Reliability Β· Edge Cases
Edge-Case Catalog
The master, de-duplicated index of everything that can go wrong across every RideChain subsystem β each failure mode with its impact, its defined mitigation, and a link to the doc that owns it.
1. Overview β the failure philosophy
RideChain operates in the rural interior where the unhappy path is the common path: SMS drops, 2G flickers, GPS lies, gateways flake, webhooks vanish, operators step out, and a non-trivial slice of users actively try to game the gate. Every subsystem is therefore designed defensively around seven repeating principles. This page is the master catalog; each subsystem doc carries its own id="edge" section, and every row below links back to the doc that owns the fix.
π΄
Offline-first
Actions queue in a local outbox (Drift/SQLite) and replay on reconnect; a booking made in a no-signal village still "sticks". SMS/IVR fallbacks keep status flowing.
π
Idempotent everywhere
Every money- or state-touching call carries an idempotency key. A double-tap, a replay, or a re-delivered webhook maps to the same entry and changes nothing twice.
πͺ
Webhook-reconciled
The gateway/KYC webhook β never the client's "I paid" β is the source of truth, with a polling reconciliation job as the backstop when a webhook is lost.
π
Graceful degradation
When a sensor or service fails, the system steps down a notch (manual confirm, straight-line ETA, cached route, stale-while-revalidate) instead of blocking the delivery.
π
Graduated trust
New actors start with low caps and prepaid low-value parcels only; limits unlock as trust accrues. This is the #1 lever for bounding fraud exposure.
π
Dual-OTP + POD custody
Every handover gates on QR match β two-sided OTP β geofenced, time-stamped POD photo before any escrow releases. Four interlocking controls per leg.
π§Ύ
Append-only ledger
Money is paise-integer and immutable; disputes post an ADJUSTMENT entry, never an edit. Any discrepancy is always traceable to one entry.
Failures cluster into seven domains. The map below is the mental index for the rest of this page β every subsystem table that follows is a slice of one or more of these domains.
flowchart TB
ROOT["RideChain failure domains"]
ROOT --> NET["π Network & connectivity"]
ROOT --> PAY["π° Payment & settlement"]
ROOT --> IDF["πͺͺ Identity & fraud"]
ROOT --> GEO["π Geo & tracking"]
ROOT --> CUS["π¦ Custody & physical"]
ROOT --> OPS["π οΈ Operational"]
ROOT --> SCL["β‘ Scale & infra"]
NET --> NET1["Offline / 2G / dead zone"]
NET --> NET2["SMS / OTP delivery fails"]
NET --> NET3["Lost / duplicate webhook"]
PAY --> PAY1["Both gateways down"]
PAY --> PAY2["Double-pay / chargeback"]
PAY --> PAY3["Ledger vs gateway mismatch"]
IDF --> IDF1["Deepfake / duplicate Aadhaar"]
IDF --> IDF2["Collusion / account farms"]
IDF --> IDF3["GPS spoof / fake delivery"]
GEO --> GEO1["GPS denied / drift / skew"]
GEO --> GEO2["Mock-location / teleport"]
CUS --> CUS1["Wrong / tampered parcel"]
CUS --> CUS2["Lost / damaged / cold-chain"]
CUS --> CUS3["Point closed / hub overflow"]
OPS --> OPS1["Partner declines / drops"]
OPS --> OPS2["No road / flood / breakdown"]
SCL --> SCL1["Hot shard / cache stampede"]
SCL --> SCL2["Festival 10Γ / cost runaway"]
classDef dom fill:#e8f0fb,stroke:#1f5fae,color:#143d6e;
class NET,PAY,IDF,GEO,CUS,OPS,SCL dom;
How to read this page: each subsystem section is a Scenario β Impact β Mitigation β Detail table. The Detail column links to the doc that owns the design. Rows are de-duplicated across the source docs β where two subsystems share a failure (e.g. GPS spoof at handover), it appears once under its primary owner and is cross-linked from the other.
2. Booking & lifecycle
Owner: Booking & Delivery Flow. The lifecycle is a finite state machine whose every off-ramp (no partner, cancel, failed handover, dispute) is an explicit side state with defined money behaviour. ESCROW_HELD is the pivot: before it, cancels are clean refunds; after it, work done is paid for.
| Scenario | Impact | Mitigation | Detail |
|---|---|---|---|
| Double-tap / duplicate "place booking" | Two orders, two charges | Idempotency-key on placement; the second request returns the existing booking β never a second order or capture. | Booking Β· creation |
| Payment captured but matching exhausts the cascade | Booker charged, no service | NO_PARTNER_FOUND β REFUNDED: auto-refund the full held escrow; booker made whole. | Booking Β· states |
Cancel before ESCROW_HELD (DRAFT/QUOTED/PAYMENT_PENDING) | None β no money committed | Free cancel / void; full refund of any auth. Nothing captured yet. | Booking Β· cancel |
Cancel after assignment (ASSIGNED/EN_ROUTE_PICKUP) | Partner already travelling | Small cancellation fee compensates partner travel; remainder refunded; shown up front. | Booking Β· cancel |
| Partner cancels mid-leg | Journey stalls | Re-dispatch from MATCHING; any completed prior leg stays paid; booker not penalised. | Booking Β· cancel |
| Quote vs final-charge mismatch | Booker feels cheated | Quote is locked at booking; re-quote only on a genuine parameter change and only with explicit booker consent. | Commission |
| Network drop mid-booking | Action lost, double-book risk | Local outbox persists the action and replays on reconnect, deduped by idempotency-key; webhook reconciles payment. | Booking Β· no-app |
Sender absent / refuses at a DOOR pickup | Trip wasted | Retry, then AT_PICKUP β FAILED_PICKUP; refund minus any travel fee. | Booking Β· cancel |
Receiver absent at a DOOR drop | Undeliverable last mile | Auto-fallback to nearest RideChain Point for collection; else FAILED_DELIVERY β RETURNED reverse leg. | Last-Mile |
| Booking OTP not received (SMS down / no signal) | Can't confirm consent | Fallback channels: WhatsApp β IVR voice readout β in-app display β operator-assisted re-send. | Booking Β· OTP |
| Perishable / urgent parcel delayed | Spoilage, SLA breach | Flag tightens SLA + routing priority; breach triggers proactive notify + partial-refund / re-route policy. | Last-Mile |
| Declared-value dispute on damage / loss | Contested liability | Declared value recorded at booking; claims reconcile against it via DELIVERED β DISPUTED. | Booking Β· cancel |
| Relay second-leg partner never picks up at hub | Parcel stuck mid-journey | Hub holds custody; leg-2 re-dispatched after timeout; SLA clock paused; leg-1 already paid. | Last-Mile |
3. Onboarding, KYC & identity
Owner: Onboarding & KYC. Identity is the front door for fraud, so the gate is resumable, deepfake-resistant, and one-account-per-Aadhaar. A pending background check never blocks the head start β new partners simply start at the lowest trust tier.
| Scenario | Impact | Mitigation | Detail |
|---|---|---|---|
| Aadhaar OTP not received (SMS down / Aadhaar phone unreachable) | Onboarding stalls | Retry + alternate-channel prompts; persistent fail routes to assisted mode at a Point; gate is resumable so no progress is lost. | Onboarding Β· KYC |
| Face / liveness mismatch (deepfake / photo-replay) | Spoofed identity | Active liveness (blink/turn) + match-score threshold + deepfake-resistant model; repeated fails lock the attempt and flag the device fingerprint. | Onboarding Β· KYC |
| Duplicate Aadhaar (same person, second account) | Trust-laundering / multi-account abuse | One active account per Aadhaar token; the identity gate detects the existing token and blocks the duplicate at sign-up. | Onboarding Β· KYC |
| RC / DL expired or owner-name mismatch | Illegal / unsafe vehicle on road | VAHAN/Sarathi flags expiry/name mismatch; motorized eligibility withheld until a valid, name-matching document is provided. | Onboarding Β· KYC |
| Penny-drop name mismatch with KYC name | Payout to wrong account | Payouts stay disabled until the account holder name matches the KYC name, or it's resolved via manual review with evidence. | Onboarding Β· KYC |
| KYC provider (Cashfree) downtime | Onboarding pipeline halts | Queue + retry the verification (idempotent, never double-verifies); proceed to non-blocking steps; fall back to manual review if downtime persists. | Onboarding Β· KYC |
| Vouch fraud (collusion to inflate starting trust) | Bad actor gets undeserved caps | Vouches raise starting trust only, never bypass KYC; voucher is liable on the abuse signal and can be demoted; graduated tiers cap exposure regardless. | Onboarding Β· KYC |
| Account farms (one operator, many fake accounts) | Incentive farming / collusion rings | Device + SIM fingerprinting clusters related sign-ups; duplicate-Aadhaar block + graph review suppress the farm. | Β§9 Fraud |
| Stolen / borrowed identity attempt | Impersonation | Liveness + face match must match the OKYC photo of the same person; mismatch blocks onboarding and flags the Aadhaar token. | Onboarding Β· KYC |
| Background check still pending | Slow gate blocks revenue | Partner starts at New tier with prepaid low-value parcels only; full limits unlock when the check clears. | Onboarding Β· KYC |
| Partner sells / changes their vehicle | Matching offers a non-existent capacity | Re-verify the new vehicle (RC via VAHAN, DL still valid) before it can be matched; the old vehicle is retired from the capacity profile. | Onboarding Β· KYC |
| No smartphone at all | Excluded segment | Point-assisted onboarding: operator runs the KYC flow on their own device (with on-device consent), then provisions a lightweight account. | Onboarding Β· KYC |
| Low-literacy user stuck mid-flow | Drop-off at the gate | Voice-guided vernacular prompts at every step; one-tap escalation to assisted mode where a Point operator co-pilots. | Onboarding Β· KYC |
4. Payments & settlement
Owners: Payments & Integration and Split-Money Settlement. The platform holds no money (no RBI nodal/PA licence): funds sit in gateway escrow and split per leg via Razorpay Route β Cashfree Easy Split. Everything is paise-integer and webhook-reconciled.
| Scenario | Impact | Mitigation | Detail |
|---|---|---|---|
| Both gateways down | No pay-ins possible | Queue the payment intent, retry with backoff across both rails, circuit-break degraded rails, notify booker; nothing matches until a real capture lands. | Payments |
| Webhook never arrives after capture | Order stuck in AUTHORIZED | Polling reconciliation job fetches gateway status and applies the same idempotent ESCROW_HELD transition; stuck orders are swept. | Payments |
| Double / replayed webhook | Double-processing risk | Dedupe by gateway event-id; append-only ledger keys to one entry, so a duplicate event changes nothing twice. | Payments |
| User pays twice (double-tap) | Two captures into escrow | Shared idempotency key on the order; the second pay is detected and the duplicate auto-refunded. | Payments |
| UPI timeout / pending status | Ambiguous payment state | Poll the gateway for the true status before any retry; re-charge only on confirmed failure, always with the same idempotency key. | Payments |
| Partial relay then failure (leg 2 never completes) | Mixed delivered/undelivered | Pay completed legs (their drop-OTP fired); partial-refund the undelivered remainder; per-leg ledger releases make this exact. | Split-Settlement |
| Chargeback after delivery | Revenue clawed back fraudulently | Defend with the POD photo + drop-OTP + QR-scan evidence bundle; the custody chain is the proof of delivery. | Payments |
| Split target (partner / Point) KYC incomplete at release | Can't legally pay the slice | Hold that slice in gateway escrow until Cashfree Easy KYC + penny-drop clears; the rest of the split still releases; held slice settles on completion. | Split-Settlement |
| Payout to a closed / invalid UPI handle | Funds bounce mid-air | Retry, then fall back to the alternate rail or the payee's RideChain Wallet; notify the payee; persistent failure β manual ops with the exact ledger entry. | Split-Settlement |
| COD shortfall at reconciliation | Negative partner balance | Debit the partner's wallet for the gap via an ADJUSTMENT; apply a trust-tier hit; repeated shortfalls lower the COD ceiling. | Payments |
| Double-release of the same slice | Pays a payee twice | Idempotency-key on every ledger entry; a replayed release maps to the same entry and transfers nothing twice. | Split-Settlement |
| Ledger vs gateway mismatch at reconciliation | Books don't tie out | Flag the booking and freeze further releases until ops reconciles; the immutable ledger makes the discrepancy traceable to one entry. | Split-Settlement |
| Currency rounding (paise don't divide evenly) | Splits drift from the total | All math in paise integers; remainder paise deterministically allocated to the platform slice, so Ξ£ slices always equals the captured fare. | Split-Settlement |
| Tax-reserve shortfall (under-withheld) | Reserve can't cover liability | Top up from the platform's net margin via an ADJUSTMENT; partners/Points are never clawed back β the platform slice absorbs the gap. | Split-Settlement |
| Gateway split API down | Settlement can't fire | Queue the split instruction and retry with backoff; success-rate router fails over Route β Easy Split; nothing settles until a real transfer confirms. | Split-Settlement |
5. Last-mile & custody
Owner: Last-Mile Delivery. The last mile is where things physically go wrong most. Custody never transfers without the two-sided gate, so a stranded parcel simply waits in custody rather than going astray. The custody log pinpoints exactly where any chain broke.
| Scenario | Impact | Mitigation | Detail |
|---|---|---|---|
| Point closed / operator absent at a scheduled handover | Handover can't happen | Run reschedules to the next stop and retries on the return leg; backup nearby Point offered; parcel waits in custody, never handed over without the gate. | Last-Mile |
| Parcel sits too long at a Point (storage limit hit) | Operator burdened, parcel stale | Storage clock fires a final receiver reminder, then triggers return-to-sender as a reverse leg; operator never bears indefinite storage. | Last-Mile |
| Relay second-leg partner never arrives at the hub | Parcel stuck, leg-1 already paid | Hub retains custody; leg 2 re-dispatched from MATCHING after timeout; SLA clock pauses; Partner A keeps the leg-1 slice regardless. | Last-Mile |
| Wrong parcel scanned at handover (QR mismatch) | Wrong item delivered | Scan must match the assigned parcel-ID or the app blocks the handover β no OTP prompt, no custody transfer, no release. | Last-Mile |
| QR seal tampered / opened | Theft / contamination en route | Tamper-evident seal flags the handover; photo evidence captured; parcel held, escalated to dispute; downstream-leg money gated until resolved. | Last-Mile |
| Block Hub overflow (volume exceeds capacity) | Bottleneck, delays cascade | Intake throttling + spillover to a sibling hub; bundling-first dispatch smooths peaks; oversized/perishable get priority slots. | Last-Mile |
| Milk-run vehicle breaks down mid-route | Stranded sweep of parcels | Remaining stops re-dispatched to a backup / on-demand partners; already-swept parcels stay in custody until rescued; bookers notified. | Routing |
| Cold-chain break detected | Perishable contents spoil | Flag the consignment, re-route to the fastest leg, record the break in the custody log, apply damage/declared-value policy if compromised. | Last-Mile |
| Parcel lost or damaged in transit | Booker out a parcel + value | Custody log pinpoints the leg/partner where the chain broke; insurance covers up to the declared-value cap; resolved via the dispute flow. | Last-Mile |
| Receiver cannot reach the Point | Last-mile gap | Home-drop fallback: convert the final leg to a DOOR delivery (small fee) using landmark addressing; else hold or return-to-sender. | Last-Mile |
| GPS / geofence fails at a remote rural Point | Auto-confirm can't fire | Fall back to operator manual confirm (still two-sided OTP + photo); the geofence check degrades but the other three custody checks hold; logged for audit. | Geolocation |
| Perishable spoilage risk in transit | SLA breach, refund | Perishable flag forces priority routing + fastest viable leg, Point-storage exclusion, and a spoilage flag triggering proactive notify + partial-refund. | Last-Mile |
6. Geo & tracking
Owner: Geolocation. Geolocation in the interior is unreliable by default. The rule: degrade gracefully rather than block, but never let a fraud-flagged or stale fix satisfy a custody check. The server timestamp is always authoritative β the device clock never is.
| Scenario | Impact | Mitigation | Detail |
|---|---|---|---|
| GPS denied / location permission revoked | No auto-confirm at geofence | Block GPS-based auto-confirm and fall back to operator manual confirm at a Point; prompt to re-grant. | Geolocation |
| No signal / 2G-only area | Fixes can't stream live | Buffer fixes in the local outbox and replay on reconnect; SMS-fallback status updates keep the booker informed. | Geolocation |
| GPS drift / low-accuracy fix | False geofence pass/fail | Enforce an accuracy threshold before any geofence pass; anchor to the surveyed Point coordinate instead of a drifting fix. | Geolocation |
| Mock-location / GPS spoof | Fake arrival, early release | Detect via the OS mock flag + sensor/speed plausibility, flag the fix, and block escrow release until manual confirm. | Geolocation |
| Impossible-speed "teleport" between fixes | Spoofed track | Speed-plausibility check between consecutive fixes flags physically impossible jumps; the fix is rejected and the partner flagged. | Geolocation |
| Battery low on partner device | Tracking gaps mid-job | Reduce sampling cadence everywhere to protect the ability to finish the job; warn ops if it risks the SLA. | Geolocation |
| Device clock skew | Mis-ordered custody events | Use the trusted server timestamp for all custody and ordering β the device clock is never authoritative. | Geolocation |
| Geofence too small at a rural Point | Legit arrivals held forever | Radii are tunable per Point; widen the fence where GPS is poor so legitimate arrivals are not blocked. | Geolocation |
| Landmark address ambiguous | Partner can't find the spot | Operator- or voice-assisted clarification narrows it; otherwise route to the nearest Point anchor as the deliverable point. | Geolocation |
| Tunnel / forest dead zone | Stale dot looks "live" | Freeze to last-known position with a staleness flag and hold the ETA rather than showing a stale dot as live; resume on reacquire. | Geolocation |
| Partner leaves the geofence before OTP | Handover outside custody | Block the handover and require re-confirmation inside the fence β the geofence check must hold at the moment of the OTP. | Geolocation |
| Offline during handover | Geofence/OTP/POD can't post | Queue the events locally and reconcile on reconnect, deduped by timestamp; custody holds until confirmed. | Geolocation |
7. Matching & dispatch
Owner: Nearest-Partner Matching. Matching assumes partners decline, go offline and try to game offers. A single-offer lock prevents thundering herds; a graduated trust gate keeps high-value jobs away from new partners.
| Scenario | Impact | Mitigation | Detail |
|---|---|---|---|
| No eligible partner online | Job can't be served now | Widen the radius progressively β check the milk-run schedule for a later bundle β if still none, NO_PARTNER_FOUND + auto-refund escrow. | Matching |
| All ranked partners decline | No taker for the offer | Cascade the full ranked list; apply a surge bump to make the job attractive; notify a wider pool before declaring no-partner. | Matching |
| Partner goes offline after accepting | Accepted job goes dead | Auto re-dispatch from MATCHING to the next candidate; apply a reliability penalty; booker not charged for the drop. | Matching |
| Thundering herd β one job offered to many | Duplicate accepts, races | Single-offer model with an assignment lock in Redis; only one partner holds the offer at a time. | Matching |
| Over-capacity partner accepts too much | Vehicle can't carry the load | Capacity check at accept time (current load + this parcel vs vehicle limit); reject the accept and cascade if it would overflow. | Matching |
| Stale GPS makes "nearest" wrong | Sub-optimal assignment | Enforce a location-accuracy / freshness threshold; ignore stale fixes and recompute the nearest set on a fresh ping. | Geolocation |
| Spoofed location to grab nearby jobs | Unfair / fraudulent offers | Mock-location / fraud flag on the partner; offers suppressed pending review; cross-checked against geo accuracy signals. | Matching |
| New partner offered a high-value job | Outsized fraud exposure | Trust gate blocks it β new partners are eligible only for low-value, short, prepaid jobs until graduated. | KYC tiers |
| Relay leg-2 unmatched at hub | Parcel stalls at hub | Hold in hub custody, pause the leg SLA clock, re-match leg 2 on a timer; leg 1 stays paid. | Matching |
| Bundling time-window conflict | A parcel's SLA can't be met in-batch | Split the batch and re-seed a faster bundle or an on-demand offer. | Matching |
| Vehicle mismatch discovered at pickup | Unsafe load risk | Re-match to an eligible larger class (or upcharge per policy) rather than forcing an unsafe load; original offer voided. | Matching |
| Fairness vs efficiency tradeoff | Either unfair or inefficient | Fairness boost is bounded β it only reorders among already-eligible near-tie candidates and never forces an unsafe or wildly-detoured assignment. | Matching |
8. Routing
Owner: Fastest-Route Finding. Missing roads, stale maps, floods and broken-down trucks are the norm. The engine never silently drops a parcel: it splits, upgrades, reroutes, or falls back to straight-line + landmark + Point anchor.
| Scenario | Impact | Mitigation | Detail |
|---|---|---|---|
| OSRM has no road for a remote hamlet | No route, no ETA | Fall back to straight-line distance + nearest landmark + a manually-placed Point anchor so the partner still gets a destination and a sane ETA buffer. | Routing |
| Stale OSM data (road exists, map doesn't) | Detours / unroutable | Manual road overrides in PostGIS + partner-reported new roads, applied on top of the OSM extract until the next refresh. | Routing |
| Monsoon-flooded route | Impassable edge | Seasonal/monsoon weighting marks the edge impassable; the engine reroutes around it and recomputes ETA conservatively. | Routing |
| Vehicle class can't traverse a planned edge | Plan a Bolero down a footpath | Vehicle-class graph marks the edge impassable for that class, so the route is never planned down it in the first place. | Routing |
| VRP infeasible (capacity / time windows can't fit) | Can't service the batch as-is | Split the batch into two runs or upgrade to a higher-capacity vehicle; never silently drop a parcel from a run. | Routing |
| Breakdown mid-route | Run stranded | Freeze custody at the current point and re-dispatch the remaining stops to a new partner/vehicle. | Last-Mile |
| GPS reports off-road / jitter | Bad route input | Map-matching snaps the fix to the nearest plausible road segment using the recent track before any routing happens. | Routing |
| Ferry / river crossing closed (hours / weather) | Corridor cut | Crossing edge becomes impassable outside operating hours; reroute via an alternate crossing or hold the run for the next window. | Routing |
| Route cache stale after a real-world change | Stale route served | TTL bounds staleness; a road-block/flood/closure event invalidates affected keys immediately so the next query re-solves. | Routing |
| ETA comes out wildly off actual | Booker mistrust | Recompute from the live position with a conservative buffer band; persistent miss feeds back into the corridor's weighting factors. | Routing |
| OSRM & maps provider both down | Routing service outage | Serve last-known cached routes and degrade to straight-line + landmark guidance; Dispatch is alerted to assist manually. | Routing |
| Very large VRP (too many stops for the budget) | Solver hangs / spikes CPU | Cap stops per run and time-box the solver; the heuristic returns the best route found within the budget rather than chasing optimality. | Scale |
9. Fraud & trust
Cross-cutting across KYC, Geo, Custody and Payments. Graduated trust is the #1 lever β it bounds the financial exposure of any single bad actor before any other control even fires. Layered on top are dual-OTP + tamper-evident QR + POD, geofence proof, and graph ML for collusion.
| Scenario | Impact | Mitigation | Detail |
|---|---|---|---|
| Fake identity / deepfake at onboarding | Bad actor inside the gate | Active liveness + face match against the OKYC photo + deepfake-resistant model; fail locks the attempt and flags the device. | Onboarding Β· KYC |
| Parcel theft / tampering in custody | Lost goods, broken trust | Dual-OTP + tamper-evident QR seal + geo-stamped POD; the custody log pinpoints the breaking leg; downstream money gated. | Last-Mile |
| Fake delivery (partner marks delivered without handing over) | Money released for nothing | Drop-OTP from the receiver + geofence proof + POD photo must all line up before escrow releases; no proof, no release. | Geolocation |
| GPS spoof to fake arrival / grab jobs | Early release / unfair offers | OS mock flag + speed plausibility + accuracy gate; a flagged fix can't satisfy custody, escrow stays held, offers suppressed. | Geolocation |
| Collusion ring (sender β partner β Point) | Coordinated multi-party fraud | Graph ML over device/SIM/UPI/route overlaps surfaces clusters; flagged rings reviewed and demoted; graduated trust caps the damage. | Β§9 Fraud |
| Rating manipulation (fake reviews / coordinated downvotes) | Skewed trust scores | Weight ratings by verified completed jobs; anomaly-detect coordinated bursts; ratings inform but never solely set the trust tier. | KYC tiers |
| Incentive / referral farming | Promo budget drained | Device + SIM fingerprinting + duplicate-Aadhaar block cluster fake accounts; bounded, time-boxed promos cap the bleed. | Commission |
| Cash leakage at a PUDO Point (COD) | Collected cash not remitted | COD reconciled into the ledger as an ADJUSTMENT; shortfall debits the wallet + trust-tier hit; repeated shortfalls lower the COD ceiling. | Split-Settlement |
| Account farms (one operator, many fake accounts) | Trust-laundering at scale | One-account-per-Aadhaar + device/SIM fingerprint clustering + graph review suppress the farm before it can transact. | Onboarding Β· KYC |
| Social engineering of villagers (impersonating RideChain) | Tricked into handing over a parcel / OTP | Masked calling (no real numbers exchanged) + IVR awareness messaging; OTP is never asked for by a "support call"; operator-assisted verification. | Β§12 Usability |
| Stolen device with an active session | Hijacked partner account | Re-auth on sensitive actions; remote session revoke; anomaly detection on sudden geo/behaviour change flags the session. | Onboarding Β· KYC |
| Chargeback fraud after a real delivery | Revenue clawed back | POD + drop-OTP + QR-scan evidence bundle defends the chargeback; the custody chain proves the parcel was delivered. | Payments |
10. Scale & infra
Owner: Scale & Low-Cost. Scale optimisations create their own failure modes β a shard gets hot, a queue stampedes, the bill runs away. The edge (Cloudflare) absorbs read load; Redis is a cache (never a source of truth); the ledger is partitioned; budgets cap cost.
| Scenario | Impact | Mitigation | Detail |
|---|---|---|---|
| Hot region / block overloads one shard | One shard saturates, others idle | Detect skew; split / re-shard the block; route reads to replicas; cap that shard's heavy work. | Scale |
| Thundering herd on surge / festival open | Stampede at the door | Rate-limit at the Cloudflare edge; queue dispatch; serve cached quotes; shed non-urgent work first. | Scale |
| DB write hotspot on the money ledger | Ledger write contention | Append-only writes partitioned by month + region; batch + queue settlement writes off the hot path. | Scale |
| Redis eviction loses live state | Live offer/lock state vanishes | Treat Redis as a cache, not a source of truth; rebuild from Postgres; tune TTLs and the maxmemory policy. | Scale |
| Cache stampede on an expired hot key | Pile-up of identical rebuilds | Per-key lock (single-flight) + stale-while-revalidate so only one rebuild runs while others serve stale. | Scale |
| Webhook storm (PG / KYC re-deliveries) | Duplicate-event flood | Idempotency keys + a bounded queue absorb duplicates; the reconciliation job is the backstop. | Scale |
| OSRM CPU spike on a big VRP | Solver pegs the CPU | Cap stops per run, time-box the solve, fall back to a greedy route; cache hot route geometry. | Scale |
| Cost runaway (autoscale gone wild) | Bill spikes uncontrolled | Budgets + billing alerts; hard autoscale caps; backpressure sheds load before the bill spikes. | Scale |
| Festival 10Γ spike | Demand swamps supply | Surge prices demand down; the edge absorbs read load; async queues defer non-urgent work; shards scale per region. | Scale |
| Cross-region latency for a far user | Slow responses | Edge terminates close to the user; reads hit the nearest regional DB / replica; keep writes within the shard. | Scale |
| Cold-start a brand-new region | Demand with no supply | Seed Points + partners first, then open bookings; a region with no supply never accepts demand it can't serve. | Scale |
| Low-connectivity clients drop mid-action | Lost action, double-submit risk | Offline outbox persists the action and replays on reconnect, deduped by idempotency key. | Scale |
11. Compliance & data
Cross-cutting across KYC and Payments. The platform holds no money (no PA/nodal licence), stores no card data (PCI scope minimised), and tokenizes raw Aadhaar. Consent, retention and prohibited-goods screening are first-class.
| Scenario | Impact | Mitigation | Detail |
|---|---|---|---|
| DPDP consent / retention obligation | Regulatory non-compliance | Explicit on-device consent at capture; purpose-bound storage with retention windows; user can withdraw consent and request erasure. | Onboarding Β· KYC |
| Raw-Aadhaar number leak risk | Sensitive-data breach | Tokenize via OKYC; never store the raw number; mask in all UI/logs; access is least-privilege and audited. | Onboarding Β· KYC |
| PCI scope from handling card data | Heavy compliance burden | No card data ever touches RideChain β the gateway tokenizes and stores it; we hold only a reference. | Payments |
| GST / TDS edge cases on splits | Mis-collected tax | A tax reserve is withheld per booking into the platform slice; shortfalls top up from net margin via an ADJUSTMENT, never a clawback. | Split-Settlement |
| Gig-worker norm compliance | Labour-law exposure | Transparent statements, fair cancellation/surge sharing, and graduated tiers documented; partners see every paise via the ledger. | Commission |
| e-way bill for high-value B2B consignments | Goods movement non-compliant | High-value B2B legs require an e-way-bill reference at booking; the parcel can't move without it where the threshold applies. | Booking |
| Prohibited / illegal goods shipped | Legal liability, safety | T&C prohibition + category screening at booking + operator visual check at a Point; flagged consignments are held and escalated. | Booking |
| Declared-value cap exceeded on a claim | Over-exposure on loss | Liability is capped at the declared value recorded at booking; claims reconcile against it; insurance covers up to the cap. | Last-Mile |
12. Usability, low-literacy & connectivity
Cross-cutting across Booking (no-app) and KYC. Rural reach means many users can't read, have no smartphone, speak the wrong default language, or sit offline. The flow degrades across channels and reading levels.
| Scenario | Impact | Mitigation | Detail |
|---|---|---|---|
| User can't read text | Can't complete the flow | Voice + icon/photo-led UI so size/category are chosen without reading; OTPs read aloud where needed. | Booking Β· no-app |
| No smartphone | Excluded from self-serve | Point-assisted booking by the operator + WhatsApp bot + IVR / missed-call callback; same DRAFT β β¦ β SETTLED booking. | Booking Β· no-app |
| Wrong / unsupported language shown | Confusion, drop-off | Hindi-first vernacular UI with language selection; audio prompts in the chosen language across the flow. | Booking Β· no-app |
| Offline at booking / handover time | Action and status lost | Local outbox queues the action and replays on reconnect; SMS-fallback status keeps the booker informed. | Booking Β· no-app |
| Elderly / first-time user overwhelmed | Abandoned before completing | Simplified assisted screens at a Point; one-tap escalation to a co-piloting operator; minimal steps with confirmations. | Onboarding Β· KYC |
| Fat-finger errors (wrong digit / wrong tap) | Wrong booking / wrong OTP | Confirmation steps before commit; OTP audio readback; re-quote only on consented change so a mis-tap can't silently overcharge. | Booking Β· OTP |
| SMS OTP not delivered | Stuck at a gate | Fallback channels: WhatsApp β IVR voice readout β in-app display β operator-assisted re-send. | Booking Β· OTP |
| User mistrusts a "support" call asking for OTP | Social-engineering exposure | Masked calling means RideChain never needs the real OTP; IVR awareness messaging teaches users never to share it. | Β§9 Fraud |
13. Severity & priority β highest-risk classes
Not every edge case is equal. The four classes below are where a failure costs money, goods, identity integrity or safety β so their controls are layered and non-bypassable. The consistent theme: graduated trust bounds the blast radius first, then idempotency, the append-only ledger, and the dual-OTP + POD custody chain make the remaining failures recoverable and provable.
| Risk class | Severity | Primary controls | Owner docs |
|---|---|---|---|
| Money loss β double-pay, double-release, chargeback, COD leakage, ledger mismatch | Critical | Idempotency keys Β· append-only paise ledger Β· webhook + polling reconciliation Β· escrow-held pivot Β· graduated COD ceilings | Payments Β· Split-Settlement |
| Parcel loss β theft, wrong handover, tampering, damage, lost in transit | Critical | QR match β dual-OTP β geofenced POD custody gate Β· tamper-evident seal Β· custody log Β· declared-value cap + insurance | Last-Mile Β· Booking |
| Identity fraud β deepfake, duplicate Aadhaar, account farms, collusion, GPS spoof | Critical | Graduated trust (#1 lever) Β· liveness + face match Β· one-account-per-Aadhaar Β· device/SIM fingerprint Β· graph ML | KYC Β· Β§9 Fraud |
| Safety β unsafe load, social engineering, prohibited goods | High | Vehicle-class capacity gate Β· masked calling + IVR awareness Β· prohibited-goods screening Β· operator visual check | Matching Β· Β§12 Usability |
| Availability / reliability β gateway down, hot shard, festival 10Γ, OSRM down | High | Dual-gateway failover Β· edge rate-limit + queues Β· cache SWR + single-flight Β· graceful degradation everywhere | Scale Β· Routing |
| Inclusion / access β no smartphone, low literacy, offline, wrong language | Material | Point-assisted flows Β· WhatsApp + IVR Β· voice + icon UI Β· offline outbox Β· SMS-fallback status | Booking Β· KYC |
The single most important control is graduated trust. Before any cryptographic, ledger or custody control even runs, a new actor simply cannot touch a high-value parcel or a large COD float. That cap on exposure is what makes every other mitigation a recoverable nuisance rather than a catastrophe.