# Risk and Failure Modes

Real-world asset tokenisation introduces risks that do not exist in purely on-chain systems. These risks span legal, operational, technical, and governance domains. The protocol does not attempt to eliminate all risk; instead, it is designed to **identify, isolate, and contain failure** so that issues are visible and do not cascade silently.

This section outlines the primary risk categories and how the system responds when assumptions fail.

***

#### Risk Categorization Framework

Risks are grouped by where failure originates.

| Risk Category    | Origin                                 |
| ---------------- | -------------------------------------- |
| Asset Risk       | Off-chain asset performance            |
| Legal Risk       | Regulatory or contractual issues       |
| Operational Risk | Custody, reporting, or process failure |
| Attestation Risk | Incorrect or missing attestations      |
| Protocol Risk    | Smart contract or logic failure        |
| Governance Risk  | Decision delay or miscoordination      |

This categorization allows targeted mitigation rather than blanket responses.

***

#### Asset-Level Risk

Asset risk arises from the underlying real-world asset itself.

Examples include:

* default or impairment
* loss of value
* maturity mismatch
* counterparty insolvency

These risks **cannot be resolved on-chain**. The protocol responds by:

* reflecting asset state changes explicitly
* preventing silent continuation
* enabling restriction or settlement pathways

Tokenisation does not transform asset quality; it makes asset risk **observable**.

***

#### Legal and Regulatory Risk

Legal risk includes:

* changes in regulatory status
* enforceability challenges
* jurisdictional conflicts

When legal risk materializes:

* transfers may be restricted
* issuance may be halted
* governance escalation is triggered

The protocol prioritizes **legal safety over liquidity**.

***

#### Operational Risk

Operational failures include:

* custodian outages
* missed reporting deadlines
* process breakdowns

Operational risk is mitigated by:

* role separation
* redundancy where possible
* explicit attestation requirements

Failure to operate does not grant additional authority. It results in **reduced protocol activity**, not discretionary overrides.

***

#### Attestation Failure

Attestations are structured trust inputs and therefore a major risk surface.

Failure modes include:

* missing attestations
* conflicting attestations
* provably false statements

Protocol responses include:

* freezing issuance or transfers
* flagging asset state as uncertain
* escalation to governance

Attestation silence is treated as a signal, not ignored.

***

#### Protocol-Level Risk

Protocol risk includes:

* smart contract vulnerabilities
* logic errors in rule enforcement
* upgrade or configuration errors

Mitigations include:

* formal audits
* conservative upgrade processes
* isolation between assets

A protocol failure should affect **as little state as possible**.

***

#### Governance Failure

Governance may fail due to:

* delayed decision-making
* conflicting stakeholder incentives
* legal uncertainty

The system assumes governance may be slow or indecisive.

As a result:

* emergency actions are time-bound
* unresolved issues default to restriction
* assets can enter a frozen or protective state

Inaction leads to **containment**, not unchecked operation.

***

#### Failure Containment Strategy

The protocol follows a clear hierarchy when failures occur:

```
Detect
   ↓
Restrict
   ↓
Escalate
   ↓
Resolve or Settle
```

This ensures:

* early detection
* limited blast radius
* explicit resolution paths

Continuation without clarity is never the default.
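The fail-closed evaluation described in the Attestation Failure, Governance Failure and Failure Containment Strategy sections can be modelled off-chain as follows. This is an added sketch, not the protocol's own code: the state names, the attester names, the 24-hour freshness window and the rule that attested values must match exactly are all assumptions made for illustration.

```python
from dataclasses import dataclass
from enum import Enum

class AssetState(Enum):
    ACTIVE = "active"
    RESTRICTED = "restricted"  # issuance/transfers frozen, asset state uncertain

@dataclass(frozen=True)
class Attestation:
    attester: str
    value: int      # attested quantity (hypothetical unit)
    timestamp: int  # seconds

@dataclass(frozen=True)
class Decision:
    state: AssetState
    escalate: bool  # hand the issue to governance
    reason: str     # recorded so the restriction is attributable

MAX_AGE = 86_400  # assumed freshness window, not a value from the protocol

def evaluate(attestations, required, now, unresolved_escalation=False, max_age=MAX_AGE):
    """Detect -> Restrict -> Escalate. ACTIVE is returned only if every check passes."""
    if unresolved_escalation:
        # Governance inaction keeps the asset contained, however healthy the inputs look.
        return Decision(AssetState.RESTRICTED, True, "unresolved escalation")
    latest = {}
    for a in attestations:
        # Ignore unknown attesters and future-dated statements; keep the newest per attester.
        if a.attester in required and a.timestamp <= now:
            cur = latest.get(a.attester)
            if cur is None or a.timestamp > cur.timestamp:
                latest[a.attester] = a
    fresh = {k: v for k, v in latest.items() if now - v.timestamp <= max_age}
    missing = sorted(set(required) - set(fresh))
    if missing:  # silence is a signal: a stale or absent attestation restricts the asset
        return Decision(AssetState.RESTRICTED, True, "missing or stale: " + ",".join(missing))
    if len({a.value for a in fresh.values()}) > 1:
        return Decision(AssetState.RESTRICTED, True, "conflicting values")
    return Decision(AssetState.ACTIVE, False, "ok")

# Constructed sample input: two required attesters, one superseded statement.
NOW = 1_000_000
REQUIRED = {"custodian", "auditor"}
SAMPLE = [
    Attestation("custodian", 95, NOW - 50_000),  # superseded by the newer one below
    Attestation("custodian", 100, NOW - 3_600),
    Attestation("auditor", 100, NOW - 7_200),
]
```
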

***

#### Risk Interaction and Compounding

Some failures compound.

Examples:

* attestation failure + governance delay
* legal dispute + liquidity stress

The protocol responds to compounding risk by:

* tightening restrictions
* increasing disclosure requirements
* prioritizing capital protection

Risk escalation is **explicit and visible**, not implicit.

***

#### What the Protocol Does *Not* Protect Against

To avoid false assumptions, the protocol does not protect against:

* asset value loss
* legal unenforceability
* macroeconomic events
* bad investment decisions

It protects against **opaque failure**, not poor outcomes.

***

#### Risk Transparency

All risk-relevant events are:

* recorded on-chain
* timestamped
* attributable

Participants can observe:

* when assumptions break
* how the system responds
* what actions are taken

This enables independent risk assessment rather than blind trust.

***

#### Risk and Failure Modes Summary

| Aspect              | Approach                |
| ------------------- | ----------------------- |
| Risk identification | Explicit categorization |
| Detection           | Attestations + rules    |
| Default response    | Restriction             |
| Escalation          | Governance              |
| Goal                | Containment, not denial |

***

#### Why This Matters

Most RWA failures are made worse by:

* delayed disclosure
* silent continuation
* discretionary intervention

This model avoids those outcomes by:

* making failure visible
* enforcing defensive defaults
* prioritizing long-term integrity

The system is designed to **fail clearly, not quietly**.
