🗳

Coming with Mainnet — Q1 2028

XInfinitum
DAO Governance

One human. One vote. Biometric-verified. The XInfinitum DAO is the world's first blockchain governance system where vote weight cannot be bought — every verified human receives exactly one vote, regardless of how much XFIN they hold.

Governance Model Validator Admission

Vote Per Human

Wealth cannot buy governance influence. Capital buys yield, not power.

Biometric Verified

PALLAS QSSK biometric confirms unique human identity per vote — no Sybil attacks.

Governance Phases

Progressive decentralization from Pilon Labs full control to complete DAO authority.

Governance Roadmap

Phase 1 — Testnet (Q2 2027)

Pilon Labs Full Control

All protocol decisions made by Pilon Laboratories during testnet. DAO structure designed and tested. Validator selection by Pilon Labs. KYC onboarding system deployed. PQC bridge framework built.

Phase 2 — Mainnet Genesis (Q1 2028)

DAO Controls Validators & Treasury

DAO governance live. Validator admission votes. Treasury allocation by DAO. Protocol parameters still held by Pilon Labs.

Phase 3 — Growth (2029)

DAO Controls Protocol Parameters & Upgrades

Full DAO authority over protocol parameters. Upgrade proposals and constitutional changes require DAO supermajority.

Phase 4 — Maturity (2030+)

Full DAO Governance · Pilon Labs = Service Provider

Complete decentralization. Pilon Laboratories operates as a service provider to the protocol. The community owns the network.

Identity Registry

The DAO as Identity Custodian

The XInfinitum DAO does not just govern the protocol — it governs access to the most sensitive data on the network: the mapping between wallet addresses and verified human identities.

Every XInfinitum user completes KYC before receiving a wallet address. That identity-to-address mapping is stored in an encrypted, append-only identity registry — controlled by the DAO, not by Pilon Laboratories, not by any single company, and not accessible to the public under any circumstances.

🔐

Addresses Are Not Public

Your wallet address is never broadcast on-chain, never listed in the block explorer, and is not searchable by anyone. It is known only to you and the DAO's encrypted registry.

⚖️

Legal Access Only

The DAO processes identity disclosure requests only under formal legal authority — equivalent to a court order. No entity may request a wallet-to-identity lookup without passing a DAO governance vote at the Constitutional threshold (80% approval, 20% quorum).

🛡️

No Backdoors

Pilon Laboratories has no privileged access to the identity registry after Phase 2. The DAO holds the keys. No government agency, no exchange, no third party may access the registry outside of a DAO-approved legal disclosure process.

How the Identity Registry Works

KYC Verification — User submits identity documents via the PALLAS app. Biometric confirms liveness. Identity document is deleted after verification. A ZK enrollment proof is generated.

Wallet Address Issued — A CRYSTALS-Dilithium5 key pair is generated. The public key (wallet address) is stored only in the encrypted identity registry alongside the ZK enrollment proof nullifier.

Address is Private — The address is NOT published on-chain, NOT listed in the block explorer, and NOT shared with anyone. You control who knows your address. Transactions sent to you require you to first share your address with the sender.

DAO Governs Registry Access — The encrypted identity registry is controlled by the DAO from Phase 2 onward. Any access request — including from law enforcement — is processed as a Constitutional Amendment-class governance vote.

Selective Disclosure — If a legal process succeeds (DAO vote passes), only the specific wallet(s) named in the request are disclosed. No bulk queries. No surveillance capability. Each disclosure is a permanent, auditable, on-chain record.

DAO Oracle Network

Oracle Node Enrollment — How Address Decryption Works

No single entity can decrypt a wallet address. The DAO Oracle Network is a distributed threshold system: M-of-N verified PALLAS device holders must cooperate — each holding one shard of the decryption key — before any identity can be disclosed. Here is exactly how Oracle nodes are enrolled and how they operate.

What Is an Oracle Node?

Oracle nodes are volunteer DAO members whose PALLAS QSSK devices hold one encrypted shard of the identity registry decryption key. A legally authorized identity disclosure requires M-of-N oracle devices to cooperate simultaneously — each device contributing its shard, each requiring live biometric authorization from its registered owner. Collusion or coercion requires coordinating multiple verified humans across multiple jurisdictions at the same moment.

5-of-9

Threshold — five devices must cooperate. Four cannot decrypt. Any four can be lost without losing the key.

Jurisdictions — nodes distributed across five or more legal jurisdictions. No single government controls the threshold.

Persistent keys — decryption keys exist ephemerally only during an authorized decryption event. They are never stored at rest.

Oracle Enrollment Process

Volunteer Application — Any KYC-verified DAO member holding a PALLAS QSSK device may submit an Oracle Node application. The application includes jurisdiction of residence, device serial attestation, and a declaration of availability. No stake requirement beyond standard DAO membership. No compensation — oracle holders are volunteers contributing to network integrity.

DAO Governance Vote — Active oracle applications are queued and periodically put to a DAO-wide governance vote. The DAO evaluates the applicant pool to ensure geographic and jurisdictional diversity across the oracle set. A standard Protocol Upgrade-class vote (75% approval, 10% quorum) approves the selection. Existing oracle holders may not vote on their own replacement or expansion.

PALLAS Device Registration for Oracle Role — Once selected, the oracle volunteer connects their PALLAS device via USB-C to the PALLAS Oracle enrollment interface. The device's SLE97 Secure Element generates a unique oracle keypair inside the chip using QRNG entropy. The oracle public key is published to the network. The oracle private key never leaves the SE. The device is now registered as an oracle node — biometric presence required to activate it.

Key Shard Distribution — The identity registry master decryption key is split using a threshold secret sharing scheme (5-of-9). Each oracle device receives one encrypted shard, stored inside the SLE97 SE — not in application memory, not on the host device, inaccessible without biometric unlock. No oracle holder knows any other holder's shard. The combination of any five shards reconstructs the decryption key ephemerally, in SE memory only, for the duration of the authorized disclosure event.

✓

Oracle Node Active — The oracle device holder is notified of any DAO-authorized decryption requests directed at the oracle network. All decryption events require live biometric authorization from the holder. The oracle holder may not be compelled silently — the decryption event is permanent, public, and on-chain.

How a Wallet Address Gets Decrypted

Address decryption only occurs after a successful Constitutional Amendment-class DAO vote (80% approval, 20% quorum) authorizing the specific disclosure. The following sequence executes automatically upon vote confirmation:

DAO vote passes. Smart contract issues a signed decryption authorization event to the oracle network. The specific wallet address(es) named in the vote are included in the authorization. No other address may be decrypted.

Oracle holders notified. Each of the nine oracle device holders receives a secure notification of the pending decryption event. Five must respond within the authorization window. Each oracle holder independently reviews the DAO vote result before authorizing — no oracle holder is obligated to participate even after a valid vote, though sustained refusal is subject to DAO review.

Biometric authorization. Each participating oracle holder connects their PALLAS device via USB-C and provides live biometric authentication. The SLE97 SE releases the encrypted shard only after biometric confirmation. No remote activation. No software override. Physical presence and live fingerprint are required.

Ephemeral key reconstruction. Once five shards are submitted, the threshold scheme reconstructs the decryption key ephemerally — inside a secure computation environment, never written to persistent storage. The key exists for the duration of the decryption operation only. It is destroyed immediately after use. No shard holder, no Pilon Laboratories employee, no DAO administrator ever holds the full key in reconstructed form outside of this ephemeral window.

Disclosure and permanent audit record. The decrypted identity data for the specifically named wallet(s) is delivered to the authorized legal recipient only. The decryption event — including the DAO vote result, participating oracle attestations, date and time, and legal authorization hash — is permanently recorded on-chain. The record is public and immutable. No bulk queries. No undisclosed disclosures. Every decryption event is visible to every network participant forever.

PALLAS Oracle Nodes — Address Decryption Architecture

Why PALLAS hardware is required for oracle nodes: Software-only oracle implementations can be compelled silently — a government or adversary can capture a private key from a server or force a software operator to run a decryption in the background. PALLAS makes silent compulsion physically impossible: biometric presence is required at the hardware level, the SE cannot be remotely activated, and the decryption event is immediately and permanently recorded on-chain. There is no way to decrypt quietly. The oracle holder's physical authorization is a public, traceable act.

Proposal Thresholds

Proposal Type	Fee	Quorum	Approval
Parameter adjustment	$50 USD equiv.	5%	60%
AI model training approval	$75 USD equiv.	7%	66%
Protocol upgrade	$120 USD equiv.	10%	75%
Constitutional amendment	$150 USD equiv.	20%	80%

XInfinitumDAO Governance