Every buyer of a research-grade peptide asks for the certificate of analysis. Almost nobody asks the second question. The COA tells you what was in the aliquot the lab tested. It does not tell you whether the vial sitting on your counter came out of the lot that aliquot came from. The gap between those two states is where the chain-of-custody problem lives, and the gap is wider, more legible, and more exploitable than the COA discussion has so far admitted.
The Modern Peptides matter that surfaced in trade press through 2024 and 2025 is the cleanest worked example in the public record. The vendor published COAs from a real ISO 17025 laboratory. The lot identifiers on the COAs were real. The vials shipped to buyers carried lot identifiers that, in a meaningful share of orders, did not match the COA the vendor pointed to. The certificate was authentic. The chain that bound it to any specific vial was not.
The pattern is not unique to that case. It is the structural shape of a gap that almost every COA-based marketing claim assumes does not exist. This piece walks through where the gap actually opens, why batch attestation closes it differently than additional testing does, and what a careful buyer should be looking for on the label of a vial before they accept it.
What does a COA actually attest to?
The lab attests to one thing: the composition of the aliquot you sent us, measured by these methods, on this date, by this technician, with these instrument calibrations on file. That is the surface area of the certificate.
The aliquot is a small fraction of the production lot. The vial in the buyer's hand is a different fraction. The lab cannot attest to anything about the buyer's vial, because the lab never saw it. The honest inference a reader can draw from a COA is statistical: if the aliquot tested clean, and if the lot was filled uniformly, and if the vial in front of me was actually drawn from that lot, then the vial in front of me is likely also clean.
Two "if"s and one "likely." Each of those qualifications is a place the chain can be severed without the COA itself becoming inaccurate.
Where does the chain actually break?
Three places, and a buyer's checklist should cover all three.
Lot definition at fill
A "lot" is whatever the manufacturer says it is. There is no external regulator who watches the fill line and certifies the start and end of a lot. In a clean operation, a lot is defined by a specific bulk batch of active ingredient, dissolved into a specific buffer, filled across a specific run on a specific day. In a less clean operation, "lot" is a marketing concept assigned after the fact. A bulk batch can be split across multiple "lots" for sale, and adjacent bulk batches can be merged into a single "lot" for paperwork. The lab cannot police any of this, because the lab is asked to test what arrives in the sample tubes, not to audit the operation that produced them.
Lot labeling at packaging
The lot identifier may or may not appear on the vial. In a regulated pharmaceutical operation, the identifier is required on the label and is required to match production records. In a research-grade operation, the labeling decision is the operator's. A vial sold under the name "BPC-157, 5 mg" with no lot identifier on the label cannot be matched to any COA. The COA may still be displayed prominently on the website. The two records simply do not bind.
Lot disclosure at sale
Even when the vial carries a lot identifier, the buyer may not be told which lot they are receiving until the vial is in their hand. Order confirmations rarely state the lot. Some operators rotate stock first-in first-out and the lot the buyer receives is whichever lot the picker grabs from the shelf. The buyer cannot ask, at order time, "send me a vial from lot 2024-08-21," because the operator's systems do not generally support that.
Each of these three breaks is independently exploitable. Stacked, they form a paper trail that looks plausible from the outside and is essentially unfalsifiable from the inside.
Why is more testing not the answer?
It is tempting to read the chain-of-custody problem as a sampling-density problem. Test more aliquots per lot, the reasoning goes, and the COA becomes more reliable.
The reasoning is wrong, because the binding problem is upstream of the testing problem. A COA covering a hundred aliquots from a hundred lots tells you nothing about the vial in your hand unless that vial is bound to one of the tested lots. The marginal information from a tested aliquot stops at the lot boundary. Once the vial is on a different lot, or on no lot at all, the testing density on the original lot is irrelevant to the buyer.
This is why the second-generation answer is not better COAs. It is binding. The right artifact is not a longer certificate. It is a signed record that ties the certificate, the lot, and the vial in the buyer's hand into one continuous statement that can be audited by a third party.
What does batch attestation actually look like?
A working batch-attestation protocol has four moving parts.
A unique identifier on every vial, machine-readable, not human-typeable. A printed QR code or a similar opaque token. The buyer scans it at delivery.
A signed record linking that vial identifier to a lot identifier in the seller's production records. The signature is on the seller side, but the record is published into a registry that the seller cannot edit retroactively.
A signed record linking that lot identifier to the COA the seller wants to claim for it. The lab cosigns this link, attesting that the aliquot they tested was drawn from the lot under that identifier. The lab's cosignature is the most important step; it is the line at which the lab has accepted responsibility for the binding, not just for the analytical work.
A buyer-side scan event that posts a witnessed timestamp into the registry the moment the buyer receives the vial. The timestamp is the only place the buyer is in the loop, and it is the only piece of the protocol that cannot be forged in advance.
Each of these four parts is engineering, not law. None of them requires a regulatory change. They can be implemented today, by any vendor willing to do the work, against any registry that meets the conditions a third-party witness has to meet.
What should the buyer's checklist actually be?
Three questions, in order.
First: does the vial carry a lot identifier visible on the label, distinct from the SKU, distinct from the batch-of-shipment number? If the answer is no, the COA cannot bind to the vial, and the buyer is reading a document that describes a different object.
Second: does that lot identifier match the lot identifier on the COA the seller is pointing to? If the seller publishes one COA per product and the lots on shipped vials vary, the answer is no for most vials.
Third: is there an independent record, accessible without a seller account, that ties the vial-level identifier to the COA and lot in a witnessed timestamp? If no, the buyer is reading a paper trail with no audit hook. If yes, the chain is closed and the certificate is doing the work it was supposed to do.
The COA was never the problem. The COA was the lab doing its job. The problem is the silence between the lab's signature and the vial's label. Anyone who closes that silence has done more for the consumer than another decimal place of analytical precision can.