Risk Disclosure

CashPop is an experimental protocol. The following risks are material and disclosed for transparency.

Protocol risks

Smart contract risk. All on-chain contracts deploy at TGE. Despite two external audits planned, smart contracts may contain undiscovered vulnerabilities. The $POP Jetton contract is immutable; a critical vulnerability cannot be patched.

Oracle risk. The protocol depends on DRAND beacon availability and TON-VRF validator honesty. Combined failure (both compromised simultaneously) is improbable but possible. Single-source failure causes Rounds to pause until resolved.

Question reservoir poisoning. The LLM ensemble could be manipulated to generate questions favoring known answers. We mitigate via adversarial debiasing, calibration pretesting, and a sampled human review layer, but cannot guarantee complete neutrality.

Sybil attack. The Trust Ladder economics make Sybil farming unprofitable at scale, but a well-resourced adversary could distort outcomes in low-participation Rounds. Minimum participant thresholds (default 32) provide partial mitigation.

Token risks

TGE delay. Target TGE Q1–Q2 2027. Delay is possible due to regulatory, technical, or market reasons. Accumulated POP would carry forward to actual TGE date.

Price volatility. $POP price post-TGE is determined by markets. The anti-reflexivity design protects core protocol economics from price collapse but does not protect token holders from price decline.

Liquidity risk. Initial DEX liquidity is 5% of supply (500M $POP). Slippage on large trades is possible.

Vesting non-compliance. Off-chain promises about vesting depend on smart contract enforcement. Smart contract bugs could permit early unlock; mitigation is audit.

Regulatory risks

Reclassification risk. $POP may be reclassified as a security by some regulators despite our structuring. This could trigger additional geoblocks or operational restrictions.

Operator entity risk. The regulatory framework for crypto operators continues to evolve. Future requirements could affect protocol operations.

Geoblock evasion risk. Users who circumvent US/UK geoblocks (VPN, etc.) violate our Terms of Service. We disclaim responsibility for adverse outcomes to evasion users.

AdMob ToS risk. Our reward model depends on AdMob revenue. AdMob could change ToS to disallow certain models, requiring redesign or migration to alternative ad networks.

Operational risks

Telegram dependency. The protocol depends on Telegram Mini-App platform availability. Telegram could change platform policies or restrict access.

TON dependency. Smart contracts deploy to TON. TON network outage or chain reorg could affect settlement.

Cloudflare dependency. Infrastructure runs on Cloudflare. CF outage causes service degradation; sustained outage requires migration.

Team risk. Founders are pseudonymous through Phase 1. Identity disclosure is staged. Team disappearance during Phase 1–2 would severely impact protocol but is mitigated post-TGE by DAO governance.

Macro risks

Market downturn. A broad crypto market decline would compress $POP price, ad revenue (downstream of crypto-adjacent ad demand), and user attention.

Regulatory crackdown on Telegram mini-apps. Major jurisdictions could restrict access to Telegram or crypto mini-apps, reducing addressable market.

Competitive replacement. A competitor with better mechanics, larger backing, or first-mover advantage could displace CashPop. Genre is competitive (Hamster Kombat, Catizen, Bombie, future entrants).

What we are NOT at risk of

We are explicitly NOT exposed to:

• Rug pull. All major protocol decisions move to DAO post-TGE. Team cannot unilaterally drain Treasury.
• Reward-token collapse. Rewards are ad-USD-denominated, not token-denominated. Token price falling does not reduce rewards.
• Pre-TGE insider dump. No pre-TGE token sale, no investor pre-allocation at favorable prices.
• Hidden token allocation. All allocation is documented in Token Distribution. No "secret" allocations.

Reporting security issues

PGP key: published at security.cashpop.meme/pgp.txt. Email: support@cashpop.meme. Bug bounty: launched at TGE with up to $500K per critical finding.

Responsible disclosure: please give us 14 days before public disclosure of any vulnerability. We will credit you and pay a bounty per the severity tiers published at Phase 3.

Disclaimer

This document is for informational purposes only and does not constitute investment, legal, or financial advice. Participation in CashPop carries risk. Do your own research before participating. We make no representation or warranty about future protocol performance.