Chapter 5 · § 5.4 · Recipe

Narrow Surface Area

Fewer than 1,000 lines of consensus-critical code.

Problem

Immutable code is unfixable code. How does the protocol manage that risk?

Solution

Fewer than 1,000 lines. Formally verified. Audited on cadence.

The waterfall is implemented in fewer than 1,000 lines of consensus-critical code. The surface is narrow by design. The implementation is formally verified for the safety properties (priority preservation, no skipped tier, no double-distribution). The audit trail covers every commit to the consensus-critical files. Independent re-audit is on a published cadence.

Discussion

Narrow is the operative word. A system with ten thousand lines of immutable consensus-critical code is wrong before the immutability is wrong. The waterfall does one thing — distribute available collateral in priority order, with verifiable guarantees on tier-respect — and does that thing in a deliberately small contract surface.
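To make the three safety properties concrete, here is an added reference model in Python; it is not the protocol's code. The tier representation, the integer amounts and the exact reading of each property are assumptions, and a bounded exhaustive check stands in for formal verification.

```python
# Added illustration: a reference model of a priority waterfall, not the protocol's code.
# Assumed model: integer amounts, tiers listed from highest to lowest priority.
from itertools import product


def distribute(available: int, claims: list[int]) -> list[int]:
    """Pay each tier in priority order until the collateral runs out."""
    if available < 0 or any(c < 0 for c in claims):
        raise ValueError("amounts must be non-negative")
    payouts, remaining = [], available
    for claim in claims:
        paid = min(claim, remaining)
        payouts.append(paid)
        remaining -= paid
    return payouts


def violations(available: int, claims: list[int], payouts: list[int]) -> list[str]:
    """Return the names of the safety properties (as interpreted here) that fail."""
    if len(payouts) != len(claims):
        return ["shape"]
    failed = []
    # No double-distribution: never pay out more than exists, or more than a tier is owed.
    if sum(payouts) > available or any(p > c or p < 0 for p, c in zip(payouts, claims)):
        failed.append("double-distribution")
    # Priority preservation: a tier is paid only if every senior tier is paid in full.
    for i, paid in enumerate(payouts):
        if paid > 0 and any(payouts[j] < claims[j] for j in range(i)):
            failed.append("priority")
            break
    # No skipped tier: a tier is left short only when the collateral is exhausted.
    if any(p < c for p, c in zip(payouts, claims)) and sum(payouts) < available:
        failed.append("skipped-tier")
    return failed


def check_exhaustively(max_amount: int = 4, tiers: int = 3) -> int:
    """Bounded exhaustive check of the model; returns the number of cases examined."""
    cases = 0
    for available in range(max_amount * tiers + 2):
        for claims in product(range(max_amount + 1), repeat=tiers):
            payouts = distribute(available, list(claims))
            assert violations(available, list(claims), payouts) == []
            cases += 1
    return cases
```

The checker is deliberately separate from `distribute`, so it can also be pointed at payouts produced by a different implementation of the same rule.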

Warning: Immutability cuts both ways. A bug in the waterfall is not patchable by governance. The mitigations are formal verification, narrow surface, third-party audits, and a published incident response that includes the option of forking the chain if a fundamental flaw is discovered. The fork option is the unhappy-path equivalent of governance and exists for exactly the case immutability cannot otherwise repair.

The same principle applies in Chapter 6: the regulatory perimeter is narrow by design. The fewer load-bearing surfaces a protocol has, the easier it is to keep them right.
