@ballkidz/defifa 0.0.12 → 0.0.13

package/CRYPTO_ECON.tex

@@ -28,7 +28,7 @@
 
 \title{\textbf{Cryptoeconomics of Defifa}}
 \author{Claude Opus 4.6 (Anthropic) in coordination with Jango from the Defifa Team.\\[4pt]
-\small This analysis was generated by Claude Opus 4.6 based on its study of the Defifa V5 codebase\\
+\small This analysis was generated by Claude Opus 4.6 based on its study of the Defifa V6 codebase\\
 \small and the \href{https://cryptoeconlab.com/paper/pub-0?paper=https\%253A\%252F\%252Fstorage.googleapis.com\%252Fcel-public-resources\%252FRevnet-Whitepaper.pdf}{Revnet Whitepaper} by CryptoEconLab.}
 \date{March 2026}
 
@@ -37,7 +37,9 @@
 \maketitle
 
 \begin{abstract}
-Defifa is a prediction-game protocol built on Juicebox V5 that transforms NFT minting into a parimutuel wagering mechanism with governance-ratified outcomes. Players purchase ERC-721 game pieces representing competing tiers (teams, candidates, outcomes), forming a shared treasury. After the event concludes, a decentralized attestation process ratifies a scorecard that assigns weights to each tier, redistributing the treasury proportionally. This paper formalizes the cryptoeconomic mechanics of Defifa games: the prize distribution formula, the attestation governance model, the fee extraction pipeline, the protocol-token incentive layer, and the rational actor strategies that emerge. We derive solvency guarantees, characterize equilibrium behavior under various participation profiles, analyze the game-theoretic properties of the scorecard ratification process, and identify the parameter regimes that maximize game integrity and participant welfare.
+Defifa is a prediction-game protocol built on Juicebox V6 that transforms NFT minting into a parimutuel wagering mechanism with governance-ratified outcomes. Players purchase ERC-721 game pieces representing competing tiers (teams, candidates, outcomes), forming a shared treasury. After the event concludes, a decentralized attestation process ratifies a scorecard that assigns weights to each tier, redistributing the treasury proportionally. This paper formalizes the cryptoeconomic mechanics of Defifa games: the prize distribution formula, the attestation governance model, the fee extraction pipeline, the protocol-token incentive layer, and the rational actor strategies that emerge. We derive solvency guarantees, characterize equilibrium behavior under various participation profiles, analyze the game-theoretic properties of the scorecard ratification process, and identify the parameter regimes that maximize game integrity and participant welfare.
+
+Throughout, we illustrate the mechanics with a running example: a \textbf{FIFA World Cup game with 32 tiers}---one per national team---priced at 0.01~ETH each.
 \end{abstract}
 
 \tableofcontents
@@ -49,9 +51,11 @@ Defifa is a prediction-game protocol built on Juicebox V5 that transforms NFT mi
 
 \subsection{What is Defifa?}
 
-Defifa is a prediction-game protocol that transforms the act of purchasing an NFT into a wager on the outcome of a real-world event. It is deployed using the Juicebox V5 protocol and governed by a combination of immutable smart-contract rules and a minimal, time-bounded governance process for outcome resolution.
+Defifa is a prediction-game protocol that transforms the act of purchasing an NFT into a wager on the outcome of a real-world event. It is deployed using the Juicebox V6 protocol and governed by a combination of immutable smart-contract rules and a minimal, time-bounded governance process for outcome resolution.
+
+A Defifa game is a \emph{tokenized parimutuel pool}: money goes in via NFT purchases, forming a shared pot; after the event concludes, a governance process assigns weights to each tier (team, outcome, candidate), and the pot is distributed proportionally. The game pieces are ERC-721 tokens organized into tiers, where each tier represents a distinct prediction. The purchase price is uniform across all tiers---enforced at the protocol level---and the payout is determined by post-event scorecard ratification.
 
-A Defifa game is a \emph{tokenized parimutuel pool}: money goes in via NFT purchases, forming a shared pot; after the event concludes, a governance process assigns weights to each tier (team, outcome, candidate), and the pot is distributed proportionally. The game pieces are ERC-721 tokens organized into tiers, where each tier represents a distinct prediction. The purchase price of a tier token is fixed at game creation, and the payout is determined by post-event scorecard ratification.
+\textbf{Running example: World Cup 2026.} Imagine a Defifa game for the FIFA World Cup with 32 tiers---one for each national team---priced at 0.01~ETH each. Argentina is Tier~1, France is Tier~2, Brazil is Tier~3, \ldots, and Saudi Arabia is Tier~32. Anyone can mint NFTs for the team they believe will win (or perform well), and after the tournament, a scorecard assigns weights reflecting the actual results.
 
 Defifa games are:
 \begin{itemize}[nosep]
@@ -64,25 +68,31 @@ Defifa games are:
 \subsection{How a Defifa Game Works (at a glance)}
 
 \begin{enumerate}[nosep]
-    \item \textbf{Mint (pot formation).} During the mint phase, anyone can purchase NFTs representing tiers. Each NFT has a fixed price denominated in the game's base asset (e.g., ETH). All payments flow into a shared treasury---the \emph{pot}. Players may delegate their attestation power to a chosen delegate at mint time.
+    \item \textbf{Mint (pot formation).} During the mint phase, anyone can purchase NFTs representing tiers at the game's uniform price. All payments flow into a shared treasury---the \emph{pot}. Players may delegate their attestation power to a chosen delegate at mint time.
 
     \item \textbf{Refund (optional exit window).} If configured, a refund phase follows minting. During this period, players may burn their NFTs to reclaim the original mint price, allowing a risk-free exit for those who change their minds. No new mints are accepted.
 
-    \item \textbf{Score (outcome resolution).} Once the real-world event concludes, anyone may propose a \emph{scorecard}---a vector of weights summing to $W_{\text{total}} = 10^{18}$---assigning each tier its share of the pot. NFT holders attest to the scorecard they believe reflects the correct outcome. Once a scorecard achieves quorum, it can be ratified.
+    \item \textbf{Score (outcome resolution).} Once the real-world event concludes, anyone may propose a \emph{scorecard}---a vector of weights summing to $W_{\text{total}} = 10^{18}$---assigning each tier its share of the pot. NFT holders attest to the scorecard they believe reflects the correct outcome. Once a scorecard achieves quorum, it can be ratified. Scorecard submission is restricted to the SCORING phase---no pre-scoring submissions are allowed.
+
+    \item \textbf{Complete (prize distribution).} After ratification, protocol fees are extracted, and the remaining pot is available for claims. Each NFT holder burns their token to receive their proportional share, plus any accrued protocol tokens (\$DEFIFA and \$NANA).
 
-    \item \textbf{Complete (prize distribution).} After ratification, protocol fees are extracted, and the remaining pot is available for claims. Each NFT holder burns their token to receive their proportional share, plus any accrued protocol tokens (\$DEFIFA and \$BASE\_\allowbreak{}PROTOCOL).
+    \item \textbf{No contest (safety fallback).} If the game fails to attract sufficient participation or the scorecard is not ratified within the configured timeout, the game enters a NO\_CONTEST state where all players can reclaim their original mint prices.
 \end{enumerate}
 
+\textbf{World Cup example.} The World Cup game mints for 30 days before the tournament. Fans buy Argentina NFTs, France NFTs, etc. After the final, someone submits a scorecard: the champion's tier gets 40\% of the weight, the runner-up gets 20\%, semifinalists get 10\% each, and quarterfinalists share the remaining 20\%. Holders attest, the scorecard is ratified, fees are extracted, and holders of the champion's NFTs receive their proportional share of a now-concentrated prize pool.
+
 \subsection{The Design Parameters}
 
 A Defifa game is fully specified at deployment by a parameter tuple:
 \begin{equation}
-\mathcal{G} = \left( \{T_i\}_{i=1}^{N}, \; t_{\text{mint}}, \; t_{\text{refund}}, \; t_{\text{start}}, \; \phi_{\text{defifa}}, \; \phi_{\text{base}}, \; \mathcal{S}, \; \tau_{\text{attest}}, \; \tau_{\text{grace}} \right)
+\mathcal{G} = \left( \{T_i\}_{i=1}^{N}, \; p, \; t_{\text{mint}}, \; t_{\text{refund}}, \; t_{\text{start}}, \; \phi_{\text{defifa}}, \; \phi_{\text{base}}, \; \mathcal{S}, \; \tau_{\text{attest}}, \; \tau_{\text{grace}}, \; m_{\text{min}}, \; \tau_{\text{timeout}} \right)
 \end{equation}
 
 Where:
 \begin{enumerate}[nosep]
-    \item \textbf{Tier configuration} $\{T_i\}_{i=1}^{N}$: For each of the $N$ tiers, a fixed price $p_i$, an optional reserved rate $\rho_i$, and a reserved-token beneficiary address. The initial supply per tier is set to $999{,}999{,}999$ (effectively unlimited).
+    \item \textbf{Tier configuration} $\{T_i\}_{i=1}^{N}$: For each of the $N$ tiers (maximum~128), an optional reserved rate $\rho_i$, a reserved-token beneficiary address, a name, and an optional IPFS URI. The initial supply per tier is set to $999{,}999{,}999$ (effectively unlimited).
+
+    \item \textbf{Uniform tier price} ($p$): A single fixed price applied to all tiers, denominated in the game's base asset. Uniform pricing is enforced at the protocol level via the \texttt{tierPrice} parameter, ensuring that price-based voting power is equal across tiers.
 
     \item \textbf{Mint period duration} ($t_{\text{mint}}$): How long the minting window stays open, in seconds.
 
@@ -92,16 +102,20 @@ Where:
 
     \item \textbf{Defifa fee divisor} ($\phi_{\text{defifa}}$): The fraction $1/\phi_{\text{defifa}}$ of the pot sent to the Defifa protocol project. Default: $\phi_{\text{defifa}} = 20$ (5\%).
 
-    \item \textbf{Base protocol fee divisor} ($\phi_{\text{base}}$): The fraction $1/\phi_{\text{base}}$ of the pot sent to the base protocol project. Default: $\phi_{\text{base}} = 20$ (5\%).
+    \item \textbf{Base protocol fee divisor} ($\phi_{\text{base}}$): The fraction $1/\phi_{\text{base}}$ of the pot sent to the base protocol (NANA) project. Default: $\phi_{\text{base}} = 40$ (2.5\%).
 
     \item \textbf{Splits} ($\mathcal{S}$): Additional payout splits configured at deployment (e.g., for game organizers, charities).
 
-    \item \textbf{Attestation start time} ($\tau_{\text{attest}}$): Delay before attestation voting opens on a submitted scorecard.
+    \item \textbf{Attestation start time} ($\tau_{\text{attest}}$): The earliest time at which attestation voting opens on submitted scorecards.
+
+    \item \textbf{Attestation grace period} ($\tau_{\text{grace}}$): Minimum duration attestations must remain open after $\tau_{\text{attest}}$. Protocol-enforced minimum: 1~day.
 
-    \item \textbf{Attestation grace period} ($\tau_{\text{grace}}$): Duration of the attestation voting window.
+    \item \textbf{Minimum participation} ($m_{\text{min}}$): The minimum treasury balance required for the game to proceed to scoring. If the balance is below this threshold when SCORING would begin, the game enters NO\_CONTEST. Set to~0 to disable.
+
+    \item \textbf{Scorecard timeout} ($\tau_{\text{timeout}}$): The maximum time (in seconds) after the scoring phase begins for a scorecard to be ratified. If exceeded without ratification, the game enters NO\_CONTEST. Set to~0 to disable.
 \end{enumerate}
 
-Once set, the tuple $\mathcal{G}$ is immutable. Phase transitions occur automatically by timestamp, with the scoring phase having infinite duration (duration $= 0$) until the scorecard is ratified.
+Once set, the tuple $\mathcal{G}$ is immutable. Phase transitions occur automatically by timestamp, with the scoring phase having infinite duration (duration $= 0$) until the scorecard is ratified or the timeout elapses.
 
 %==========================================================================
 \section{Mathematical Model of Defifa Economics}
@@ -111,7 +125,7 @@ Once set, the tuple $\mathcal{G}$ is immutable. Phase transitions occur automati
 
 The economic behavior of a Defifa game is determined jointly by:
 \begin{enumerate}[nosep]
-    \item The immutable game parameters $\mathcal{G}$ (cf.\ Section 1.3), fixed at deployment;
+    \item The immutable game parameters $\mathcal{G}$ (cf.\ Section~1.3), fixed at deployment;
     \item The evolving state variables, which track the pot, token supplies, and claim status over time.
 \end{enumerate}
 
@@ -126,7 +140,7 @@ The economic behavior of a Defifa game is determined jointly by:
 $B(t)$ & Pot (treasury balance) at time $t$ \\
 $n_i(t)$ & Number of NFTs minted in tier $i$ at time $t$ \\
 $N_{\text{total}}(t)$ & Total NFTs outstanding: $\sum_i n_i(t)$ \\
-$M(t)$ & Total mint cost accumulated: $\sum_i n_i(t) \cdot p_i$ \\
+$M(t)$ & Total mint cost accumulated: $N_{\text{total}}(t) \cdot p$ \\
 $w_i$ & Scorecard weight assigned to tier $i$ ($\sum_i w_i = W_{\text{total}}$) \\
 $d_i(t)$ & Tokens redeemed from tier $i$ after ratification \\
 $B_{\text{prize}}$ & Net prize pool after fee extraction \\
@@ -136,34 +150,32 @@ $B_{\text{prize}}$ & Net prize pool after fee extraction \\
 \label{tab:state}
 \end{table}
 
-At any time $t$, the state of the game is fully determined by the pair
-$\bigl(\mathcal{G}, \; \{B(t), n_i(t), w_i, d_i(t)\}\bigr)$,
-where $\mathcal{G}$ is the fixed game configuration and the second component evolves endogenously as players interact.
+Note that because all tiers share a uniform price $p$, the total mint cost simplifies to $M(t) = N_{\text{total}}(t) \cdot p$ and the pot composition is $B(t) = M(t)$. This uniformity is a deliberate design choice that ensures fair parimutuel dynamics---the pot fraction in each tier reflects only the \emph{count} of mints, not differential pricing.
 
 \subsection{Minting --- Pot Formation}
 
-During the mint phase $[t_{\text{mint\_start}},\; t_{\text{mint\_start}} + t_{\text{mint}})$, any participant may purchase NFTs from any tier $i$ at the fixed price $p_i$ per token.
+During the mint phase $[t_{\text{mint\_start}},\; t_{\text{mint\_start}} + t_{\text{mint}})$, any participant may purchase NFTs from any tier $i$ at the uniform price $p$ per token.
 
 \textbf{Minted quantity.} For a payment amount $x$ of base asset directed at tier $i$:
 \begin{equation}
-q_i = \left\lfloor \frac{x}{p_i} \right\rfloor
+q_i = \left\lfloor \frac{x}{p} \right\rfloor
 \end{equation}
 
 \textbf{Reserved minting.} If tier $i$ has a reserved rate $\rho_i > 0$, then for every $\rho_i$ tokens minted by paying players, one additional token is minted to the reserved-token beneficiary. Reserved tokens are \emph{not} paid for, but their cost is counted toward $M(t)$ for purposes of protocol-token distribution (cf.\ Section~2.6).
 
 \textbf{State updates.} At the instant of a mint event where player $j$ purchases $q$ tokens of tier $i$:
 \begin{align}
-B(t^+) &= B(t^-) + q \cdot p_i \tag{Treasury balance} \\
-n_i(t^+) &= n_i(t^-) + q \tag{Tier supply} \\
-M(t^+) &= M(t^-) + q \cdot p_i \tag{Total mint cost}
+B(t^+) &= B(t^-) + q \cdot p \\
+n_i(t^+) &= n_i(t^-) + q \\
+M(t^+) &= M(t^-) + q \cdot p
 \end{align}
 
 \textbf{Pot composition.} At the end of the mint phase, the pot is:
 \begin{equation}
-B_{\text{mint}} = \sum_{i=1}^{N} n_i \cdot p_i
+B_{\text{mint}} = \sum_{i=1}^{N} n_i \cdot p = N_{\text{total}} \cdot p
 \end{equation}
 
-This is the total capital at risk in the game, and represents the complete prize pool before fee extraction.
+\textbf{World Cup example.} Suppose the game attracts 15,000 total mints across 32 tiers. Argentina: 2,000 (13.3\%), France: 1,800 (12.0\%), Brazil: 1,500 (10.0\%), \ldots, Saudi Arabia: 10 (0.07\%). Total pot: $15{,}000 \times 0.01 = 150$~ETH. The pot fractions reveal the crowd's consensus probabilities.
 
 \subsection{Refund --- Optionality Window}
 
@@ -173,21 +185,14 @@ If $t_{\text{refund}} > 0$, a refund phase follows minting. During $[t_{\text{mi
     \item Any NFT holder may burn their token to reclaim its mint price.
 \end{itemize}
 
-\textbf{Refund mechanics.} A player burning $q$ tokens of tier $i$ receives exactly $q \cdot p_i$ base asset from the treasury:
+\textbf{Refund mechanics.} A player burning $q$ tokens of tier $i$ receives exactly $q \cdot p$ base asset from the treasury:
 \begin{equation}
-R_{\text{refund}} = q \cdot p_i
+R_{\text{refund}} = q \cdot p
 \end{equation}
 
-\textbf{State updates.} After a refund:
-\begin{align}
-B(t^+) &= B(t^-) - q \cdot p_i \\
-n_i(t^+) &= n_i(t^-) - q \\
-M(t^+) &= M(t^-) - q \cdot p_i
-\end{align}
+Because all tiers share the uniform price $p$, the per-NFT backing ratio $B(t) / N_{\text{total}}(t) = p$ is always preserved.
 
-The refund phase creates a \emph{free option} for participants: they can observe late-breaking information (injury reports, market movements, team changes) and exit at zero cost.
-
-\textbf{Key property.} The refund is dollar-for-dollar: every token refunded removes exactly its mint price from the pot, preserving the per-NFT backing ratio $B(t) / N_{\text{total}}(t)$ for uniform-priced games.
+\textbf{World Cup example.} Two days before the tournament, a star player for Brazil suffers an injury. 300 Brazil holders refund their NFTs, reducing the pot from 150~ETH to 147~ETH. The refund activity signals the belief shift---other participants observe the on-chain volume and update their expectations.
 
 \subsection{Prize Distribution --- The Scorecard Formula}
 
@@ -198,19 +203,19 @@ After the real-world event concludes and a scorecard is ratified, the game enter
 \sum_{i=1}^{N} w_i = W_{\text{total}} = 10^{18}
 \end{equation}
 
-Each $w_i \in [0, W_{\text{total}}]$ represents the fraction of the prize pool allocated to tier $i$'s holders.
+The exact-sum constraint is enforced on-chain---the \texttt{validateAndBuildWeights} function in \texttt{DefifaHookLib} reverts if the cumulative weight does not equal \texttt{TOTAL\_CASHOUT\_WEIGHT} exactly.
 
 \textbf{Per-token weight.} The weight assigned to a single NFT in tier $i$ is:
 \begin{equation}
 w_i^{\text{token}} = \frac{w_i}{\hat{n}_i}
 \end{equation}
 
-where $\hat{n}_i$ is the \emph{effective} number of tokens eligible for redemption in tier $i$ at the time the scorecard is ratified:
+where $\hat{n}_i$ is the \emph{effective} number of tokens eligible for redemption in tier $i$:
 \begin{equation}
-\hat{n}_i = n_i^{\text{minted}} - n_i^{\text{remaining}} - (n_i^{\text{burned}} - d_i)
+\hat{n}_i = n_i^{\text{minted}} - n_i^{\text{remaining}} - (n_i^{\text{burned}} - d_i) + n_i^{\text{pendingReserves}}
 \end{equation}
 
-Here $n_i^{\text{minted}}$ is the initial supply, $n_i^{\text{remaining}}$ is the unminted supply, $n_i^{\text{burned}}$ is the total burned count, and $d_i$ is the number of tokens redeemed \emph{in the complete phase specifically}. This formula ensures that as tokens are redeemed in the complete phase, the denominator adjusts to maintain fair distribution for remaining holders.
+Including pending reserves in the denominator prevents paid holders from front-running reserve mints to extract disproportionate value.
 
 \textbf{Cash-out value.} When a player burns a set of token IDs $\{k_1, k_2, \ldots, k_m\}$, the total claim is:
 \begin{equation}
@@ -222,43 +227,42 @@ where $i(k_j)$ is the tier of token $k_j$, $B_{\text{prize}}$ is the current tre
 
 The term $(B_{\text{prize}} + A_{\text{redeemed}})$ reconstructs the \emph{original} post-fee pot, ensuring that the order of redemptions does not affect the payout per token. This is a critical design property: it makes Defifa a \emph{path-independent} mechanism.
 
-\textbf{Special cases:}
-\begin{itemize}[nosep]
-    \item \textbf{Winner-take-all:} $w_j = W_{\text{total}}$ for a single tier $j$, all others zero.
-    \item \textbf{Proportional split:} $w_i = W_{\text{total}} \cdot n_i / N_{\text{total}}$, weights by participation count.
-    \item \textbf{No contest (by convention):} All $w_i$ set proportionally to return mint prices, effectively implementing a full refund through the standard scorecard mechanism.
-\end{itemize}
+\textbf{World Cup example.} Argentina wins; scorecard assigns 40\% to Argentina ($w_1 = 4 \times 10^{17}$). Post-fee pot: $147 \times 0.925 = 135.975$~ETH. An Argentina holder with 1~NFT receives: $\frac{4 \times 10^{17} / 2{,}000}{10^{18}} \times 135.975 \approx 0.0272$~ETH---a 2.72x return on their 0.01~ETH mint.
 
 \subsection{Fee Extraction Pipeline}
 
-Before prize distribution begins, the Deployer contract extracts protocol fees by calling \texttt{fulfill\-Commitments\-Of}. This triggers a \texttt{send\-Payouts\-Of} call on the terminal, distributing the pot according to the scoring-phase splits.
+Before prize distribution begins, the Deployer contract extracts protocol fees by calling \texttt{fulfill\-Commitments\-Of}. This function computes the fee amount and sends only the fee portion as payouts via \texttt{send\-Payouts\-Of}, while the remaining balance stays in the treasury as surplus for player cash-outs.
 
-\textbf{Split structure.} The splits configured at game launch allocate the pot as follows:
+\textbf{Split structure.} The splits configured at game launch allocate fees as follows:
 \begin{enumerate}[nosep]
-    \item \textbf{Base protocol fee:} $1/\phi_{\text{base}}$ of the pot to the base protocol project (default: 5\%)
-    \item \textbf{Defifa fee:} $1/\phi_{\text{defifa}}$ of the pot to the Defifa project (default: 5\%)
+    \item \textbf{Defifa fee:} $1/\phi_{\text{defifa}}$ of the pot to the Defifa project (default: $\phi_{\text{defifa}} = 20$, i.e., 5\%)
+    \item \textbf{Base protocol fee:} $1/\phi_{\text{base}}$ of the pot to the base protocol (NANA) project (default: $\phi_{\text{base}} = 40$, i.e., 2.5\%)
     \item \textbf{Custom splits} ($\mathcal{S}$): Any additional game-creator-defined splits
-    \item \textbf{Remainder:} Returned to the game's treasury via \texttt{addToBalanceOf}
+    \item \textbf{Remainder:} Stays in the game's treasury as surplus for player cash-outs
 \end{enumerate}
 
 \textbf{Fee formulas.} Let $B_{\text{pot}}$ be the treasury balance at commitment fulfillment:
 \begin{align}
-F_{\text{base}} &= \frac{B_{\text{pot}}}{\phi_{\text{base}}} \\[4pt]
-F_{\text{defifa}} &= \frac{B_{\text{pot}}}{\phi_{\text{defifa}}} \\[4pt]
+F_{\text{defifa}} &= \frac{B_{\text{pot}}}{\phi_{\text{defifa}}} = \frac{B_{\text{pot}}}{20} = 0.05 \cdot B_{\text{pot}} \\[4pt]
+F_{\text{base}} &= \frac{B_{\text{pot}}}{\phi_{\text{base}}} = \frac{B_{\text{pot}}}{40} = 0.025 \cdot B_{\text{pot}} \\[4pt]
 F_{\text{custom}} &= \sum_{s \in \mathcal{S}} \frac{B_{\text{pot}} \cdot \text{percent}_s}{\text{SPLITS\_TOTAL\_PERCENT}}
 \end{align}
 
 The prize pool available for player claims is:
 \begin{equation}
-\boxed{B_{\text{prize}} = B_{\text{pot}} - F_{\text{base}} - F_{\text{defifa}} - F_{\text{custom}}}
+\boxed{B_{\text{prize}} = B_{\text{pot}} - F_{\text{defifa}} - F_{\text{base}} - F_{\text{custom}}}
 \end{equation}
 
-With default parameters ($\phi_{\text{base}} = \phi_{\text{defifa}} = 20$, no custom splits):
+With default parameters ($\phi_{\text{defifa}} = 20$, $\phi_{\text{base}} = 40$, no custom splits), the total fee rate is \textbf{7.5\%}:
 \begin{equation}
-B_{\text{prize}} = B_{\text{pot}} \cdot \left(1 - \tfrac{1}{20} - \tfrac{1}{20}\right) = 0.9 \cdot B_{\text{pot}}
+B_{\text{prize}} = B_{\text{pot}} \cdot \left(1 - \tfrac{1}{20} - \tfrac{1}{40}\right) = 0.925 \cdot B_{\text{pot}}
 \end{equation}
 
-\textbf{Fee recycling.} The fees paid to the Defifa and base protocol projects are processed as standard Juicebox payments, which mint project tokens (\$DEFIFA, \$BASE\_PROTOCOL) to the beneficiary---in this case, the game's hook contract. These tokens are later distributed to players upon claim (Section~2.6).
+\textbf{Resilient fee handling.} The \texttt{sendPayoutsOf} call is wrapped in a try-catch. If the payout fails for any reason, the \texttt{CommitmentPayoutFailed} event is emitted, the fulfilled commitments value is set to a sentinel~(1), and the final ruleset is still queued. Players can cash out immediately---the fee amount stays in the pot, slightly benefiting cash-out recipients. This ensures the game always reaches completion regardless of fee-collection failures.
+
+\textbf{Fee recycling.} The fees paid to the Defifa and base protocol projects are processed as standard Juicebox payments, which mint project tokens (\$DEFIFA, \$NANA) to the game's hook contract. These tokens are later distributed to players upon claim (Section~2.6).
+
+\textbf{World Cup example.} With a 147~ETH pot: Defifa fee: $147 / 20 = 7.35$~ETH (5\%). Base protocol fee: $147 / 40 = 3.675$~ETH (2.5\%). Total fees: 11.025~ETH (7.5\%). Prize pool: $147 - 11.025 = 135.975$~ETH (92.5\%).
 
 \subsection{Protocol Token Allocation}
 
@@ -267,12 +271,12 @@ When fees are paid to the Defifa and base protocol projects, those projects mint
 \textbf{Token allocation per player.} For a player burning tokens with cumulative mint cost $c$:
 \begin{align}
 X_{\text{defifa}} &= \frac{c}{M} \cdot D_{\text{total}} \\[4pt]
-X_{\text{base}} &= \frac{c}{M} \cdot P_{\text{total}}
+X_{\text{nana}} &= \frac{c}{M} \cdot P_{\text{total}}
 \end{align}
 
-where $M$ is the total mint cost of all tokens ever minted, $D_{\text{total}}$ is the total \$DEFIFA tokens held by the hook, and $P_{\text{total}}$ is the total \$BASE\_PROTOCOL tokens held by the hook.
+where $M$ is the total mint cost of all tokens ever minted, $D_{\text{total}}$ is the total \$DEFIFA tokens held by the hook, and $P_{\text{total}}$ is the total \$NANA tokens held by the hook.
 
-\textbf{Key property.} Protocol token distribution is proportional to \emph{original mint cost}, not to scorecard weight. This means that even holders of losing tiers ($w_i = 0$) receive protocol tokens when burning their NFTs, creating a partial consolation mechanism that rewards participation regardless of outcome.
+\textbf{Key property.} Protocol token distribution is proportional to \emph{original mint cost}, not to scorecard weight. Since all tiers share the same price $p$, each NFT generates the same protocol-token claim regardless of tier. Even holders of losing tiers ($w_i = 0$) receive protocol tokens when burning---a consolation that rewards participation regardless of outcome.
 
 %==========================================================================
 \section{Attestation Governance and Scorecard Ratification}
@@ -299,9 +303,11 @@ where $n_i^{\text{holder}}$ is the number of tier-$i$ tokens delegated to (or he
 v^{\text{holder}} = \sum_{i \,:\, n_i^{\text{holder}} > 0} V_{\max} \cdot \frac{n_i^{\text{holder}}}{n_i^{\text{total}}}
 \end{equation}
 
-\textbf{Checkpoint-based snapshots.} Attestation power is measured at a fixed historical timestamp (the scorecard's \texttt{attestationsBegin} time), using historical checkpoints. This prevents vote-buying attacks where an actor acquires tokens immediately before voting.
+\textbf{Checkpoint-based snapshots.} Attestation power is measured at the scorecard's \texttt{attestationsBegin} timestamp---always a past timestamp set during \texttt{submitScorecardFor}. This prevents same-block transfer manipulation.
 
-\textbf{Delegation.} During the mint phase only, holders may delegate their attestation units to a chosen delegate address per tier. Delegation is per-tier, snapshot-locked, and mint-phase-only.
+\textbf{Delegation.} During the mint phase only, holders may delegate their attestation units to a chosen delegate address per tier. Delegation is per-tier, snapshot-locked, and mint-phase-only (the \texttt{\_update} function enforces \texttt{DELEGATE\_CHANGES\_UNAVAILABLE\_IN\_THIS\_PHASE} after MINT).
+
+\textbf{World Cup example.} Argentina (Tier~1) has 2,000 NFTs. A fan holding 100 Argentina NFTs has attestation power: $10^9 \times 100/2{,}000 = 50{,}000{,}000$ from Tier~1. Despite Argentina having the most mints, each \emph{tier} contributes equally to governance weight---Argentina's 2,000 holders collectively cap at $10^9$, the same as Saudi Arabia's 10 holders.
 
 \subsection{Quorum and Ratification Conditions}
 
@@ -312,14 +318,14 @@ v^{\text{holder}} = \sum_{i \,:\, n_i^{\text{holder}} > 0} V_{\max} \cdot \frac{
 
 where $N_{\text{minted\_tiers}}$ is the number of tiers that have at least one minted token.
 
-\textbf{Example.} For a game with 4 tiers (all minted):
-$$Q = \frac{4}{2} \cdot 10^9 = 2 \times 10^9$$
+\textbf{World Cup example.} All 32 tiers have minted tokens:
+$$Q = \frac{32}{2} \cdot 10^9 = 16 \times 10^9$$
 
-This requires the equivalent of 2 full tiers' worth of unanimous attestation---for instance, all holders of 2 tiers attesting, or 50\% of holders across all 4 tiers.
+This requires the equivalent of 16 full tiers' worth of unanimous attestation. If the default delegate holds delegated power from a majority of minters across 16+ tiers, they can single-handedly meet quorum---which is exactly the intended fast path for games with trusted organizers.
 
 \textbf{Ratification conditions.} A scorecard can be ratified when all three conditions are met:
 \begin{enumerate}[nosep]
-    \item The scorecard's grace period has expired,
+    \item The scorecard's grace period has expired ($\texttt{gracePeriodEnds} \leq \texttt{block.timestamp}$),
     \item The attestation count meets or exceeds quorum,
     \item No other scorecard has been ratified for this game.
 \end{enumerate}
@@ -335,7 +341,7 @@ Each submitted scorecard passes through five states:
 \textbf{State} & \textbf{Condition} \\
 \midrule
 PENDING & \texttt{attestationsBegin} $>$ \texttt{block.timestamp} \\
-ACTIVE & \texttt{attestationsBegin} $\leq$ \texttt{now} $\leq$ \texttt{gracePeriodEnds} \\
+ACTIVE & \texttt{attestationsBegin} $\leq$ \texttt{now} and (grace not expired or quorum not met) \\
 SUCCEEDED & Grace period expired AND attestations $\geq$ quorum \\
 DEFEATED & A different scorecard was ratified \\
 RATIFIED & This scorecard was ratified \\
@@ -344,7 +350,9 @@ RATIFIED & This scorecard was ratified \\
 \caption{Scorecard lifecycle states.}
 \end{table}
 
-Multiple scorecards may coexist in ACTIVE or SUCCEEDED state simultaneously, but only one can ever be ratified. This creates a competitive dynamic where multiple proposed outcomes compete for attestation support.
+Multiple scorecards may coexist in ACTIVE or SUCCEEDED state simultaneously, but only one can ever be ratified. Scorecards that fail to reach quorum remain ACTIVE indefinitely---the game's \texttt{scorecardTimeout} provides the ultimate backstop (see Section~9.1).
+
+The grace period is computed relative to \texttt{attestationsBegin}, not submission time: $t_{\text{grace\_end}} = t_{\text{attest\_begin}} + \tau_{\text{grace}}$. This prevents the grace period from expiring before attestations even start.
 
 \subsection{Resistance to Strategic Manipulation}
 
@@ -352,32 +360,27 @@ The attestation model incorporates several defenses:
 
 \textbf{Defense 1: Per-tier cap.} No single tier's holders can contribute more than $V_{\max}$ attestation units, regardless of how many tokens they hold.
 
-\textbf{Defense 2: Checkpoint snapshots.} Attestation power is computed at a fixed historical timestamp. Acquiring tokens after the snapshot provides zero additional voting power.
+\textbf{Defense 2: Checkpoint snapshots.} Attestation power is computed at a fixed historical timestamp (\texttt{attestationsBegin}). Acquiring tokens after the snapshot provides zero additional voting power.
 
 \textbf{Defense 3: Mint-phase-only delegation.} Delegation is locked after the mint phase, preventing last-minute delegation changes during the scoring phase.
 
 \textbf{Defense 4: 50\% quorum across tiers.} Requiring half of all minted tiers' worth of attestation power means no coalition controlling fewer than half the minted tiers can unilaterally ratify a fraudulent scorecard.
 
-\textbf{Remaining attack surface.} A coalition controlling sufficient attestation power across $\lceil N_{\text{minted}}/2 \rceil$ tiers can ratify an arbitrary scorecard. The critical insight is that attestation power within a tier is \emph{proportional to token holdings}, not absolute. An attacker holding 100\% of a tier's supply---even just 1 token---receives the full $V_{\text{max}} = 10^9$ attestation power for that tier.
+\textbf{Defense 5: Scoring-phase-only submission.} Scorecard submission is restricted to the SCORING phase, preventing pre-accumulation of attestations during minting.
 
-\textbf{Worst-case attack cost (heavily minted tiers).} When all tiers are well-populated, the attacker must acquire majority holdings in at least $\lceil N/2 \rceil$ tiers:
+\textbf{Remaining attack surface.} A coalition controlling sufficient attestation power across $\lceil N_{\text{minted}}/2 \rceil$ tiers can ratify an arbitrary scorecard. An attacker holding 100\% of a tier's supply---even just 1~token---receives the full $V_{\text{max}} = 10^9$ attestation power for that tier.
+
+\textbf{Worst-case attack cost (heavily minted tiers):}
 \begin{equation}
-C_{\text{attack}}^{\text{worst}} \geq \sum_{i \in \text{majority set}} \left\lceil \frac{n_i + 1}{2} \right\rceil \cdot p_i
+C_{\text{attack}}^{\text{worst}} \geq \sum_{i \in \text{majority set}} \left\lceil \frac{n_i + 1}{2} \right\rceil \cdot p
 \end{equation}
 
-\textbf{Best-case attack cost (sparse tiers).} When some tiers have zero or minimal mints, the attacker can buy 1 token in each unminted tier, becoming the sole holder and receiving full attestation power:
+\textbf{Best-case attack cost (sparse tiers):}
 \begin{equation}\label{eq:cheapattack}
-C_{\text{attack}}^{\text{best}} = \sum_{i \in \text{cheapest } \lceil N/2 \rceil \text{ unminted}} p_i
-\end{equation}
-
-This is potentially orders of magnitude cheaper. In a 32-tier game at 0.01~ETH where 16 tiers have zero mints, the attacker spends $16 \times 0.01 = 0.16$~ETH to meet quorum---regardless of pot size. \textbf{This is the most significant governance vulnerability identified} and is discussed further in Section~9.2.
-
-For the attack to be profitable, the attacker must redirect more than $C_{\text{attack}}$ in prize value:
-\begin{equation}
-B_{\text{prize}} > C_{\text{attack}} \cdot \frac{W_{\text{total}}}{\sum_{i \in \text{majority}} w_i^{\text{proposed}}}
+C_{\text{attack}}^{\text{best}} = \lceil N/2 \rceil \cdot p
 \end{equation}
 
-For the sparse-tier attack, this condition is almost always satisfied when the pot is nontrivial. Games with broad, uniform participation across all tiers are resistant; games with uneven participation are vulnerable.
+This is potentially orders of magnitude cheaper. See Section~9.2 for a full analysis of governance attack economics and mitigations.
 
 %==========================================================================
 \section{Price Dynamics and Value Flows}
@@ -385,19 +388,17 @@ For the sparse-tier attack, this condition is almost always satisfied when the p
 
 \subsection{NFT Intrinsic Value During Minting}
 
-During the mint phase, the intrinsic value of a tier-$i$ NFT depends on the holder's subjective probability assessment.
-
 \textbf{Expected value at mint.} Let $\pi_i$ be a player's subjective probability that tier $i$ wins. The expected post-fee payout for one tier-$i$ NFT in a winner-take-all game is:
 \begin{equation}
 \mathbb{E}[V_i] = \pi_i \cdot \frac{B_{\text{prize}}}{n_i} + X_i^{\text{protocol}}
 \end{equation}
 
-A rational risk-neutral player mints tier $i$ when $\mathbb{E}[V_i] > p_i$, which requires:
+A rational risk-neutral player mints tier $i$ when $\mathbb{E}[V_i] > p$, which requires:
 \begin{equation}
-\pi_i > \frac{p_i - X_i^{\text{protocol}}}{B_{\text{prize}} / n_i}
+\pi_i > \frac{p - X_i^{\text{protocol}}}{B_{\text{prize}} / n_i}
 \end{equation}
 
-This threshold probability decreases as the pot grows (more participants in other tiers create larger prizes) and increases as more tokens of tier $i$ are minted (diluting the per-token payout within the tier).
+\textbf{World Cup example.} Argentina has 2,000 mints. If the scorecard assigns 40\% to the winner, an Argentina holder's expected value is $\pi_A \times 0.4 \times 135.975 / 2{,}000$. For this to exceed 0.01~ETH: $\pi_A > 36.8\%$. If you believe Argentina has a $>37\%$ chance of winning, minting is positive expected value.
 
 \subsection{Post-Scorecard Valuation}
 
@@ -406,25 +407,15 @@ After the scorecard is ratified and fees are extracted, each NFT has a determini
 V_i^{\text{token}} = \frac{w_i}{\hat{n}_i \cdot W_{\text{total}}} \cdot (B_{\text{prize}} + A_{\text{redeemed}}) + V_i^{\text{protocol}}
 \end{equation}
 
-\textbf{Winning tier (full weight).} In a winner-take-all game with $w_j = W_{\text{total}}$:
-$$V_j^{\text{token}} = \frac{B_{\text{prize}} + A_{\text{redeemed}}}{\hat{n}_j} + V_j^{\text{protocol}}$$
-
-\textbf{Losing tier (zero weight).} When $w_i = 0$:
-$$V_i^{\text{token}} = V_i^{\text{protocol}}$$
+\textbf{Winning tier:} $V_j^{\text{token}} = \frac{B_{\text{prize}} + A_{\text{redeemed}}}{\hat{n}_j} + V_j^{\text{protocol}}$
 
-Losing-tier tokens have zero prize value but retain protocol-token value.
+\textbf{Losing tier ($w_i = 0$):} $V_i^{\text{token}} = V_i^{\text{protocol}}$ (protocol tokens only).
 
 \subsection{Secondary Market Implications}
 
-\textbf{Pre-ratification.} NFT value is driven by subjective outcome probabilities. Prices reflect the market's consensus probability-weighted expected payout, analogous to prediction-market shares.
-
-\textbf{Post-ratification.} NFT value is deterministic and publicly computable. Any secondary-market price deviating from the redemption value creates an arbitrage:
-\begin{itemize}[nosep]
-    \item If $P_{\text{market}} < V_i^{\text{token}}$: buy on the market, burn for profit.
-    \item If $P_{\text{market}} > V_i^{\text{token}}$: never occurs rationally (burn dominates holding).
-\end{itemize}
+\textbf{Pre-ratification.} NFT value is driven by subjective outcome probabilities, analogous to prediction-market shares.
 
-Post-ratification secondary markets should converge immediately to redemption value, eliminating any residual price discovery.
+\textbf{Post-ratification.} NFT value is deterministic and publicly computable. Any price deviation from redemption value creates an arbitrage, so secondary markets should converge immediately to redemption value.
 
 %==========================================================================
 \section{Rational Actor Analysis}
@@ -432,43 +423,31 @@ Post-ratification secondary markets should converge immediately to redemption va
 
 \subsection{Mint-Phase Strategy: Entry Timing}
 
-In a fixed-price game, there is no direct price advantage to minting early vs.\ late within the mint phase. However, strategic considerations arise.
-
-\textbf{Equilibrium.} In a Nash equilibrium of the minting game with risk-neutral players, each player mints the tier maximizing their expected payoff. Denoting by $\pi_i$ the true probability of tier $i$ winning and by $f_i = n_i \cdot p_i / B$ the fraction of the pot allocated to tier $i$:
+\textbf{Equilibrium.} In a Nash equilibrium of the minting game with risk-neutral players, denoting by $\pi_i$ the true probability of tier $i$ winning and by $f_i = n_i / N_{\text{total}}$ the fraction of NFTs allocated to tier $i$:
 \begin{equation}
 \mathbb{E}[\text{return}_i] = \frac{\pi_i}{f_i} \cdot (1 - \phi) - 1
 \end{equation}
 
-where $\phi = 1/\phi_{\text{defifa}} + 1/\phi_{\text{base}} + \phi_{\text{custom}}$ is the total fee rate.
+where $\phi = 1/\phi_{\text{defifa}} + 1/\phi_{\text{base}} + \phi_{\text{custom}}$ is the total fee rate (default: 7.5\%).
 
-In equilibrium, expected returns equalize across tiers: $\mathbb{E}[\text{return}_i] = \mathbb{E}[\text{return}_j]$ for all $i,j$ with non-zero minting, which implies:
-\begin{equation}
-\frac{\pi_i}{f_i} = \frac{\pi_j}{f_j} \quad \Rightarrow \quad f_i = \pi_i
-\end{equation}
+In equilibrium, expected returns equalize across tiers: $f_i = \pi_i$.
 
-\textbf{Result.} In equilibrium, the fraction of the pot in each tier equals the market's consensus probability of that tier winning. This is the classical parimutuel result: the pot allocation \emph{reveals} the collective probability assessment.
+\textbf{Result.} In equilibrium, the fraction of NFTs in each tier equals the market's consensus probability of that tier winning. This is the classical parimutuel result.
 
-\subsection{Refund-Phase Strategy: Option Exercise}
+\textbf{World Cup example.} Argentina's 2,000 mints out of 15,000 total = 13.3\% share. In equilibrium, this implies a 13.3\% probability of winning---approximately matching real-world bookmaker odds.
 
-The refund phase creates a \emph{free put option} on each minted NFT, struck at the mint price.
+\subsection{Refund-Phase Strategy: Option Exercise}
 
-\textbf{Option value.} Let $V_i(t_{\text{refund\_end}})$ be the expected value of a tier-$i$ token at the end of the refund phase. The refund option has value:
+The refund phase creates a \emph{free put option} on each minted NFT, struck at the mint price $p$:
 \begin{equation}
-O_i = \max\bigl(p_i - V_i(t_{\text{refund\_end}}),\; 0\bigr)
+O_i = \max\bigl(p - V_i(t_{\text{refund\_end}}),\; 0\bigr)
 \end{equation}
 
-A rational player exercises (refunds) when $V_i(t_{\text{refund\_end}}) < p_i$, which occurs when new information shifts the expected outcome against their chosen tier.
+A rational player exercises (refunds) when new information shifts the expected outcome against their chosen tier.
 
-The refund phase serves three purposes:
-\begin{enumerate}[nosep]
-    \item \textbf{Risk reduction}: allows players to participate speculatively with a guaranteed exit.
-    \item \textbf{Information revelation}: refund activity signals belief updates.
-    \item \textbf{Adverse selection mitigation}: partially solves the ``winner's curse'' problem.
-\end{enumerate}
-
-\subsection{Scoring-Phase Strategy: Attestation Delegation}
+\subsection{Scoring-Phase Strategy: Attestation}
 
-\textbf{Equilibrium.} In the unique subgame-perfect equilibrium of the attestation game (assuming common knowledge of the event outcome):
+\textbf{Equilibrium.} In the unique subgame-perfect equilibrium (assuming common knowledge of the event outcome):
 \begin{enumerate}[nosep]
     \item All holders attest to the \emph{truthful} scorecard---the one reflecting the actual event outcome.
     \item The truthful scorecard achieves quorum, as holders of winning tiers have the strongest incentive to attest.
@@ -476,13 +455,11 @@ The refund phase serves three purposes:
 
 \subsection{Complete-Phase Strategy: Claim vs Hold}
 
-\textbf{Dominant strategy.} For risk-neutral players with positive time preference, burning immediately weakly dominates holding. The claim value does not depreciate (the path-independent formula ensures later claimants receive the same amount), but the time value of money favors immediate realization. Holding is justified only by expected protocol-token appreciation exceeding the discount rate:
+\textbf{Dominant strategy.} For risk-neutral players, burning immediately weakly dominates holding. The claim value does not depreciate (path-independence), but the time value of money favors immediate realization. Holding is justified only by expected protocol-token appreciation exceeding the discount rate:
 \begin{equation}
-\frac{dP_D}{dt} \cdot \frac{p_i}{M} \cdot D_{\text{total}} > r \cdot V_i^{\text{token}}
+\frac{dP_D}{dt} \cdot \frac{p}{M} \cdot D_{\text{total}} > r \cdot V_i^{\text{token}}
 \end{equation}
 
-where $r$ is the player's discount rate.
-
 %==========================================================================
 \section{Solvency and Conservation Laws}
 %==========================================================================
@@ -497,11 +474,13 @@ For any scorecard $\mathbf{w}$ with $\sum_i w_i = W_{\text{total}}$ and any sequ
 The total claim across all tokens is:
 $$\sum_{i=1}^{N} n_i^{\text{eligible}} \cdot \frac{w_i}{\hat{n}_i \cdot W_{\text{total}}} \cdot (B_{\text{prize}} + A_{\text{redeemed}})$$
 
-Since $n_i^{\text{eligible}} = \hat{n}_i$ at the start (before any complete-phase redemptions), and the term $(B_{\text{prize}} + A_{\text{redeemed}})$ is invariant, this equals:
+Since $n_i^{\text{eligible}} = \hat{n}_i$ at the start, and $(B_{\text{prize}} + A_{\text{redeemed}})$ is invariant, this equals:
 $$\sum_{i=1}^{N} \frac{w_i}{W_{\text{total}}} \cdot B_{\text{prize}} = \frac{B_{\text{prize}}}{W_{\text{total}}} \sum_{i=1}^{N} w_i = B_{\text{prize}}$$
 \end{proof}
 
-This guarantees that the treasury is exactly drained after all eligible tokens are redeemed---there is no residual and no shortfall.
+This guarantee is strengthened by the exact-sum validation on-chain:
+\texttt{validate\-And\-Build\-Weights} reverts if $\sum_i w_i \neq W_{\text{total}}$.
+Under-allocated scorecards are rejected.
 
 \subsection{Solvency Under Sequential Cash-Outs}
 
@@ -510,7 +489,7 @@ The payout to any individual NFT holder is independent of the order in which oth
 \end{corollary}
 
 \begin{proof}
-The per-token claim formula (Eq.~\ref{eq:cashout}) uses $(B_{\text{prize}} + A_{\text{redeemed}})$ as the reference pot, which is constant regardless of how many tokens have been redeemed. As each token is redeemed, both $n_i^{\text{burned}}$ and $d_i$ increment by 1, leaving $\hat{n}_i$ invariant. Therefore, each token receives the same payout regardless of when it is redeemed.
+The per-token claim formula (Eq.~\ref{eq:cashout}) uses $(B_{\text{prize}} + A_{\text{redeemed}})$ as the reference pot, which is constant. As each token is redeemed, both $n_i^{\text{burned}}$ and $d_i$ increment by~1, leaving $\hat{n}_i$ invariant.
 \end{proof}
 
 \subsection{Fee Impact on Total Claimable Value}
@@ -520,10 +499,10 @@ The total value available to players (prize + protocol tokens) is:
 V_{\text{total}} = B_{\text{prize}} + V_{\text{protocol}} = B_{\text{pot}} \cdot (1 - \phi) + V_{\text{protocol}}
 \end{equation}
 
-With default fees ($\phi = 10\%$):
-$$V_{\text{total}} = 0.9 \cdot B_{\text{pot}} + V_{\text{protocol}}$$
+With default fees ($\phi = 7.5\%$):
+$$V_{\text{total}} = 0.925 \cdot B_{\text{pot}} + V_{\text{protocol}}$$
 
-Whether the net present value exceeds the mint cost depends on whether $V_{\text{protocol}} > 0.1 \cdot B_{\text{pot}}$---whether protocol token value compensates for the fee extraction.
+Whether the net present value exceeds the mint cost depends on whether $V_{\text{protocol}} > 0.075 \cdot B_{\text{pot}}$---whether protocol token value compensates for the fee extraction.
 
 %==========================================================================
 \section{Game-Theoretic Properties}
@@ -546,41 +525,32 @@ Asset type & Fungible bet tickets & Non-fungible ERC-721 \\
 Secondary market & Typically none & Full ERC-721 transferability \\
 Refund option & Typically none & Configurable refund phase \\
 Token rewards & None & Protocol token distribution \\
+Safety fallback & None & NO\_CONTEST with full refunds \\
 \bottomrule
 \end{tabular}
 \caption{Comparison: Traditional parimutuel vs.\ Defifa.}
 \end{table}
 
-\textbf{Parimutuel equivalence.} Under uniform pricing ($p_i = p$), binary scorecard (one winner), and no refund phase, a Defifa game is equivalent to a classical parimutuel pool with odds:
+\textbf{Parimutuel equivalence.} Under uniform pricing (enforced by protocol---always true), binary scorecard, and no refund phase, Defifa is equivalent to a classical parimutuel pool with odds:
 \begin{equation}
-\text{odds}_i = \frac{B_{\text{prize}}}{n_i \cdot p} = \frac{(1 - \phi) \cdot \sum_k n_k}{n_i}
+\text{odds}_i = \frac{B_{\text{prize}}}{n_i \cdot p} = \frac{(1 - \phi) \cdot N_{\text{total}}}{n_i}
 \end{equation}
 
+\textbf{World Cup example (winner-take-all).} Argentina ($n_1 = 2{,}000$) out of 15,000 total mints: $\text{odds}_{\text{Argentina}} = \frac{0.925 \times 15{,}000}{2{,}000} = 6.94\times$. A 0.01~ETH bet pays 0.069~ETH---precisely classical parimutuel odds with a 7.5\% takeout rate.
+
 \subsection{Information Aggregation}
 
 The minting and refund dynamics create a multi-round price-discovery mechanism:
 
-\textbf{Round 1 (Mint phase).} Players reveal information through tier selection. Under equilibrium, the pot distribution converges to the collective probability distribution.
+\textbf{Round~1 (Mint phase).} Players reveal information through tier selection. Under equilibrium, the mint distribution converges to the collective probability distribution.
 
-\textbf{Round 2 (Refund phase).} Players who received new information can exit, and the refund pattern reveals belief updates.
+\textbf{Round~2 (Refund phase).} Players who received new information can exit, revealing belief updates.
 
-\textbf{Round 3 (Secondary market).} If NFTs trade on secondary markets during the scoring phase, prices reflect the most current probability assessments.
-
-This three-round structure is informationally richer than single-shot betting mechanisms.
+\textbf{Round~3 (Secondary market).} If NFTs trade on secondary markets during the scoring phase, prices reflect the most current probability assessments.
 
 \subsection{Multi-Game Dynamics and Protocol Flywheel}
 
-Defifa generates a \emph{protocol-level flywheel} through its fee-token mechanism:
-
-\begin{enumerate}[nosep]
-    \item Game fees $\to$ minted to protocol projects as payments,
-    \item Protocol tokens are issued to the game hook,
-    \item Players claim protocol tokens upon burning NFTs,
-    \item Protocol token value reflects aggregate fee revenue across all games,
-    \item Higher token value $\to$ higher expected returns $\to$ more participation $\to$ more fees.
-\end{enumerate}
-
-\textbf{Flywheel dynamics.} Let $G$ be the number of active games, $\bar{B}$ the average pot size, and $\phi$ the fee rate. The aggregate fee revenue is:
+Defifa generates a \emph{protocol-level flywheel} through its fee-token mechanism. Let $G$ be the number of active games, $\bar{B}$ the average pot size, and $\phi$ the fee rate (default: 7.5\%). The aggregate fee revenue is:
 \begin{equation}
 R = G \cdot \bar{B} \cdot \phi
 \end{equation}
@@ -590,7 +560,7 @@ The fraction of the pot recovered through protocol tokens is:
 \frac{V_{\text{protocol}}^{\text{game}}}{\bar{B}} = \phi^2 \cdot \mu \cdot G
 \end{equation}
 
-where $\mu$ is the revenue multiple of protocol token valuation. This shows that the protocol-token recovery rate increases linearly with the number of games $G$, creating a positive network effect.
+where $\mu$ is the revenue multiple of protocol token valuation. For $\phi = 0.075$, $\mu = 10$, and $G = 100$: recovery rate $= 0.005625 \times 10 \times 100 = 5.625\times$. While extreme, this demonstrates the positive network effect: more games create more protocol token value.
 
 %==========================================================================
 \section{Parameter Design Space}
@@ -598,19 +568,13 @@ where $\mu$ is the revenue multiple of protocol token valuation. This shows that
 
 \subsection{Tier Count and Price Calibration}
 
-\textbf{Tier count.} The number of tiers $N$ affects quorum difficulty ($Q \propto N$), per-tier dilution, and attack cost. Optimal regime: $4 \leq N \leq 32$ balances governance tractability with outcome granularity.
+\textbf{Tier count} (maximum: 128). More tiers increase governance robustness but potentially slow ratification. Optimal: $4 \leq N \leq 32$. A 32-team World Cup game is the sweet spot.
 
-\textbf{Price calibration.} Uniform pricing ($p_i = p$) creates clean parimutuel dynamics where pot fractions equal minting fractions. Non-uniform pricing allows odds-adjustment at design time. Recommended: uniform pricing between 0.01 and 1~ETH per NFT.
+\textbf{Price calibration.} Since all tiers share a uniform price $p$ (enforced by the protocol), the price affects accessibility, pot size per capita, and attack economics. Recommended: 0.01--0.1~ETH per NFT.
 
 \subsection{Timing Parameters}
 
-\textbf{Mint duration}: Should approximate time until event, capped at $\sim$30 days.
-
-\textbf{Refund duration}: 1--7 days provides meaningful optionality without excessive uncertainty.
-
-\textbf{Attestation start time}: 1--24 hours delay for preparation.
-
-\textbf{Attestation grace period}: 1--7 days for broad participation.
+\textbf{Mint duration}: $t_{\text{mint}} \approx \min(\text{time until event}, 30\text{ days})$. \textbf{Refund duration}: 1--7 days. \textbf{Attestation grace period}: 3--7 days (minimum: 1 day, enforced by protocol). \textbf{Scorecard timeout}: 90--180 days for permissionless games, 30 days for trusted-organizer games.
 
 \subsection{Fee Calibration and Protocol Sustainability}
 
@@ -625,7 +589,7 @@ The default fee structure is competitive with existing markets:
 Horse racing (parimutuel) & 15--25\% \\
 Sports betting (vig) & 4--10\% \\
 Prediction markets (fees) & 1--5\% \\
-\textbf{Defifa (default)} & \textbf{10\%} \\
+\textbf{Defifa (default)} & \textbf{7.5\%} \\
 \bottomrule
 \end{tabular}
 \caption{Fee comparison across prediction platforms.}
@@ -636,135 +600,365 @@ The effective fee rate, accounting for protocol token rebates, is:
 \phi_{\text{eff}} = \phi \cdot (1 - \alpha)
 \end{equation}
 
-where $\alpha$ is the fraction of fee value retained in protocol tokens. For $\alpha = 0.5$: $\phi_{\text{eff}} = 5\%$, competitive with low-fee prediction markets.
+where $\alpha$ is the fraction of fee value retained in protocol tokens. For $\alpha = 0.5$: $\phi_{\text{eff}} = 0.075 \times 0.5 = 3.75\%$, highly competitive with low-fee prediction markets.
 
 %==========================================================================
-\section{Open Problems and Mechanism Design Recommendations}
+\section{Safety Mechanisms}
 %==========================================================================
 
-The formal analysis in Sections~2--8 reveals several structural properties of the Defifa mechanism that merit attention. This section catalogs open problems discovered through systematic code review and game-theoretic analysis, ordered by severity, and proposes concrete protocol-level mitigations.
+Defifa includes a comprehensive safety system---the \textbf{NO\_CONTEST} mechanism---that prevents funds from being permanently locked when governance fails or the game is non-viable. NO\_CONTEST is a first-class game phase (defined in the \texttt{DefifaGamePhase} enum) with three complementary triggers.
+
+\subsection{The No-Contest System}
+
+\subsubsection{Trigger~1: Minimum Participation Threshold}
+
+At game creation, the organizer sets \texttt{minParticipation}---a minimum treasury balance required for the game to proceed to scoring. The \texttt{currentGamePhaseOf()} function checks the balance against this threshold before returning SCORING. If below, it returns NO\_CONTEST.
 
-\subsection{Governance Deadlock and Fund Recovery: A Deep Study}
+\emph{What it solves:} Ghost games with negligible participation skip directly to refundability. \emph{Attack surface:} A majority holder can refund enough tokens to push the balance below threshold. \emph{Mitigation:} Set the threshold conservatively low (${\sim}10\%$ of expected pot). Set to~0 to disable.
 
-\textbf{Severity: Significant (design consideration).}
+\subsubsection{Trigger~2: Scorecard Ratification Timeout}
 
-\subsubsection{Historical Context}
+At game creation, the organizer sets \texttt{scorecardTimeout}---a duration after SCORING begins. If no scorecard is ratified within this window, \texttt{currentGamePhaseOf()} returns NO\_CONTEST.
+
+\emph{What it solves:} All governance deadlock scenarios---no scorecard submitted, quorum unreachable, dead delegate, dead attestation holders. This is the only mechanism providing a hard, trustless, time-bounded guarantee that funds cannot be locked permanently. Set to~0 to disable.
+
+\subsubsection{Trigger~3: Explicit Activation}
+
+Once \texttt{currentGamePhaseOf()} returns NO\_CONTEST (from either trigger), anyone calls \texttt{triggerNoContestFor(gameId)}. This:
+\begin{enumerate}[nosep]
+    \item Sets \texttt{noContestTriggeredFor[gameId] = true} (permanent flag)
+    \item Queues a new ruleset with no payout limits, making surplus equal to balance
+    \item Enables full-refund cash-outs at mint price
+\end{enumerate}
 
-The original Defifa (Juicebox~V3 era) included \texttt{NO\_CONTEST} and \texttt{NO\_CONTEST\_INEVITABLE} phases. In~V3, each game phase had to be manually advanced by calling \texttt{queueNextPhaseOf()}. If nobody called this function before a funding cycle ``rolled over,'' the \texttt{\_noContestInevitable()} check detected the rollover and \texttt{\_queueNoContest()} reconfigured the project for permanent full-price refunds (\texttt{duration=0}, \texttt{cashOutTaxRate=0}, \texttt{pausePay=true}). The~V5 port pre-queues all rulesets at launch, eliminating the rollover risk---but also eliminating the sole trigger for no-contest. The dead code was removed as part of the~V5 cleanup (see AUDIT\_FINDINGS L-D5). This section formally analyzes whether a new form of no-contest should be reintroduced.
+During NO\_CONTEST, the \texttt{computeCashOutCount} function returns the cumulative mint price---identical to MINT/REFUND phase behavior, implementing a complete refund.
 
-\subsubsection{Exhaustive Deadlock Scenario Analysis}
+\subsubsection{Priority Rules}
 
-We identify five distinct scenarios in which game funds could become permanently inaccessible:
+COMPLETE takes priority over NO\_CONTEST---a ratified scorecard is final. Once \texttt{noContestTriggeredFor} is set, the game stays in NO\_CONTEST permanently.
 
-\textbf{Scenario~A: No scorecard submitted.} The game reaches SCORING. Nobody calls \texttt{submitScorecardFor()}. All tier cash-out weights remain zero. The hook returns \texttt{cashOutCount = 0} and \texttt{afterCashOutRecordedWith} reverts with \texttt{NOTHING\_TO\_CLAIM}. Funds remain in the treasury indefinitely.
+\subsubsection{Defense in Depth}
 
-\textbf{Scenario~B: Quorum unreachable.} A scorecard exists but attestation power is fragmented. No single scorecard accumulates 50\% of eligible attestation weight. The governor's \texttt{stateOf()} returns ACTIVE indefinitely---there is no expiry on attestation.
+The \texttt{defaultAttestationDelegate} provides a social fast-path for routine governance. Combined with the automated NO\_CONTEST triggers, this creates layered safety: delegate (fast-path social resolution) + timeout (hard backstop) + threshold (early exit for ghost games).
 
-\textbf{Scenario~C: Dead attestation delegate.} The \texttt{defaultAttestationDelegate} is set to an inaccessible address. Since delegation can only be changed during MINT, the accumulated attestation power is irrecoverably locked after MINT ends.
+\subsection{Governance Attack Economics}
 
-\textbf{Scenario~D: Attestation power in dead addresses.} If $>50\%$ of game pieces are transferred to contracts that cannot call \texttt{attestToScorecardFrom()}, exercisable attestation power drops below quorum permanently.
+\textbf{All governance systems are manipulatable with sufficient capital.} The relevant question is not \emph{whether} an attack is possible, but whether the \textbf{mechanism structurally prevents profit} regardless of how much the attacker spends. Making attacks ``more expensive'' is insufficient---a sufficiently capitalized adversary will pay any price. The defense must be structural, not economic.
 
-\textbf{Scenario~E: Split target reverts on ratification.} \texttt{ratifyScorecardFrom()} calls \texttt{fulfillCommitmentsOf()}, which calls \texttt{sendPayoutsOf()}. If a split target reverts, the entire ratification transaction fails despite a governance-approved scorecard.
+\subsubsection{The Scaling Problem (Current Design)}
 
-\begin{table}[h]
+The per-tier attestation power cap assigns equal $V_{\text{max}} = 10^9$ to every tier regardless of supply. An adversary buys 1~token in each of $\lceil N/2 \rceil$ sparse tiers at cost $C_{\text{attack}} = \lceil N/2 \rceil \cdot p$, while the pot scales as $B_{\text{pot}} = \sum_i n_i \cdot p$:
+\begin{equation}
+\text{ROI} \approx \frac{2 \cdot N_{\text{total}}}{N}
+\end{equation}
+
+Attack cost is $O(N)$ while the pot is $O(N_{\text{total}})$, so ROI grows linearly with participation. For our 32-team World Cup at 0.01~ETH: 0.16~ETH to capture a 138.75~ETH pot---an $867\times$ return. No amount of threshold-tuning fixes this: any defense based on ``make it cost more'' fails against unlimited capital.
+
+\subsubsection{Benefit-Weighted Attestation: The Structural Fix}
+
+The insight: \textbf{the beneficiaries of a scorecard should not be the ones who ratify it.} The more a tier receives from a scorecard, the less that tier's attestation power counts toward ratifying it.
+
+For a scorecard $S$ with weights $\{w_1, \ldots, w_N\}$, tier $i$'s effective attestation power:
+\begin{equation}\label{eq:bwa}
+\boxed{V_i^{\text{eff}}(S) = V_{\text{max}} \cdot \left(1 - \frac{w_i}{W_{\text{total}}}\right)}
+\end{equation}
+
+This is the \textbf{perfect proportion}: a pure linear reduction where benefit and governance power are complementary. The function has a critical mathematical invariant---total available attestation power is \emph{constant} for every valid scorecard:
+\begin{equation}
+\sum_{i=1}^{N} V_i^{\text{eff}}(S)
+  = V_{\text{max}} \cdot \sum_{i=1}^{N}\!\left(1 - \frac{w_i}{W_{\text{total}}}\right)
+  = V_{\text{max}} \cdot (N - 1)
+\end{equation}
+
+since $\sum w_i = W_{\text{total}}$. The mechanism does not favor concentrated scorecards over distributed ones in terms of \emph{how much} power exists---it only changes \emph{who} holds it.
+
+\textbf{Why linear is optimal.} Stronger-than-linear functions (e.g., quadratic $(1-x)^2$) reduce total available power for distributed scorecards relative to concentrated ones---the opposite of what is desired. Weaker-than-linear functions leave too much power with beneficiaries. The linear form uniquely preserves the $(N-1) \cdot V_{\text{max}}$ invariant while providing maximal separation between beneficiary and non-beneficiary power.
+
+\subsubsection{Why This Kills the Attack}
+
+\textbf{Fraudulent scorecard} (100\% to attacker's monopoly tier):
+
+\begin{table}[H]
 \centering
-\begin{tabular}{lccc}
+\begin{tabular}{lll}
 \toprule
-Scenario & Funds stuck? & Delegate resolves? & Automated? \\
+\textbf{Tier} & \textbf{Weight} & \textbf{Effective power} \\
 \midrule
-A: No scorecard & Yes & Yes, if active & No \\
-B: Quorum unreachable & Yes & Yes, if has power & No \\
-C: Dead delegate & Yes & No & No \\
-D: Dead attestation holders & Yes & No & No \\
-E: Split target reverts & Yes & No & No \\
+Attacker's tier & 100\% & $V_{\text{max}} \times 0 = 0$ \\
+Each of 31 others & 0\% & $V_{\text{max}} \times 1.0$ \\
 \bottomrule
 \end{tabular}
 \end{table}
 
-\subsubsection{Effectiveness of the Default Attestation Delegate}
+The attacker has \textbf{zero} attestation power for their own scorecard. No amount of capital changes this. The fraudulent scorecard accumulates 0 attestation and dies.
+
+\textbf{Truthful scorecard} (Argentina wins 40\%):
 
-When set, the \texttt{defaultAttestationDelegate} receives attestation units from every minter who does not specify a custom delegate. If no minter re-delegates, the delegate holds 100\% of attestation power---easily exceeding quorum. It resolves Scenarios~A and~B in the common case.
+\begin{table}[H]
+\centering
+\begin{tabular}{lll}
+\toprule
+\textbf{Tier} & \textbf{Weight} & \textbf{Effective power} \\
+\midrule
+Argentina & 40\% & $0.6 \times V_{\text{max}}$ \\
+Runner-up & 20\% & $0.8 \times V_{\text{max}}$ \\
+Semi-finalists ($\times 2$) & 10\% each & $0.9 \times V_{\text{max}}$ each \\
+Other 28 tiers & $\approx$0\% & $\approx V_{\text{max}}$ each \\
+\midrule
+\textbf{Total available} & & $31 \times V_{\text{max}}$ \\
+\textbf{Quorum} & & $16 \times V_{\text{max}}$ \\
+\bottomrule
+\end{tabular}
+\end{table}
 
-However, it provides no hard guarantee because it depends on four assumptions: (1)~the delegate is set (\texttt{address(0)} is valid), (2)~the delegate remains operational, (3)~the delegate acts honestly (it could self-ratify a malicious scorecard), and (4)~minters do not re-delegate. The delegate is an excellent first line of defense---a trusted, social mechanism---but not a trustless, automated one.
+The truthful scorecard has nearly $2\times$ the attestation power needed. The delegate marshals power from non-winning tiers (full strength), and even the winning tiers retain 60--90\% power.
 
-\subsubsection{Candidate Mechanism~A: Minimum Participation Threshold}
+\subsubsection{Scaling Against Unlimited Capital}
 
-At game initialization, the organizer sets \texttt{minParticipation}---a minimum treasury balance required to proceed to SCORING. If the balance is below this threshold, the game enters a no-contest state where cash-outs return mint prices. Implementation: one new \texttt{uint256} in the ops data; \texttt{currentGamePhaseOf()} checks the balance before returning SCORING.
+The attacker's fallback: buy into \emph{non-winning} tiers to accumulate attestation power for a fraudulent scorecard. But those purchases go \emph{into the pot}---the attacker enriches the treasury they are trying to steal.
 
-\emph{What it solves:} Ghost games with negligible participation skip directly to refundability. \emph{What it does not solve:} Post-threshold governance deadlocks (Scenarios~B--E). \emph{Attack surface:} A majority holder can refund enough tokens to push the balance below threshold, unilaterally killing the game. \emph{Mitigation:} Set the threshold conservatively low (${\sim}10\%$ of expected pot).
+\textbf{Attacker buys 1 token in 16 sparse tiers (0.16~ETH):} winning tier contributes 0 power; 15 other sparse tiers contribute $15 \times V_{\text{max}}$; honest tiers $\approx 0.03 \times V_{\text{max}}$. Total $\approx 15.03 \times V_{\text{max}} < 16 \times V_{\text{max}} =$ quorum. \textbf{Fails}---one tier short because the winning tier is dead weight.
 
-\subsubsection{Candidate Mechanism~B: Scorecard Ratification Timeout}
+\textbf{Attacker buys massively into honest tiers (80~ETH):} gains 50\% share in 16 honest tiers, adding $8 \times V_{\text{max}}$. Total $\approx 23 \times V_{\text{max}} >$ quorum. \textbf{Passes}---but invested 80~ETH to attack an 80~ETH pot. Net extraction = honest holders' original contribution. Attack cost now \textbf{scales linearly with the pot}---not because we made it expensive, but because the structure demands it.
 
-At game initialization, the organizer sets \texttt{scorecardTimeout}---a duration after SCORING begins. If no scorecard is ratified within this window, the game enters a no-contest state. Implementation: one new \texttt{uint256}; \texttt{currentGamePhaseOf()} checks \texttt{block.timestamp > scoringStart + timeout}.
+\subsubsection{Dead Token Economics: The Attack Tax}
 
-\emph{What it solves:} All five deadlock scenarios (A--E). This is the only mechanism providing a hard, trustless, time-bounded guarantee. \emph{Interaction with the governor:} Partially-attested scorecards expire gracefully. The critical edge case is a SUCCEEDED scorecard that hasn't been ratified when the timeout fires---mitigated by generous timeouts (90--180~days) or a short ``ratification grace period.'' \emph{Attack surface:} Minimal---an adversary cannot accelerate the timeout.
+The key insight making governance manipulation structurally unprofitable: \textbf{tokens purchased for governance power in non-winning tiers are dead money under a fraudulent scorecard.}
 
-\subsubsection{Do We Need a Formal State?}
+Under BWA, an attacker needs tokens in non-winning tiers (full governance power) to ratify a scorecard that benefits their winning tiers (zero power). But under the fraudulent scorecard, those non-winning tiers receive 0\% of the pot. The attacker's non-winning tokens are a sunk cost---capital destroyed in the act of governance manipulation.
 
-Both mechanisms can be implemented as \emph{computed states} in \texttt{currentGamePhaseOf()}---no on-chain state transition required. The SCORING ruleset already has \texttt{cashOutTaxRate = 0} and \texttt{pausePay = true}, which are the correct parameters for refunds. Adding a named enum value provides clearer UI/indexer signaling, but the behavior itself requires no new handler logic beyond the existing MINT/REFUND refund path.
+Combined with the 7.5\% fee extraction (5\% Defifa + 2.5\% base protocol), this creates a formal profitability condition.
 
-\subsubsection{Assessment and Recommendation}
+\begin{theorem}[Attack Profitability Threshold]\label{thm:profitability}
+In a Defifa game with $N$ tiers, fee rate $\phi = 7.5\%$, and BWA, an attacker controlling fraction $\alpha_w$ of winning-tier tokens and fraction $\alpha_v$ of non-winning (voting) tier tokens profits if and only if:
+\begin{equation}
+\alpha_w > \alpha_v \cdot \frac{N-1}{(1-\phi)N - 1}
+\end{equation}
+\end{theorem}
 
-The \texttt{defaultAttestationDelegate} resolves the vast majority of practical deadlocks and is sufficient for games with trusted organizers. However, for permissionless, trustless game creation, a hard guarantee is essential. We recommend:
+For the default fee rate ($\phi = 0.075$):
+
+\begin{table}[H]
+\centering
+\begin{tabular}{lll}
+\toprule
+$N$ (tiers) & Threshold $\alpha_w / \alpha_v$ & Interpretation \\
+\midrule
+2 & 1.176 & Must own 17.6\% more of winning tiers \\
+4 & 1.111 & Must own 11.1\% more \\
+8 & 1.094 & Must own 9.4\% more \\
+32 & 1.084 & Must own 8.4\% more \\
+128 & 1.082 & Converges to $1/(1-\phi) \approx 1.081$ \\
+\bottomrule
+\end{tabular}
+\caption{Profitability threshold by tier count.}
+\end{table}
+
+\begin{corollary}[Uniform Buyer Loss]
+An attacker who buys uniformly across all tiers ($\alpha_w = \alpha_v$) always loses money---their return is $(1-\phi) \cdot \alpha \cdot \text{pot}$ while their cost is $\alpha \cdot \text{pot}$, yielding a guaranteed $-7.5\%$ loss regardless of the scorecard, tier count, or pot size.
+\end{corollary}
+
+\begin{corollary}[Dead Token Tax]
+In a game with $N$ tiers where the attacker claims weight for 1 tier, $(N-1)/N$ of the attacker's governance tokens are dead---they cost money to buy but return nothing. For the World Cup ($N = 32$), 96.9\% of the attacker's governance investment is dead money.
+\end{corollary}
+
+\subsubsection{The Complete Defense Stack}
+
+\begin{table}[H]
+\centering
+\begin{tabular}{lll}
+\toprule
+\textbf{Layer} & \textbf{Mechanism} & \textbf{Defends against} \\
+\midrule
+Structural & Benefit-weighted attestation & Self-interested manipulation \\
+Economic & Dead token tax + fee extraction & Profitability of residual attacks \\
+Temporal & Post-ratification timelock (\S9.4) & Fraud slipping through BWA \\
+Adaptive & Graduated quorum (\S9.4) & Concentrated fraudulent scorecards \\
+Corrective & Attestation withdrawal (\S9.4) & Social engineering / phishing \\
+Social & Trusted delegate & Coordination failure \\
+Parametric & \texttt{minParticipation} + \texttt{scorecardTimeout} & Ghost games, deadlock \\
+Design & Uniform participation (\S9.3) & 51\% ownership concentration \\
+\bottomrule
+\end{tabular}
+\caption{Layered governance defense stack.}
+\end{table}
+
+\textbf{The irreducible limit.} Like all proof-of-stake systems, Defifa has a 51\% security threshold: an attacker who controls $>$50\% of every tier's tokens can ratify any scorecard. This is the fundamental limit of all token-weighted governance and cannot be eliminated by mechanism design alone. The defense is \emph{game design}---structuring games so that organic participation makes 51\% ownership prohibitively expensive.
+
+\textbf{The bottom line.} Benefit-weighted attestation transforms Defifa governance from an economic arms race into a structural equilibrium. The ``perfect proportion''---$\text{power} = 1 - \text{benefit}$---is the unique linear function that preserves constant total attestation across all valid scorecards while maximally separating beneficiary power from non-beneficiary power. Combined with dead token economics and fee extraction, self-serving governance is not just structurally difficult---it is provably unprofitable under the conditions identified in Section~9.3.
+
+\subsection{Resilient Game Design}\label{sec:game-design}
+
+The profitability threshold from Section~9.2 implies specific design principles that make Defifa games structurally resistant to governance attacks. This section derives the conditions under which attack profitability goes to zero and identifies the proven ideal game design.
+
+\subsubsection{The Uniform Participation Theorem}
+
+\begin{theorem}[Uniform Participation]\label{thm:uniform}
+In a Defifa game with BWA, if all $N$ tiers have equal supply ($n_i = n$ for all $i$), then no attacker controlling any fraction $\alpha$ of the total supply can profit from governance manipulation.
+\end{theorem}
+
+\begin{proof}
+Under uniform supply, any buyer's ownership fraction is identical across all tiers: $\alpha_w = \alpha_v = \alpha$. The profitability condition (Theorem~\ref{thm:profitability}) requires $\alpha_w > \alpha_v \cdot (N-1)/((1-\phi)N - 1)$, which reduces to $1 > (N-1)/((1-\phi)N - 1)$. Since $(1-\phi)N - 1 < N - 1$ for any $\phi > 0$, the right side exceeds 1---the condition can never be satisfied. The attacker always loses exactly the fee fraction $\phi$.
+\end{proof}
+
+This theorem establishes that \textbf{participation uniformity is the fundamental design variable} for game security. The closer a game's tier supplies are to uniform, the harder it is for any attacker to achieve the $\alpha_w > 1.08 \times \alpha_v$ threshold needed for profit.
+
+\subsubsection{Design Principles}
+
+\textbf{Principle 1: Choose events with balanced interest.} The single most important design decision is selecting an event where participants naturally spread their mints across tiers. Events with clear favorites and longshots concentrate supply, creating the imbalance attackers exploit.
+
+\begin{itemize}[nosep]
+\item \textbf{Ideal}: Tournament stages (World Cup groups, March Madness brackets) where multiple teams have genuine fanbases
+\item \textbf{Good}: Multi-candidate elections, multi-outcome market predictions
+\item \textbf{Risky}: ``Favorite vs.\ field'' structures where one tier attracts 90\%+ of supply
+\end{itemize}
+
+\textbf{Principle 2: More tiers, but only if they attract participation.} Additional tiers dilute the attacker's governance power across more dead tokens. However, adding tiers that attract zero organic participation creates cheap governance power for attackers. The optimal tier count $N^*$ maximizes tiers with meaningful supply:
+\[
+N^* = \max \{ N : \forall i, \; n_i \geq n_{\min} \}
+\]
+where $n_{\min}$ is the supply level below which a tier becomes a governance attack vector.
+
+\textbf{Principle 3: Reserve tokens as supply smoothing.} Configuring a reserved rate $\rho_i$ on every tier ensures that even tiers with low organic demand have tokens held by the delegate. These reserve tokens count toward supply (diluting attacker ownership), are held by the delegate (used to attest truthfully), and push $\alpha_w$ and $\alpha_v$ closer together. A reserved rate of $\rho = 1$ effectively halves the attacker's ownership fraction in any tier they haven't bought into.
+
+\textbf{Principle 4: Meaningful minimum participation.} Setting \texttt{minParticipation} ensures the pot is large enough that the attacker's token purchases represent a small fraction of total supply.
+
+\textbf{Principle 5: Scorecard timeout as hard backstop.} Always set \texttt{scorecardTimeout} for permissionless games to ensure fund recovery if governance fails.
+
+\subsubsection{Anti-Patterns}
+
+\textbf{Anti-pattern 1: Extreme favorites.} A game where Tier~1 attracts 10,000 mints and Tiers 2--32 attract 10 each. The attacker buys 11 tokens in each of 16 sparse tiers (cost: 1.76~ETH), gaining majority control at full governance power, while the pot holds 103.1~ETH.
+
+\textbf{Anti-pattern 2: Excess empty tiers.} Adding 128 tiers when only 8 attract organic interest. The remaining 120 tiers are free governance power---1 token each at minimum cost.
+
+\textbf{Anti-pattern 3: No safety parameters.} Running a permissionless game with \texttt{scorecardTimeout = 0} and \texttt{minParticipation = 0}. If governance fails, funds are permanently locked.
+
+\subsubsection{The World Cup as Near-Ideal Design}
+
+The 32-team FIFA World Cup game exemplifies resilient design:
 
 \begin{enumerate}[nosep]
-\item \textbf{Scorecard ratification timeout} as the primary safety mechanism. Covers all five deadlock scenarios. Implementation cost: one \texttt{uint256}, one timestamp comparison. Recommended default: 90~days.
-\item \textbf{Minimum participation threshold} as an optional complement. Provides early termination for non-viable games. Implementation cost: one \texttt{uint256}, one balance check.
-\item Both mechanisms should be \textbf{optional} (default: 0 = disabled) to preserve backward compatibility.
-\item The game should \textbf{remain fully playable without either mechanism}---they are safety nets, not requirements.
+\item \textbf{Balanced interest}: All 32 teams have genuine fanbases, ensuring organic minting across all tiers. Even ``longshot'' teams attract nationalist buying.
+\item \textbf{High tier count}: $N = 32$ means the profitability threshold requires 8.4\% ownership advantage---and 96.9\% of governance tokens are dead money.
+\item \textbf{Natural uniformity}: Group-stage structure ensures competitive teams in each group, providing diverse entry points.
+\item \textbf{Cultural event alignment}: The World Cup attracts large, globally distributed participation---making any attacker's fraction small.
+\item \textbf{Clear resolution}: Tournament brackets provide unambiguous outcomes, reducing scorecard disputes to mechanical verification.
 \end{enumerate}
 
-The combination of delegate (fast-path social resolution) + timeout (hard backstop) + threshold (early exit) provides defense in depth where each mechanism covers the failure modes of the others.
+\textbf{Is there a proven ideal game design?} Yes, with qualification. The Uniform Participation Theorem proves that a game with perfectly uniform tier supply is impervious to profitable governance attacks regardless of attacker capital. The ``ideal'' is therefore any event structure that naturally produces uniform minting---and the World Cup is the canonical real-world example. The qualification: no mechanism can prevent a 51\% attacker, just as no proof-of-stake protocol can. The defense is making 51\% ownership prohibitively expensive through high, uniform participation.
+
+\subsection{Governance Hardening}\label{sec:hardening}
+
+The defense stack in Section~9.2---BWA, dead token economics, and resilient game design---provides strong structural guarantees. This section describes four implemented mechanisms that provide defense-in-depth against residual attack vectors. These are additive: each one independently strengthens the system, and they compose without interference.
 
-\subsection{Cheap Cross-Tier Attestation Capture}
+\subsubsection{Post-Ratification Timelock}
 
-\textbf{Severity: Critical.}
+\textbf{Problem.} Without a timelock, \texttt{ratifyScorecardFrom} executes the scorecard instantly---the moment quorum is met and the grace period expires. There is zero time for the community to react to fraud that slips through BWA.
 
-As identified in the corrected attack cost analysis (Equation~\ref{eq:cheapattack}), the per-tier attestation power cap creates an unintended vulnerability in games with uneven participation. The mechanism assigns equal maximum attestation power ($V_{\text{max}} = 10^9$) to every tier \emph{regardless of minted supply}. A tier with 1~token has the same governance weight as a tier with 10,000 tokens.
+\textbf{Mechanism.} A mandatory delay $\tau_{\text{lock}}$ exists between a scorecard reaching quorum (after grace period) and its execution. During this window:
+\begin{enumerate}[nosep]
+\item The scorecard enters the \textsc{queued} state---visible but not yet executable.
+\item Multiple scorecards can reach \textsc{queued} or \textsc{succeeded} simultaneously. The first to be ratified wins; others become \textsc{defeated}.
+\item After $\tau_{\text{lock}}$ expires, the scorecard transitions to \textsc{succeeded} and can be ratified.
+\end{enumerate}
+
+Multiple scorecards can coexist in \textsc{queued}/\textsc{succeeded} simultaneously. The first \texttt{ratifyScorecardFrom} call wins. Under BWA + graduated quorum, marshaling enough attestation power for a fraudulent competing scorecard is extremely expensive.
 
-\textbf{The attack.} An adversary identifies $\lceil N/2 \rceil$ tiers with zero or minimal mints. They purchase 1 token in each, becoming the sole holder and receiving full $V_{\text{max}}$ per tier. Their total attestation power: $A_{\text{attacker}} = \lceil N/2 \rceil \cdot V_{\text{max}} \geq Q$. They meet quorum unilaterally and ratify a scorecard directing $W_{\text{total}}$ to their tokens.
+\textbf{Recommended:} $\tau_{\text{lock}} = 3$--$7$ days. Same pattern as Compound Governor, OpenZeppelin TimelockController, and Gnosis Safe.
 
-\textbf{Numerical example.} A 32-tier game at 0.01~ETH. Popular tiers accumulate 1,000 tokens each; 16 tiers receive no organic mints. The attacker buys 1 token in each empty tier for 0.16~ETH total and ratifies a scorecard directing ${\sim}144$~ETH to one of their tiers. \textbf{Return on investment: ${\sim}900\times$.}
+\textbf{Implementation.} A \textsc{queued} state exists between \textsc{active} and \textsc{succeeded}. \texttt{ratifyScorecardFrom} only executes when the state is \textsc{succeeded} (timelock expired). The \texttt{timelockDuration} is configurable per game (set to 0 to disable).
 
-\textbf{Root cause.} The quorum function counts \emph{any tier with nonzero supply} as eligible, conflating ``meaningful community participation'' with ``a tier a single actor created a position in.''
+\subsubsection{Graduated Quorum by Scorecard Concentration}
 
-\textbf{Recommended fix.} Introduce a minimum supply threshold for quorum eligibility:
+\textbf{Problem.} Base quorum is flat: $Q_{\text{base}} = N_{\text{eligible}} \times V_{\text{max}} / 2$ regardless of the scorecard's weight distribution. A ``steal everything'' scorecard faces the same quorum as a distributed one.
+
+\textbf{Mechanism.} Apply a concentration penalty based on the largest tier weight's squared share, scaled by the \emph{headroom}---the gap between maximum achievable BWA attestation and the base quorum:
+\begin{equation}
+\text{headroom} = Q_{\text{base}} - V_{\text{max}} - N = \frac{(N-2) \times V_{\text{max}}}{2} - N
+\end{equation}
 \begin{equation}
-Q = \frac{1}{2} \sum_{i=1}^{N} \mathbf{1}\!\left[n_i \geq n_{\text{min}}\right] \cdot V_{\text{max}}
+Q(S) = Q_{\text{base}} + \text{headroom} \times \left(\frac{\max_i(w_i)}{W_{\text{total}}}\right)^2
 \end{equation}
-where $n_{\text{min}} \geq 2$. Alternatively, weight each tier's attestation power by a concave function of supply, such as $\min(V_{\text{max}}, \sqrt{n_i} \cdot V_{\text{max}} / \sqrt{n_{\text{ref}}})$.
 
-\subsection{Prize Pool Under-Allocation}
+The $-N$ term accounts for per-tier integer rounding loss in the BWA computation (\texttt{mulDiv} truncation).
 
-\textbf{Severity: Significant.}
+\textbf{Properties:}
+\begin{itemize}[nosep]
+\item \textbf{Self-capping.} The penalty can never exceed headroom, so the adjusted quorum is always reachable by non-beneficiary attestors.
+\item \textbf{Nonlinear.} $\text{maxShare}^2$ is quadratic: gentle for moderate concentration (25\% max $\to$ 6.25\% of headroom), steep for extreme (100\% max $\to$ 100\% of headroom).
+\item \textbf{No magic constants.} The formula derives entirely from game parameters.
+\end{itemize}
+
+\begin{table}[H]
+\centering
+\begin{tabular}{lll}
+\toprule
+\textbf{Distribution} & \textbf{maxShare} & \textbf{Penalty (fraction of headroom)} \\
+\midrule
+Equal across 32 tiers & 3.1\% & 0.1\% (essentially unchanged) \\
+World Cup (40/20/10/10/\ldots) & 40\% & 16\% \\
+Winner-take-all (100/0/\ldots) & 100\% & 100\% (quorum = max achievable BWA) \\
+\bottomrule
+\end{tabular}
+\caption{Graduated quorum impact by scorecard concentration.}
+\end{table}
 
-The weight validation in \texttt{setTierCashOutWeightsTo} uses a strict greater-than check: \texttt{if (\_cumulativeCashOutWeight > TOTAL\_CASHOUT\_WEIGHT) revert}. A scorecard with weights summing to \emph{less than} $W_{\text{total}}$ passes validation. The residual $B_{\text{prize}} \cdot (1 - \sum_i w_i / W_{\text{total}})$ remains permanently trapped in the treasury, breaking the conservation guarantee of Theorem~6.1 (which assumes $\sum_i w_i = W_{\text{total}}$).
+Distributed scorecards are barely affected. Concentrated fraudulent scorecards face quadratically increasing quorum, up to the theoretical BWA maximum for winner-take-all.
 
-\textbf{Recommended fix.} Change to exact equality: \texttt{if (\_cumulativeCashOutWeight != TOTAL\_CASHOUT\_WEIGHT) revert}.
+\subsubsection{Attestation Withdrawal}
 
-\subsection{Attestation Timing Misconfiguration}
+\textbf{Problem.} Without withdrawal, attestation would be irreversible. Holders tricked into attesting to a fraudulent scorecard (phishing, social engineering) cannot correct their mistake.
 
-\textbf{Severity: Significant.}
+\textbf{Mechanism.} Holders can revoke attestation during the \textsc{active} phase:
+\begin{enumerate}[nosep]
+\item Each attestor's BWA weight is stored: \texttt{attestedWeightOf[msg.sender]}.
+\item \texttt{revokeAttestationFrom(gameId, scorecardId)} subtracts the stored weight from the scorecard's count.
+\item Revocation is only available while the scorecard state is \textsc{active}. Once \textsc{queued} (grace period ended + quorum met), revocations are disabled to prevent attest/revoke griefing.
+\end{enumerate}
 
-Both \texttt{attestationsBegin} and \texttt{gracePeriodEnds} are computed relative to \texttt{block.timestamp} at submission time---not relative to each other. If $\tau_{\text{grace}} < \tau_{\text{attest\_start}}$, the grace period expires \emph{before attestations begin}, creating a zero-length effective attestation window. Additionally, \texttt{initializeGame} performs no validation on the relationship between these parameters.
+During \textsc{active}, the grace period is still running, giving honest holders time to correct mistakes. Combined with the timelock, the overall correction window spans the grace period plus timelock duration.
 
-\textbf{Recommended fix.} Compute \texttt{gracePeriodEnds} relative to \texttt{attestationsBegin}: $t_{\text{grace\_end}} = t_{\text{attest\_begin}} + \tau_{\text{grace}}$, or validate in \texttt{initializeGame} that $\tau_{\text{grace}} \geq \tau_{\text{attest\_start}}$.
+\subsubsection{Scorecard-Aware Attestation Power (BWA Implementation)}
 
-\subsection{Pre-Scoring Scorecard Submission}
+\textbf{Problem.} The raw \texttt{getAttestationWeight} computes attestation power without regard to which scorecard is being attested to. For BWA to function, attestation power must be \emph{scorecard-dependent}: each tier's contribution reduced by $(1 - w_i / W_{\text{total}})$.
 
-\textbf{Severity: Moderate.}
+\textbf{Mechanism.} Modify the attestation flow to be scorecard-aware:
+\begin{enumerate}[nosep]
+\item When \texttt{attestToScorecardFrom} is called, retrieve the scorecard's tier weights.
+\item For each tier where the attestor has power, compute the BWA-reduced weight:
+\[
+\text{power}_i^{\text{eff}} = \text{power}_i^{\text{raw}} \times \left(1 - \frac{w_i}{W_{\text{total}}}\right)
+\]
+\item Sum the effective power across all tiers and record this as the attestation count.
+\end{enumerate}
 
-The \texttt{submitScorecardFor} function contains no game-phase check. Scorecards can be submitted and accumulate attestations during the MINT phase---before the underlying event has occurred. While \texttt{setTierCashOutWeightsTo} enforces SCORING for weight application, pre-accumulated attestations let a coordinated group achieve SUCCEEDED state before scoring opens, then ratify instantly.
+\textbf{Storage approach.} The tier weights must be accessible during attestation. Storing weights in the scorecard struct is recommended: written once at submission ($O(N)$ storage, $\sim$400k gas for 128 tiers), read many times during attestation (zero additional calldata per attestation).
 
-\textbf{Recommended fix.} Add a phase check requiring SCORING phase for scorecard submission.
+\textbf{Quorum adjustment.} Under BWA, maximum possible attestation for any scorecard is $(N-1) \times V_{\text{max}}$ (the constant-total invariant). Base quorum is $N_{\text{eligible}} \times V_{\text{max}} / 2$, representing 50\% of raw power. The graduated quorum mechanism (Section 9.4.2) further adjusts this per-scorecard based on concentration, storing the result in \texttt{quorumSnapshot}.
 
-\subsection{Fee Extraction Fragility}
+\subsection{Governance Deadlock Analysis}
 
-\textbf{Severity: Moderate.}
+The following table summarizes all governance deadlock scenarios and their resolution:
 
-In \texttt{fulfillCommitmentsOf}, the function calls \texttt{sendPayoutsOf} with \texttt{minTokensPaidOut} set to the full treasury balance. The split structure returns ${\sim}90\%$ back via \texttt{addToBalanceOf}. If the terminal interprets \texttt{minTokensPaidOut} as the minimum that permanently leaves the project, this transaction reverts---permanently blocking fee extraction and game completion.
+\begin{table}[H]
+\centering
+\begin{tabular}{ll}
+\toprule
+\textbf{Scenario} & \textbf{Resolution} \\
+\midrule
+No scorecard submitted & \texttt{scorecardTimeout} $\to$ NO\_CONTEST \\
+Quorum unreachable & \texttt{scorecardTimeout} $\to$ NO\_CONTEST \\
+Dead delegate & \texttt{scorecardTimeout} $\to$ NO\_CONTEST \\
+Dead attestation holders & \texttt{scorecardTimeout} $\to$ NO\_CONTEST \\
+Split target reverts & try-catch $\to$ fee stays in pot $\to$ game continues \\
+All minters refund & Treasury = 0, nothing to recover \\
+Insufficient participation & \texttt{minParticipation} $\to$ NO\_CONTEST \\
+\bottomrule
+\end{tabular}
+\caption{Governance deadlock scenarios and resolutions.}
+\end{table}
 
-\textbf{Recommended fix.} Set \texttt{minTokensPaidOut} to~0 or to the expected fee amount.
+Every deadlock scenario is resolved by either \texttt{scorecardTimeout} or \texttt{minParticipation}, provided these optional parameters are set. A game with both set to~0 relies on the delegate and community coordination.
 
 %==========================================================================
 \section{Conclusions and Practical Implications}
@@ -772,29 +966,32 @@ In \texttt{fulfillCommitmentsOf}, the function calls \texttt{sendPayoutsOf} with
 
 This paper has formalized the cryptoeconomic mechanisms of Defifa: a prediction-game protocol that transforms NFT minting into a parimutuel wagering mechanism with governance-ratified outcomes.
 
-\textbf{Prize Distribution Mechanics.} Defifa implements a path-independent, weight-proportional prize distribution through Equation~\ref{eq:cashout}. Using $(B_{\text{prize}} + A_{\text{redeemed}})$ as the reference pot ensures every token holder receives the same payout regardless of redemption order. Theorem~6.1 proves total payouts exactly exhaust the prize pool (provided $\sum_i w_i = W_{\text{total}}$; see Section~9.3).
+\textbf{Prize Distribution Mechanics.} Defifa implements a path-independent, weight-proportional prize distribution through Equation~\ref{eq:cashout}. Using $(B_{\text{prize}} + A_{\text{redeemed}})$ as the reference pot ensures every token holder receives the same payout regardless of redemption order. Theorem~6.1 proves total payouts exactly exhaust the prize pool. The on-chain exact-sum validation ($\sum w_i = W_{\text{total}}$) provides a hard guarantee that no prize pool value is trapped.
+
+\textbf{Governance Security.} The attestation model achieves a balance between decentralization and efficiency. Section~9.2 introduces \textbf{benefit-weighted attestation} (BWA): the ``perfect proportion'' where a tier's governance power for a given scorecard equals $V_{\text{max}} \times (1 - w_i / W_{\text{total}})$. This structural mechanism makes self-serving scorecards unratifiable regardless of attacker capital. The dead token economics prove that even attacks overcoming BWA are unprofitable: tokens purchased for governance power in non-winning tiers return \$0 under the fraudulent scorecard, creating a guaranteed loss when combined with fee extraction. Section~9.3 formalizes the Uniform Participation Theorem, proving that games with equal tier supply are impervious to profitable governance attacks.
 
-\textbf{Governance Security.} The attestation model (Section~3) achieves a balance between decentralization and efficiency. The per-tier cap on attestation power ($V_{\text{max}} = 10^9$) prevents any single tier from dominating governance, while the 50\% quorum across minted tiers ensures broad participation. However, Section~9 identifies a critical governance vulnerability: cheap cross-tier attestation capture (9.2), where an attacker buying 1~token in each of $N/2$ unpopular tiers can unilaterally meet quorum. The corrected attack cost (Eq.~\ref{eq:cheapattack}) shows that governance security depends not just on tier count and prices, but critically on participation uniformity across tiers. The deep study in Section~9.1 identifies five distinct deadlock scenarios and evaluates two candidate safety mechanisms (participation thresholds and ratification timeouts), concluding that both are valuable optional additions but that the existing system remains fully playable without them when games have active organizers and trusted delegates.
+\textbf{Safety Mechanisms.} The NO\_CONTEST system (Section~9.1) provides comprehensive fund-recovery guarantees through minimum participation thresholds, scorecard timeouts, and the default attestation delegate---layered safety where each mechanism covers the failure modes of the others.
 
-\textbf{Market Efficiency.} The equilibrium analysis demonstrates convergence to the classical parimutuel result: pot fractions equal consensus probabilities. The three-round information structure (mint $\to$ refund $\to$ secondary) provides richer information aggregation than single-shot mechanisms.
+\textbf{Market Efficiency.} The equilibrium analysis demonstrates convergence to the classical parimutuel result: mint fractions equal consensus probabilities. The uniform pricing enforced by the protocol ensures clean dynamics. The three-round information structure (mint $\to$ refund $\to$ secondary) provides richer information aggregation than single-shot mechanisms.
 
-\textbf{Protocol Sustainability.} The fee-token flywheel creates positive network effects where more games increase protocol token value, which reduces effective fee rates, which attracts more players.
+\textbf{Protocol Sustainability.} The 7.5\% default fee rate (5\% Defifa + 2.5\% base protocol) positions Defifa competitively with traditional parimutuel systems (15--25\%) while the protocol token rebate further reduces the effective rate.
 
 \textbf{Practical Recommendations.}
 \begin{enumerate}[nosep]
-    \item \textbf{Tier count}: 4--32 tiers for governance security and outcome expressiveness.
-    \item \textbf{Pricing}: Uniform pricing between 0.01--1 ETH for clean parimutuel dynamics.
+    \item \textbf{Participation uniformity is paramount}: The Uniform Participation Theorem (Section~9.3) proves games with equal tier supply are impervious to profitable governance attacks. Choose events where all tiers attract organic interest.
+    \item \textbf{Tier count}: 4--32 tiers. Only add tiers that will attract meaningful participation; empty tiers are cheap governance power for attackers.
+    \item \textbf{Reserve tokens}: Configure reserved rates on every tier to smooth supply and dilute attacker ownership in sparse tiers.
+    \item \textbf{Pricing}: 0.01--0.1~ETH per NFT for accessibility and attack resistance.
     \item \textbf{Refund phase}: 1--7 days for meaningful optionality.
-    \item \textbf{Attestation}: Trusted default delegate; 24-hour start delay; 3-day grace period. Ensure $\tau_{\text{grace}} \geq \tau_{\text{attest\_start}}$ (Section~9.4).
-    \item \textbf{Fees}: Default 10\% split is competitive; organizer splits should not exceed 5\%.
-    \item \textbf{Participation}: Ensure all tiers attract meaningful participation to resist cheap governance capture (Section~9.2). Consider minimum-supply quorum thresholds.
-    \item \textbf{Deadlock protection}: For permissionless games, set a scorecard ratification timeout (90--180~days recommended) and optionally a minimum participation threshold. For trusted-organizer games, the \texttt{defaultAttestationDelegate} is sufficient (Section~9.1).
+    \item \textbf{Attestation}: Trusted default delegate; 3--7 day grace period.
+    \item \textbf{Fees}: Default 7.5\% is competitive; organizer splits should not exceed 5\%.
+    \item \textbf{Safety}: Always set \texttt{scorecardTimeout} (90--180 days) and \texttt{minParticipation} for permissionless games.
 \end{enumerate}
 
-\textbf{Synthesis.} Defifa implements a rigorous approach to prediction gaming through the composition of three well-understood mechanisms: parimutuel pooling for price formation, attestation governance for outcome resolution, and Juicebox V5 for treasury management. The mathematical analysis confirms that the system conserves value and converges to informationally efficient equilibria. The protocol token layer adds a novel incentive dimension that aligns participant, organizer, and protocol interests around game volume growth.
+\textbf{Synthesis.} Defifa implements a rigorous approach to prediction gaming through the composition of three well-understood mechanisms: parimutuel pooling for price formation, attestation governance for outcome resolution, and Juicebox V6 for treasury management. The mathematical analysis confirms that the system conserves value and converges to informationally efficient equilibria. The protocol token layer adds a novel incentive dimension that aligns participant, organizer, and protocol interests around game volume growth.
 
-The open problems identified in Section~9---particularly the cheap cross-tier attestation capture (9.2) and prize pool under-allocation (9.3)---represent the most important areas for protocol hardening before production deployment at scale. The recommended mitigations (minimum-supply quorum thresholds, exact weight validation) are backwards-compatible and address the identified vulnerabilities without altering the core mechanism design. The deep study of governance deadlock (9.1) confirms that the existing architecture is sound---the \texttt{defaultAttestationDelegate} resolves the majority of practical deadlocks---but that optional safety mechanisms (ratification timeout, participation threshold) provide valuable defense in depth for permissionless deployment without adding mandatory complexity.
+The elegance of Defifa resides in its architectural composability: prediction games with arbitrary outcomes, arbitrary tier structures, and arbitrary payout distributions emerge from the same set of twelve parameters (Eq.~1), executed deterministically by immutable smart contracts with a single, time-bounded governance input. From a 4-team presidential election to a 32-team World Cup, the same protocol handles it all---and the safety mechanisms ensure that every game resolves, one way or another.
 
-The elegance of Defifa resides in its architectural composability: prediction games with arbitrary outcomes, arbitrary tier structures, and arbitrary payout distributions emerge from the same set of parameters, executed deterministically by immutable smart contracts with a single, time-bounded governance input. The game remains fully playable and efficient without additional states---the proposed safety mechanisms are optional parameters that expand the design space for risk-averse game creators while preserving the protocol's minimalist architecture for those who prefer it.
+The most significant finding is the Uniform Participation Theorem: \textbf{a game with uniform tier supply is provably impervious to profitable governance attacks regardless of attacker capital.} This transforms game design from an art into an engineering discipline---the designer's job is to choose events and tier structures that naturally produce uniform participation, and the cryptoeconomics handle the rest.
 
 \end{document}