Technical Paper

Anti-abuse approach

3.8 Threat model

The trust layer is built against three classes of abuse:

  1. Single-account farming — one user uploads receipts they did not actually pay for, or re-uploads the same receipt with cosmetic variations to earn bINT multiple times.
  2. Multi-account farming — one operator runs several accounts, sometimes sharing a single receipt across them, to circumvent the per-user daily ceiling.
  3. Synthetic content — receipts generated by image-synthesis tools that look plausible while representing fabricated transactions.

Each class has its own signal family. The layer assumes that abuse is iterative — that an attacker will probe the system and adjust — and is therefore designed to recalibrate over time rather than rely on fixed rules.

3.9 Signal categories

Across the three classes, the layer draws on signal categories named here at a high level:

  • Perceptual similarity — detects re-use of the same receipt across uploads.
  • Device and session continuity — detects unusual patterns in how an account interacts with the protocol.
  • Cross-account correlation — detects clusters of accounts that share patterns inconsistent with independent households.
  • Synthetic-media authenticity — detects images that show characteristics inconsistent with photographs of physical receipts.
  • Behavioural rhythm — detects upload patterns that diverge from honest household behaviour. The specific signals that compose this category are managed in the internal operations layer.

Each category produces signals that feed the receipt's trust score and, where relevant, the user's health. The specific signals, thresholds, and cluster construction method are managed in the internal operations layer.

3.10 Treatment

Treatment is graduated:

  • A signal in isolation lowers the trust band for the affected receipt.
  • A cluster of signals across receipts lowers the user's health, which compresses the daily ceiling.
  • A persistent pattern across users opens a review case in the operational queue; resolution may involve human review, additional verification, or — in repeated and unambiguous cases — account-level action.

The graduated treatment is intentional. Receipts and users sit on a trust spectrum, and the protocol's economic logic depends on keeping that spectrum legible.

Previous
User health
Next
Decision matrix