Introduction

Loss-Averse Commitment Devices with Decentralized Peer Audit Chapter 1 of 7 @4444J99 March 04, 2026

Chapter 1: Introduction

1.1 The Retention Crisis in Digital Health

The global market for digital mental health and behavioral modification applications has achieved extraordinary commercial scale while delivering catastrophic product efficacy. Valued at approximately $7.48 billion in 2024 and projected to reach $17.52 billion by 2030 at a compound annual growth rate of 14.6%, the sector represents one of the fastest-growing verticals in consumer technology (Grand View Research, 2024). The adjacent digital therapeutics (DTx) market, encompassing clinically validated software interventions, stands at $7.67 billion and is forecast to reach $32.5 billion within the same horizon (Deloitte, 2024). Venture capital has poured billions into the premise that software can meaningfully alter human behavior at scale.

The premise is failing. Comprehensive mobile attribution benchmarks reveal that the median 15-day retention rate for mental health applications is 3.9% (Adjust, 2024). Over 80% of the initial user cohort abandons these platforms between days 1 and 10. By day 30, only 3.3% of users remain engaged. These figures are not outliers drawn from marginal products; they represent the industry median, encompassing well-funded applications backed by clinical advisory boards, sophisticated onboarding funnels, and aggressive growth marketing teams. The sector masks a fundamental product failure with user acquisition volume: for every hundred users acquired at a cost of $3 to $12 per install, ninety-six will have abandoned the product within a month. The economics work only because the remaining four percent convert to subscriptions at rates sufficient to cover the cost of the ninety-six who churned, a model that optimizes for revenue extraction from a self-selected minority rather than for population-level behavioral change.

This retention crisis is not unique to mental health. Fitness applications exhibit comparable attrition patterns. Habit-tracking applications, despite their intuitive appeal and the visibility of products like Habitica, Streaks, and Fabulous, suffer from the same structural decay curve. The problem is pervasive across every category of behavioral technology, from meditation (Headspace, Calm) to nutrition tracking (MyFitnessPal, Noom) to productivity systems (Forest, Focus@Will). The pattern is consistent enough to suggest a systemic failure mode rather than a collection of independent product-design errors.

The paradox is sharpened by the evident demand. Users download these applications in enormous numbers, indicating genuine intent to change behavior. They complete onboarding flows, set goals, and engage with initial content. The problem arises when the psychological difficulty of sustaining a behavioral change exceeds the motivational force the application can exert. At that inflection point — typically between days 3 and 10 — the application has no mechanism to retain the user. It can send push notifications, display streak counters, and offer encouraging messages. None of these interventions address the core problem: the user’s immediate desire to defect from the behavioral contract exceeds the cost of defection, because the cost of defection is zero. The user simply stops opening the application, and the application has no recourse.

This structural weakness is particularly pronounced in the high-achiever demographic — executives, founders, and elite professionals. This cohort operates under chronic digital overload, high-stakes pressure, and a psychological framework defined by self-reliance. They routinely delay seeking support until their performance or relationships face severe disruption (Shanafelt et al., 2015). For this population, the gentle nudges and gamified rewards of conventional behavioral technology are not merely insufficient; they are insulting. The mismatch between the severity of the behavioral challenge and the triviality of the intervention produces not just churn, but contempt for the product category itself.

The market, in short, has achieved scale without achieving efficacy. It has monetized the intention to change without delivering the change itself. The billions flowing into the sector are financing sophisticated user acquisition machinery wrapped around products that fail 96% of their users within thirty days. This dissertation argues that the failure is not a matter of better features, improved user interfaces, or more sophisticated machine learning models. The failure is structural, rooted in the absence of a fundamental element that every effective behavioral regulation system requires: consequential feedback.

1.2 The Feedback Loop Failure Hypothesis

The retention crisis described above can be understood through a lens older and more rigorous than contemporary UX design: cybernetics, the science of communication and control in living systems and machines. The foundational insight of cybernetics, articulated by Norbert Wiener (1948) and formalized by W. Ross Ashby (1956), is that stable regulation requires closed feedback loops in which the output of a system is measured, compared against a reference signal, and used to correct subsequent behavior. When feedback is absent, delayed, distorted, or decoupled from consequence, the system loses the capacity for self-correction. It drifts, oscillates, or collapses.

Conant and Ashby (1970) established the formal theorem that every good regulator of a system must contain a model of that system. Applied to behavioral technology, this theorem implies that an application capable of effectively regulating human behavior must embody an accurate model of the forces that drive and constrain that behavior. If the model is naive — if it treats motivation as a simple scalar that can be incremented by badges and streaks — the regulator will fail precisely when regulation is most needed, at the moment when competing drives overwhelm the target behavior.

The hypothesis advanced in this dissertation is that existing behavioral technology platforms fail because they suffer from feedback loop interruption: the critical path between action, consequence, and correction is either severed, delayed beyond the threshold of psychological salience, or replaced by symbolic proxies that carry no real cost. This hypothesis draws on a cybernetic model of human drives termed the Human Vice Control System (HVCS), which treats fundamental human impulses — acquisition, validation-seeking, status maintenance, comparative signaling, boundary enforcement, short-horizon gratification, and energy conservation — not as moral categories to be suppressed but as interacting control signals within a multi-input, multi-output adaptive system. Each drive functions as a sub-controller proposing actions, with a winner-take-most arbitration step determining behavior at any given moment.

Within this framework, six failure modes of modern systems become legible as instances of feedback interruption:

First, capitalism without counter-pressure. When competitive correction is removed through monopoly, rent-seeking, or regulatory capture, the acquisition drive no longer requires invention to satisfy itself. It produces extraction rather than innovation. The feedback loop from greed through competition to correction is broken; loss risk is removed, and the engine consumes the system it was meant to drive (Stiglitz, 2012).

Second, social media without reputational decay. When identity is anonymous, amplification is algorithmic, and memory is ephemeral, status-seeking inflates without social correction. Boundary enforcement (expressed as outrage) becomes costless, and the system destabilizes into performative extremism. The feedback loop from exposure through consequence to calibration is severed (Zuboff, 2019).

Third, consumer abundance without bodily cost visibility. When ultra-processed food engineering bypasses satiety mechanisms and pharmaceutical intervention masks metabolic signals, short-horizon gratification no longer self-limits through physical degradation. The body ceases to report truth fast enough for the pride and validation-seeking sub-controllers to activate corrective behavior (Monteiro et al., 2019).

Fourth, desire without reciprocity. When pornographic saturation and parasocial substitutes detach validation-seeking from the requirement for reciprocal investment, the external selection pressure that historically drove self-improvement disappears. The system stops training itself because the feedback loop from rejection through self-adjustment to renewed effort is interrupted.

Fifth, sloth without comparison pressure. When infinite entertainment fills rest periods with low-cost stimulation, the energy-conservation drive becomes terminal rather than recuperative. The boredom that historically reactivated acquisition and comparative signaling is pharmacologically suppressed by content algorithms optimized for passive consumption (Alter, 2017).

Sixth, moral absolutism without consequence routing. When shame-based suppression attempts to zero out drive variables rather than channel them, the suppressed energy leaks sideways into hypocrisy, pathology, or explosive decompensation. The feedback loop from vice through consequence to recalibration is replaced by a suppression-and-leak cycle that destabilizes the broader system.

These six failure modes share a common structure: a drive that is adaptive under conditions of timely, truthful, costly feedback becomes pathological when that feedback is removed, delayed, or distorted. The insight generalizes to behavioral technology. Existing platforms fail because they provide feedback that is slow (weekly summaries rather than immediate consequence), symbolic rather than causal (badges rather than financial loss), and costless to ignore (push notifications that can be dismissed without penalty). They function as open-loop systems in a domain that requires closed-loop control.

The critical design question, therefore, is not what features an application should offer, but what feedback a user receives, how fast, how truthful, and at what cost. This question, drawn directly from control-theory analysis, reframes the behavioral technology design problem from a feature-engineering challenge to a feedback-engineering challenge. It demands that the system provide consequence density — the reliable coupling of behavioral output to meaningful, timely, and personally costly outcomes.

This reframing motivates the central technical contribution of this dissertation: the design, formal verification, and prototype implementation of a platform that closes the feedback loop between behavioral intention and behavioral consequence through three interlocking mechanisms — financial stakes calibrated by prospect theory, decentralized peer verification, and formal safety invariants that prevent iatrogenic harm.

1.3 Styx: System Overview

Styx is a peer-audited behavioral market that operationalizes the feedback-engineering framework described above. The platform enables users to create financially-staked behavioral contracts — termed oaths — in which real money is placed in escrow and forfeited upon verified failure. A decentralized network of peer auditors — termed Furies — evaluates submitted proof of compliance. A double-entry financial ledger with a SHA-256 hash-chained audit trail ensures that every monetary movement is cryptographically verifiable. A formal safety protocol — the Aegis Protocol — enforces medical, financial, and psychological guardrails that prevent the system from causing harm.

The system architecture comprises three interlocking layers:

Layer 1: Hardware Oracle Layer. Biological and cognitive oath categories are verified through hardware and device oracles. HealthKit (iOS) and Health Connect (Android) provide objective biometric data for weight management, cardiovascular stamina, glucose stability, sleep integrity, and sobriety verification via heart rate variability. Screen Time APIs verify digital fasting and deep work focus commitments. For oath categories that cannot be objectively instrumented — creative output, environmental tidiness, nutritional transparency — the system employs perceptual hashing (pHash) with a Hamming distance threshold of 5 bits to detect duplicate or recycled proof submissions, and EXIF metadata validation to confirm temporal and geographic authenticity. These oracle mechanisms are designed to make the cost of fabricating proof prohibitively high relative to the cost of genuine compliance.

Layer 2: Financial Escrow Layer. User stakes are held in Stripe For Benefit Of (FBO) escrow accounts, ensuring zero-custody operation: Styx never holds user funds in corporate accounts. All financial movements are recorded in a PostgreSQL double-entry ledger where every transaction creates symmetric debit and credit entries, maintaining a system-wide balance invariant of zero. The ledger is complemented by a SHA-256 hash-chained truth log in which each event’s hash incorporates the previous event’s hash and the current event’s serialized payload, producing a tamper-evident chain. This dual-layer financial architecture provides both accounting integrity (through double-entry balancing) and audit integrity (through cryptographic chaining).

Layer 3: Fury Consensus Layer. For oath categories that require subjective human judgment — Does this photograph genuinely depict a prepared healthy meal? Does this time-lapse video demonstrate sustained creative practice? — a decentralized network of 3 to 7 peer auditors (Furies) evaluates each submitted proof. Furies stake $2.00 of their own money per audit, creating symmetric skin in the game: the oath-taker risks their stake on genuine compliance, and the auditor risks their stake on truthful evaluation. Fury accuracy is tracked through a weighted scoring function that penalizes false accusations at 3x the weight of successful audits, with demotion triggered when accuracy falls below 0.80 after a 10-audit burn-in period. Honeypot proofs — known-good or known-bad submissions injected into the audit queue every 6 hours — provide calibration data and detect lazy or colluding auditors.
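The Layer 2 ledger and truth log, sketched as an added example (not the Styx codebase): it enforces per-transaction balance on write, chains each event as SHA-256 over the previous hash and the serialized payload, and shows that an in-place edit is caught while a log regenerated end to end is caught only against a head hash recorded outside the database. The account names, the genesis value, the `|` separator and the serialization format are assumptions.

```typescript
import { createHash } from "node:crypto";

// Amounts are integer cents so the balance check is exact.
interface Entry { account: string; debit: number; credit: number }
interface TruthEvent { payload: Entry[]; prevHash: string; hash: string }
interface Verdict { ok: boolean; failedAt: number | null; reason: string }

const GENESIS = "0".repeat(64); // assumed prevHash for the first event

// Canonical serialization: fixed field order, so equal payloads always hash equally.
function serialize(payload: Entry[]): string {
  return JSON.stringify(payload.map((e) => [e.account, e.debit, e.credit]));
}

// hash_i = SHA-256(hash_{i-1} | serialized payload_i)
function eventHash(prevHash: string, payload: Entry[]): string {
  return createHash("sha256").update(prevHash + "|" + serialize(payload)).digest("hex");
}

// Double-entry rule: within one transaction, total debits equal total credits.
function isBalanced(payload: Entry[]): boolean {
  let net = 0;
  for (const e of payload) {
    if (!Number.isInteger(e.debit) || !Number.isInteger(e.credit)) return false;
    if (e.debit < 0 || e.credit < 0) return false;
    net += e.debit - e.credit;
  }
  return payload.length >= 2 && net === 0;
}

// Append-only write path: unbalanced transactions never reach the log.
function append(log: TruthEvent[], payload: Entry[]): TruthEvent[] {
  if (!isBalanced(payload)) throw new Error("unbalanced transaction rejected");
  const last = log[log.length - 1];
  const prevHash = last ? last.hash : GENESIS;
  return [...log, { payload, prevHash, hash: eventHash(prevHash, payload) }];
}

function headHash(log: TruthEvent[]): string {
  const last = log[log.length - 1];
  return last ? last.hash : GENESIS;
}

// System-wide invariant: debits minus credits over the whole ledger is zero.
function systemBalance(log: TruthEvent[]): number {
  let net = 0;
  for (const ev of log) for (const e of ev.payload) net += e.debit - e.credit;
  return net;
}

// Recompute every link. anchoredHead is a head hash recorded outside the database.
function verify(log: TruthEvent[], anchoredHead?: string): Verdict {
  let prev = GENESIS;
  for (let i = 0; i < log.length; i++) {
    const ev = log[i];
    if (!ev || ev.prevHash !== prev) return { ok: false, failedAt: i, reason: "broken link" };
    if (ev.hash !== eventHash(prev, ev.payload)) return { ok: false, failedAt: i, reason: "payload altered" };
    if (!isBalanced(ev.payload)) return { ok: false, failedAt: i, reason: "unbalanced" };
    prev = ev.hash;
  }
  if (anchoredHead !== undefined && prev !== anchoredHead) {
    return { ok: false, failedAt: null, reason: "head differs from anchored value" };
  }
  return { ok: true, failedAt: null, reason: "intact" };
}

// Constructed sample: a $50.00 stake, a $2.00 audit stake, then forfeiture of the stake.
function buildSampleLog(): TruthEvent[] {
  let log: TruthEvent[] = [];
  log = append(log, [{ account: "escrow:oath-1", debit: 5000, credit: 0 },
                     { account: "user:alice", debit: 0, credit: 5000 }]);
  log = append(log, [{ account: "escrow:audit-1", debit: 200, credit: 0 },
                     { account: "user:fury-7", debit: 0, credit: 200 }]);
  log = append(log, [{ account: "forfeit:pool", debit: 5000, credit: 0 },
                     { account: "escrow:oath-1", debit: 0, credit: 5000 }]);
  return log;
}

// Case 1: a stored row is edited (still balanced) but the hashes are left alone.
function editStoredStake(log: TruthEvent[]): TruthEvent[] {
  return log.map((ev, i) => i !== 0 ? ev : {
    ...ev,
    payload: ev.payload.map((e) => ({ account: e.account, debit: e.debit ? 500 : 0, credit: e.credit ? 500 : 0 })),
  });
}

// Case 2: the whole chain is regenerated from edited payloads, so every link is
// internally consistent; only the externally anchored head exposes the change.
function rebuildChain(payloads: Entry[][]): TruthEvent[] {
  return payloads.reduce<TruthEvent[]>((log, p) => append(log, p), []);
}
```

Case 2 is the limit that section 1.5 states as tamper evidence "within the trust boundary of the database operator": without a head hash held elsewhere, `verify` has nothing to compare a regenerated chain against.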

The key innovation of this architecture is that it makes cheating expensive through dual mechanisms: financial stake loss (prospect-theoretic penalty) and reputational cost (integrity score degradation). The loss aversion coefficient $\lambda = 1.955$, drawn from a comprehensive meta-analysis of 607 empirical estimates across economics, psychology, and neuroscience (Brown et al., 2024), calibrates the psychological weight of stake forfeiture. Users do not merely lose money when they fail; they lose money in a context where losses are psychologically weighted at approximately twice the magnitude of equivalent gains, amplifying the motivational force of the financial stake beyond its nominal dollar value.

The platform supports 27 oath types organized across 7 behavioral streams: Biological (weight management, cardiovascular stamina, glucose stability, sleep integrity, sobriety), Cognitive (digital fasting, deep work focus, inbox zero, learning retention), Professional (sales velocity, developer throughput, punctuality), Creative (deep writing, visual arts, music practice, maker builds), Environmental (nutritional transparency, tidiness, personal presentation, active reading), Character (civic engagement, philanthropic velocity, family presence), and Recovery (no-contact boundary enforcement, substance abstinence, behavioral detox, environment avoidance). Each stream maps to specific verification methods through an oracle routing table that ensures the appropriate level of objective measurement or subjective audit is applied to each oath category.

The system is implemented as a Turborepo monorepo comprising six workspaces: a NestJS API backend with BullMQ task queuing and Stripe payment integration; a Next.js web dashboard with Zustand state management; a React Native mobile application with Expo for sensor bridging and biometric access; a Tauri desktop application for administrative oversight; a shared TypeScript library containing core algorithms, types, and constants; and an interactive pitch deck. The codebase contains over 467 automated tests across unit, integration, and end-to-end suites, plus 8 validation gates that enforce invariants ranging from ledger balance integrity to the absence of gambling-adjacent terminology in production builds.

1.4 Research Questions

This dissertation addresses five research questions that span behavioral economics, mechanism design, control theory, safety engineering, and regulatory analysis. Each question corresponds to a distinct theoretical or practical challenge that must be resolved for financially-staked behavioral contracts to function as a viable, safe, and legally compliant intervention.

RQ1: How can loss aversion ($\lambda = 1.955$) be operationalized as a calibrated penalty coefficient within a digital commitment device?

Prospect theory establishes that losses loom larger than gains (Kahneman & Tversky, 1979; Tversky & Kahneman, 1992). The median loss aversion coefficient across 607 empirical estimates is $\lambda = 1.955$ with a 95% confidence interval of [1.820, 2.102] (Brown et al., 2024). However, the existing literature on commitment devices — from stickK’s referee-based contracts (Karlan et al., 2016) to DietBet’s shared-pot weight loss challenges (Leahey et al., 2014) — treats financial stakes as a binary presence-or-absence variable rather than as a calibrated parameter. RQ1 asks how $\lambda$ can be formally incorporated into stake sizing, penalty messaging, and tier progression within a digital platform, and what formal properties (monotonicity, boundedness, fairness) such an operationalization must satisfy.

RQ2: What mechanism design properties must a decentralized peer-audit network satisfy for incentive-compatible truthful reporting?

The Fury consensus layer presents a novel variant of the peer prediction problem (Miller et al., 2005; Prelec, 2004). Unlike traditional peer prediction settings where the ground truth is never revealed, Styx operates in a hybrid regime: some proofs are objectively verifiable (HealthKit biometrics, GPS geofences) while others require subjective human judgment (photographs of meals, time-lapse videos of creative work). RQ2 asks what properties the auditor incentive structure must satisfy to ensure that truthful reporting is the dominant strategy, how honeypot injection and false-accusation weighting contribute to incentive compatibility, and whether the Fury accuracy function constitutes a proper scoring rule under the constraints of the system.

RQ3: Can a cybernetic model of human drives (HVCS) serve as a principled design framework for behavioral technology?

The Human Vice Control System (HVCS), articulated in this dissertation as an original theoretical contribution, models fundamental human drives as competing sub-controllers within a multi-input, multi-output adaptive control loop. Unlike the prevailing approach in behavioral technology design — which draws piecemeal from nudge theory (Thaler & Sunstein, 2008), self-determination theory (Ryan & Deci, 2000), and habit loop models (Duhigg, 2012) — the HVCS provides a unified framework grounded in control theory (Wiener, 1948; Ashby, 1956) and the good regulator theorem (Conant & Ashby, 1970). RQ3 asks whether this cybernetic model can serve as a principled, a priori design framework — not merely a post-hoc explanatory narrative — for behavioral technology, and whether the design decisions embodied in Styx’s architecture can be systematically derived from HVCS principles.

RQ4: What formal safety invariants (Aegis Protocol) prevent iatrogenic harm in a financially-staked behavioral platform?

A platform that uses financial penalties to drive behavioral change creates risks that do not exist in conventional wellness applications. Users might stake money on dangerous weight-loss targets, accelerating eating disorders. Repeated failures could trigger financial spirals. Recovery-stream contracts (no-contact boundary enforcement) could be weaponized as instruments of social isolation or domestic abuse. RQ4 asks what formal safety invariants — expressed as a conjunction of boolean predicates over system state — are necessary and sufficient to prevent these iatrogenic harms, and whether those invariants can be proven to hold across all reachable system states. The Aegis Protocol, formalized in this dissertation, comprises six safety predicates covering absolute stake caps, minimum contract duration, failure-triggered downscaling, integrity-based access control, BMI floor enforcement, and weight-loss velocity caps, plus a separate anti-isolation guarantee for recovery-stream contracts.

RQ5: How does the legal classification of financially-staked behavioral contracts map onto the skill-chance spectrum under U.S. gambling law?

The legal viability of the platform depends on its classification as a skill-based contest rather than an illegal gambling product. U.S. gambling law generally requires three elements: prize, consideration, and chance. Styx clearly involves prize (return of stake plus potential Fury bounties) and consideration (user deposits). The critical variable is whether the outcome — successful completion of a behavioral contract — is determined predominantly by skill and effort or by chance. RQ5 asks how the platform’s design choices (behavior-based metrics, objective verification, no randomization, transparent scoring algorithms, medical guardrails) map onto the three principal state-level tests for the skill-chance distinction: the predominance test, the material-element test, and the any-chance test. The analysis draws on the legal frameworks under which existing platforms such as DietBet and HealthyWage operate (Leahey et al., 2014) and the broader jurisprudence of daily fantasy sports, e-sports, and prize-based skill contests.

1.5 Scope and Delimitations

This dissertation follows the Design Science Research (DSR) methodology as articulated by Hevner et al. (2004) and refined by Peffers et al. (2007). DSR is distinguished from empirical behavioral research by its objective: rather than testing hypotheses about naturally occurring phenomena, DSR creates and evaluates artifacts — constructs, models, methods, and instantiations — that address identified problems. The artifact in this case is the Styx platform, comprising both the theoretical framework (HVCS model, Aegis safety invariants, Fury mechanism design) and the working prototype (Turborepo monorepo with 467+ automated tests).

The following elements are in scope:

  1. Formal definitions and proofs. Nine formal definitions (D1–D9) specify the mathematical objects underlying the system: the double-entry ledger, the hash-chained truth log, the integrity score function, the Fury accuracy function, the Aegis safety predicate set, the dispute resolution finite state machine, the honeypot detection mechanism, the anti-isolation predicate, and the perceptual hash duplicate detection function. Nine formal theorems (T1–T9) prove properties of these definitions, including balance invariance, tamper evidence, score boundedness, incentive compatibility of truthful auditing, safety predicate satisfaction, FSM termination, honeypot detection bounds, anti-isolation guarantees, and duplicate detection bounds. Each proof includes explicit code-to-proof mappings linking formal claims to TypeScript implementations.

  2. Working prototype. The Styx platform is implemented as a production-grade Turborepo monorepo comprising a NestJS API, Next.js web application, React Native mobile application, Tauri desktop application, and shared TypeScript library. The codebase includes 467+ automated tests across unit, integration, and end-to-end suites, 8 validation gates, Playwright browser tests across 4 engines, and Terraform infrastructure-as-code for deployment. The prototype demonstrates technical feasibility and provides the instantiation artifact required by the DSR methodology.

  3. Mechanism design analysis. Formal analysis of the Fury consensus layer as a peer prediction mechanism with financial stakes, including incentive compatibility under truthful and strategic auditor behavior, the role of honeypot injection in calibration, and the properties of the weighted accuracy scoring function.

  4. Legal analysis. A comprehensive analysis of U.S. gambling law as applied to financially-staked behavioral contracts, covering federal statutory definitions, the three principal state-level skill-chance tests, the operational precedents of existing platforms, and the specific design decisions that position Styx on the skill side of the spectrum.

  5. Safety formalization. The Aegis Protocol is formalized as a conjunction of boolean predicates over system state, with proofs that the predicate set prevents each identified category of iatrogenic harm. The Recovery Protocol’s anti-isolation guarantee is separately formalized and proven.

The following elements are out of scope:

  1. Empirical evaluation with live users. No randomized controlled trial (RCT) has been conducted. The dissertation does not claim to demonstrate that Styx produces superior behavioral outcomes compared to existing platforms. It demonstrates feasibility, formal correctness, and safety — not clinical efficacy. Empirical evaluation is identified as the primary direction for future work.

  2. Native hardware oracle implementation. HealthKit and Health Connect integrations exist as architectural stubs with defined interfaces, but the native Swift (iOS) and Kotlin (Android) bridges required for actual biometric data access are not implemented. The mobile application currently supports text-based proof submission and camera-based photo/video proof, but does not read live sensor data from wearable devices.

  3. On-chain migration. The system currently uses a PostgreSQL-backed hash-chained truth log that provides tamper evidence within the trust boundary of the database operator. Migration to a public or consortium blockchain for decentralized trust is discussed as future work but is not implemented or formally analyzed.

  4. AI-generated proof detection. The perceptual hashing and EXIF validation mechanisms detect duplicate and metadata-inconsistent proofs, but do not address the emerging challenge of AI-generated synthetic media (deepfakes, AI-generated photographs). Detection of AI-generated proof is identified as a critical future research direction.

  5. International regulatory analysis. The legal analysis is confined to U.S. federal and state law. International gambling regulation, GDPR implications for immutable truth logs (particularly Article 17, the right to erasure), and cross-border payment compliance are noted as important considerations but are not analyzed in depth.

The geographic scope of the analysis is the United States, with state-by-state variation in gambling law addressed through the three principal skill-chance tests. The target user population is adults aged 18 and older, with the Aegis Protocol enforcing age verification, BMI floors, and velocity caps as formal safety constraints.

1.6 Significance

This dissertation makes contributions across four dimensions: theoretical, methodological, practical, and legal. Each contribution addresses a gap identified in the existing literature and verified through the gap analysis conducted during the research process.

1.6.1 Theoretical Contributions

The Human Vice Control System (HVCS). This dissertation introduces a cybernetic model of human drives that treats impulses not as moral categories to be suppressed but as competing sub-controllers within a multi-input, multi-output adaptive control loop. The HVCS extends the foundational work of Wiener (1948) and Ashby (1956) into the domain of behavioral technology design by providing a unified framework for analyzing feedback loop failures in modern institutions and deriving design requirements for systems that restore consequential feedback. While perceptual control theory (Powers, 1973) and self-regulation models (Carver & Scheier, 1998) have applied control-theoretic concepts to individual psychology, the HVCS is, to the author’s knowledge, the first formal application of multi-loop control theory to the design of behavioral technology platforms. The model generates testable predictions about which design interventions will stabilize or destabilize user behavior, and it provides a principled basis for the Styx architecture that goes beyond the ad hoc application of individual behavioral science findings.

Consequence density as a design primitive. The HVCS analysis identifies consequence density — the degree to which behavioral outputs are reliably coupled to meaningful, timely, and personally costly outcomes — as the fundamental variable that determines whether a behavioral technology platform can sustain engagement and produce behavioral change. This concept unifies otherwise disparate findings across the retention crisis literature, the commitment device literature, and the gamification literature under a single explanatory variable. Platforms fail not because they lack features, but because they lack consequence density. Platforms succeed not because they are better designed, but because they provide feedback that is fast, truthful, and costly to ignore.

1.6.2 Mechanism Design Contributions

Fury consensus as a peer prediction variant. The Fury auditor network constitutes a novel variant of the peer prediction problem (Miller et al., 2005) in which auditors evaluate proofs under a hybrid verification regime: some proofs are objectively verifiable while others require subjective judgment. The mechanism combines financial staking ($2.00 per audit), asymmetric penalty weighting (false accusations penalized at 3x), burn-in periods (10 audits before demotion eligibility), and honeypot calibration (known-truth proofs injected every 6 hours) to create an incentive structure in which truthful reporting dominates strategic manipulation. The formal analysis of this mechanism, including proofs of incentive compatibility and accuracy dominance (Theorems T4 and T7), contributes to the mechanism design literature on peer prediction with financial stakes.

Integrity score as a reputation-gated access control mechanism. The integrity score function ($IS(u) = \max(0, IS_0 + \beta_c \cdot c_u - \beta_f \cdot f_u - \beta_s \cdot s_u - \beta_d \cdot d_u)$) defines a reputation system that simultaneously serves as access control (tier-gating stake amounts), incentive alignment (rewarding compliance and penalizing fraud), and safety mechanism (restricting high-risk users to lower stakes). The formal properties of this function — non-negativity, monotonicity with respect to compliance, sensitivity to fraud — are proven in Theorem T3. The design represents a novel integration of reputation systems with financial access control in the context of behavioral contracts.

1.6.3 Safety Engineering Contributions

Aegis Protocol: formal safety invariants for commitment devices. The Aegis Protocol formalizes six safety predicates as a conjunction of boolean constraints over system state: absolute stake cap ($\sigma \leq \sigma_{max}$), minimum contract duration ($\delta \geq \delta_{min}$), failure-triggered downscaling ($\kappa < \bar{\kappa} \lor \sigma \leq \sigma_{reduced}$), integrity-based access control ($IS(u) \geq IS_{threshold} \lor \sigma \leq \sigma_{tier}$), BMI floor enforcement ($BMI(u) \geq BMI_{min}$), and weight-loss velocity cap ($v_w \leq \bar{v}_w$). To the author’s knowledge, this is the first formal specification of safety invariants for a commitment device platform. Existing platforms implement ad hoc safety measures (DietBet’s maximum weight-loss rate, HealthyWage’s minimum contest duration), but none provide formal definitions, proofs of invariant satisfaction, or systematic coverage analysis of potential iatrogenic harms.

Anti-isolation guarantee for recovery contracts. The Recovery Protocol addresses a unique risk category: no-contact boundary enforcement contracts could be weaponized as instruments of social isolation or coercive control. The anti-isolation predicate ($\forall c \in C_{recovery}: targets(c) \leq \bar{n}_{NC} \land duration(c) \leq \bar{\delta}_R \land AP(c) \neq \emptyset \land \bigwedge Ack(c)$) formally constrains the maximum number of no-contact targets (3), the maximum contract duration (30 days), the requirement for an accountability partner, and the requirement for explicit safety acknowledgments. This formalization, proven in Theorem T8, represents the first formal treatment of anti-isolation constraints in the commitment device literature.

1.6.4 Practical Contributions

Working prototype with code-to-proof mapping. The Styx prototype demonstrates that the formal properties proven in the dissertation are not merely theoretical constructs but are directly implemented and enforced in executable code. Each of the 9 formal theorems includes explicit mappings from mathematical definitions to TypeScript function signatures, enabling independent verification that the code faithfully implements the formal specification. The prototype’s 467+ automated tests, 8 validation gates, and Playwright end-to-end test suite provide additional assurance of implementation correctness.

Total addressable market validation. The market analysis conducted as part of this research identifies a total addressable market exceeding $50 billion across behavioral health, commitment devices, enterprise wellness programs, and digital therapeutics. The platform’s architecture supports three distinct go-to-market strategies: consumer commitment devices (Variant 1: refund-only), social shared-pot contests (Variant 2: DietBet-style), and B2B employer-sponsored wellness challenges (Variant 3: SaaS). This multi-variant approach, grounded in legal analysis of the skill-chance spectrum, demonstrates that the formal contributions of this dissertation have practical commercial application.

Skill-chance spectrum analysis for behavioral contracts. The legal analysis maps Styx’s design decisions onto the three principal state-level tests for distinguishing skill-based contests from gambling: the predominance test (majority of states), the material-element test (some states), and the any-chance test (a few jurisdictions). The analysis demonstrates that the platform’s emphasis on behavior-based metrics, objective verification, absence of randomization, transparent scoring algorithms, and medical guardrails positions it on the skill side of the spectrum under the predominance test, with specific design recommendations for jurisdictions applying stricter tests. This analysis provides a reusable framework for evaluating novel financial commitment products under existing gambling law.

1.7 Key Terms

The following terms are used with specific technical meanings throughout this dissertation. Each definition is grounded in the formal notation conventions established in the notation reference (Appendix A) and corresponds to specific code implementations in the Styx prototype.

Behavioral contract (oath). A time-bound agreement in which a user commits to performing a specified behavior, verified by designated oracle or peer-audit methods, with a financial stake held in escrow that is returned upon verified success and forfeited upon verified failure. Formally, a contract $c \in C$ specifies an oath category $o \in O$, a duration $\delta$, a stake amount $\sigma$, a verification method, and success criteria.

Commitment device. A mechanism by which an individual voluntarily restricts their future choice set or imposes costs on future defection in order to align present behavior with long-term preferences (Bryan et al., 2010). In the Styx context, the financial stake functions as a commitment device by making the cost of behavioral defection immediate and salient rather than abstract and deferred.

Loss aversion coefficient ($\lambda$). The parameter in prospect theory’s value function that quantifies the asymmetry between the psychological weight of losses and gains. The value $\lambda = 1.955$, used as a design constant in the Styx platform, is the mean estimate from Brown et al.’s (2024) meta-analysis of 607 empirical observations. It indicates that a monetary loss is perceived as approximately 1.955 times as impactful as an equivalent monetary gain.

Fury (peer auditor). A registered user who participates in the decentralized proof verification network. Furies stake $2.00 per audit and earn bounty rewards for accurate verdicts. The term derives from the Erinyes of Greek mythology, spirits of vengeance who enforced moral order. In the system, Furies enforce behavioral compliance through peer evaluation rather than algorithmic judgment.

Integrity Score ($IS$). A non-negative integer that quantifies a user’s behavioral track record within the platform. Computed as $IS(u) = \max(0, 50 + 5 \cdot c_u - 15 \cdot f_u - 20 \cdot s_u - 1 \cdot d_u)$, where $c_u$ is completed oaths, $f_u$ is fraud strikes, $s_u$ is failed oaths, and $d_u$ is months inactive. The integrity score gates access to financial tiers: scores below 20 restrict users to zero-stake mode; scores above 500 unlock unlimited staking.

Fury Accuracy ($FA$). A real-valued score in $[0, 1]$ that measures an auditor’s reliability. Computed as $FA(v) = \text{clamp}_{0}^{1}((a_v - 3 \cdot \bar{a}_v) / n_v)$, where $a_v$ is successful audits, $\bar{a}_v$ is false accusations, and $n_v$ is total audits. False accusations are penalized at 3x weight. Auditors with accuracy below 0.80 after 10 or more audits are demoted from the Fury network.
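The Integrity Score and Fury Accuracy definitions above, written out as an added TypeScript example (this is not code from the Styx prototype). Type and function names are hypothetical; the coefficients and thresholds are the ones stated in the two definitions, and the value returned for an auditor with no audits is an assumption.

```typescript
// Added example: names are hypothetical; constants come from the two definitions above.
interface UserRecord { completed: number; fraudStrikes: number; failed: number; monthsInactive: number; }
interface AuditorRecord { successful: number; falseAccusations: number; total: number; }
type StakeTier = "zero-stake" | "tiered" | "unlimited";

// IS(u) = max(0, 50 + 5*c_u - 15*f_u - 20*s_u - 1*d_u)
function integrityScore(u: UserRecord): number {
  return Math.max(0, 50 + 5 * u.completed - 15 * u.fraudStrikes - 20 * u.failed - u.monthsInactive);
}

// Below 20: zero-stake only. Above 500: unlimited. The tiers in between are not
// enumerated in this chapter, so they are collapsed into a single label here.
function stakeTier(score: number): StakeTier {
  if (score < 20) return "zero-stake";
  if (score > 500) return "unlimited";
  return "tiered";
}

// FA(v) = clamp_0^1((a_v - 3*abar_v) / n_v). The formula is undefined for n_v = 0;
// returning 0 for an auditor with no audits is an assumption of this example.
function furyAccuracy(v: AuditorRecord): number {
  if (v.total === 0) return 0;
  return Math.min(1, Math.max(0, (v.successful - 3 * v.falseAccusations) / v.total));
}

// Demotion needs both conditions: at least 10 audits and accuracy below 0.80.
function shouldDemote(v: AuditorRecord): boolean {
  return v.total >= 10 && furyAccuracy(v) < 0.8;
}

// Constructed records that exercise the boundary cases.
const oneFalseInTen: AuditorRecord = { successful: 9, falseAccusations: 1, total: 10 };
const oneFalseInTwenty: AuditorRecord = { successful: 19, falseAccusations: 1, total: 20 };
const allFalseInBurnIn: AuditorRecord = { successful: 0, falseAccusations: 9, total: 9 };

console.log(furyAccuracy(oneFalseInTen), shouldDemote(oneFalseInTen));
console.log(furyAccuracy(oneFalseInTwenty), shouldDemote(oneFalseInTwenty));
console.log(furyAccuracy(allFalseInBurnIn), shouldDemote(allFalseInBurnIn));
console.log(stakeTier(integrityScore({ completed: 0, fraudStrikes: 2, failed: 0, monthsInactive: 1 })));
```

One false accusation in the first ten audits gives an accuracy of 0.6 and demotion, while the same single false accusation over twenty audits sits exactly at 0.80 and is kept. An auditor still inside the burn-in period is not demoted even at accuracy 0.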

Aegis Protocol. The formal safety framework comprising six boolean predicates whose conjunction must evaluate to true before any contract is permitted to proceed. The predicates enforce absolute stake caps, minimum contract duration, failure-triggered stake downscaling, integrity-based tier gating, BMI floor enforcement, and weight-loss velocity caps. Named for the mythological shield of Athena, the protocol functions as a defensive boundary preventing iatrogenic harm.

Truth Log. A SHA-256 hash-chained append-only event log in which each entry’s hash incorporates the previous entry’s hash and the current entry’s serialized payload. This produces a tamper-evident chain: modifying any historical entry invalidates all subsequent hashes. The truth log provides audit integrity independent of the double-entry ledger’s accounting integrity.
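The hash chain described in the Truth Log definition, as an added TypeScript example (not code from the Styx prototype). The entry layout, the JSON serialization, the all-zero genesis value and every name below are assumptions; the example also goes one step beyond the definition by checking the chain head against a copy held outside the log.

```typescript
import { createHash } from "node:crypto";

interface LogEntry { index: number; payload: string; prevHash: string; hash: string; }
const GENESIS = "0".repeat(64); // assumed "previous hash" of the first entry

// hash_i = SHA-256(hash_{i-1} || payload_i). prevHash is fixed-length hex, so the split is unambiguous.
function entryHash(prevHash: string, payload: string): string {
  return createHash("sha256").update(prevHash).update(payload).digest("hex");
}

function append(log: LogEntry[], event: object): LogEntry[] {
  const prevHash = log.length > 0 ? log[log.length - 1].hash : GENESIS;
  const payload = JSON.stringify(event); // assumed serialization
  return [...log, { index: log.length, payload, prevHash, hash: entryHash(prevHash, payload) }];
}

// Returns the index of the first bad entry, -1 if the chain verifies, or log.length if
// the chain is self-consistent but its head differs from a head hash kept outside the log.
function verify(log: LogEntry[], anchoredHead?: string): number {
  let prev = GENESIS;
  for (let i = 0; i < log.length; i++) {
    const e = log[i];
    if (e.index !== i || e.prevHash !== prev || e.hash !== entryHash(prev, e.payload)) return i;
    prev = e.hash;
  }
  return anchoredHead !== undefined && prev !== anchoredHead ? log.length : -1;
}

// Constructed sample events, not taken from the Styx codebase.
const EVENTS: object[] = [
  { type: "STAKE_DEPOSITED", contract: "c-1", cents: 2500 },
  { type: "PROOF_SUBMITTED", contract: "c-1", proof: "p-9" },
  { type: "VERDICT", contract: "c-1", result: "reject" },
];
const build = (events: object[]) => events.reduce<LogEntry[]>((l, ev) => append(l, ev), []);

function demo() {
  const log = build(EVENTS);
  const head = log[log.length - 1].hash; // copy stored outside the log
  const changed = { type: "VERDICT", contract: "c-1", result: "accept" };
  // Case 1: a stored payload is altered but the stored hashes are left alone.
  const edited = log.map((e) => ({ ...e }));
  edited[2].payload = JSON.stringify(changed);
  // Case 2: the whole log is regenerated around the altered event, so it is self-consistent.
  const rebuilt = build([EVENTS[0], EVENTS[1], changed]);
  return { intact: verify(log, head), edited: verify(edited),
           rebuiltUnanchored: verify(rebuilt), rebuiltAnchored: verify(rebuilt, head) };
}
console.log(demo());
```

The regenerated log passes a check that relies only on its own hashes, so the chain's tamper evidence depends on a copy of the head hash held where a writer to the log cannot reach it.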

Double-entry ledger. A financial record-keeping system in which every transaction creates two entries of equal magnitude: a debit to one account and a credit to another. This ensures that the sum of all account balances across the system is always zero, providing a structural invariant that can be continuously verified. In Styx, all monetary movements — stake deposits, escrow captures, Fury bounties, refunds, and fee deductions — are recorded as double-entry transactions.

Proof verification pipeline. The end-to-end process by which a user’s submitted evidence of behavioral compliance is evaluated. The pipeline routes proofs through oracle verification (for hardware-measurable behaviors), perceptual hash duplicate detection (for media-based proofs), EXIF metadata validation (for temporal and geographic authenticity), and Fury consensus evaluation (for subjectively judged proofs). The pipeline produces a binary accept/reject verdict that determines whether the associated contract’s stake is returned or forfeited.

Human Vice Control System (HVCS). A cybernetic model introduced in this dissertation that treats fundamental human drives as competing sub-controllers within a multi-input, multi-output adaptive control loop. The model provides a unified framework for analyzing feedback loop failures in behavioral technology and modern institutions, and for deriving design requirements for systems that restore consequential feedback. The HVCS is grounded in the control theory tradition of Wiener (1948), Ashby (1956), and Conant and Ashby (1970), and extends it into the domain of behavioral technology design.

Honeypot injection. A calibration mechanism in which proofs with known verdicts (either known-good or known-bad) are inserted into the Fury audit queue at regular intervals (every 6 hours, when at least 3 Furies are active). Auditors who correctly identify honeypots receive an integrity bonus (+5); those who fail receive an integrity penalty (-5). Honeypots serve dual purposes: they provide ground-truth calibration data for auditor accuracy measurement, and they create a detection mechanism for lazy or colluding auditors.

Recovery protocol. A specialized set of constraints governing recovery-stream contracts, particularly no-contact boundary enforcement. The protocol limits the maximum number of no-contact targets to 3, the maximum contract duration to 30 days, requires an accountability partner for every recovery contract, mandates explicit safety acknowledgments (voluntary participation, no minors involved, no dependents affected, no legal obligations violated), and auto-fails contracts after 3 missed daily attestations.
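The anti-isolation predicate of Section 1.6.3 and the Recovery protocol limits above, evaluated conjunct by conjunct in an added TypeScript example (not code from the Styx prototype). Type, field and function names are hypothetical; the limits are the ones the page states, and counting missed attestations cumulatively is an assumption.

```typescript
// Added example: type and function names are hypothetical; the limits are the page's.
interface SafetyAcks { voluntary: boolean; noMinors: boolean; noDependents: boolean; noLegalObligations: boolean; }
interface RecoveryContract {
  noContactTargets: string[];
  durationDays: number;
  accountabilityPartner: string | null;
  acks: SafetyAcks;
}

const MAX_TARGETS = 3;             // \bar{n}_{NC}
const MAX_DURATION_DAYS = 30;      // \bar{\delta}_R
const MAX_MISSED_ATTESTATIONS = 3;
const ACK_KEYS: (keyof SafetyAcks)[] = ["voluntary", "noMinors", "noDependents", "noLegalObligations"];

// Evaluates every conjunct and returns the ones that fail; [] means the predicate holds.
// An acknowledgment counts only when it is explicitly true, so missing data fails closed.
function antiIsolationViolations(c: RecoveryContract): string[] {
  const failed: string[] = [];
  if (c.noContactTargets.length > MAX_TARGETS) failed.push("targets");
  if (c.durationDays > MAX_DURATION_DAYS) failed.push("duration");
  if (c.accountabilityPartner === null || c.accountabilityPartner.trim() === "") {
    failed.push("accountability-partner");
  }
  for (const k of ACK_KEYS) if (c.acks[k] !== true) failed.push("ack:" + k);
  return failed;
}

// Missed attestations are counted cumulatively here; the page does not say whether
// the 3 misses must be consecutive, so that is an assumption.
function autoFailed(dailyAttested: boolean[]): boolean {
  return dailyAttested.filter((done) => !done).length >= MAX_MISSED_ATTESTATIONS;
}

// Constructed contracts: one at the limits, one that breaks four conjuncts at once.
const atLimits: RecoveryContract = {
  noContactTargets: ["t1", "t2", "t3"], durationDays: 30, accountabilityPartner: "partner-1",
  acks: { voluntary: true, noMinors: true, noDependents: true, noLegalObligations: true },
};
const isolating: RecoveryContract = {
  noContactTargets: ["t1", "t2", "t3", "t4"], durationDays: 90, accountabilityPartner: null,
  acks: { voluntary: true, noMinors: true, noDependents: false, noLegalObligations: true },
};

console.log(antiIsolationViolations(atLimits), antiIsolationViolations(isolating));
```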

Linguistic cloaking. A runtime vocabulary substitution system that replaces Stygian terminology with neutral equivalents for distribution through platform gatekeepers (Apple App Store, Google Play, Stripe). The cloaker maps domain-specific terms to compliance-safe alternatives: “stake” becomes “vault deposit,” “bet” becomes “commitment,” “fury” becomes “peer reviewer,” “oath” becomes “goal contract.” This mechanism addresses the practical requirement that app store review processes and payment processor policies may flag gambling-adjacent terminology.

1.8 Dissertation Organization

This dissertation is organized into five substantive chapters plus references and appendices. The structure follows the Design Science Research reporting framework (Peffers et al., 2007), proceeding from problem identification and motivation (Chapter 1), through knowledge base and related work (Chapter 2), artifact design and development (Chapter 3), demonstration and evaluation (Chapter 4), to communication and discussion (Chapter 5).

Chapter 2: Literature Review surveys the theoretical foundations and empirical evidence across seven research traditions that inform the Styx design: behavioral economics and prospect theory, with emphasis on loss aversion calibration and commitment device theory; habit formation and self-regulation, including self-determination theory and the crowding-out hypothesis; cybernetics and control theory, establishing the formal basis for the HVCS model; mechanism design and game theory, covering peer prediction, incentive compatibility, and the revelation principle; platform economics and two-sided markets, analyzing network effects and cross-side externalities in audit marketplaces; contingency management and addiction science, examining the evidence base for financial incentives in substance abuse treatment; and digital health regulation, covering U.S. gambling law, HIPAA applicability, and state-level privacy legislation. The review identifies specific gaps in each tradition that this dissertation addresses.

Chapter 3: Methodology presents the Design Science Research framework, the system architecture, and the formal definitions that constitute the dissertation’s core artifact. The chapter establishes nine formal definitions (D1–D9) specifying the mathematical objects underlying the Styx system, describes the dual-layer API architecture and its rationale, presents the technology stack and workspace organization, and articulates the validation strategy encompassing unit tests, integration tests, validation gates, and formal proofs. The methodology chapter also addresses the philosophical positioning of DSR relative to positivist and interpretivist research paradigms, justifying the artifact-creation approach for a problem domain where the contribution is a designed system rather than an observed phenomenon.

Chapter 4: Results presents the nine formal theorems (T1–T9) that constitute the primary evaluative contribution of the dissertation. Each theorem is stated with its formal preconditions and claims, proven using the mathematical framework established in Chapter 3, and mapped to specific TypeScript implementations in the Styx codebase. The theorems prove: ledger balance invariance (T1), truth log tamper evidence (T2), integrity score properties (T3), Fury accuracy dominance of truthful reporting (T4), Aegis safety predicate satisfaction (T5), dispute resolution FSM termination (T6), honeypot detection lower bounds (T7), anti-isolation guarantee (T8), and perceptual hash duplicate detection bounds (T9). Each proof is accompanied by a code-to-proof mapping table that identifies the exact source files, function names, and test suites that implement and verify the proven property.

Chapter 5: Discussion addresses each research question in turn, synthesizing the formal results from Chapter 4 with the theoretical context from Chapter 2. The chapter evaluates the extent to which the HVCS model succeeds as a principled design framework (RQ3), assesses the calibration of $\lambda = 1.955$ within the platform’s financial mechanics (RQ1), analyzes the incentive properties of the Fury consensus layer (RQ2), evaluates the completeness and sufficiency of the Aegis safety invariants (RQ4), and maps the platform’s legal positioning onto the skill-chance spectrum (RQ5). The chapter also identifies limitations, including the absence of empirical user data, the reliance on architectural stubs for native hardware oracles, the challenge of AI-generated proof detection, and the geographic constraint of the legal analysis. Future work is discussed across six dimensions: randomized controlled trials, native sensor bridge implementation, on-chain truth log migration, international regulatory analysis, AI-generated media detection, and longitudinal integrity score calibration.

Chapter 6: References provides the complete bibliography in APA 7th edition format, comprising 65–75 cited works drawn from the eight research traditions surveyed in Chapter 2.

Chapter 7: Appendices contains supplementary material including complete algorithm listings with line-by-line annotations, the PostgreSQL database schema, the API specification, the oath category taxonomy with oracle routing mappings, the notation conventions reference, and the literature coverage matrix.

