Methodology
This page documents the methodology, thesis, and citation conventions for the Lemma Critical Brief series. The production and publication of each Brief, as well as citations by readers, follow the principles below.
What Lemma Critical Brief is
Lemma Critical Brief is a structured incident-analysis reference collection published by Lemma. It archives individual incidents in the AI, cryptographic infrastructure, supply chain, and regulatory-attribute domains in a one-incident-per-Brief format, structurally analyzing each event's failure primitive and the gap that strengthening detection alone cannot close. Briefs are written for CSOs, analysts, and regulatory practitioners to reference as citation sources.
The structure this series examines — assertions of trust decoupled from the layer that verifies them — extends beyond cyber-attack damage cases to the broader category of trust-layer risk events in the age of AI.
Concretely, this includes (a) attack incidents (e.g., provenance manipulation, credential misuse, framework authentication bypass), and (b) trust-layer risk events in the age of AI (e.g., training data provenance, AI input integrity, credential lifecycle attributes, independent verification of agent authority). The surface taxonomy differs, but the common structural failure — absence of an independent verification layer — runs through both.
Detection ≠ Proof thesis
Lemma's core thesis is the recognition that detection is not proof (Detection ≠ Proof).
Confidence scores returned by detection tools — for example, "99.7% probability of anomaly" — do not constitute evidence in regulatory reporting, administrative procedures, or litigation that "an unauthorized exercise of authority occurred." Detection is a layer that narrows the blast window once damage is already in flight; it does not change what a bridge / system / agent will accept in the first place.
Pre-execution attestation closes this structural gap. By cryptographically committing "what / to whom / up to where authority was granted" before a transaction, the defense line shifts from reliance on detection to reliance on verification. Detection and pre-execution attestation are not competing approaches but complementary ones: detection narrows the blast window after an event; pre-execution attestation independently verifies the trust boundary before the event.
Each Brief applies this thesis to the context of its target incident in §5 "The Structural Gap Detection Alone Cannot Close."
Brief structure
Each Brief consists of the following 9 sections:
- TL;DR — target incident, damage scale, failure primitive, and Lemma's response, in one paragraph
- §1 Incident Overview — name / date / damage scale / principal parties
- §2 Timeline — chronology in ISO dates, technical facts only
- §3 Attack Vector / Event Chain — initial compromise → lateral movement → impact realization (for attack incidents), or failure decomposition (for trust-layer risk events that are not attacks)
- §4 Structural Analysis — naming the structural pattern of the failure primitive, with shared structure and differences from neighbouring incidents
- §5 The Structural Gap Detection Alone Cannot Close — applying the Detection ≠ Proof thesis to the case at hand
- §6 Response and Industry Developments — official post-mortems, individual responses, and cross-industry movements
- §7 Lemma's Analysis — Lemma's design response to the structural gap exposed by the case, in one paragraph, with inline links to the relevant essay and reference implementation
- §8 Sources — external primary and secondary sources, each with URL, date, and provenance label
- §9 Distribution — note that the Brief is public analysis, with Discovery Call contact
Cross-links to neighbouring Briefs in the same or adjacent categories are auto-generated from the frontmatter related_briefs field as navigation cards rendered below the body, alongside discovery via the Category and Pillar archives.
The voice is sober. Industry terminology is used without annotation. Detection tools and existing vendors (Blockaid, PeckShield, Mandiant, etc.) are not framed as adversaries but as complementary roles.
Pillar / Category framework
Briefs are classified according to Lemma's 4 Pillars:
- Pillar 01 — Verifiable Origin: the layer that independently verifies the origin of messages, data, and code
- Pillar 02 — Verifiable AI: the layer that ZK-commits the process of AI judgment
- Pillar 03 — Agent Authority Proof: the layer that records and proves the delegation relationships of agents
- Pillar 04 — Regulatory Attribute Proof: the layer that proves KYC / AML / regulatory attributes via selective disclosure
Each Brief carries a primary_category (main category) and secondary_categories (cross-cutting categories), making it accessible from both the Pillar archive and the Category archive.
Category names are defined independently by Lemma. Crossover with external classifications (AIID, OECD AIID, etc.) is expressed through secondary_categories.
Citation conventions
Each Brief has a Permanent URL (slug never changes; archive numbers are not reused).
Citation is recommended in the following formats. Plain text uses Brief 001 as a concrete example; BibTeX and APA are shown in template form.
Plain text
Lemma Critical Team. (2026).
"KelpDAO / rsETH Unauthorized Unlock — RPC Manipulation Attack on the DVN Observation Layer".
Lemma Critical Brief No.001. Lemma / FRAME00, Inc.
https://lemma.frame00.com/critical/briefs/001-kelpdao-rseth/
BibTeX
@techreport{lemma_critical_<NN>,
  author      = {{Lemma Critical Team}},
  title       = {<Title>},
  number      = {<NN>},
  year        = {2026},
  institution = {Lemma / FRAME00, Inc.},
  url         = {<Brief URL>}
}
APA
Lemma Critical Team. (2026).
<Title> (Lemma Critical Brief No.<Number>). Lemma / FRAME00, Inc.
<Brief URL>
Each Brief page provides a "Cite this Brief" box with the three formats selectable via tabs.
Updates and corrections policy
After publication, each Brief is maintained according to the following policy:
- Typos / minor corrections (misspellings, broken links, notation inconsistencies): overwritten in place, no version change
- Content revisions (factual additions, interpretive changes, incorporation of new facts): retained via version numbering. The frontmatter version increments from 1.0 → 1.1 (minor) or 2.0 (major). A "Revision History" section is added at the end of the Brief, briefly recording the changes in each version
- Retraction (when misinformation or misclassification is identified): a retraction notice is left at the original URL and the content is withdrawn. Per the Permanent URL policy, the URL itself is not deleted
Distribution and contact
Lemma Critical Brief is a structured analysis of public information. The following applies to the series:
- It is public analysis, not an audit, assessment, or recommendation for any specific organization
- For use in decision-making, direct consultation with your organization's Lemma Critical contact is recommended
- For commercial use or translation inquiries, please contact the Lemma editorial team
Contact:
- Discovery Call: tally.so/r/Pd2Rl5 — for tips, corrections, or commercial-use inquiries
- Whitepaper request: tally.so/r/xX0VYv