol specification. No auditor, no vault inspection, no counterparty trust. Settlement finality: once a bond transaction is confirmed, it cannot be reversed by any authority. The deterrent value of a bond that can be frozen by a court order or seized by a banking regulator is a deterrent in name only. Permissionless access: anyone with internet access can acquire Bitcoin and post a bond. No bank account, no identification, no jurisdiction, no minimum wealth threshold beyond what the protocol itself sets. Gold requires physical possession; fiat requires institutional access. Bitcoin requires only a keypair and a network connection.

A bond denominated in an inflatable currency is a bond whose deterrent value can be silently eroded by whoever controls that currency’s supply. A bond denominated in Bitcoin cannot be debased by any institution, any government, or any protocol change. But the deeper point is that a bond denominated in a non-programmable asset is a bond that cannot enforce its own conditions. The protocol requires not just sound money but scriptable sound money — money whose rules execute without human intervention. Only Bitcoin combines both.

Eugen von Böhm-Bawerk’s theory of capital and interest (1884)^[41] frames the bond in terms of time preference. The caller who locks capital in escrow demonstrates a low time preference: willingness to forgo immediate use of that capital to secure the future benefit of a credible commitment. Responders who invest time building reputation through the rating system demonstrate the same. The protocol rewards low time preference and filters out high-time-preference actors.

B.7 Robust Institutions and Spontaneous Order — Foundation 7 of 10

The best institutions do not require good actors. They produce good outcomes regardless.

Peter Boettke’s work on robust political economy^[43] analyses institutions that function well not because they assume benevolent actors, but because they align individual incentives with socially beneficial outcomes regardless of actor motivation. Bitaid is a robust institution: it does not require responders to be altruistic, callers to be honest, or arbitrators to be wise. F.A. Hayek’s concept of spontaneous order (Law, Legislation and Liberty, 1973)^[13] describes the emergence of complex, beneficial social arrangements from local actions of individuals following simple rules, without central design. Bitaid’s network is a spontaneous order: no authority decides which responders attend which incidents. These outcomes emerge from voluntary interactions of staked participants following the protocol’s incentive rules. The order is not designed. It arises.

B.8 The Roundabout Continuation — Foundation 8 of 10

If money can be taken from the state, so can the rest. The strategy is not reform. It is replacement by superior alternative.

In a 1984 interview with the Cato Institute,^[45] Friedrich Hayek offered what has become the most cited remark in the Bitcoin tradition:

“I don’t believe we shall ever have a good money again before we take the thing out of the hands of government. That is, we can’t take them violently out of the hands of government. All we can do is by some sly roundabout way introduce something that they can’t stop.”

The intuition is strategic, not theoretical: state monopolies are not undone by argument or by direct contest; they are undone by quietly building an alternative that is sufficiently better and sufficiently distributed that suppression becomes either technically impossible or politically too costly to attempt. Hayek had imagined this for money, anticipating denationalised currency in Denationalisation of Money (1976)^[44] while doubting the political path remained open. The cypherpunk movement — Tim May’s Crypto Anarchist Manifesto (1988)^[46], Eric Hughes’s A Cypherpunk’s Manifesto (1993)^[47] with its operative thesis “cypherpunks write code” — formalised the missing tactic: cryptography as the substrate on which the roundabout could actually be built. Bitcoin made the strategy real.

What was true of money is structurally true of every domain where the state operates as a monopoly provider. Money is one such monopoly; security is another; adjudication a third; archival evidence a fourth; identity a fifth. The Hayekian strategy generalises: where a state monopoly delivers a service the market would deliver better, the path forward is neither armed contest nor political persuasion but the construction of a permissionless protocol that performs the service so credibly that ordinary people prefer it. The state retains nominal jurisdiction; the actual coordination migrates elsewhere. The monopoly is not abolished — it is rendered marginal.

Bitaid is the continuation of this strategy applied to public safety. The protocol does not lobby for police reform, propose a constitutional amendment, or contest the state’s claim to a monopoly on the legitimate use of force. It builds an alternative coordination layer for emergency response — denominated in money the state cannot debase, settled through escrows the state cannot freeze, witnessed by evidence the state cannot suppress, and adjudicated by mechanisms the state cannot capture. If it works, it works regardless of whether any state recognises it. If it does not work, no state had to be persuaded of anything. The roundabout is the whole strategy.

This is the cypherpunk thesis at full extension: the role of technology in a world of state monopolies is not to argue against the monopolies but to render them irrelevant by competing with them at the protocol layer. Bitcoin removed the monetary monopoly from the conversation. Bitaid attempts the same removal for the public-safety monopoly. The pattern is general; the targets are many; the method is the same.

B.9 Trust Minimisation as Design Principle — Foundation 9 of 10 (Supplementary)

Nick Szabo’s concept of trust minimisation^[29] is the design principle underlying every escrow script, every blind vote, every hash-before-upload ordering. The protocol does not eliminate trust; it makes trust unnecessary in the specific places where trust has historically been exploited. The jury pool replaces trust in judicial institutions with game-theoretic incentive alignment. The escrow scripts replace trust in payment intermediaries with cryptographic enforcement. The BCAEN replaces trust in evidence custodians with content addressing and availability challenges.

B.10 The Productivity of Violence — Foundation 10 of 10 (Supplementary)

Mancur Olson’s distinction between roving and stationary bandits^[38] explains why the protocol’s insurance flywheel works: stationary protectors (insurers with ongoing subscriber relationships) have incentives to prevent incidents, while roving predators (one-time attackers) cannot sustain operations against a bonded, pseudonymous, globally distributed network. The flywheel converts the stationary bandit dynamic from a threat to a feature: insurers profit from prevention, not from post-incident payment.

18. Appendix A — Protocol Parameter Reference

All protocol parameters at genesis

Parameters marked deflating follow the 20% annual nominal schedule computed from Bitaid’s application-layer genesis block height. Parameters marked calibrated are set at genesis and adjustable only through the governance-free fork mechanism (§12).

Bonds & Floors

Entry cost tracks the liability each role assumes. A caller risks their deposit against a misuse ruling. A responder risks their bond against misuse and bad-faith arbitration, with their physical conduct on camera and subject to jury review. A juror risks between 2× and 4× their bond against incoherent votes. An archival node risks proportional forfeiture against failed availability challenges. The ratios are deliberate: caller at 5,000 sat, responder at 0.01 BTC (2,000×), jury at 0.1 BTC (20,000×), archival at 0.005 BTC (1,000×). The caller floor deflates at 20% annually to preserve accessibility regardless of Bitcoin’s price trajectory; service-provider floors carry no deflation schedule, so Bitcoin appreciation passively filters toward professionalisation on the supply side.

Jury Pool Entry

The pool is closed by default with a target size equal to the rolling median of active jurors over 200 case-event windows. Slots open only on natural turnover (exit, ejection, forfeiture) or sustained demand signal (72 hours of non-zero queue after price-out ejection). Entry operates on three tracks depending on calibration library maturity. Track A (coherence competition, library ≥ 100 cases) requires applicants to review 10 calibration cases, pay a non-refundable BCAEN participation fee, and lock a scaled intention bond. Track B (invitation) lets proven jurors vouch for candidates. Track C (weighted lottery) is a genesis-only fallback. The 100-case threshold for Track A activation balances the need for a meaningful calibration library against the risk of prolonged lottery-based entry during genesis.

Jury Mechanism

The ⅔ labor-qualified invariant is the core Sybil defence at the panel level: it guarantees that no panel can be majority-Sybil regardless of how many fake identities enter the pool. The 80% coherence threshold is the economic break-even point given the 2×–4× asymmetric penalty band. Configurable quality settings (coherence threshold, open seat fraction, bond minimum) create a tiered premium service market for adjudication quality. The bond minimum decays at ×0.70 per 144-block interval to prevent deadlock when high settings cannot fill a panel.

Fee Market

The dual-trigger mechanism adapts EIP-1559 with a time-based congestion trigger that fires even when no cases are closing. The asymmetry is deliberate: fees rise from both case closes and time during congestion, but fall only on successful case clears. By 72 hours of continuous congestion the fee reaches approximately 4× its starting level. There is no protocol-imposed floor; the market clears wherever supply and demand meet. The 36-block price-out grace window ensures queue depth signals are clean: every case in the queue at block H is fundable at fee(H).

Forfeiture Flows

All forfeiture events route through a consistent framework: panel fees first at normal case rate, then type-specific remainder destinations. No forfeiture event enriches the ruling panel beyond their standard per-case fee — this closes the captured-panel attack where a majority might falsely condemn honest participants to extract seized bonds. The 10% protocol reserve share drawn from all jury fees funds appeals, emergency allocations, and protocol development without requiring a separate funding mechanism.

Network & Routing

Dead-end scoring enforces liveness without a relay bond: nodes that fail to propagate see reduced routing priority and eventual exclusion. The thresholds (0.3 for deprioritisation, 0.6 for exclusion) use rolling windows so recovery is possible. Grid cells at H3 resolution 7 (~5 km) balance geographic precision against propagation overhead.

Evidence (BCAEN)

Chunk size at 256 KB provides standard-definition footage intervals. The 90-day BCAEN subsidy drip period releases retroactive forfeiture gradually to avoid market shock while attracting new archival nodes through temporarily elevated yields.

Parameter	Value	Unit	Section	Notes
BONDS & FLOORS
Caller deposit floor	5,000	satoshis	§10.2	Deflating; offsets Bitcoin appreciation 10–30%/yr
Responder bond floor	0.01	BTC	§10.2	Fixed in BTC terms; rises in fiat as Bitcoin appreciates
Jury bond floor (minimum)	0.1	BTC	§10.2, §14.3	Fixed minimum; entry via merit competition; Track C lottery genesis only
Archival bond floor	0.005	BTC	§10.2	Base minimum; scales linearly with declared capacity
Caller floor deflation rate	20%	per year nominal	§10.2	Calibrated; offsets Bitcoin historical appreciation 10–30%/yr
Bond lock window (winner)	48	hours	§14.3	Failure passes slot to next highest scorer
JURY POOL ENTRY
Pool target size window	200	case-event windows	§14.3	Rolling median of active juror count; pool closes at target
Undersupply queue threshold	72	hours continuous non-zero queue	§14.3	Triggers one slot opening; resets if queue clears first
Calibration library threshold (Track A)	100	verified cases	§14.3	Below: Track C lottery. At or above: Track A coherence competition
Participation fee (Track A)	Market bid/ask	BTC, non-refundable	§14.3	Paid to BCAEN archival node. Funds indefinite calibration case hosting
Intention bond scaling	0.1 BTC × n^0.3	n = applicant count	§14.3	Refunded to losers; winner excess above 0.1 BTC refunded at lock
Competition window (Track A)	48	hours	§14.3	Cases reviewed, scores submitted; highest coherence wins
Cases per competition set	10	calibration cases	§14.3	Selected from BCAEN library; scored against established consensus
Invitation issuer threshold (Track B)	50 cases, 90% coherence	lifetime	§14.3	One outstanding invitation at a time; inviter coherence penalty on invitee misconduct
Lottery weight cap (Track C)	3×	minimum bond	§14.3	Genesis fallback only; retires when calibration library ≥ 100 cases
Inactivity flag threshold	> 80%	declined over 30 windows, min. 5 cases	§14.3	Bond retained; slot opens. Fires only when avg queue depth > 0
JURY MECHANISM
Labor-qualified panel share	⅜ minimum	of panel	§14.2	Protocol invariant — cannot be reduced by any configuration
Labor-qualified threshold (coherence)	80% (default)	lifetime coherence	§14.2	Minimum 10 cases required. Configurable 80%–99% at escrow construction
Open seat fraction	⅓ (default)	of panel	§14.2	Configurable to 0 at escrow construction. Cannot exceed ⅓
Quality config fallback window	72	hours	§14.2	Uncleared non-default config resets to 80% / ⅓ defaults automatically
Quality config fee	Market-clearing differential	ad hoc, requesting party	§14.2	Not drawn from shared escrow; paid from requesting party's own capital
Minimum jury bond (custom)	0.1 BTC (default)	BTC	§14.2	Configurable upward, uncapped. Filters eligible pool by bond size
Bond minimum decay rate	×0.70	per 144-block interval	§14.2	At 144 blocks (~day 1) and 288 blocks (~day 2). Floor: max(result, 0.1 BTC)
Seasoning ramp	90	days	§14.2	labor_score × min(1, days/90)
Penalty range	2× – 4×	bond	§14.4	Scales with dissent isolation and appeal tier
Appeal panel sizes	3 / 7 / 15 / 31	jurors	§14.5	Tier 1 / Appeal 1 / Appeal 2 / Appeal 3 (final)
Escalation window	48	hours	§14 intro	After attending-only verdict; escalates entire dispute
Re-entry lock after forfeiture	30	days	§14.2	After bond forfeiture before re-registration
Bond withdrawal delay	90	days	§14.9	From last case close; extended by active retroactive review
Early release minimum floor	30	days	§14.9	Minimum hold even if all cases audited and cleared
FEE MARKET
Fee event adjustment	±12.5%	per case close	§14.6	+12.5% if queue > 0 after close; −12.5% if queue = 0 after close
Fee time adjustment	+6.25%	every 18 blocks (~3h)	§14.6	Fires only while queue > 0; no downward time trigger
Slot-open queue trigger	432	consecutive blocks (~72h)	§14.6	All cases in queue must be fundable at prevailing fee
Price-out grace window	36	blocks (~6h)	§14.7	Top up deposit or case removed; deposit returned minus incurred costs
Genesis starting fee	TBD	BTC	§14.6	Calibrated genesis parameter; not a permanent constraint
Priority fee	Voluntary, non-refundable	either party	§14.6	Affects queue order only; does not affect juror selection
FORFEITURE FLOWS
Retroactive review dissent threshold	40% flag / 80% confirm	flag rate / confirmation supermajority	§14.6	Triggers automatic re-review; no individual submitter
All forfeiture: trial costs first	Normal case rate	panel fees	§14.8	Panel never enriched beyond normal per-case fee
Caller misuse remainder	Attending responders	pro-rata by merit weight	§14.8	Compensation for wasted presence on false alert
Responder misuse remainder	Harmed party	caller / competing responder / split	§14.8	Jury verdict specifies recipient; no victim → dispute fund
Retroactive chain fraud remainder	BCAEN subsidy pool	90-day drip	§14.8	Attracts new archival nodes; they stay for normal economics
Archival failure remainder	Replacement slot costs → BCAEN pool	then 90-day drip	§14.8	Directly funds replacement node onboarding first
Malicious content remainder	BCAEN subsidy pool	90-day drip	§14.8	Removal costs zero; stake funds network growth
Sponsorship cascade remainder	Dispute resolution fund	appeal subsidies + attending costs	§14.8	Sponsor's capital covers disputes their invitees generated
Protocol reserve share	10%	of all jury fees	§14.8	Funds appeals, emergency allocations, protocol development
NETWORK & ROUTING
Dead-end deprioritisation threshold	> 0.3	ratio / 200 attestations	§11.3	Rolling window; recoverable
Dead-end exclusion threshold	> 0.6	ratio / 200 attestations	§11.3	Rolling window; recoverable
Anchor verification default	3 of 5	independent explorers	§12.1	mempool.space, blockstream.info, btcscan.org, blockchair.com, blockchain.info; operator may substitute full node
Grid cell size	~5	km (H3 res 7)	§11.3	Alerts propagate to same cell + 6 adjacent hexagons
EVIDENCE (BCAEN)
Chunk size	256	KB	§13	Standard-definition footage intervals
BCAEN subsidy drip period	90	days	§14.8	Retroactive forfeiture releases; gradual to avoid market shock
Pre-trigger buffer	up to 60	seconds	§10.1	Configurable rolling window; Feel Unsafe local-only until panic
Offer-linked deterrence factor	2×	max wrongful gain	§10.4	Personal bond must exceed twice worst-case capture from incident escrows
Bounty floor split	70/30	guaranteed / variable	§14.1	70% pro-rata by merit weight; 30% equal split among all attendees
Merit weight formula	sqrt(stake_ratio) × (0.1 + labor_factor × bounty_factor)	unitless	§14.1	stake_ratio capped at 3×; 0.1 floor for new responders

References

Threat Vector Map Close ✕

Protocol-layer outcomes. Failed commercial abuse typically forfeits bonds to honest participants and raises local acceptance thresholds. This is not chain re-org or rule change. Tail risk: insurer mispricing (off-protocol). Nation-state: formal arbitration (§14.11), not protocol capture alone.