A protocol for verifiable launches
The token stays in dock until the code proves out.
Drydock holds a launch the way a dry dock holds a ship: structurally. Deposits fund a professional audit of code the founder committed to before any money moved; the report gates deployment mechanically; the escrow itself floats the token out. No custody, no council, no vote, no discretion; and every failure path ends in refunds.
of studied Ethereum liquidity pools followed exit-scam patterns
taken by rug pulls in a single year — 37% of all crypto scam revenue
for a professional token audit — payable before a token exists to sell
The strongest countermeasure is priced out of reach at exactly the moment it matters, and the launchpads that filled the gap replaced trust in founders with trust in platforms. Drydock removes the trusted party instead of relocating it. Sources and analysis in the paper §1–2.
The escrow accepts exactly four inputs. Nothing else exists.
Money
Deposits into non-custodial escrow. Withdrawals are pull-based and never expire.
Clock time
Deadlines with hard floors derived from audit physics. Impossible timelines are unrepresentable.
Proofs
Journals over the code, signatures over the report, hashes over the bytes. A fixed verifier checks everything.
Per-user choices
Your deposit, your claim, your refund — each affecting only you.
No actor ever attests, approves, or decides anything on behalf of another actor.Not the platform, not the founder, not the auditor, not a council, not a token vote. Where a decision can't be a proof or a clock, the protocol refunds instead of trusting.
Seven checkpoints, one invariant: what floats out is what was audited.
The manifest committed at CP0 — supply, split, powers, constructor args — must re-prove over the final audited bundle before deployment. Remediation may change code; it can never change the promises.
- CP0
Commit
Manifest hash + proof a complete implementation exists. Bad parameters are unrepresentable.
- CP1
Deposit
Non-custodial escrow. Miss the goal, every deposit refunds in full.
- CP2
Finalize
Pure clock. The audit fee, fixed by proven code size, escrows for the named auditor.
- CP3
Attest
The auditor signs its report trailer. Launch conditions evaluate mechanically.
- CP4
Reprove
Post-remediation code re-proves the same manifest. Properties cannot drift.
- CP5
Float out
The escrow itself deploys by CREATE2. Anyone can supply the bytes; hashes do the checking.
- CP6
Distribute
Pro-rata claims from the escrow ledger. Founder proceeds unlock after a timelock.
Every failure path drains here. Goal missed, report late, conditions failed, deadline blown: the escrow enters an absorbing refund state with pull-based, non-expiring withdrawals. Nothing can strand funds and nobody can veto the drain.
What the structure guarantees
Proof before money
A creation journal proves a complete, compiling implementation satisfying the manifest existed before the first deposit. Vaporware cannot raise.
Deterministic audit fee
A public rate card maps proven code size to fee and review window. No quotes, no negotiation, committed at creation.
Findings-independent pay
The auditor is paid for the report's existence, never its verdict — the independence norm the profession already requires, enforced by contract.
Escrow-executed float-out
The escrow deploys by CREATE2 after hash-checking the bytes. Anyone may courier the initcode; couriers are powerless by construction.
Escrow-as-ledger
The presale tranche mints to the escrow, and contributors claim pro rata from their own deposit records. No distributor, no snapshot, no operator.
Powerless platform
No guard references any platform key. This site is a viewer over chain state; delete it and every campaign continues.
Honest about the trust model, by design.
Journals verify at labeled tiers: T0 today (named operators re-execute the pinned guest and sign), T1 next (hardware attestation), T2target (zkVM receipts, pure cryptography). The schema is frozen, so upgrading is verifier substitution — and every certificate carries the tier it verified under, forever.
Read the tier modelLaunch on proof, not reputation
Raise the audit you can't yet afford, from the people who want it purchased. Your commitments are the collateral; a clean process is a certificate no marketing can fake.
Campaign anatomy →Every parameter on-chain before you deposit
Goal, cap, fee, deadlines, launch conditions, the auditor's name: fixed at creation. The one cost you can't recover — the spent audit tranche — is priced and disclosed up front.
The honest FAQ →Pre-funded engagements, zero guarantor role
A trailer block, a signature, a rate card agreed once. You're paid independent of findings and never touch contributor funds. Your report stays your report.
Integration standard →The launch certificate says exactly what it can prove.
It attests
- The declared properties were proven over the code, before funding and after remediation
- Named auditor X reviewed exactly this bundle and reported these finding counts
- The deployed bytecode is hash-identical to the audited bundle
- Distribution followed the on-chain contribution ledger
- The verification tier, and the funding-concentration digest, in plain sight
It never attests
- That the project is a good idea
- That the team will keep working
- That the token is worth anything
- That the audit found everything
- Anything a discretionary reviewer would have vouched for — there isn't one
Process, never quality. Third-party protocols can require it; nobody can counterfeit it.
Specified in full. Built to be verified.
A 29-page paper with formal state machine, threat analysis, and incentive proofs; frozen schemas; an open-source escrow with machine-checked invariants. Start anywhere — it all agrees.