{ "exploit_id": "EXP-006", "title": "Omnibus rider: kernel change smuggled inside a popular dividend", "summary": "Bundling a universal dividend with a kernel amendment buys supermajority support for a change that could not pass alone.", "mechanism": "Kernel v0.1 allows omnibus proposals that mix spending with kernel amendments and tallies them as a single question at the highest applicable threshold. The attackers attach a 200-unit universal dividend (10 units to each of the 20 citizens) to an amendment lowering the emergency-declaration threshold to 0.4. Seven of nine defenders vote for the package because rejecting it costs them the dividend, and the bundle clears the two-thirds bar at 90% support. Polled separately, the amendment had eleven supporters out of twenty (55%), below the 0.667 amend_kernel threshold, and would have failed. Worst-off impact: the poorest citizens are precisely the ones whose votes the dividend buys, converting need into constitutional leverage against their own protections.", "severity": "high", "capture_objective": "entrench_power", "discovered_by": "bundling", "tournament": {"id": "T3", "round": 18, "seed": 3907}, "status": "patched-v0.2", "initial_treasury": 1000.0, "citizens": [ {"id": "A01", "faction": "attacker"}, {"id": "A02", "faction": "attacker"}, {"id": "A03", "faction": "attacker"}, {"id": "A04", "faction": "attacker"}, {"id": "A05", "faction": "attacker"}, {"id": "A06", "faction": "attacker"}, {"id": "A07", "faction": "attacker"}, {"id": "A08", "faction": "attacker"}, {"id": "A09", "faction": "attacker"}, {"id": "A10", "faction": "attacker"}, {"id": "A11", "faction": "attacker"}, {"id": "D01", "faction": "defender"}, {"id": "D02", "faction": "defender"}, {"id": "D03", "faction": "defender"}, {"id": "D04", "faction": "defender"}, {"id": "D05", "faction": "defender"}, {"id": "D06", "faction": "defender"}, {"id": "D07", "faction": "defender"}, {"id": "D08", "faction": "defender"}, {"id": "D09", "faction": "defender"} ], "kernel_params_at_discovery": { "quorum": 0.5, "thresholds": {"spend": 
0.5, "amend_kernel": 0.667, "expel": 0.5, "emergency": 0.5, "floor_breach": 0.75}, "review_period_turns": 1, "review_period_overrides": {}, "allow_call_question": true, "roll_snapshot_at_open": false, "turns_per_epoch": 10, "spend": {"per_proposal_cap": null, "epoch_rate_cap": null, "commons_floor": null}, "emergency": {"sunset_turns": null, "renewal_threshold": null, "spend_requires_vote": false, "expedited_review_turns": null, "suspends_review": true}, "delegation": {"max_depth": null, "max_weight_frac": null, "epoch_expiry": false}, "single_subject_rule": false }, "action_trace": [ {"t": "propose", "by": "A01", "id": "o1", "kind": "omnibus", "items": [ {"kind": "spend", "amount": 200.0, "to": "ALL"}, {"kind": "amend", "key": "thresholds.emergency", "value": 0.4} ]}, {"t": "vote", "by": "A01", "on": "o1", "choice": "yes"}, {"t": "vote", "by": "A02", "on": "o1", "choice": "yes"}, {"t": "vote", "by": "A03", "on": "o1", "choice": "yes"}, {"t": "vote", "by": "A04", "on": "o1", "choice": "yes"}, {"t": "vote", "by": "A05", "on": "o1", "choice": "yes"}, {"t": "vote", "by": "A06", "on": "o1", "choice": "yes"}, {"t": "vote", "by": "A07", "on": "o1", "choice": "yes"}, {"t": "vote", "by": "A08", "on": "o1", "choice": "yes"}, {"t": "vote", "by": "A09", "on": "o1", "choice": "yes"}, {"t": "vote", "by": "A10", "on": "o1", "choice": "yes"}, {"t": "vote", "by": "A11", "on": "o1", "choice": "yes"}, {"t": "vote", "by": "D01", "on": "o1", "choice": "yes"}, {"t": "vote", "by": "D02", "on": "o1", "choice": "yes"}, {"t": "vote", "by": "D03", "on": "o1", "choice": "yes"}, {"t": "vote", "by": "D04", "on": "o1", "choice": "yes"}, {"t": "vote", "by": "D05", "on": "o1", "choice": "yes"}, {"t": "vote", "by": "D06", "on": "o1", "choice": "yes"}, {"t": "vote", "by": "D07", "on": "o1", "choice": "yes"}, {"t": "vote", "by": "D08", "on": "o1", "choice": "no"}, {"t": "vote", "by": "D09", "on": "o1", "choice": "no"}, {"t": "advance"}, {"t": "advance"}, {"t": "advance"}, {"t": "advance"} ], 
"success_predicate": {"type": "kernel_changed_via_omnibus"}, "patched_assertions": [ {"type": "kernel_changes_at_most", "n": 0}, {"type": "blocked_actions_at_least", "n": 1} ], "proposed_patch": { "params": { "single_subject_rule": true }, "rationale": "One proposal, one subject. A proposal may move money or amend the kernel, never both, and a kernel amendment may touch exactly one parameter. The dividend remains proposable on its own merits and the amendment must face the supermajority on its own merits; what dies is the trade between them." } }