The architecture, in detail.
VPAY Genesis is a five-layer stack — physical hardware (GSU) → on-chain attestation → token + vault economics → intelligence layer (NANANOM) → institutional API. Each layer is independently inspectable. Each layer enforces the layer above it.
Five layers. One enforcement chain.
Nothing happens without the layer below it. The token cannot mint without the contract; the contract cannot accept without the hardware; the hardware cannot sign without the seal.
Five independent layers · each enforces the layer above it · no step can be skipped
Gold lot
Licensed source — refinery, weigh-in, assay office.
GSU reads
XRF · mass · GPS · sealed signature.
Polygon attests
8 / 8 gates · written to mainnet.
SOV mints
SOV = (grams × XAU/USD) ÷ $1,000.
Vault designed to lend
VPAYVault is designed to lend against attested SOV reserves at 95–150% over-collateralisation.
Mass · purity · origin · seal — physics, not paperwork · bench prototype stage · vendor stack under NDA
The contract refuses to mint without physics.
Every other "tokenized gold" project is a trust contract — somebody, somewhere, signs a paper saying bullion exists. VPAY Genesis is different. The contract that mints SOV will not move unless eight independent physical and cryptographic gates pass simultaneously, in the same sealed reading, within the same 200-millisecond window. This is the primitive invention. We call it the Physics Gate.
What the Physics Gate produces is a Digital Twin of the bar — a cryptographically signed, on-chain representation that mirrors the physical asset with hardware-rooted fidelity. From the moment the eighth gate latches, the bar exists in two places at once: in the vault, and on the chain.
Two scales agree
A physical mass cannot disagree with itself. Load cell and XRF mass sub-system must match within ±50mg.
require(scaleMass.delta(xrfMass) < 50mg)XRF spectrum match
Only gold emits the K-α / K-β peak at this exact intensity. Counterfeit alloys (gold-plated tungsten, brass) fail trivially.
require(spectrum.match(NIST_Au, ±0.5%))GPS within polygon
Spoofing GPS requires a GNSS simulator that leaves detectable TDOA fingerprints — and the polygon is registered on-chain.
require(SovereignNode.contains(gps))Continuous integrity
Opening the GSU enclosure breaks a continuous current loop or optical-fibre reference — instantly detectable.
require(seal == INTACT)Read → sign < 200ms
200ms is too fast to swap physical lots. Real-time substitution requires lab-grade equipment inside a sealed enclosure.
require(t_sig - t_read < 200ms)TPM-bound key
TPM-bound private keys cannot be extracted from silicon. Cloning a GSU requires physical possession of the chip.
require(SovereignNode.isRegistered(devicePub))Two-key co-sign
PMMC officer or refinery weigh-master co-signs the reading. Two-key signing requires two licensed humans, two devices, two licences.
require(operatorSig.verify(reading))Nonce + block anchor
Blockchain finality is asymmetric — old readings cannot become new. Each reading carries a per-device nonce and a Polygon block-hash anchor.
require(!nonceUsed[d][n] && blockhash(anchor) == seenHash)Defence in depth — any one layer defended is sufficient.
Anchored in matter
Every gate is anchored in a physical or chemical reality — mass, atomic spectrum, satellite geometry, tamper-evident seal, semiconductor TPM. You cannot fake gold spectra without gold.
Enforced on-chain
Every gate is enforced by Solidity require() statements in AttestationBridge.sol — public, unmodifiable except via the Safe, and the Safe cannot disable a gate, only swap which oracle interprets it.
Slashed if forged
KommitBridge (IP #2) bonds reasoners with SOV. Any third party can challenge a forged attestation with a counter-bond and slash 50% of the stake. Forgery isn't just hard — it's unprofitable.
Defeat one layer · the next two still hold. Defeat two · the third reverts.
| Patent claim | Claim #1 · VPAY Genesis provisional · filed 2026-04 · Ghana national filing · PCT routing pending |
| On-chain enforcer | AttestationBridge.sol · 0x0ba2…8b0a · Polygonscan verified ↗ |
| Source on GitHub | foundry-round2/contracts/AttestationBridge.sol ↗ |
| Companion IP | Kommit · Proof of Reasoning · IP #2 · the mind layer → |
The Gold Sovereign Unit.
A sealed, tamper-evident measurement device. Built around an embedded Raspberry Pi for cost; deployable at PMMC assay offices, GoldBod weigh-in stations, refinery weigh-in interfaces, and any licensed collection point across the gold supply chain. TIER 2 reference unit · 250 × 200 × 80 mm · concept render.
Mass
Calibrated load cell with anti-tamper drift detection. Reports gram-precision with timestamped variance.
Purity
X-ray fluorescence (XRF) spectroscopy. Identifies the spectral signature of the lot — fingerprint, not just a number.
GPS + telemetry
Location, environmental conditions, device health all captured with the reading. Sealed bundle.
Cryptographic seal
The bundle is signed by a hardware-rooted key on the GSU. Unsigned readings are rejected at the bridge.
Tamper-evident means the GSU detects physical breach and writes a permanent seal_broken flag. The bridge auto-rejects any reading from a flagged unit until re-certified.
The on-chain enforcement layer.
Ten contracts. Polygon Mainnet. 100% Polygonscan source-verified. All admin role authority sits behind a Gnosis Safe multisig (2-of-3); the deployer EOA holds zero admin rights post-migration.
Founder · CCO · Third owner · 2-of-3 · deployer EOA renounced · DEFAULT_ADMIN_ROLE on all 10 contracts
| Contract | Purpose | Address | Status |
|---|---|---|---|
| SovereignToken (SOV) | ERC-20 + AccessControl, 100M fixed supply | 0x5833…0eC0 ↗ | Verified |
| CircuitBreaker | Global + per-node pause; anti-flash-resume | 0xeaef…47d4 ↗ | Verified |
| SovereignNode | GSU registration + physics attestations | 0x85fd…2fe1 ↗ | Verified |
| MinerRewards | SOV rewards for GSU operators | 0xfcb7…db19 ↗ | Verified |
| AttestationBridge | "No verification, no token" enforcer; holds MINTER_ROLE | 0x0ba2…b8b0a ↗ | Verified |
| VPAYVault | Gold-collateralised lending (95–150% over-collateral) | 0x8e0c…7165 ↗ | Verified |
| GuardianBond | Guardian accountability via SOV/$ETH staking | 0x180a…2ff1 ↗ | Verified |
| KommitBridge (v1.2) | Proof of Reasoning · pre-inference commit + bond + challenge + operator-credit distribution | 0x6B98…590E ↗ | Verified |
| SOVVesting | Founder allocation · 12-month cliff · 4-year linear · irrevocable | 0x4529…69F1 ↗ | Verified |
| MasieBridge (v1.0) | Proof of Witness · third leg of the verification trinity · keccak-256 candle hash on every trade | 0x358c…22F6 ↗ | Verified |
Admin: Gnosis Safe (2-of-3) 0xFc93b70fAa2045e19CEae43d1b645b2137c68A67 · Source on GitHub ↗
One token. Minted by the gold itself.
1 = $1,000 of attested gold · 95% recipient · 5% operator pool · no verification, no token
SOV is an ERC-20 backed strictly by hardware-attested, on-chain-recorded physical gold. Mint formula: SOV = (g × XAU/USD) ÷ 1,000 — value tracks the gold price. Burn returns the underlying claim. SOV is a verification credential for attested gold — not currently purchasable, not offered for sale, and not an investment product. See /risk.
Fixed supply
100M tokens hard cap. Founder allocation locked in SOVVesting with 12-month cliff and 4-year linear schedule.
Mint gating
The token contract grants MINTER_ROLE only to AttestationBridge. The bridge will not mint without a confirmed hardware attestation.
Mint economics
5% of each mint routes to MinerRewards (operator pool). 95% to the recipient. Both flows are recorded on-chain.
Use cases
Institutional gold exposure without the metal leaving Ghana. Working capital collateral. Programmable settlement.
Capital priced against verified reserves.
VPAYVault is a working-capital facility for institutional counterparties holding attested SOV reserves — custodians, exchanges, treasury operations, sovereign reserve managers, and integrated commodity desks. Loans will be priced against a Chainlink XAU/USD feed (1-hour max staleness) once the v1.1 oracle bridge is live, with 95–150% over-collateralisation depending on counterparty tier. The collateral is on-chain-verifiable, and the verification layer is jurisdiction-agnostic by design: a GSU attests metal in whatever accredited vault a mandate specifies. Launch custody is licensed Ghanaian vaulting — third-party custodian and insurance engagement in progress — because the gold does not need to travel to be trusted. Where it sits is a mandate decision, not a protocol constraint.
The vault converts a SOV reserve position into working liquidity without unwinding the underlying gold — the difference between holding gold as a static balance-sheet item and holding it as a productive collateral position, priced against a hardware-rooted, on-chain-verified physical attestation rather than a paper vault receipt.
The vault now has its own page — terms, counterparties, receipts and honest status: the full vault brief →
Matter, mind, and witness. All attested.
In Asante tradition, a sovereign claim requires an act of matter (visible, undeniable), an act of mind (declared, accountable), and a witness who keeps the record (Mate Masie — what I hear, I keep). We rebuilt all three in Solidity.
AttestationBridge
The on-chain receiver that refuses to mint a single SOV unless a hardware-rooted GSU has signed the physics — mass, purity, GPS, cryptographic seal. Deployer EOA holds zero authority post-migration.
View on Polygonscan →KommitBridge v1.2
Proof of Reasoning. Before any inference is published, the reasoner commits a hash of model-weights + context + seed + intended output and posts a bond. Anyone can challenge. Divergence slashes — 50% bounty to challenger.
How Kommit works →MasieBridge
Proof of Witness. Every paper-leverage trade lands an on-chain commitment at entry and exit — anti-replay, anti-backdate, with a free public verifyTrade(). Track records become mathematical.
SOV
Matter attested + mind attested + witness kept = the network has the standing to call something sovereign. SOV is what comes out the other side: a token the contract refused to mint without all three.
Token mechanics →The framework is refinery-agnostic. LBMA Good Delivery is the global standard.
VPAY attests gold from any LBMA Good Delivery refinery. Refinery identity is part of the attestation payload, not a hard-coded address. Three canonical world references for the standard the framework aligns with:
London Good Delivery
The benchmark · 400-oz bars · LBMA member refineries · the standard PAXG is vaulted against.
Royal Ghana Mint
PMMC · accredited under Article 114. The local refinery anchor for VPAY's GSU attestation flow.
Perth Mint · AU 9999
The world-class refining standard the framework aligns with — not a partner; a public benchmark we attest against. Refinery-agnostic by design.
The NANANOM council.
Every Genesis attestation is read by the Ananse intelligence layer: ten specialised modules — each named in the Akan engineering tradition — analyse market state, geopolitical risk, microstructure, news flow, and physical attestation health. Their verdicts converge on Okomfo Anokye, the orchestrator. Together they form the Council of Eleven. Council states and verdicts shown below are illustrative — the engine runs in paper-trade mode ahead of Phase 3 Gate clearance.
Ten specialists counsel · Anokye consolidates · verdicts illustrative · paper-trade mode
Okomfo Anokye
Synthesises every council member's verdict into a unified decision. The only authority that issues TRADE / CAUTION / HOLD / RETREAT / EMERGENCY signals. Layer 2 Kyerema retuning before consensus.
Royal verdict · illustrative: HOLD · Akyeampɔn VETO · negative EV · blocking all entriesNyankonton
Price forecasts · 4h, 24h, 1w · pattern recognition.
Adwene
Strategy advisor · aggressive / defensive / neutral mode.
Ananse
14-condition signal engine · institutional flow.
Bosompra
Market sentiment · Fear & Greed regime gate.
Asase Yaa
ETF flows · COT positioning · gold–silver ratio.
Fontomfrom
Alert engine · regime change escalation.
Tigare
System health · uplink integrity · process state.
Tano
Geopolitical risk · conflict + escalation index.
Bosompo
Shipping & maritime disruption tracker.
Kyerema
Layer 2 news engine · MODERATE / HIGH / CRITICAL bulletins.
Eleven specialists analyse. Anokye decides. The chain mints only what the council blesses.
If matter must be proved, so must mind.
An attestation of matter answers what — there is gold, here, weighed, sealed. An attestation of mind answers who reasoned what, against which model, with which seed, in what context. Without that, an intelligence layer is a black box: accountable to no one, replayable by no one, slashable by no one. Kommit closes the loop. The same rule of evidence applied to AI itself.
Hash + bond, before output
The reasoner publishes a hash of the inference tuple and posts a bond — minimum 10 SOV.
commit(keccak(modelHash, ctxHash, seedCommit, outputHash), bond)1 hour · permissionless
Any third party can challenge by posting a counter-bond (≥ reasoner's) plus their independently-replayed output hash.
challenge(commitId, replayedHash, counterBond)Seed disclosed · oracle verifies
The reasoner reveals the seed. An off-chain oracle replays the inference and certifies the canonical output hash on-chain.
revealSeed(commitId, seed); oracleSlash(commitId, canonicalHash)50% bounty · forgery unprofitable
If the output diverges, the reasoner's bond is slashed: 50% bounty to the challenger, remainder to the operator pool. Failed challenges forfeit.
require(canonicalHash != reasoner.outputHash) // slash + bountyThe mind covenant — three layers of accountability.
Pre-committed
The reasoner cannot retroactively pick a favourable answer. The hash is locked on-chain before inference runs. Reveal-after-the-fact is structurally impossible.
Anyone can challenge
No oracle gate-keeps the challenge window. Any third party with an independent replay environment can post a counter-bond and force the truth into the open.
Slash > gain
The asymmetric slashing schedule means a successful forgery costs more than it pays. Forgery isn't impossible — it's unprofitable.
| Patent claims | Claims K1–K12, C1–C3, U1 · "The Commit" · VPAY Genesis provisional addendum · filed 2026-04 · Ghana national filing · PCT routing pending |
| On-chain enforcer | KommitBridge v1.2 · 0x6B98…1590E · Polygonscan source-verified ↗ |
| Source on GitHub | foundry-round2/contracts/KommitBridge.sol ↗ |
| Audit posture | 106 Foundry tests + 4 invariants × 128k calls · 2-pass red-team (internal + external sub-agent) reconciled GO before broadcast · admin behind Safe (2-of-3) |
| Companion IP | ⚛ The Physics Gate · IP #1 → · ◈ Mate Masie · IP #3 → |
Track records are claims. Ours are proofs.
LIVE · Polygon Mainnet · v1.0 · 2026-05-16 0x358c50C1DAe9AD41D0070a3767221F3c191b22F6 · Verified on Polygonscan
If matter must be proved and mind must be proved, so must the track record. Hedge fund performance numbers are claims — even audited records are auditor-attested. Mate Masie turns the paper-leverage track record into a mathematical witness. Every trade leaves an on-chain commitment at entry. Another at exit. Anyone with a keccak-256 implementation and Binance candle data can verify any one of them — for free, on-chain, forever. The math is the audit.
Trade fires · commitment lands
When Ananse or Opɛ opens a paper-leverage trade, the relayer calls openWitness() on Polygon with trade ID, pair hash, E8 entry price, side, leverage, entry timestamp, and the keccak-256 hash of the canonical Binance entry-candle bytes.
Once. Live. No revision.
A trade ID can only be witnessed once — the exists gate makes replay impossible. The entry timestamp must land within ±60 seconds of block.timestamp — backdating a winning trade is impossible.
PnL · candle hash · exit reason
On exit, closeWitness() commits exit price, exit timestamp, realised PnL (signed E8), the exit-candle hash, and an exit-reason taxonomy: TP · SL · time · signal-flip · council-retreat. Both witnesses are irrevocable.
No auth · no trust · no auditor
verifyTrade(tradeId, candleBytes) is a public view function. Anyone — investor, regulator, journalist — recomputes keccak-256 over a Binance candle and matches it against the stored hash. The match is the proof.
| Status | v1.0 · LIVE on Polygon Mainnet · admin-migrated to Safe · Polygonscan source-verified in-broadcast |
| Address | 0x358c50C1DAe9AD41D0070a3767221F3c191b22F6 |
| Deployed | 2026-05-16 · block 86969835 · 0.5777 POL across 5 atomic txs |
| Contract | MasieBridge.sol · 337 lines · pragma ^0.8.20 · OpenZeppelin AccessControl + ReentrancyGuard · 52 unit tests + 4 fuzz × 256 runs all green |
| Protocol ID | VPAY-GENESIS-MASIE-v1.0 |
| Trinity link | The decisionHash field is optional · it can link directly to a KommitBridge outputHash, marrying the Mind and Witness covenants on a single trade. |
| Verification | keccak-256( binance_candle_bytes ) == witness.sourceCandleHash — public, free, no auth required |
| Companion IP | ⚛ The Physics Gate · IP #1 → · ◉ Kommit · IP #2 → |
For exchanges, custodians, regulators.
Three role-based access tiers. WebSocket streams for live attestations and compliance alerts. Token verification, device management, audit endpoints. The mock spec is public; production API tiers are in onboarding. Counterpart on the operator side: GenesisOS — the institutional operations terminal, powered by the Ananse intelligence layer.
Exchange
Token verification at point of trade. Reserve attestation queries. Real-time mint/burn feed (planned).
GET /v1/token/verify/{address}
WS /v1/stream/attestations
GET /v1/reserves/summary
Request exchange access →
Custodian
Device registration. GSU health monitoring. Per-node attestation history with hardware identity.
GET /v1/devices/{nodeId}/health
GET /v1/devices/{nodeId}/attestations
POST /v1/devices/register
Request custodian access →
Regulator
Full audit access: every attestation, every reserve movement, every admin action. Compliance is observable, not asserted.
GET /v1/audit/attestations
GET /v1/audit/reserves
WS /v1/stream/compliance-alerts
Request regulator access →
Demo stream · illustrative: GS-ACC-01 · ATT-0x7e3f · 5.312g · AU 999.9 · Obuasi · PASS → ATT-0x8a1c · 5.308g · PASS → ATT-0x9b2d · 5.315g · PASS. Mock API spec is public; production onboarding open for qualified institutions.
The questions you're probably asking.
Is the gold actually held physically somewhere?
Yes. SOV is a claim against attested physical reserves held in Ghana under licensed custody. The token is not a synthetic — every mint corresponds to a hardware-rooted physical reading on-chain.
Who can mint SOV?
Only AttestationBridge — and only when it has received a confirmed hardware attestation from a registered SovereignNode. The token contract grants MINTER_ROLE to no other address. The deployer EOA cannot mint.
What stops someone from spoofing a GSU reading?
The GSU is sealed, hardware-rooted, and tamper-evident. Each device holds a registered key bound to a SovereignNode entry on-chain. Any seal-break or unsigned reading is rejected at the bridge. CircuitBreaker can pause a node globally.
What admin powers does the team retain?
All meaningful admin roles sit behind a Gnosis Safe multisig at 0xFc93…8A67 (2-of-3). The deployer EOA holds zero admin rights post-migration (2026-04-20). Founder allocation is in irrevocable vesting.
Why Polygon?
Sub-cent transaction costs, Ethereum-compatible tooling, mature audit ecosystem, credible neutrality — and as of 8 May 2026, a 1.75-second block time, the chain's first such upgrade since launch, explicitly targeted at institutional adoption and stablecoin payments. Contracts remain L1-portable if circumstances change.
Where is the source code?
Public on GitHub at ecovent-africa/vpay-sovereign (branch foundry-round2). Mirror on Polygonscan source-verified for every deployed contract.
The architecture is open.
The receipts are on Polygon.
Every claim on this page is a click away from a verified contract on Polygonscan. The Foundry test suite, the deploy broadcasts, and the audit reports all travel with the source. Build on it, audit it, or argue with it — the artifacts are sufficient for any of those.