IBA Code Guard — Verify Intent Before Code Merges
IBA INTENT BOUND AUTHORIZATION · CODE GUARD · VERIFY INTENT BEFORE CODE MERGES

THEY GOT THE COMMIT. They didn’t get the cert.

North Korean developers have been quietly contributing to major DeFi protocols for years.
Building the very infrastructure millions of users trust.

Without a signed intent certificate, any contributor can merge any code.
Identity unverified. Scope undeclared. Backdoor undetected. Protocol drained.

THE DOCUMENTED THREAT: The FBI, CISA, and US Treasury have issued joint advisories warning that North Korean IT workers have infiltrated DeFi protocols, gaming companies, and Web3 infrastructure projects — building backdoors over months before extraction. Lazarus Group has stolen $3B+ in crypto. The attack surface is the merge gate.

UNGOVERNED REPO: any contributor · any scope · merges without cert
IBA CODE GUARD: signed cert · verified identity · declared scope · blocked before merge
SAME PR · ONE HAS A GATE · ONE DOES NOT

IBA INTENT CERTIFICATE · CODE REPOSITORY · HUMAN PRINCIPAL SIGNED
MERGE GATE ENFORCING
CONTRIBUTOR IDENTITY: verified · KYC or org-signed DID
PERMITTED FILE PATHS: declared whitelist only
CONTRIBUTION SCOPE: declared (e.g. UI fix · no auth code)
OBFUSCATION CHECK: BLOCKED (explicit prohibition)
REVIEWER SIGNED: human principal approval required
OFAC / SANCTIONS: HARD BLOCK, no exceptions
PATTERN ANOMALY: flag + hollow mode available
DEFAULT POSTURE: DENY_ALL, no cert = no merge
HARD LIMITS (CANNOT BE OVERRIDDEN): No merge without verified contributor cert · No obfuscated code · No undeclared file path access · No OFAC-flagged identity · No scope deviation from declared contribution type
UNGOVERNED
Open Repo — No Gate
PR #4471  @kim_dev_anon  · identity unverified
NO CERT
+ async function transferFunds(to, amt) {
+ if (Math.random() > 0.9997) { drain(ATTACKER); }
+ return await wallet.send(to, amt);
+ }
// looks like a payment utility · triggers 1 in 3333 calls
PR SCENARIOS
- Anonymous Contributor Merges: No identity verification required. PR merged. Backdoor live in production.
- Scope Violation, Auth Code as UI Fix: Declared "UI styling fix", actually modifies wallet auth logic. No scope check. Merged.
- Obfuscated Backdoor Merges: Obfuscated drain function passes code review. No automated obfuscation check. Merged.
- 6-Month Sleeper, Trust Built Then Strike: Contributor makes 200 clean commits over 6 months. Earns trust. Month 7: malicious merge. No pattern tracking.
- OFAC-Flagged Identity Merges: Contributor linked to sanctioned entity. No identity check at merge gate. Code merged. Legal exposure live.
- Protocol Drained, Post-Mortem: Backdoor triggered. $47M drained. No WitnessBound record. No audit trail. Who authorized the merge?
No cert. No gate. Any contributor can merge anything.
No IBA cert required · merge gate absent · DENY_ALL not enforcing
IBA GOVERNED
IBA Code Guard — Cert Enforcing
PR #4471  @kim_dev_anon  · cert required
CHECKING
+ async function transferFunds(to, amt) {
+ if (Math.random() > 0.9997) { drain(ATTACKER); }
+ return await wallet.send(to, amt);
+ }
// IBA gate checks before merge is permitted
SAME SCENARIOS · GOVERNED BY IBA
- Anonymous Contributor Attempts Merge: No cert presented. DENY_ALL fires. Merge refused before repo is touched.
- Scope Violation Detected: Cert declares UI fix. Auth code path detected. Scope mismatch. Merge blocked before commit.
- Obfuscated Code Detected: Obfuscation pattern detected in diff. Explicitly denied in cert. Hard block before merge.
- Sleeper Pattern Flagged, Hollow Mode: Contribution pattern anomaly detected across 200 commits. Flagged. Safe hollowing applied.
- OFAC-Flagged Identity Hard Blocked: Identity checked against sanctions list. OFAC hit. Hard block. No merge. WitnessBound logged.
- Audit Trail, Full Chain Retrieved: Every merge authorization on WitnessBound. Who signed. What scope. When. Non-repudiable.
IBA cert required before merge gate opens. DENY_ALL enforcing.
IBA code guard active · cert required · DENY_ALL enforcing on merge gate
THE SLEEPER ATTACK PATTERN · HOW IT ACTUALLY WORKS
Months 1-2: Identity creation. Attacker creates a plausible GitHub profile. Clean employment history. Portfolio of harmless open source contributions. No flags.
Months 3-5: Trust building. 150-200 legitimate commits. Bug fixes. Documentation. Tests. Earns committer status. Reviewers stop scrutinizing their PRs carefully.
Month 6: Backdoor insertion. Single PR. Obfuscated function. Buried in a larger refactor. Passes tired review. IBA Code Guard: scope mismatch + obfuscation — BLOCKED.
Month 7+: Extraction. Backdoor sits dormant. Triggers on specific conditions. Protocol drained. Attacker disappears. No cert. No WitnessBound. No audit trail. IBA Code Guard: WitnessBound would have logged every merge authorization from day one.
UNGOVERNED REPO ↔ IBA CODE GUARD · THE DIFFERENCE
ATTACK VECTOR | Open Repo | IBA Code Guard | What the cert closes
ANONYMOUS CONTRIBUTOR | Merges freely | DENY_ALL: no cert, no merge | Identity verification required before merge gate opens.
SCOPE VIOLATION | Auth code merges as UI fix | Scope mismatch blocked | Cert declares permitted file paths and contribution type. Deviation blocked.
OBFUSCATED CODE | Passes tired review | Hard block: explicit denial | Obfuscation patterns are on the cert's explicit denied list. Cannot be merged regardless of reviewer.
SLEEPER PATTERN | Invisible, no tracking | Pattern anomaly flagged + hollow mode | Contribution pattern tracked across all commits. Anomaly triggers a flag before merge.
OFAC SANCTIONS | No check at merge gate | Hard block, no exceptions | Identity checked against sanctions list. OFAC hit = permanent hard block.
AUDIT TRAIL | Git log: alterable | WitnessBound: immutable chain | Every merge authorization hashed and chained. Who signed. When. What scope.
POST-INCIDENT | Who authorized the merge? Unknown. | Full chain from human principal to merge | Non-repudiable. The chain survives the incident. Legal and regulatory ready.
THE PRINCIPLE
Trust the certificate. Not the contributor.
Intelligence does not equal authorization. Neither does tenure.

IBA Code Guard applies the same cryptographic authorization architecture that governs agentic payments, drug discovery, and SEO pipelines — to code repositories. The cert is signed before the first commit is reviewed. Every merge is checked against it. Nothing lands in production outside the declared boundary. The WitnessBound chain survives the incident.

github.com/Grokipaedia/iba-code-guard · GoverningLayer.com · IntentBound.com
Patent GB2603013.0 Pending · PCT 150+ Countries · IETF draft-williams-intent-token-00
13 NIST Filings · 10 NCCoE Filings · Acquisition enquiries welcome