IDAA Header Logo

First Capital Architecture Defence

An industry-informed evidence standard for digital asset verification, compliance documentation, custody-control records, source-of-funds clarity, sanctions risk review, and institutional due diligence.

Digital Asset Evidence Standards Initiative
1CAD PROTOCOL STANDARD
IDAA · 1CAD Protocol Standard

Case Registry

IDAA maintains a structured public registry of documented digital asset consumer protection cases. Every case is evidence-based, regulatory-grade, and published only with the explicit written consent of the submitting party.

Principle 1

Only IDAA Changes Status

No party — submitter, respondent, legal counsel, or regulator — can change a case status. Only IDAA, as the standards initiative, makes status determinations.

Principle 2

Proof Required for Every Change

Every status change requires documented evidence archived in the Vault. RESOLVED requires on-chain proof or signed settlement. No status change is made on assertion alone.

Principle 3

Immutable Status Log

Every status change is timestamped and archived in the 1CAD Vault. The full history is preserved permanently and cannot be altered retroactively.

Principle 4

Submitter Consent Required

A case enters the public registry only with explicit written consent. Without consent, only a Vault ID is published — no details, no parties, no amounts.

Public Cases — 1 of many · Founding Case
IDAA-2026-001 ⊙ PUBLIC RESOLVED Founding Case · Published with submitter consent · Party names withheld by submitter agreement
Disputed Retention of Digital Assets — Funds Returned (provider name withheld)
Date
May 8, 2026
Asset
400 POL · Polygon
Respondent
Name withheld for confidentiality
Jurisdiction
EU Resident (Spain) · MiCA
Category
Consumer Protection
Vault ID
ZS-VAULT-2026-99121-XF
Situation

The submitter alleges that a crypto payment card provider (name withheld) retained 400 POL tokens belonging to an EU resident, citing blockchain irreversibility — while, according to the submitter, the assets remained in the provider's own controlled wallet.

IDAA has documented the submitter's evidence package, including the in-app disclosure, the technical explanation given and the potential MiCA questions raised. On-chain analytics referenced by the submitter indicate 410 POL present on the receiver wallet. A formal demand was submitted via legal counsel.

Resolution: On June 7, 2026, an on-chain transfer of 409.99 POL was received by the submitter's wallet, returning substantially all of the disputed assets. Status updated to RESOLVED on the basis of on-chain proof, in line with the 1CAD Case Lifecycle Standard.

No court, regulator, or respondent admission has established liability. The case is resolved by the return of assets only. Provider identity remains withheld; publication is for evidence-tracking purposes only.

Status Log
May 8, 2026 OPEN
Case submitted. Transaction evidence and AML data collected.
May 11, 2026 ACTIVE
1CAD compliance package complete and archived. Formal demand delivered to respondent.
May 13, 2026 UNDER REVIEW
Provider acknowledged case. A withdrawal mechanism was provided. Recovery process initiated.
June 7, 2026 RESOLVED
On-chain return of 409.99 POL received by the submitter's wallet. Proof: Polygon tx 0xdee249498f1… (block 88,028,484). Case closed on the basis of on-chain proof; no liability established.
Private Vault
ZS-VAULT-2026-[REDACTED] · Confidential · accessible to submitter and authorised legal/regulatory bodies only
Request Documentation →
Documented by 1CAD Protocol Partner #001 · 1CAD Protocol v2026-V1.3
External Systemic Cases — Under IDAA Analysis
IDAA-EXT-2026-001 ◎ EXTERNAL ANALYZING External submission · Systemic industry incident · No individual submitter
EIP-7702 "Set-Code" Delegation Exploit — $58.7M Systemic Consumer Drain
Period
Apr 7 – May 22, 2026
Assets Affected
$58.7M · ERC-20, NFT, LSD
Victims
12,000 retail addresses
Chains
Mainnet · Base · Optimism · Arbitrum
Category
Systemic UI Disclosure Failure
Recovery Rate
0.4% only
Situation

Between April 7 and May 22, 2026, malicious actors exploited EIP-7702 (Ethereum "Pectra" hardfork), deploying 38 distinct phishing kits using the new 0x04 transaction type. This primitive allows an EOA to temporarily delegate code execution to a smart contract — effectively handing full wallet control to an attacker for 24 hours.

The critical failure: MetaMask v12.4 and earlier displayed these high-risk code-delegation requests as standard "Sign-in with Ethereum" prompts — with no warning, no simulation, and no visual distinction from a routine login. Retail users with extensive DeFi experience signed away total account control without knowing it.

Once bonded, automated on-chain drainers executed batched multicall sweeps — clearing ERC-20 balances, liquidating NFTs (including CryptoPunks at 35% below floor), and force-unwinding liquid staking positions via flash-loan loops. Median time from signature to empty wallet: 47 minutes. Fastest recorded drain ($1.2M): 11 minutes.

Capital was laundered through Across, Stargate, and THORChain into non-KYC exchanges within 6 hours. Emergency patches (MetaMask v12.5+, Rabby v0.97+) were deployed in late May 2026 — after $58.7M in user assets were already unrecoverable.

IDAA Analysis — In Progress

IDAA is reviewing this incident across all dimensions where the 1CAD Protocol may provide practical assistance to those affected. This includes preparation of the five-document compliance package to support victims in interactions with banks, tax authorities, and financial institutions — helping establish documented loss evidence, reduce adverse tax treatment of drained assets, and build a structured record for any future recovery or legal proceedings. Analysis is also being conducted on systemic prevention — what standards, disclosure requirements, and verification frameworks could reduce the impact of similar incidents going forward. No formal determination has been made. Analysis ongoing.

Status Log
May 22, 2026 REPORTED
Incident confirmed by Wintermute Research and SlowMist. 12,000 addresses compromised. $58.7M drained. Emergency wallet patches deployed by MetaMask and Rabby.
June 2026 ANALYZING
IDAA commenced review for Scam Registry inclusion and MiCA compliance guidance on wallet UI disclosure standards for EIP-7702 transactions.
Submit Related Evidence →
External systemic case · Under IDAA review · Not a 1CAD individual case · No vault ID assigned

A case enters the public registry only when all of the following conditions are met:

Documented refusal to return assets by respondent
False technical pretext used to deny recourse
Misleading disclosure identified and documented
MiCA, AML, or sanctions non-compliance identified
1CAD five-document package complete and archived
Explicit written consent of submitting party obtained

Report a Digital Asset Consumer Protection Violation

If you have experienced disputed asset retention, misleading disclosures, or other violations by a digital asset service provider, IDAA can document, attest, and escalate your case under the 1CAD Protocol.

Consumer Protection
Disputed retention, misleading disclosure, false technical pretext
MiCA Non-Compliance
EU residents affected by unlicensed or non-compliant providers
AML / Sanctions
Counterparty sanctions exposure, source-of-funds issues
Your Visibility Choice
Public registry or private vault only — you decide