Sovereign verification infrastructure for global gold.

Abstract

VPAY Genesis is a sovereign verification infrastructure that makes gold-backed tokenization observable at the level of the physical bar, the reasoning model, and the trading witness. It is built around a single rule that is enforced in code rather than asserted in marketing: no verification, no token. The protocol ships three on-chain covenants — Matter (AttestationBridge), Mind (KommitBridge), and Witness (MasieBridge) — each independently auditable on Polygon Mainnet, each administered by a Gnosis Safe multisig (2-of-2 today, migrating to 2-of-3) with the deployer EOA renounced, and each backed by a founder allocation locked irrevocably in an OpenZeppelin VestingWalletCliff contract with a 12-month cliff and 48-month linear release. This document is the protocol’s reference manual for institutional readers. It is honest about what is shipped (the contracts, the founder lock, the public source), in commissioning (Tier-1 smart contract audit, LBMA ISAE 3000 reserve attestation, bankruptcy-remote SPV), and queued (SOC 2 Type II, ERC-3643 institutional secondary layer, Chainlink Proof of Reserve). The protocol is not yet live for minting and will not be until the first production Genesis Scanning Unit clears in Q3 2026. The contracts will not let it be.

The verification gap in global gold.

Tokenized gold today asks the holder to trust three things at once: that the bars exist, that the custodian is honest, and that the chain reflects the vault. None of the three is observable from the chain alone. The largest live gold tokens publish monthly attestations and pooled custody statements, which is institutionally acceptable but procedurally trusted. The 2022–2024 collapses across custody, exchange, and stablecoin issuance taught the market a specific lesson: visibility on-chain does not equal visibility off-chain, and the gap between the two is where the failure modes live.

VPAY Genesis answers that gap with a structural choice. Rather than improving the attestation cadence, the protocol moves the attestation point upstream — to the moment of physical weigh-in at the mine, sealed by hardware cryptography in a Genesis Scanning Unit, written directly to Polygon Mainnet, and only then permitted to mint. The mint authority is not the issuer; it is a smart contract that reads the attestation and refuses without it. The custodian is not a trust assertion; it is the on-chain attestation record itself, which any auditor can replay independently.

Why this exists in Ghana.

Ghana produced approximately 130 tonnes of gold in 2026, ranked #1 in Africa. The Ghana Gold Board (GoldBod), operationalized in April 2026 under the GANRAP statutory framework passed Parliament February 2025, acquired ~104 tonnes domestically in 2025. The Bank of Ghana’s 2025 Financial Statements (1 May 2026) reported $13.8B in reserves with 5.7 months of import cover. None of these figures are VPAY claims; they are the national backdrop that makes this protocol institutionally sensible in this jurisdiction at this moment. Article 114 of Ghana’s constitutional regulatory framework is the on-ramp under which the protocol intends to operate; the PKA license is one of the items in commissioning.

The verification trinity.

VPAY composes three independent on-chain covenants. Each makes a different claim verifiable. Together they form the protocol’s structural answer to the verification gap.

The trinity is not a marketing arrangement. Each leg is a deployed Polygon Mainnet contract with a distinct economic role and a distinct external dependency. Matter depends on hardware. Mind depends on the cryptographic commit-reveal of reasoning artifacts. Witness depends on canonical price-data hashes. Each can fail independently. Each can be audited independently. None of them can be silently substituted for trust in the issuer.

The Physics Gate — Matter attested.

The Genesis Scanning Unit (GSU) is the hardware root of the protocol. At point of weigh-in, eight independent gates must pass simultaneously within a 200ms sealed reading window. Any single gate failure rejects the attestation and the contract will not mint. There is no human override.

The eight gates.

1. Mass. Load-cell reading certified against a known calibration mass.
2. XRF purity. X-ray fluorescence spectral signature matched against gold reference spectra.
3. GPS location. Multi-constellation GNSS fix locking the reading to a registered mine coordinate within tolerance.
4. Tamper seal. Physical and electronic seal state attesting the unit has not been opened since last calibration.
5. Time-of-flight. Geometry consistency between scan elements; rejects spoofed or partial sample readings.
6. Hardware identity. Cryptographic identity rooted in a hardware secure element (HSM-class).
7. Operator co-sign. A second authenticated operator must co-sign the reading; no solo attestation.
8. Replay protection. Monotonic nonce + timestamp window prevents resubmission of past readings.

AttestationBridge contract.

The AttestationBridge is the on-chain enforcer. It holds MINTER_ROLE on the SovereignToken ($SOV) contract. The token contract has no other minter. The bridge accepts attestations from registered SovereignNodes (each GSU is a registered node) and, on a confirmed attestation, mints $SOV proportional to the attested mass under the formula in § 7.

The contract refuses to mint when any gate has not signaled pass. There is no onlyOwner path that bypasses this check. The Safe multisig — the sole admin — has the authority to pause the contract via CircuitBreaker but does not have the authority to mint without attestation. This is a deliberate design constraint, not an oversight.

Address: 0x0ba2c622a2571c449fed251b165096f48adb8b0a · source-verified on Polygonscan.

Proof of Reasoning — Mind attested.

Where AttestationBridge proves matter (gold exists), KommitBridge proves mind — that a specific reasoning output was produced by a specific model under specific context and seed, verifiable on-chain and challengeable by anyone.

Mechanism.

Pre-inference, the reasoner commits the tuple (modelWeightsHash, contextHash, seedCommit, outputHash) on-chain with a reasoner bond. An open challenge window admits any challenger who posts a counter-bond and an independently replayed output hash. The reasoner reveals the seed; an off-chain replay oracle certifies the canonical output hash. Slashing is asymmetric: a successful challenger receives 50% of the slashed reasoner bond, the remainder is credited pro-rata to active period operators via the MinerRewards contract. Failed challenges forfeit the challenger bond to the same pool.

Why this matters for tokenized gold.

Modern verification stacks include AI-assisted decision components — signal engines, risk managers, allocation models. Without an on-chain commit of the model and seed, the institution holding the token is asked to trust the issuer’s self-report that the model behaved correctly. Kommit makes that self-report cryptographically replayable. If the issuer’s model produced output X at block N, the public record proves that. If it did not, anyone with the seed and inputs can challenge.

Address (v1.2): 0x6B986eF2EFDB5852F1DAa51e450E3ecA86B1590E · source-verified · PROTOCOL_ID = VPAY-GENESIS-KOMMIT-v1.2.

Proof of Witness — the trade attests itself.

MasieBridge closes the trinity. Every leveraged trade emits an on-chain witness at entry and exit. The witness includes the source candle hash — the canonical Binance candle bytes that were the basis for the entry — permitting any reader to recompute and verify that the trade was opened against the data it claimed.

Anti-replay, anti-backdate.

The contract enforces an exists gate on tradeIds (no double-emission) and a symmetric 60-second timestamp drift window (no backdating). The candle byte layout is fixed in the canonical CANDLE-ENCODING v1.0 schema (128-byte fixed-order). The public verifyTrade() function takes a tradeId and the asserted candle bytes; it recomputes keccak256(candleBytes) and matches against the stored hash. The math, not a press release, is the audit.

An optional decisionHash field links a witness to a KommitBridge outputHash, marrying Mind and Witness on a single trade. When linked, the trade is verifiable as: this model produced this decision (Mind), against this candle data (Witness), and minted against this attested gold (Matter).

Address: 0x358c50C1DAe9AD41D0070a3767221F3c191b22F6 · source-verified · PROTOCOL_ID = VPAY-GENESIS-MASIE-v1.0.

$SOV — the mint formula.

$SOV is an ERC-20 token on Polygon Mainnet with a fixed maximum supply of 100,000,000. Each $SOV represents a defined fraction of physical gold value, minted only against a confirmed AttestationBridge call. The mint formula is transparent and deterministic.

Where g is the attested gold mass in grams and XAU/USD is the spot gold price in US dollars at the moment of attestation, sourced from the Chainlink XAU/USD oracle. The denominator $1,000 sets the per-token unit value at $1,000 of gold equivalent at mint time, giving the protocol approximately 19 years of mint runway at realistic adoption against the fixed supply cap.

Founder allocation: irrevocable, on-chain, Safe-administered.

18,999,950 SOV (the headline 19M minus a 50 SOV operational carve-out) is locked in SOVVesting, an OpenZeppelin VestingWalletCliff contract. The beneficiary is the Safe multisig (2-of-2 today, migrating to 2-of-3), not the founder’s externally-owned account. The cliff is twelve months (first vest 22 April 2027). The linear release runs forty-eight months thereafter (full unlock 22 April 2030). The contract has no revoke function; this is not a posture choice, it is a base-class property of VestingWalletCliff.

SovereignToken: 0x5833ABF0Ecfe61e85682F3720BA4d636084e0eC0 · verified

SOVVesting: 0x452987FE45BbbF38A8cf12854F99983b549369F1 · verified

Gold-collateralized lending with 150% over-collateralization.

The VPAYVault contract reads the AttestationBridge record for any attested gold position and permits borrowing against it at a maximum 150% loan-to-value over-collateralization ratio. The over-collateral buffer is intentionally conservative: institutional lending against tokenized commodities historically requires 110%–130% over-collateral; 150% sits in the upper safe envelope of contemporary practice.

Circuit breaker.

A shared CircuitBreaker contract can pause AttestationBridge, VPAYVault, and dependent contracts globally or per-node. The Safe multisig is the sole pause authority. The contract enforces an anti-flash-resume policy: after a pause, the resume requires a minimum cool-down window before any state-mutating transactions are accepted. The intent is to allow incident response without exposing the protocol to a coordinated pause-then-drain pattern.

VPAYVault: 0x8e0cec6a163ad43b1df8d050acf162f251d37165 · CircuitBreaker: 0xeaef8dc4872a73815aea74a31ff7c83fdaa347d4

Safe-administered · no single-key control.

Every administrative role on every v2 contract sits behind a Gnosis Safe multisig (2-of-2 today, migrating to 2-of-3) at 0xFc93b70fAa2045e19CEae43d1b645b2137c68A67. The deployer externally-owned account has renounced DEFAULT_ADMIN_ROLE on every contract. This is verifiable independently on-chain via hasRole(0x0, deployer) == false for any contract in the v2 stack.

What the Safe can and cannot do.

The Safe can: pause contracts via CircuitBreaker, grant or revoke operational roles (DISTRIBUTOR, WITNESS, etc.), register new models in the Kommit registry, register new SovereignNodes for new mine sites.

The Safe cannot: mint $SOV without a confirmed AttestationBridge call, change the mint formula, mint additional founder tokens (the SOVVesting contract has no mint path), bypass the eight-gate physics check.

Upgrade posture.

Contracts are not behind transparent or beacon proxies. Upgrade paths require redeployment of new contract versions with explicit Safe-administered role migration. This is intentional: contract permanence trades upgrade convenience for the assurance that no admin transaction can silently rewrite the protocol’s economic invariants.

Article 114 · AML/KYC · cross-jurisdictional posture.

VPAY Genesis is designed to operate under Ghana’s Article 114 constitutional regulatory framework with the PKA license as the primary domestic authorization. The Chief Compliance Officer is in place; the AML and KYC programmes are documented; the framework is observable, not asserted.

Cross-jurisdictional readiness.

• MiCA (EU): queued for H1 2027 with full CASP authorization scope
• FATF Travel Rule: Sygna Bridge / Notabene integration in scope for cross-border transfers > €1,000
• DORA: EU operational resilience documentation queued Q1 2027
• SEC Reg D/S: securities legal opinion engagement (ENSafrica · Hogan Lovells) queued Q4 2026

The institutional readiness state for every compliance item is published live and updated at the Institutional Readiness Roadmap. Items are tagged as shipped, in commissioning, or queued. Status is not a marketing claim; it is an accountability commitment.

The Asante engineering tradition.

The protocol’s naming convention is not decoration. The Akan register — Sika Dwa Kofi, the Golden Stool; NANANOM, the council of ten analytic specialists; Anokye, the orchestrating decision authority; Mate Masie, the principle of witnessed memory — is a deliberate structural framing of the verification trinity through an engineering tradition that pre-dates modern central banking by centuries.

Asante metallurgy, gold-dust accounting, and ceremonial witness were a continuous engineering practice from the seventeenth century. The Golden Stool is the canonical example of a sovereign object whose attestation is the legitimacy: the stool was not the king, the stool was the seat of the people, and the king attested before it rather than from it. That distinction — attestation as a precedent for authority rather than a consequence of it — is the same distinction the protocol enforces in code.

The cultural layer is deliberately load-bearing for the protocol’s identity but not for its economics. The contracts work identically without the cultural names. The names exist because the principles they encode are not Silicon Valley imports; they are a continuous regional engineering tradition that the protocol is choosing to acknowledge rather than rebrand. Heritage detail is at /heritage.html.

Roadmap to institutional readiness.

Four independent institutional audits (the most recent dated 26 May 2026) scored the protocol at a mean 5.4 / 10 from the institutional-capital frame — strong on chain transparency and founder accountability, gated on external assurance and legal structuring. The roadmap below is the protocol’s public commitment to close that gap.

Risk disclosures.

Specific risk surfaces.

• Smart contract risk. The v2 stack is internally tested but not yet externally audited by a Tier-1 firm. The protocol does not enter mint state until the external audit is delivered.
• Hardware risk. The GSU is in pre-production. Field calibration, environmental tolerance, and tamper-resistance are subjects of ongoing engineering. The contract refuses to mint until the first production node clears.
• Oracle risk. The protocol currently depends on the Chainlink XAU/USD price oracle. Secondary oracle and TWAP fallbacks are queued.
• Custody risk. Until the bankruptcy-remote SPV is structured and an LBMA-accredited custodian is engaged, gold held against the protocol is exposed to issuer balance-sheet risk. This is the primary item in commissioning.
• Regulatory risk. The protocol’s primary authorization is pending under Ghana’s Article 114 framework. Cross-jurisdictional authorizations (MiCA, SEC, MAS) are queued and not yet held.
• Governance risk. The Safe multisig holds administrative authority. While the Safe cannot mint without attestation, it can pause and unpause the protocol. The multisig quorum (2-of-2 today, migrating to 2-of-3) mitigates but does not eliminate the risk of administrator collusion.

References.

[1] Bank of Ghana. 2025 Annual Financial Statements. Published 1 May 2026.

[2] United States Geological Survey. Gold Statistics and Information 2026. usgs.gov

[3] Republic of Ghana. Ghana Gold and Reserve Acquisition Programme (GANRAP). Passed Parliament February 2025, operational April 2026.

[4] Ghana Gold Board (GoldBod). Chief Executive Officer’s public disclosure, May 2026. ~104 tonnes acquired domestically 2025.

[5] OpenZeppelin Contracts · VestingWalletCliff. docs.openzeppelin.com

[6] Chainlink. XAU/USD Price Feed on Polygon Mainnet. data.chain.link

[7] Gnosis Safe (Safe{Wallet}). Multisig smart-account infrastructure. safe.global

[8] World Gold Council. Tokenized Gold: A Primer for Institutional Investors. 2025.

[9] LBMA. Responsible Gold Guidance v9. London Bullion Market Association, 2024.

[10] International Auditing and Assurance Standards Board. ISAE 3000 (Revised): Assurance Engagements Other than Audits or Reviews of Historical Financial Information.

[11] Financial Action Task Force. Updated Guidance for a Risk-Based Approach to Virtual Assets and Virtual Asset Service Providers. 2021.

[12] European Securities and Markets Authority. Markets in Crypto-Assets Regulation (MiCA). Regulation (EU) 2023/1114.

[13] European Banking Authority. Digital Operational Resilience Act (DORA). Regulation (EU) 2022/2554. Effective January 2025.

[14] Tokeny Solutions. ERC-3643 (T-REX) Standard for Permissioned Tokens. eips.ethereum.org

[15] American Institute of CPAs. SOC 2 Trust Services Criteria.

About EcoVent Africa Limited.

EcoVent Africa Limited is a Ghana-registered company (Reg. No. CS274771225) headquartered at 40 Nii Nortei Nyanchi Street, Dzorwulu, Accra. The company was founded in 2026 with the mandate to build sovereign verification infrastructure for global gold. The founder is Ano Yoofi Agyei. The Chief Compliance Officer is Ibilola Macaulay.

VPAY Genesis is the company’s flagship protocol. All ten production smart contracts are deployed on Polygon Mainnet, source-verified, and administered by a Gnosis Safe multisig (2-of-2 today, migrating to 2-of-3) at 0xFc93b70fAa2045e19CEae43d1b645b2137c68A67. The full contract ledger with addresses, deployment dates, and Polygonscan verification links is published at /#ledger. The diligence pack is accessible via NDA at /diligence.html.

The company welcomes engagement from institutional counterparties, regulators, refineries, custodians, and software integrators. Contact: Ano@ecoventafrica.com.