Abstract
A case discussion of a fiat-backed stablecoin failure mode that requires no stolen mint key, no falsified bank statement, no broken ERC-20, and no direct contract exploit. The system overstates how much it can safely mint because claims and reserves are measured on incompatible finality clocks, and because the authorization join between them is left unguarded. Every component is correct in isolation — the token contract is sound, the bank report honest, the bridge verifies its messages, the attestation accurately scoped — yet the failure lives in the seams between them, where one ledger's notion of 'done' is handed to another that means something different by it. The thesis is narrow: form is not finality.
Executive summary
This working paper dissects a failure mode in fiat-backed stablecoins that no single audit would catch — because no single component is broken. The token contract is sound, the bank report is honest, the bridge verifies its messages, and the attestation is accurately scoped. The system still overstates how much it can safely mint.
The reason is structural: claims and reserves are measured on incompatible finality clocks, and the authorization join between them is left unguarded. The bug is not in any box; it lives in the wiring between boxes — the seams where one ledger's notion of "done" is handed to another ledger that means something different by it.
The thesis is deliberately narrow — form is not finality — but the implications are not. As reserves, attestations, and settlement move onto programmable rails measured by different clocks, this class of seam-misclassification risk generalizes well beyond the single case discussed here. The full paper works through the mechanism, the failure, and what a correct authorization join would require.