Protocol Model

ATAMO operates through a separated-control architecture. Token state, Safe authorization, action recording, Timelock scheduling, and participation coordination are not combined into a single wallet or contract path.

This structure is designed to ensure that administrative actions remain constrained, reviewable, and dependent on multiple control steps before execution.

The core privileged execution chain is:

ATAMO Custodian Safe → Timelock Proxy → SecureToken Proxy → SecureToken Implementation

The TokenActionRecorder and ATMSParticipationVault support governance coordination and participation, but they do not bypass Timelock execution authority.

ATAMO operates with a maximum supply of 200,000,000 ATMS.

Maximum supply in base units is 200000000000000000000000000.

The token contract enforces this cap during mint execution. Any attempt to mint above the maximum supply is rejected by contract logic.

ATAMO does not rely on off-chain policy statements for supply control. Supply enforcement exists at the contract level.

Token issuance is restricted to the Timelock-controlled execution path.

Minting is not available to a normal externally owned wallet and is not intended to be executed through direct discretionary action.

The mint path is restricted to Timelock-originated execution through: mintByTimelock(address to, uint256 amountBaseUnits)

Before minting can occur, the contract enforces: totalSupply + amountBaseUnits <= MAX_SUPPLY * 10 ** decimals()

This means issuance cannot exceed the defined supply cap through the normal administrative path.

The protocol includes pause and unpause mechanisms intended for emergency control.

Pause authority is restricted to the Timelock path and is not designed as an instant single-wallet action.

This mechanism exists as a safety control and not as a routine operational shortcut.

ATAMO separates Safe authorization, governance-action recording, and Timelock execution.

TokenActionRecorder records structured proposal metadata containing the target contract, encoded call data, predecessor dependency, uniqueness salt, and requested delay.

The recorder is Safe-only and does not execute actions itself. Execution still goes through the Timelock.

Supported recorder operation categories

• MINT_BY_TIMELOCK
• PAUSE
• UNPAUSE
• REQUEST_UPGRADE
• APPROVE_UPGRADE

This model reduces the recording surface area by restricting recorder proposal types to defined token-administration operations.

Governance action recording and Timelock scheduling are controlled by the ATAMO Custodian Safe.

Administrative actions therefore require multisignature approval before entering or progressing through the governance pipeline.

The multisignature Safe acts as the authorization entry point, reducing reliance on a single key holder.

Current Safe threshold: 2 of 3.

Sensitive administrative actions follow a staged execution sequence:

1. Safe multisignature authorizes an action
2. TokenActionRecorder may record the action metadata
3. Timelock schedules the operation
4. Minimum delay passes
5. Timelock executes the operation
6. Target contract applies the authorized change

Execution path: Safe → TokenActionRecorder → Timelock Scheduling → Delay Period → Execution → Target Contract

This structure is intended to prevent immediate discretionary execution of administrative actions.

The Timelock contract is the protocol's delayed execution layer.

When an operation is scheduled, the Timelock records the earliest valid execution time, the latest valid execution time, execution status, and cancellation status.

A scheduled operation can execute only if all required conditions are satisfied.

Execution conditions

1. The minimum delay has passed
2. The operation has not already executed
3. The operation has not been cancelled
4. The grace period has not expired
5. Any predecessor dependency has already executed

These rules prevent both instant execution and stale indefinite execution windows.

Scheduled operations may be cancelled before execution.

Cancellation authority may be held by the Timelock owner and by a designated guardian address.

The guardian functions as an emergency brake only. It does not grant authority to schedule new operations or execute existing ones.

Current deployed guardian: 0xe3b72bdb899364ce86949746D31CCba5f384b949.

The token contract uses an upgradeable architecture, but upgrades are restricted through a multi-step process.

Upgrade authorization is separated into:

1. upgrade request
2. upgrade approval
3. UUPS upgrade execution

The request stage records a commitment hash for the proposed upgrade. The approval stage verifies that commitment and enforces timing constraints before authorization can proceed.

Upgrade verification checks

• expected nonce verification
• commit hash verification
• timing window enforcement
• Timelock authorization requirement
• approved implementation matching

Upgrades are not designed to function as an instant discretionary control path.

Upgrade requests are subject to a proposal delay of 2 days. If approval does not occur within the defined expiration period of 30 days, the request becomes invalid.

Protocol integrity constraints

• upgrades must pass through the defined request and approval sequence
• upgrades cannot execute instantly
• upgrade activity remains publicly observable before execution
• the protocol model is intended to preserve supply enforcement and structured authorization
• upgrades are not presented as an unrestricted arbitrary admin override

Administrative authority exists, but it is structurally restricted by staged approval and delayed execution.

Timelock operations are identified through a deterministic hash:

keccak256(abi.encode(target, data, predecessor, salt))

This identifier is derived from the operation parameters and allows independent tracking of scheduling, execution, and cancellation.

If a predecessor dependency is specified, execution cannot occur until the predecessor operation has completed.

ATMSParticipationVault is a separate participation and registry layer. It does not directly execute privileged token governance actions.

The vault supports staking, staking lots, cooldown-based withdrawal requests, early-unstake penalties, penalty-funded rewards, signal submission, proposal creation, weighted proposal support, proposal finalization, and execution-link tracking.

Participation properties

• minimum participation stake is 50,000 ATMS
• support threshold is 100,000 ATMS
• reward eligibility age is 30 days
• maximum active stake lots per wallet is 5
• proposal support windows range from 1 day to 180 days
• proposal creation requires mature active stake
• support weight is based on reward-share accounting
• proposal support does not automatically execute protocol changes

Major governance actions emit on-chain events, including proposal creation, scheduling, execution, cancellation, parameter updates, staking events, proposal support, and proposal finalization.

This allows external observers, monitoring tools, and block explorers to reconstruct governance and participation history directly from blockchain data.

Administrative activity is therefore observable through public on-chain records rather than off-chain claims alone.

ATAMO v1.0.0 release verification is based on a signed Git tag and signed SHA256 checksum manifest.

Primary release files:

• releases/v1.0.0/deployment-manifest.mainnet.json
• releases/v1.0.0/deployment-records-full.mainnet.json
• releases/v1.0.0/ATAMO_DEPLOYMENT_STATEMENT_mainnet_2026-05-16.txt
• releases/v1.0.0/SHA256SUMS
• releases/v1.0.0/SHA256SUMS.asc

These artifacts support independent verification of contract addresses, deployment records, ownership relationships, release integrity, and governance topology.

• token supply is capped at the contract level
• minting authority is Timelock-restricted
• administrative actions cannot execute instantly
• multisignature authorization is required before privileged execution
• upgrades require staged approval
• scheduled actions may be cancelled before execution
• governance activity is publicly observable on-chain
• participation signaling is separated from execution authority

These properties do not remove administrative authority. They are intended to constrain it, delay it, and make it publicly observable.

Protocol security depends on the integrity of the multisignature signers, correct Timelock configuration, and active public monitoring of scheduled operations.

If the multisignature authority behaves maliciously, it may still authorize operations within the protocol rules. However, the Timelock delay ensures that such actions remain visible before execution.

ATAMO therefore relies on structured controls and public observability rather than claiming the absence of administrative power.

ATAMO combines capped token supply, multisignature authorization, governance-action recording, delayed execution, cancellation capability, staged upgrade approval, and participation coordination into a single protocol control model.

The system is designed to avoid instant unilateral execution of sensitive actions while preserving the ability to manage protocol operations through a transparent and reviewable path.

ATAMO therefore operates as a controlled administrative protocol with verifiable execution rules, rather than as a token managed through unrestricted direct wallet authority.

The ATAMO protocol separates authority, action recording, execution, and participation into distinct layers. This architecture is designed to reduce single-actor control risk and to create a visible review window before sensitive actions complete.

Security interpretation

• administrative actions require multisignature authorization
• scheduled actions remain cancellable before execution
• upgrade flow requires staged approval rather than direct replacement
• governance history can be monitored through on-chain events
• participation support coordinates visibility but does not bypass Timelock execution
• the model increases transparency without pretending admin authority does not exist

The security model is therefore based on separation of roles, execution delay, bounded authority, and public observability.