A protocol for verifiable launches

The token stays in dock until the code proves out.

Drydock holds a launch the way a dry dock holds a ship: structurally. Deposits fund a professional audit of code the founder committed to before any money moved; the report gates deployment mechanically; the escrow itself floats the token out. No custody, no council, no vote, no discretion; and every failure path ends in refunds.

246FLOAT-OUT LEVEL · CP5CP0CP1CP2CP3CP4CP5CP6DRYDOCK PROTOCOLSHT 1 / 1SCALE · TRUSTLESSREV · T0
The condition of the fleet
81.1%

of studied Ethereum liquidity pools followed exit-scam patternsCernera et al., USENIX Security '23

$2.8B

taken by rug pulls in a single year — 37% of all crypto scam revenueChainalysis, 2021

$5–20k

for a professional token audit — payable before a token exists to sellmarket reference, 2026

The strongest countermeasure is priced out of reach at exactly the moment it matters, and the launchpads that filled the gap replaced trust in founders with trust in platforms. Drydock removes the trusted party instead of relocating it. Sources and analysis in the paper §1–2.

Bill of materials

The escrow accepts exactly four inputs. Nothing else exists.

i

Money

Deposits into non-custodial escrow. Withdrawals are pull-based and never expire.

ii

Clock time

Deadlines with hard floors derived from audit physics. Impossible timelines are unrepresentable.

iii

Proofs

Journals over the code, signatures over the report, hashes over the bytes. A fixed verifier checks everything.

iv

Per-user choices

Your deposit, your claim, your refund — each affecting only you.

No actor ever attests, approves, or decides anything on behalf of another actor.Not the platform, not the founder, not the auditor, not a council, not a token vote. Where a decision can't be a proof or a clock, the protocol refunds instead of trusting.

Launch sequence

Seven checkpoints, one invariant: what floats out is what was audited.

The manifest committed at CP0 — supply, split, powers, constructor args — must re-prove over the final audited bundle before deployment. Remediation may change code; it can never change the promises.

  1. CP0

    Commit

    Manifest hash + proof a complete implementation exists. Bad parameters are unrepresentable.

  2. CP1

    Deposit

    Non-custodial escrow. Miss the goal, every deposit refunds in full.

  3. CP2

    Finalize

    Pure clock. The audit fee, fixed by proven code size, escrows for the named auditor.

  4. CP3

    Attest

    The auditor signs its report trailer. Launch conditions evaluate mechanically.

  5. CP4

    Reprove

    Post-remediation code re-proves the same manifest. Properties cannot drift.

  6. CP5

    Float out

    The escrow itself deploys by CREATE2. Anyone can supply the bytes; hashes do the checking.

  7. CP6

    Distribute

    Pro-rata claims from the escrow ledger. Founder proceeds unlock after a timelock.

RF

Every failure path drains here. Goal missed, report late, conditions failed, deadline blown: the escrow enters an absorbing refund state with pull-based, non-expiring withdrawals. Nothing can strand funds and nobody can veto the drain.

Class notation

What the structure guarantees

Proof before money

A creation journal proves a complete, compiling implementation satisfying the manifest existed before the first deposit. Vaporware cannot raise.

Deterministic audit fee

A public rate card maps proven code size to fee and review window. No quotes, no negotiation, committed at creation.

Findings-independent pay

The auditor is paid for the report's existence, never its verdict — the independence norm the profession already requires, enforced by contract.

Escrow-executed float-out

The escrow deploys by CREATE2 after hash-checking the bytes. Anyone may courier the initcode; couriers are powerless by construction.

Escrow-as-ledger

The presale tranche mints to the escrow, and contributors claim pro rata from their own deposit records. No distributor, no snapshot, no operator.

Powerless platform

No guard references any platform key. This site is a viewer over chain state; delete it and every campaign continues.

Sea trials

Honest about the trust model, by design.

Journals verify at labeled tiers: T0 today (named operators re-execute the pinned guest and sign), T1 next (hardware attestation), T2target (zkVM receipts, pure cryptography). The schema is frozen, so upgrading is verifier substitution — and every certificate carries the tier it verified under, forever.

Read the tier model
Aboard
FOUNDERS

Launch on proof, not reputation

Raise the audit you can't yet afford, from the people who want it purchased. Your commitments are the collateral; a clean process is a certificate no marketing can fake.

Campaign anatomy →
CONTRIBUTORS

Every parameter on-chain before you deposit

Goal, cap, fee, deadlines, launch conditions, the auditor's name: fixed at creation. The one cost you can't recover — the spent audit tranche — is priced and disclosed up front.

The honest FAQ →
AUDITORS

Pre-funded engagements, zero guarantor role

A trailer block, a signature, a rate card agreed once. You're paid independent of findings and never touch contributor funds. Your report stays your report.

Integration standard →
Certificate of class

The launch certificate says exactly what it can prove.

It attests

  • The declared properties were proven over the code, before funding and after remediation
  • Named auditor X reviewed exactly this bundle and reported these finding counts
  • The deployed bytecode is hash-identical to the audited bundle
  • Distribution followed the on-chain contribution ledger
  • The verification tier, and the funding-concentration digest, in plain sight

It never attests

  • That the project is a good idea
  • That the team will keep working
  • That the token is worth anything
  • That the audit found everything
  • Anything a discretionary reviewer would have vouched for — there isn't one

Process, never quality. Third-party protocols can require it; nobody can counterfeit it.

Specified in full. Built to be verified.

A 29-page paper with formal state machine, threat analysis, and incentive proofs; frozen schemas; an open-source escrow with machine-checked invariants. Start anywhere — it all agrees.