Augmented Mechanism Design (continuing the airgap series)

In part one I argued that DeFi’s standard incentive layer leaves an airgap between on-chain state and the off-chain reality the chain is trying to govern, and that the airgap dissolves only when honesty becomes load-bearing. That is the architectural property a protocol arrives at when dishonest behavior is structurally unprofitable across every attack vector. Once it holds, on-chain and off-chain reality have the same trust shape, and entire categories of attack (multi-wallet self-dip, sybil-farmed governance, front-running, wash trading, pre-signed replay) stop existing as live threats. They are not defeated case by case. They are dissolved as a class.

That post left the how unfinished: it described the property to achieve without naming the methodology that gets you there. This post names the methodology: Augmented Mechanism Design (AMD).

The question AMD answers

Conventional mechanism design picks a primitive (auction, market, voting rule, distribution function) and tunes its parameters. The architectural assumption is that one mechanism handles one job, and any unwanted behavior (MEV, sybils, extraction) is bounded by parameter choice and external monitoring.

AMD rejects the “one mechanism, one job” framing. Its core claim:

Most useful mechanisms can be augmented with a math-enforced invariant that closes a specific attack class, and the augmentation composes. Multiple invariants stacked on the same mechanism close multiple attack classes simultaneously without breaking the mechanism’s primary function.

The augmentation does not replace the mechanism. The market still clears, the auction still settles, the governance vote still resolves. The augmentation makes a specific failure mode structurally impossible while preserving everything else.

Four invariant types

AMD admits four invariant types, each closing a different attack-tree branch:

  1. Structural invariants. Enforced by mechanism shape. Example: commit-reveal binding makes ordering-based extraction impossible because orders are not visible at the time when ordering could be exploited.

  2. Economic invariants. Enforced by payoff structure. Example: a distribution rule where dishonesty has negative expected value for every actor across every state.

  3. Temporal invariants. Enforced by time-binding. Example: a batch settlement at a single uniform clearing price prevents within-batch ordering games.

  4. Verification invariants. Enforced by proof requirement. Example: an on-chain assertion that a fairness axiom holds across all participants, with the contract reverting if any pair violates it.

A protocol with one mechanism (say, an auction) and one invariant (commit-reveal binding) closes one attack class. The same auction with structural ∧ economic ∧ temporal invariants composed (commit-reveal binding ∧ uniform clearing price ∧ cryptographic shuffle for tiebreak) closes the entire MEV category. The composition is the leverage.

Discipline: every claimed property requires an enforcer

A methodology is only as good as the discipline that distinguishes it from aspiration. AMD’s discipline:

Every claimed safety or fairness property must correspond to a structural enforcer in the implementation. A line of math or code that makes the worst-case input fail by construction. A property that lives only in documentation is not a property. It is an intent.

This sounds obvious. In practice the failure mode is constant. A protocol claims “non-extractive” and the formula admits an input where extraction happens. A protocol claims “fair allocation” and the floor logic breaks the axiom for a subset of participants. A protocol claims “1-of-N security” and the verification path was never wired to the execution path.

The audit pattern that catches this class of miss runs in three steps:

  1. Name the claimed property explicitly in plain English.
  2. Construct the worst-case input that would violate it. Think adversarially; ignore “users won’t do that”.
  3. Check whether the formula structurally rejects the worst-case input. If not, the property is not enforced.

Every gap found by this audit closes in one of two ways. Implement the structural enforcer (preferred), or remove the claim from the documentation (audit-honesty closure). Anything else is the property silently depending on inputs staying non-adversarial.

Worked example: an auction with three composed invariants

Take a sealed-bid auction with a commit-reveal structure, batched orders, uniform clearing, and a randomized tiebreak. Each component:

  • The commit-reveal binding is a structural invariant. Orders are hidden during the commit window, so front-running has no surface.
  • The uniform clearing price is an economic invariant. Every order in a batch settles at the same price, so sandwiching cannot extract from price-impact differential.
  • The cryptographic shuffle on tiebreak is a temporal invariant. Order execution within the batch is determined by an entropy source that cannot be biased by any single participant.

Three invariants on one mechanism. The MEV category that exists in single-invariant auctions does not exist here, not because it was patched but because the composition removes the surface.

A note on the entropy source. The temporal invariant only holds if the entropy itself is unbiasable. If the shuffle seed depends on blockhash(N) where N is a block whose proposer is a participant in the batch, the invariant becomes partial: proposer influence becomes a bounded but non-zero advantage. The audit discipline above flags this directly: the structural enforcer for “no participant biases the shuffle” must be the entropy source, and if the entropy source is biasable, the enforcer fails. Fixes are either a verifiable delay function on the seed or a commit-reveal among validators with slashing for non-reveal. Neither is exotic; both ship in production today.
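The three-invariant auction above, as an added off-chain simulation that is not part of the original post and not any protocol's code. Commit-reveal binding is enforced by rejecting a reveal that does not hash to its commitment, uniform clearing settles every fill at the volume-maximising price, and the rationing tiebreak is a shuffle seeded from every participant's committed salt (the commit-reveal-among-participants variant from the entropy note, without the slashing part). The order book, salts and tick prices are constructed sample values.

```python
import hashlib
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Order:
    trader: str
    side: str   # "buy" or "sell"
    qty: int
    limit: int  # limit price in integer ticks


def commitment(order: Order, salt: bytes) -> bytes:
    """Binding commitment: hash of every order field plus a secret salt.
    During the commit window only this digest is visible, so there is
    nothing for an ordering-based extractor to act on."""
    payload = f"{order.trader}|{order.side}|{order.qty}|{order.limit}".encode()
    return hashlib.sha256(payload + salt).digest()


class BatchAuction:
    def __init__(self):
        self.phase = "commit"
        self.commits = {}   # trader -> commitment digest
        self.reveals = {}   # trader -> (order, salt)

    def submit_commit(self, trader: str, digest: bytes):
        if self.phase != "commit":
            raise RuntimeError("commit window is closed")
        self.commits[trader] = digest

    def close_commit_window(self):
        self.phase = "reveal"

    def reveal(self, order: Order, salt: bytes):
        # Structural enforcer: a reveal that does not match its commitment is
        # rejected, so an order cannot change once the batch contents are known.
        if self.phase != "reveal":
            raise RuntimeError("not in the reveal window")
        if commitment(order, salt) != self.commits.get(order.trader):
            raise ValueError("reveal does not match commitment")
        self.reveals[order.trader] = (order, salt)

    def clear(self):
        orders = [o for o, _ in self.reveals.values()]
        buys = [o for o in orders if o.side == "buy"]
        sells = [o for o in orders if o.side == "sell"]
        if not buys or not sells:
            raise ValueError("nothing to clear")
        # Uniform clearing price: the price that maximises matched volume
        # (lowest such price on ties). Every fill in the batch settles here.
        best_price, best_vol = None, -1
        for p in sorted({o.limit for o in orders}):
            bid_vol = sum(o.qty for o in buys if o.limit >= p)
            ask_vol = sum(o.qty for o in sells if o.limit <= p)
            if min(bid_vol, ask_vol) > best_vol:
                best_price, best_vol = p, min(bid_vol, ask_vol)
        # Tiebreak seed: hash of every revealed salt. Each salt was fixed by its
        # commitment before any reveal, so no participant can choose a seed after
        # seeing the others; the residual lever is withholding a reveal, which is
        # what the slashing-for-non-reveal rule in the post addresses.
        salts = [salt for _, (_, salt) in sorted(self.reveals.items())]
        rng = random.Random(hashlib.sha256(b"".join(salts)).digest())
        fills = {}
        for side in (buys, sells):
            eligible = [o for o in side
                        if (o.limit >= best_price if o.side == "buy"
                            else o.limit <= best_price)]
            rng.shuffle(eligible)          # rationing order on the long side
            remaining = best_vol
            for o in eligible:
                filled = min(o.qty, remaining)
                if filled:
                    fills[o.trader] = (filled, best_price)
                remaining -= filled
        return best_price, fills


def run_demo():
    """Constructed batch: two buyers, two sellers, fixed salts for a repeatable run."""
    book = [
        (Order("alice", "buy", 10, 105), b"salt-alice"),
        (Order("bob", "buy", 5, 100), b"salt-bob"),
        (Order("carol", "sell", 8, 95), b"salt-carol"),
        (Order("dave", "sell", 10, 100), b"salt-dave"),
    ]
    auction = BatchAuction()
    for order, salt in book:
        auction.submit_commit(order.trader, commitment(order, salt))
    auction.close_commit_window()
    for order, salt in book:
        auction.reveal(order, salt)
    return auction.clear()


if __name__ == "__main__":
    print(run_demo())
```

In the constructed batch the clearing price is 100 and both buyers fill completely; the two sellers offer 18 units against 15 of matched demand, so which seller is rationed is decided by the salt-seeded shuffle rather than by arrival order, and the result is identical on every rerun because the salts are fixed by the commitments.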

Worked example: a distribution with conditional axioms

Cooperative-game distributions (Shapley-style allocations) carry five classical axioms: efficiency, symmetry, linearity, null player, and marginal contribution proportionality. An honestly-implemented Shapley allocation satisfies the first four by construction in the linear case.

The fifth axiom (pairwise proportionality) is interesting because of a common implementation choice: a fairness floor that guarantees no honest participant walks away with zero. The floor deliberately overrides pairwise proportionality for participants whose proportional share would fall below the floor.

A naive implementation claims pairwise proportionality universally and has no on-chain enforcer for the conditional version. Under the audit discipline above, this is a property living in documentation. The structural enforcer is a per-pair check that requires pairwise proportionality for non-floor-bumped pairs, with the floor itself acknowledged as the documented exception.

Once that enforcer ships, the distribution structurally enforces two compatible invariants:

  1. Strict pairwise proportionality among non-floor pairs (axiom 5 conditional).
  2. Lawson-floor minimum for every honest contributor (the deliberate override).

Both load-bearing. The claim now matches the code.
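The three-step audit from the discipline section and the conditional-proportionality enforcer from this section, as one added Python example that is not part of the original post and not any protocol's code. The allocation rule (proportional split, floor override iterated to a fixpoint), the pair check, and the contribution vectors are all constructed for illustration; the naive claim (proportionality for every pair) fails the audit on the worst-case input, while the conditional claim (every non-floor pair) passes, with efficiency still holding.

```python
from fractions import Fraction
from itertools import combinations


def allocate_with_floor(contrib, pool, floor):
    """Proportional split of `pool` by `contrib` with a fairness floor.
    Anyone whose proportional share would fall below `floor` is bumped to
    exactly `floor`; the remainder is re-split proportionally among the rest.
    Bumping can push a second participant under the floor, so iterate."""
    pool, floor = Fraction(pool), Fraction(floor)
    if floor * len(contrib) > pool:
        raise ValueError("floor is infeasible for this pool size")
    bumped = set()
    while True:
        rest = [k for k in contrib if k not in bumped]
        total = sum(contrib[k] for k in rest)
        remaining = pool - floor * len(bumped)
        alloc = {k: floor for k in bumped}
        for k in rest:
            alloc[k] = remaining * contrib[k] / total
        newly = {k for k in rest if alloc[k] < floor}
        if not newly:
            return alloc, frozenset(bumped)
        bumped |= newly


def proportionality_violations(alloc, contrib, exempt=frozenset()):
    """Per-pair enforcer: alloc_i / alloc_j must equal contrib_i / contrib_j
    for every pair with neither side in `exempt`. Cross-multiplied so the
    check is exact and has no division."""
    return [(i, j) for i, j in combinations(sorted(alloc), 2)
            if i not in exempt and j not in exempt
            and alloc[i] * contrib[j] != alloc[j] * contrib[i]]


def audit(claim, enforcer, *worst_case):
    """Step 1: the claim in plain English. Step 2: the worst-case input.
    Step 3: does the enforcer reject it? Returns verdict plus evidence."""
    violations = enforcer(*worst_case)
    return {"claim": claim, "enforced": not violations, "violations": violations}


# Constructed worst-case input: one participant whose proportional share (1%)
# sits under a 5% floor, which forces the floor override to fire.
WORST_CASE = ({"a": 50, "b": 49, "c": 1}, 100, 5)


def run_audit():
    contrib, pool, floor = WORST_CASE
    alloc, bumped = allocate_with_floor(contrib, pool, floor)
    naive = audit("pairwise proportionality holds for every pair",
                  proportionality_violations, alloc, contrib)
    conditional = audit("pairwise proportionality holds for every non-floor pair",
                        proportionality_violations, alloc, contrib, bumped)
    assert sum(alloc.values()) == pool   # efficiency stays enforced
    return alloc, bumped, naive, conditional


if __name__ == "__main__":
    alloc, bumped, naive, conditional = run_audit()
    print("floor-bumped:", sorted(bumped))
    print("naive claim enforced:", naive["enforced"], naive["violations"])
    print("conditional claim enforced:", conditional["enforced"])
```

The enforcer is the `proportionality_violations` call with the floor-bumped set passed as the documented exception; drop that argument and the same call is the audit that shows the universal claim was only ever an intent. The iteration in `allocate_with_floor` matters for the audit too: a single floor pass can leave a second participant just under the floor after the re-split, which is exactly the kind of input a "users won't do that" reading misses.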

Augmentation versus replacement

The reason AMD is augmented mechanism design and not alternative mechanism design is that it does not require redesigning markets or governance from scratch. A protocol with a working AMM can add commit-reveal binding to the order intake. A protocol with a working governance vote can add an axiom-preservation check before the execute call. A protocol with a working distribution can add a conditional fairness assertion after the floor pass.

Each augmentation closes an attack class while preserving the mechanism’s primary function. The total cost is one structural addition per attack class.

The contrast with “replace the market with a more complex mechanism” is sharp. Replacement requires new tooling, new liquidity, new mental models from participants, and a credible migration story. Augmentation requires a single inline assertion plus the discipline to wire it correctly.

This is why AMD scales as a methodology rather than as a feature. It is a framework for adding structural safety to existing mechanisms without breaking them.

What’s next in the series

Part 3 will go deep on one of the worked examples above, specifically the commit-reveal ∧ uniform-clearing ∧ shuffle composition: its precise attack surface, the entropy-source tradeoffs, the gas profile of the on-chain components, and what an EIP-level standardization of the pattern would look like.

The methodology only matters when the discipline holds. The series is an exercise in showing that the discipline can hold while the architecture stays usable.
