The full technical design — the eight-layer Integrated Trust Architecture, the smart-contract system, the verification pipeline, and the public API — specified for technical readers.
This paper describes how the platform is built. Read the Positioning Paper first for what it is, and the Executive Paper for the platform overview.
USD 9.3B — Lost to Crypto Fraud in 2024 · Source: FBI Internet Crime Report (IC3), 2024
If someone contacts you claiming to be Chronimy, they are a scammer. We only ever communicate through @ChronimyHQ on X (broadcasts) or the in-platform support ticket system (member contact). No phone calls. No SMS. No email. Anything else is fraud.
This is a technical design specification document. It is not an investment offer or solicitation of any kind.
This document is a technical design specification describing the planned architecture of the Chronimy protocol. All smart contract interfaces, API designs, code samples, pseudocode, and system diagrams are illustrative of the intended design only and do not represent deployed, audited, or production-ready code. Production contracts will be developed by SotaTek Vietnam under formal engagement and independently audited by a qualified blockchain security firm prior to mainnet deployment. Deployed contract addresses, audit reports, and verified production code will be published in subsequent versions of this document as they become available. No reliance should be placed on any technical specification herein as representing current operational capability.
This document contains forward-looking statements regarding planned technical implementations, timelines, and system capabilities. These reflect current design intent and are subject to change. Actual implementations may differ materially. Chronimy Holdings AG makes no representation that any described system will be implemented in the form shown or within any stated timeframe.
All architecture concepts, system designs, technical methodologies, and branding constitute the intellectual property of the protocol. Upon Genesis completion of the structural-separation work, this IP will be held in a separately-constituted IP entity (defensive structural separation). The Oracle Consensus Target™ and related analytical frameworks are proprietary. Patent applications are in preparation for key technical innovations prior to public disclosure. Unauthorised reproduction is prohibited.
This Architecture Paper forms Part 2 of the Chronimy Whitepaper Suite. It is a technical design document prepared for developers, integrators, smart contract auditors, and CEX technical due diligence reviewers. It does not constitute financial advice, an investment recommendation, or a prospectus of any kind. CNMY tokens are designed as utility tokens providing access to platform features and governance rights. Nothing in this document constitutes, or should be construed as, an offer or solicitation to purchase securities in any jurisdiction.
KYC / AML — All participation in Chronimy fundraising phases requires KYC and AML verification through Didit.me (primary) or iDenfy (fallback) — both selected for zero US jurisdictional footprint. Records retained for a minimum of five years.
Persons in jurisdictions where participation is restricted by applicable law must not act on any information contained herein. CNMY tokens are designed as utility tokens providing access to platform features and governance rights. Nothing in this document constitutes, or should be construed as, an offer or solicitation to purchase securities in any jurisdiction. Chronimy Holdings AG reserves the right to refuse participation from any individual or entity without explanation and without liability. Switzerland FINMA · AMLA / European Union MiCA · GDPR / United Kingdom FCA · FSMA.
Blockchain-based trust infrastructure built on Polygon PoS. Portable, verifiable, behaviour-backed reputation through an eight-layer Independent Trust Architecture (ITA).
The CNMY utility token (20B fixed supply, ERC-20) powers platform access, fee economics, and deflationary mechanics.
Operates as a Swiss non-profit foundation with zero founder treasury access — enforced architecturally, not by policy.
8 — Independent trust layers — each reinforcing the others. Anti-fragile by design: failure of any one layer does not compromise the system as a whole.
The Executive Whitepaper (Paper 1, 91 pages) covers the business model, economic model, tokenomics, fundraising strategy, and growth mechanics. This paper does not repeat that material. For context on the CHF 65.5M community fundraising ceiling, CNMY economics, and the Aurora-to-Supernova phase model, refer to Paper 1. Section numbers here (6.x–9.x) map directly to Paper 1's Part 2 Technical reference on pages 88–91.
Chain. Specification: Polygon PoS · ERC-20. Detail: Single chain by design. ~USD 0.01/tx. 2s confirmation. CNMY is Polygon-native. Not multi-chain — a deliberate security decision..
Custody. Specification: MPC 4-of-7 Threshold. Detail: Treasury requires 4-of-7 from each of two independent groups — 8 minimum signers from 14 total. No single entity — including the founder — can access funds unilaterally..
Burns. Specification: 4,200 CNMY per Badge. Detail: Permanent burn per Green Badge activation. On-chain, irreversible, verifiable. 5,000 CNMY to PRU vault per activation..
KYC Stack. Specification: Didit.me + iDenfy. Detail: Zero US jurisdictional footprint. Didit.me primary, iDenfy fallback. FATF-aligned CDD. Jurisdictional separation is architectural..
Vesting Trigger. Specification: Exchange Listing. Detail: All vesting triggers at exchange listing. Founder capped at 2%/month, destination hardcoded to an independent designated wallet..
AI Development. Specification: 3-Phase Honest Roadmap. Detail: No proprietary AI at launch. Phase 1: proven third-party APIs. Phase 2: hybrid model. Phase 3: proprietary. Disclosed and documented..
Security researchers and cryptography reviewers. This paper is also intended for regulators requiring technical disclosure of the Chronimy protocol architecture.
"This paper specifies the architecture. Every interface, every mechanism, every constraint documented here exists because trust, at scale, requires infrastructure — not promises."
Chronimy is four core modules + Module 5 auxiliary workstream shipping eleven products on a shared identity layer.
Each phase from Nebula onwards delivers visible product moments. The four core modules + Module 5 auxiliary workstream are the brand. The eleven products are the shipping calendar:
Every revenue-line product is locked. Every viral / governance / distribution product enables a revenue line elsewhere. No product is dropped — eleven shipping moments across three years.
Deinstitutionalisation means moving people out of institutions that have stopped looking after them, and into communities that actually do. That's the dictionary definition. It's what closed the old asylums in the 1970s and gave people their lives back.
Chronimy is the same idea, for the world we're living in now. This Architecture Paper sets out how the protocol is built so that the institution cannot drift from the people it was built to serve. Every design choice is a structural guarantee — if it cannot be enforced by code, it is not a Chronimy commitment.
— The Architect, Chronimy Holdings AG · April 2026
Module deliverables are funded by the phase community raise via the Rédeas vault and released against verified milestones (an optional separate backstop, if secured, covering any shortfall) ; the community raises fund the build and also drive membership growth. Each phase also consumes foundational primitives delivered by earlier phases — these are reusable infrastructure, not speculative work.
Specifically: Module 2 (Pulsar) depends on identity, KYC, and Trust Codes from Module 1 (Nebula). Module 3 (Supernova) depends on transactions and reputation built in Module 2. Module 4 (Verify Others, B2B) depends on the verification primitive from Module 1 and the trust signal from Module 2. Module 5 (Anti-Phishing, auxiliary) cross-references the Verify B2B registry from Module 4.
If a phase under-raises, the build proceeds on the community raise, partners and proxy audience; an optional separate backstop, if secured, can cover the shortfall, and scope reduces to maintain delivery integrity where neither is sufficient (per Failure Mode Provisions). Foundational primitives are designed to remain useful even if downstream phases descope — Module 1 is a complete shippable product on its own. The architecture supports module-by-module delivery without making earlier phases dependent on later ones.
Chronimy's core technical framework: eight independent layers, each reinforcing the others. No single point of failure by architectural design — not by policy. Anti-fragile by construction.
The Independent Trust Architecture is Chronimy's core technical framework — an eight-layer system that transforms trust from a subjective judgment into an objective, verifiable, and enforceable property. Each layer operates independently while communicating via standardised interfaces, creating an anti-fragile design where the failure of any single layer does not compromise the system as a whole.
This section documents layers 1 through 8 as technical design specifications, followed by the Polygon infrastructure and cryptographic primitives on which the entire stack is built.
In the ITA, if any single layer fails — an AI model produces incorrect outputs, a governance vote is gamed, or a behavioural metric is manipulated — the remaining seven layers compensate and the attack surface that exposed the weakness is catalogued and addressed. Each layer reinforces the others.
The system has no single point of failure by architectural design, not by policy.
The Independent Trust Architecture (ITA) is Chronimy's technical framework that transforms trust from a subjective judgment into an objective, verifiable, and enforceable property. The system comprises eight layers, each serving a distinct purpose while communicating with adjacent layers via standardised interfaces.
The architecture is designed to be anti-fragile — a property that distinguishes it from merely resilient systems. Where a resilient system resists failure, an anti-fragile system actively improves when subjected to stress, attack, or partial failure.
8 — Mutually reinforcing layers — no single point of failure by architectural design, not by policy
1. Layer: Identity. Purpose: Verify real humans, unique individuals, financially committed. Key Technology: Didit.me KYC, liveness detection, Proof-of-Bank (CHF 3).
2. Layer: Behavioural. Purpose: Track trust patterns over time through transaction behaviour. Key Technology: On-chain metrics, velocity anomaly detection, scoring engine.
3. Layer: Escrow. Purpose: Secure transaction custody with conditional release. Key Technology: Solidity smart contract, Polygon PoS, 5-state machine.
4. Layer: Vault (PRU). Purpose: Financial backstop covering disputes and shortfalls. Key Technology: Protocol Reserve Unit, Green Badge activation mechanics.
5. Layer: AI Trust. Purpose: Automated fraud detection, pattern recognition, scoring. Key Technology: Three-phase model: third-party → hybrid → proprietary.
6. Layer: Beacon. Purpose: Immutable on-chain transparency and audit trail. Key Technology: Polygon event logs, IPFS content addressing, alert system.
7. Layer: Governance. Purpose: Community control via Guardian Council and Quorum Guardians. Key Technology: 1-badge-1-vote DAO, Guardian Council (7 seats), 21–49 adjudicators.
8. Layer: Development. Purpose: Build, maintain, and upgrade the protocol over time. Key Technology: SotaTek Vietnam, milestone delivery, open-source pathway.
Each layer exposes a defined interface to adjacent layers. Layer N never directly reads internal state from Layer N+2. This enforces loose coupling — individual layers can be upgraded or replaced by SotaTek without cascading changes across the stack, provided the interface contract is maintained.
All layer specifications in this paper describe the intended design to be implemented by SotaTek. No layer is currently deployed on Polygon mainnet. Smart contract code, performance metrics, and API responses shown throughout are illustrative of the specification, not of production systems.
"Identity verification proves who you are. It is the foundation on which every other layer of the ITA depends — without it, behavioural scoring is meaningless, escrow is unsafe, and governance is gameable."
The Identity Layer establishes three properties for every Chronimy user: they are a real human being, not a bot; they are a unique individual with no duplicate accounts; and they are financially committed via Proof-of-Bank. This three-pronged design makes fake account creation economically unviable at scale.
Chronimy does not keep your identity documents. KYC and liveness are performed once, through an independent verification provider. The moment a check passes, the underlying documents are discarded — they are never stored on Chronimy infrastructure. What remains is a member-held zero-knowledge proof: cryptographic evidence that you are a verified, unique human, revealing none of the data behind it.
There is no central archive of identity documents to breach, subpoena, or leak — because it never exists.
Liveness detection via Didit.me confirms a live person is present. Biometric matching against a government-issued ID document.
One verified identity per person. Enforced by cross-referencing document and biometric data against the existing verified user set.
A CHF 3 Proof-of-Bank payment links a verified bank account to the Chronimy identity. Returned immediately on verification.
Selected for zero US jurisdictional footprint, FATF-aligned CDD, liveness detection, and AML screening. Handles the standard onboarding flow for all users.
Activated if Didit.me is unavailable. Also zero US footprint, identical CDD standard. Users experience no difference in the verification flow.
The CHF 3 micro-payment from a verified bank account is returned immediately to legitimate users — they pay nothing. An operator attempting to manufacture fake identities at scale requires a distinct regulated bank account for every fake identity created, making automated fake account creation prohibitively expensive. The CHF 3 connects digital identity to existing regulated financial infrastructure without requiring users to trust Chronimy with anything beyond the momentary bank link.
"Identity verification proves who you are — behavioural tracking proves how you act. The score is earned through demonstrated behaviour on the platform, not purchased or assigned."
The Behavioural Layer monitors transaction history over time, building a dynamic trust score that reflects real-world reliability and gates users through the badge progression system. Unlike static reputation systems, the score is earned through demonstrated behaviour on the platform, not purchased or assigned. Exact scoring parameters — thresholds, decay windows, weighting formulas — will be defined during SotaTek technical workshops as part of the production specification process.
Behavioural Scoring Algorithm — Design Specification Notice. The specific behavioural metrics, trust score ranges, scoring weights, anomaly detection thresholds, and score decay parameters are implementation details to be defined during SotaTek technical workshops. This paper specifies the architectural intent — that a continuous, on-chain-referenced behavioural score drives badge progression — without prescribing parameter values that have not yet been validated through technical design. A scoring specification document will be produced during the Nebula phase technical engagement.
Exact scoring parameters — thresholds, decay windows, weighting formulas — will be defined during SotaTek technical workshops as part of the production specification process. This paper specifies the architectural intent without prescribing parameter values that have not yet been validated through technical design. A scoring specification document will be produced during the Nebula phase technical engagement.
Red. Platform Fee: 10%. Requirements: KYC identity verification only. Limited platform access.. Status: Entry level.
Green. Platform Fee: 7%. Requirements: KYC + liveness detection + Proof-of-Bank (CHF 3). Full escrow access.. Status: Verified.
Silver. Platform Fee: 5%. Requirements: 20 completed transactions + 95% completion rate. Zero referrals required.. Status: Experienced.
Gold. Platform Fee: 2.5%. Requirements: Extended transaction record + 98% completion rate + governance eligibility.. Status: Elite.
Score Earned,Not Purchased — Badge progression requires demonstrated transaction behaviour on the Chronimy platform. There is no mechanism to buy a higher badge tier. CNMY holdings do not affect badge level. Trust is built through action, not through assets.
The Green Badge unlocks escrow access and PRU protection features but is not required to hold CNMY. Users may hold the token without activating any badge. Badge activation is a user-initiated action, not automatic.
Trust is behavioural, not financial. CNMY holdings do not affect badge level. There is no mechanism to buy a higher badge tier.
The Escrow Layer holds transaction funds in a Polygon-deployed smart contract until verified release conditions are met. No intermediary. No geographic restriction. Settlement occurs on-chain in seconds rather than days. The fee structure is gated by badge tier — verified users with proven track records pay less, creating a direct financial incentive for trust-building behaviour on the platform.
Design Specification — Full interface specification in Part 2, Section 7.4. Implementation by SotaTek.
Red. Platform Fee: 10%. Badge Requirements: KYC identity verification only.
Green. Platform Fee: 7%. Badge Requirements: KYC + liveness + Proof-of-Bank (CHF 3).
Silver. Platform Fee: 5%. Badge Requirements: 20 completed transactions + 95% completion rate.
Gold. Platform Fee: 2.5%. Badge Requirements: Extended track record + 98% completion rate.
Disputed escrows are automatically frozen and transferred to the Quorum Guardian adjudication queue. Funds remain in the contract, untouched, until the Guardian panel resolves the dispute. Neither party can withdraw.
Buyers may fund via fiat (converted on entry) or direct crypto. Sellers may receive in either form. The currency path is the user's choice — the escrow contract itself operates in USDC or CNMY natively on Polygon.
"The fee structure is gated by badge tier — verified users with proven track records pay less, creating a direct financial incentive for trust-building behaviour on the platform."
Polygon PoS — single chain by design, not a limitation. CNMY is an ERC-20 token; gas is paid in POL (Polygon's native token since the 2025 migration from MATIC to POL). Typical on-chain cost is a fraction of a cent, with confirmations in roughly 2 seconds. 20B CNMY fixed supply — no additional minting, at any point, ever. Fixed at contract deployment.
The PRU Vault holds 5 billion CNMY (25% of total supply), pre-allocated at deployment. It is a standing reserve — never drawn down by activations, only added to. Each Green Badge activation adds 5,000 CNMY to the PRU, sourced from the separate Burn Reserve (the 5B / 25% pool that also funds the 4,200 CNMY burned per badge). This top-up runs for the first 500,000 verified members; beyond that, the PRU is replenished from platform profit (8% allocation per Section 4). Members do not contribute to the PRU. It is shared by all verified members regardless of activation order — member 500,001 is protected on the same basis as member 1.
The PRU is the platform's system-failure reserve. Platform-funded, shared by all verified members, and used at the Guardian Council's discretion when platform mechanics have demonstrably failed. The PRU does not cover counterparty fraud, user error, market losses, third-party failures, or any transaction where both parties have confirmed completion. Badge tier informs review; it does not create a contractual right or limit.
0 — Founder access to the PRU Vault — enforced at the contract level, not by policy commitment
The Protocol Reserve Unit (PRU) Vault is the financial backstop of the Chronimy ecosystem. Funded by Green Badge activation events, the PRU holds CNMY in a smart contract governed exclusively by the Guardian Council. Zero founder access, zero foundation access — enforced at the contract level, not by policy. The PRU exists to compensate verified users who suffer platform-attributable losses that survive the dispute resolution process.
All compensation review requests require 4-of-7 Guardian Council approval. No single Guardian can authorise a payout. Claim evidence published on-chain before voting.
Governance uses badge-based voting — not token-weighted. One verified badge holder equals one vote. Prevents wealth concentration from distorting protocol decisions.
The PRU Vault operates as a community mutual protection fund, discretionary, with no guarantee of payout. It is designed to cover platform-attributable shortfalls: losses caused by verified platform failures that survive the Quorum Guardian dispute process. It does not cover user negligence, market losses, or third-party fraud outside the platform. Specific eligibility conditions, claim submission process, review timelines, and payout mechanics are to be defined during SotaTek technical workshops and published once contracts are deployed and audited.
"Zero founder access. Zero foundation access. Enforced at the contract level — not a policy commitment, but a cryptographic fact. The Guardian Council is the sole governing body of the PRU Vault."
Claim Approval: All compensation review requests require 4-of-7 Guardian Council approval. No single Guardian can authorise a payout. Claim evidence published on-chain before voting.
1-Badge-1-Vote: Governance uses badge-based voting — not token-weighted. One verified badge holder equals one vote. Prevents wealth concentration from distorting protocol decisions.
Zero Founder Access: Chronimy Holdings AG and founder have no withdrawal rights over the PRU Vault. Enforced at the contract level — not a policy commitment.
AI Trust, Beacon, Governance, Development, Polygon infrastructure, scalability, cryptographic primitives, and the published residual risk profile. Part 1 concludes with a complete ITA cross-reference.
Chronimy's approach is built on an explicit commitment: no AI capability is claimed at launch that does not exist. The layer follows a three-phase development roadmap — beginning with proven, commercially available third-party APIs and progressing toward proprietary models only after the platform has accumulated sufficient transaction data to train and validate them responsibly.
The AI Trust Layer augments human-level verification with automated pattern recognition and fraud detection. AI outputs are advisory inputs to governance — never final decisions. No user account is suspended, no badge is revoked, and no escrow is frozen solely on the basis of an AI output.
Aurora & Nebula phases. Proven commercial fraud detection APIs from established providers. No proprietary AI at launch. Integration into the behavioural scoring pipeline via standard API calls. Vendor selection finalised during SotaTek technical workshops.
Pulsar phase onwards. Third-party APIs remain active alongside early Chronimy-trained models built on platform transaction data accumulated in Phase 1. Hybrid outputs are compared, audited, and weighted. Neither replaces the other until performance is validated.
Supernova & Scale. Full proprietary models trained on Chronimy's own transaction dataset. Third-party APIs transitioned out as proprietary performance is validated. Model governance overseen by the Guardian Council — not the development team alone.
AI GovernanceCommitment — AI outputs are advisory inputs to governance, never final decisions. No user account is suspended, no badge is revoked, and no escrow is frozen solely on the basis of an AI output. Every AI-triggered action requires either a human Guardian review or an on-chain appeal path. This constraint is architectural — it will be enforced in the contract and governance specifications produced during SotaTek workshops, not left to operational policy.
The Beacon Layer makes Chronimy auditable by anyone, at any time, without asking permission. Every significant platform event is emitted as an on-chain Polygon event log and archived to IPFS for permanent, content-addressed storage. Beacon is the foundation of Chronimy's trust claim — not a marketing statement but a verifiable technical property.
"Beacon is the foundation of Chronimy's trust claim — not a marketing statement but a verifiable technical property. Regulators, users, and the Guardian Council all share the same view of platform activity."
The Beacon Layer makes Chronimy auditable by anyone, at any time, without asking permission. Every significant platform event is emitted as an on-chain Polygon event log and archived to IPFS for permanent, content-addressed storage.
Real-time alerts on any activity touching their account, wallet, or active escrows. Configurable notification preferences.
Full platform event stream. Anomaly flagging dashboard. PRU vault balance visibility. Governance vote audit trail.
Public on-chain event logs on Polygon. IPFS-archived records. No special access required — blockchain-native transparency.
All significant contract events — escrow creation, fund deposits, releases, disputes activations, and PRU transactions — are emitted as Polygon event logs. Permanently on-chain. Indexed and queryable by any blockchain explorer or API.
Event data, dispute evidence submissions, and Guardian voting records are archived to IPFS with content-addressed hashes stored on-chain. The archive is immutable and decentralised — no Chronimy server controls it.
Escrow. Events Monitored: Create, fund, deliver, release, dispute open, dispute resolve. Archive: Polygon + IPFS.
Badge. Events Monitored: Green Badge activation, Silver/Gold progression, badge revocation. Archive: Polygon.
PRU Vault. Events Monitored: Deposits from badge activations, claim submissions, claim payouts. Archive: Polygon + IPFS.
Governance. Events Monitored: Guardian Council votes, parameter change proposals, DAO votes. Archive: Polygon + IPFS.
Treasury. Events Monitored: All treasury inflows, outflows, and MPC signing events. Archive: Polygon + IPFS.
Zero PermissionRequired — Beacon data is publicly available on Polygon and IPFS. No API key, no Chronimy account, no permission request needed. Auditors, researchers, and regulators access the same data as the Guardian Council — blockchain-native transparency is not a feature, it is the architecture.
The Governance Layer is the human accountability layer of Chronimy. It provides two distinct governance functions: protocol governance through the Guardian Council, which manages custody, treasury parameters, and critical protocol decisions; and dispute adjudication through Quorum Guardians, a rotating panel of verified users who resolve individual transaction disputes. Both bodies operate on-chain, with all decisions recorded via the Beacon Layer. Protocol Governance Guardian Council 7 Seats. Dispute Adjudication Quorum Guardians 21 – 49. DAO Voting — 1 Badge = 1 Vote. Community governance uses badge-based voting, not token-weighted voting. Every verified Green Badge or higher holder has exactly one vote on protocol proposals — voting weight does not increase with CNMY holdings, badge tier, or account age. This prevents plutocratic concentration. Enforced in the governance contract specification.
"DAO Voting uses badge-based voting, not token-weighted voting. Every verified Green Badge or higher holder has exactly one vote on protocol proposals — voting weight does not increase with CNMY holdings, badge tier, or account age. This prevents plutocratic concentration."
Guardian Council. Responsible For: MPC treasury custody, compensation review request approval, protocol parameter changes. Threshold: 4 of 7.
Quorum Guardians. Responsible For: Individual escrow dispute resolution, adjudication panels. Threshold: To be defined — SotaTek workshops.
DAO (all badge holders). Responsible For: Protocol upgrade proposals, fee range changes, governance rule changes. Threshold: 1 badge = 1 vote.
Vietnam-based, operating across blockchain, backend, mobile, and QA disciplines.
Information security management system certification — enterprise-grade process standards.
Development engagement commences at Nebula fundraising phase. Specifications finalised in workshops.
Genesis. Module Built: None — pre-engagement. Funding Source: Chronimy, IP holding company, patents (no SotaTek spend). Governance: Chronimy Architect.
Aurora. Module Built: Nebula voucher campaign portal + KYC + Get-to-Green + Refer-3 + credit conversion infrastructure (187 features). Funding Source: Aurora community raise (CHF 1.5M). Governance: Architect + Council pre-engagement scoping.
Nebula. Module Built: Module 1 — Platform layer (347 features) — full smart contracts, badge system, Beacon Layer v1, KYC deep integration. Funding Source: Nebula community raise (CHF 13.44M). Governance: Guardian Council 4-of-7 milestone sign-off.
Pulsar. Module Built: Module 2 — Trust & Marketplace (312 features) + Module 4a — Chronimy Verify B2B Launch (155 features). Funding Source: Pulsar community raise (CHF 20.16M). Governance: Guardian Council + DAO vote.
Supernova. Module Built: Module 3 — Enterprise (408 features) + Module 4b — Verify Network Effects (190 features). Funding Source: Supernova community raise (CHF 30.2M). Governance: DAO governance.
Funding model: each phase’s build is funded by that phase’s community raise via the Rédeas vault — community-controlled, milestone-gated, with clawback if a milestone fails. A separate backstop would cover any shortfall, so completion does not hinge on any single raise hitting target.
All smart contracts produced by SotaTek are independently audited by a qualified blockchain security firm before mainnet deployment. Audit reports will be published in full. Contract addresses will be documented once contracts are deployed.
Value-handling contracts are immutable — deployed once, bytecode final, with no proxy and no upgrade key. Neither the development team nor the Guardian Council can alter contract logic after deployment. For a live emergency, a pause-only circuit breaker can halt an affected module to stop an active exploit, but it can never move funds or change logic.
"The Development Layer governs how the Chronimy protocol is built, maintained, and upgraded over time. Payment ties to specification compliance. Open-source transition milestones are planned for the Pulsar phase, subject to Guardian Council approval."
SotaTek Vietnam holds the exclusive development mandate for the initial build through the Nebula phase — responsible for implementing every contract, API, and interface specification contained in this paper. The engagement is formal, milestone-based, and governed by a delivery agreement that ties payment to specification compliance.
SentinelOne 2026 — direct losses on top of $10.5T global cybercrime baseline.
Norton seal retired October 2023. Every existing badge is a static image phishers copy-paste onto fake sites.
Module 4a built during Pulsar. Module 4b (browser extensions, Wall of Shame) built during Supernova.
Verify combines five primitives that, individually, exist in production elsewhere — but no system has combined all five into a single trust layer. The combination is the patent claim.
KYC-verified entity registration. Where It Came From: EV SSL (visual cue removed by browsers in 2019). Verify's Role: One badge per legal entity, KYC-bound, revocable on demand. The badge cannot exist without the verified identity behind it..
DNS TXT domain proof. Where It Came From: Google Workspace / Microsoft 365 / BIMI. Verify's Role: Chronimy issues a unique TXT record (e.g. chronimy-verify=cnmy_a8f3... ); site owner adds it to DNS; automated lookup confirms..
Origin header verification. Where It Came From: Browser CORS / sub-resource integrity. Verify's Role: Live badge API checks the Referer / Origin header on every render. Mismatch = badge is being served from an unauthorised domain..
Live API badge with state. Where It Came From: DigiCert Smart Seal. Verify's Role: Badge is not an image. It is a live API call returning green/amber/red state based on real-time verification..
Self-accusing badge (the differentiator). Where It Came From: Novel — no prior art. Verify's Role: When a phisher copies the embed onto a fake domain, the badge displays: "⚠ This badge was copied from another site. This is likely a phishing attempt." The act of copying becomes the act of being exposed..
Token-economy backing (PRU coverage). Where It Came From: Novel — no prior art (no competitor has a token). Verify's Role: Verified businesses caught in protocol-compliant phishing incidents are first-priority for the PRU vault. No competitor can replicate this without a token..
"Phishers face an impossible choice: show the badge and get exposed, or remove it and look suspicious next to the legitimate site. Verify makes the act of copying the act of being exposed."
1. Action: Company KYC — director verification, business documents, beneficial ownership. System Component: Didit.me + Chronimy review.
2. Action: Domain ownership proof — Chronimy issues unique TXT record. System Component: Verify Site Owner Dashboard.
3. Action: Chronimy verifies TXT record — automated DNS lookup. System Component: Verify backend.
4. Action: Badge issued — linked to: company ID + domain + signing key pair. System Component: Verify backend + signing key infrastructure.
5. Action: Site owner adds embed code — pulls live badge from Verify API. System Component: Badge embed library (~50-line JS, iframe-isolated).
6. Action: Origin check on every render — API confirms Referer / Origin matches registered domain. System Component: Verify Live Badge API.
7. Action: Periodic re-verification — TXT record re-checked every 24 hours; headless render check confirms badge visible. System Component: Verify automation layer.
8. Action: Instant revocation — Chronimy can kill any badge via revocation API; site shows red state immediately. System Component: Verify revocation API + governance.
Green (Verified). Trigger: Origin matches registered domain. Display: "✓ Verified by Chronimy" + heartbeat pulse.
Amber (Issue). Trigger: DNS record lapsed, KYC re-check due, or hidden-badge anti-circumvention warning. Display: "⚠ Verification pending".
Red (Unverified / Fake). Trigger: Origin mismatch — badge is being served from an unauthorised domain. Display: "✗ NOT VERIFIED — This site copied the badge".
The heartbeat is the visible reinforcement that the badge is live, not static. It is risk-context-aware — visual emphasis intensifies on pages where attention matters most.
First page load. 3-second gentle gold pulse (3 pulses, ~1s each)
Returning visitor (same session). No pulse — static green
New session (24h+). Pulse again — reinforces habit
On hover. Subtle glow + tooltip with verified entity name
Red state. Continuous slow pulse + warning overlay
Checkout / login pages. Re-pulse on land — peak attention at peak risk
prefers-reduced-motion. Static badge — accessibility respected
Some site owners may try to install the badge for SEO benefit but hide it visually with CSS. The backend detects this:
An extension of the Trust Code™ primitive, designed to kill email phishing:
chronimy.org/verifySingle Chainby Design — Multi-chain deployment has been permanently retired from the Chronimy specification. Operating across multiple chains multiplies the attack surface, fragments liquidity, and creates cross-chain bridge risk — one of the largest sources of losses in Web3.
Chronimy requires a blockchain that is fast enough for real-world transaction escrow, cheap enough that fees never become a barrier to participation, and mature enough that smart contract security is well-understood. Polygon PoS satisfies all three requirements. It also provides EVM compatibility — meaning the entire Solidity development ecosystem, tooling, and auditing infrastructure available for Ethereum is directly applicable. CNMY is Polygon-native by deliberate design decision, not by default.
Transaction cost. Polygon PoS Response: ~0.01 per transaction — negligible for all user tiers. Decision: Meets requirement.
Confirmation speed. Polygon PoS Response: ~2 second block finality — suitable for escrow state transitions. Decision: Meets requirement.
Smart contract maturity. Polygon PoS Response: EVM-compatible, Solidity ecosystem, extensive audit history. Decision: Meets requirement.
DEX liquidity access. Polygon PoS Response: Uniswap V3 on Polygon PoS — canonical platform for M20–M22 DEX launch. Decision: Meets requirement.
CEX listing pathway. Polygon PoS Response: Polygon-native ERC-20 tokens supported by all major CEX listing programmes. Decision: Meets requirement.
IPFS integration. Polygon PoS Response: Beacon Layer content addressing via IPFS is chain-agnostic and fully compatible. Decision: Meets requirement.
Multi-chain deployment has been permanently retired from the Chronimy specification. Operating across multiple chains multiplies the attack surface, fragments liquidity, and creates cross-chain bridge risk — one of the largest sources of losses in Web3. A single, well-chosen chain with strong audit coverage and EVM maturity is demonstrably more secure than a multi-chain architecture for a trust protocol. CEX listings are the token access story — bridging is not needed.
"On-chain for what requires immutability, off-chain for what requires speed. This separation means platform throughput scales with off-chain infrastructure while maintaining the security guarantees of on-chain settlement."
Smart contract state — badge ownership, escrow balances, PRU holdings, and governance votes — lives on-chain permanently. Application logic, API serving, and user-facing computation run off-chain and write results to the chain only when a permanent record is required.
Polygon PoS network congestion does not stop escrow execution — it delays it. Chronimy's escrow timelock model is designed to tolerate delayed confirmations. No transaction is lost due to network congestion; all pending transactions are queued and confirmed when capacity permits.
Because the value-handling contracts are immutable, there are no routine upgrades and no logic replacement. A member's badge, escrow history, and PRU contributions persist in immutable on-chain state that cannot be silently changed. If new functionality is ever needed, it ships as a separate, opt-in contract — never as a replacement of the contract holding member funds.
New platform capabilities ship as additional, opt-in contracts rather than in-place upgrades of the immutable core. The contracts that hold member funds and badge state are never replaced; anything new is deployed alongside them and adopted by members on their own terms.
Specific TPS targets, API response time SLAs, concurrent user ceilings, gas optimisation benchmarks, and load testing methodologies are implementation details to be produced during SotaTek's technical engagement in the Nebula phase. These will be documented and published once validated testing.
Specific performance targets, load testing benchmarks, and SLA thresholds will be defined during SotaTek technical workshops and published following the audit. This section specifies the architectural approach — not the production SLA figures, which require validated load testing data before being committed.
ZERO — Complete private keys held — no human holds a full private key. The key does not exist as a whole. It exists only in the act of threshold agreement across 8 minimum participants.
Every blockchain project that holds user funds faces the same problem: how do you prevent a single compromised person, a single stolen device, or a single bad actor from draining the treasury? Traditional multi-sig partially solves this but creates a discoverable key set. Chronimy's answer is a dual-group MPC (Multi-Party Computation) ceremony — a cryptographic protocol where 14 independent participants jointly control treasury access, but no single participant ever holds a complete private key. The key does not exist as a whole. It exists only in the act of threshold agreement.
MPC Architecture — Confirmed Parameters: 14 Total Council Participants (7 public + 7 private). 4-of-7 threshold per group required to authorise any custody operation. 48–72h Ceremony Timelock. ZERO Complete Keys Held — no human holds a full private key. Ever.
Publicly selected and named at the appropriate readiness gate (expected at Nebula opening). Their identities are disclosed to the community. Any 4 of the 7 must participate in a signing ceremony. Public accountability makes compromise or collusion visible and attributable.
Identities known only to regulators and FINMA. Not publicly disclosed. Any 4 of the 7 must co-sign. This group provides a regulatory accountability layer — even if Group A were entirely compromised, Group B prevents unilateral fund movement.
CNMY token custody is 100% held in autonomous smart contracts. There are no private keys for the Chronimy treasury in the conventional sense — no hardware wallet, no seed phrase, no single device that grants access. The MPC ceremony distributes key material across 14 participants (7 public + 7 private, in two independent groups) such that the full key can only be reconstructed during a valid 4-of-7 per group signing ceremony (8 minimum signers from 14 total). Stealing fewer than 4 participants' shares within a group yields nothing.
Hash function. Specification: SHA-256 (256-bit output). Standard / RFC: FIPS 180-4 (NIST Secure Hash Standard).
Key derivation function. Specification: HKDF-Expand-Label with member_secret as salt and epoch_window_id as info parameter. Standard / RFC: RFC 5869 (HKDF) — IETF.
Member-to-member key exchange. Specification: X25519 ECDH (Elliptic Curve Diffie-Hellman over Curve25519). Standard / RFC: RFC 7748 (Elliptic Curves for Security) — IETF.
Authenticated symmetric encryption. Specification: ChaCha20-Poly1305 (AEAD construction). Standard / RFC: RFC 8439 (ChaCha20 and Poly1305 for IETF Protocols).
Digital signatures. Specification: Ed25519 (Edwards-curve Digital Signature Algorithm). Standard / RFC: RFC 8032 (Edwards-Curve Digital Signature Algorithm) — IETF.
Transport encryption. Specification: TLS 1.3 with mandatory perfect forward secrecy. Standard / RFC: RFC 8446 (TLS 1.3) — IETF.
Random number generation. Specification: Hardware-backed CSPRNG seeded from HSM entropy source; falls back to NIST-approved DRBG. Standard / RFC: NIST SP 800-90A/B (Random Bit Generators / Entropy Sources).
HSM storage. Specification: FIPS 140-3 Level 3+ HSM at EU-regulated tier-1 datacentre; TPM 2.0 fallback for backup keys. Standard / RFC: FIPS 140-3 (Cryptographic Module Standard); TCG TPM 2.0 Specification.
Side-channel resistance. Specification: Constant-time implementation; verified against timing-analysis test suites. Standard / RFC: Common Criteria EAL4+ guidance.
For each 15-minute UTC-aligned window, a verifier requesting authentication of a member computes:
epoch_window_id = floor(unix_timestamp / 900)
prk = HKDF-Extract(salt = member_secret, ikm = HSM_master_key)
Trust_Code = HKDF-Expand(prk, info = "chronimy.trust_code.v1" || epoch_window_id, length = 256_bits)
display_code = first_8_decimal_digits(Trust_Code)
The 8-digit display code is what the user sees and shares with a verifier in a member-to-member interaction. The full 256-bit Trust_Code is used for cryptographic verification at the protocol level. Window alignment ensures that both the requesting member and the verifying member compute the same Trust_Code for the same window, regardless of network latency.
Each window's Trust_Code is computed independently, and the chain of windows forms a Merkle commitment chain — each window's Trust_Code is a hash-derived child of prior epoch state, but knowing window N's Trust_Code does not reveal prior windows' Trust_Codes due to the one-way nature of HKDF combined with HSM-protected master_key. This satisfies the forward secrecy property: if a Trust_Code is captured during window N, it cannot be used to derive Trust_Codes for windows 1 through N-1.
If the HSM master_key is suspected of compromise, the recovery procedure is:
The full rotation completes within minutes — bounded by the 15-minute window cycle plus broadcast propagation time. Members on the platform during rotation receive an authenticated message indicating the rotation event.
Chronimy Holdings AG intends to engage one or more tier-1 cryptographic protocol audit firms for independent review of the Trust Code specification and implementation at Aurora close. Candidate firms under consideration: leading independent security firms specialising in applied cryptography, protocol review, and cryptographic engineering. Engagement letter to be signed at Aurora close as part of the IPDF and Security & Compliance allocation. The reviewing firm's findings will be published as a supplementary security advisory at Aurora close + 90 days, alongside any specification revisions arising from the review.
"No smart contract system carries zero risk. Chronimy publishes its residual risk profile openly — a practice that distinguishes credible projects from those that make unverifiable safety claims."
Honest Risk Disclosure
No smart contract system carries zero risk. Chronimy publishes its residual risk profile openly — a practice that distinguishes credible projects from those that make unverifiable safety claims. The MPC custody architecture and dual audit requirement are designed to drive these risks as low as technically achievable, but honest documentation of residual risk is itself a trust signal. Investors, users, and regulators should understand what the design mitigates and what remains.
Wallet compromise rate 0.005% — estimated probability with all ITA layers enabled — KYC, behavioural monitoring, escrow, PRU, AI Trust, and Beacon all active. This figure reflects the design target, not a guarantee. Published residual risk profile.
Residual smart contract risk — the irreducible risk of undiscovered vulnerabilities in production Solidity code. Mitigated by dual independent audit but cannot be driven to zero. Published transparently.
All production smart contracts audited by a top-tier independent blockchain security firm before mainnet deployment. Full audit scope: escrow, vesting, burn, PRU vault, treasury, governance contracts. Audit report published in full.
A second independent firm conducts a separate audit before deployment. Two independent findings provide substantially higher assurance than a single audit. Conflicting findings between firms trigger resolution before any deployment proceeds.
Re-entrancy protection. Checks-effects-interactions pattern enforced on all state-changing functions. No external calls before state update.
Access control. Role-based access control on all privileged functions. Guardian role verified on-chain against badge registry — no local mapping.
Upgrade governance. None — value-handling contracts are immutable (no proxy, no upgrade key). Emergencies use a pause-only circuit breaker that cannot move funds or alter logic; new features ship as separate opt-in contracts.
No admin override keys. Zero backdoor admin keys. No function exists that allows the foundation or founder to bypass governance or move user funds.
The Anti-Fragile Property — Confirmed. The nine layers of the ITA are not independent features — they are mutually reinforcing defences. Identity verification makes behavioural scoring meaningful. Behavioural scoring makes escrow fee tiers justified. Escrow tiers fund the PRU vault. The PRU vault backstops the trust claim and backs Verify coverage. AI Trust augments behavioural scoring. Beacon makes all of it auditable. Governance ensures no single actor controls any of it. Development ensures it is built to specification. Verify extends the trust architecture beyond the platform's own users to any website on the open web. Remove any one layer and the others are weakened. Strengthen any one layer and all others benefit. This is anti-fragility by design. All nine layers — cross-reference below.
"The nine layers of the ITA are not independent features — they are mutually reinforcing defences. Remove any one layer and the others are weakened. Strengthen any one layer and all others benefit. This is anti-fragility by design."
1. Layer: Identity. Primary Function: KYC + liveness + Proof-of-Bank (CHF 3). Key Confirmed Fact: Didit.me (zero US footprint).
2. Layer: Behavioural. Primary Function: Transaction history drives badge progression. Key Confirmed Fact: Silver: 20 tx, 95% completion rate.
3. Layer: Escrow. Primary Function: Smart contract custody, 5-state machine. Key Confirmed Fact: Fees: 10→7→5→2.5%.
4. Layer: PRU Vault. Primary Function: Community financial backstop, 5,000 CNMY/badge. Key Confirmed Fact: 4,200 CNMY burned/badge.
5. Layer: AI Trust. Primary Function: Three-phase fraud detection, no proprietary AI at launch. Key Confirmed Fact: Advisory only.
6. Layer: Beacon. Primary Function: On-chain event archive, IPFS content addressing. Key Confirmed Fact: Public, permissionless.
7. Layer: Governance. Primary Function: Guardian Council (7 voting seats) · Vision Guardian (separate constitutional seat, unpaid) · Quorum Guardians (21–49). Key Confirmed Fact: 1-badge-1-vote DAO · 4-of-7 Council threshold · 4-of-7 per group (8 of 14) Genesis Vault keyholders.
8. Layer: Development. Primary Function: SotaTek Vietnam, module-per-phase delivery. Key Confirmed Fact: 1,300+ engineers, ISO 27001.
9. Layer: Trust Verification (Verify). Primary Function: Identity-bound, domain-bound, self-accusing trust layer for any website. Key Confirmed Fact: Pulsar B2B launch · Supernova network effects · PRU-backed.
Zero Founder Access: No function in any contract allows the founder or foundation to access the treasury, PRU vault, or user funds. Enforced at contract level, not by policy commitment.
No Human Keys: Multi-party computation (MPC) ceremony. No complete private key exists. Threshold 4-of-7 per group (8 minimum from 14 total participants) to authorise any treasury transaction.
Public Auditability: All significant platform events are on-chain on Polygon. IPFS-archived. No permission needed to audit Chronimy — the data is publicly available to anyone.
No function in any contract allows the founder or foundation to access the treasury, PRU vault, or user funds. Enforced at contract level — not by policy commitment.
10-participant MPC dual-group ceremony. No complete private key exists. 8 participants minimum across both groups to authorise any treasury transaction.
All significant platform events are on-chain on Polygon. IPFS-archived. No permission needed to audit Chronimy — the data is publicly available to anyone.
Pricing inside the platform is denominated in CHF. Subscription tiers, partner fees, escrow amounts, badge activation costs, and PRU coverage tiers are all CHF-quoted to insulate platform mechanics from CNMY market volatility.
CNMY conversion happens at execution, not at entry. When a member elects to settle a CHF-denominated obligation in CNMY, the conversion uses a Time-Weighted Average Price (TWAP) over a 6-hour smoothing window from the primary CEX listing. This neutralises moment-of-trade volatility and front-running attempts.
Transaction floors and ceilings: minimum platform transaction CHF 1.00 equivalent; maximum per-transaction limits scale with badge tier (Red CHF 100 · Green CHF 500 · Silver CHF 5,000 · Gold unlimited). Members can elect fiat-only settlement (regulated payment partner and SEPA) at any tier.
Secondary-market price is outside platform scope. CNMY trades on DEX/CEX listings at market price. Chronimy Holdings AG does not market-make, peg, or guarantee secondary-market price. Speculative position holders bear standard market risk; platform mechanics are insulated by the CHF denomination.
Contract interface specifications, MPC ceremony, CNMY token, escrow, vesting, burn, Compensation Review Requests, autonomous treasury, and Trust-Locked token architecture. Design intent for SotaTek implementation — not deployed code.
Architecture Paper · Sections 7.1 – 7.12 · Smart Contracts & Custody · Contract Interface Specifications
Part 2 specifies the smart contract architecture that implements the ITA layers described in Part 1. Every contract shown here is a design specification for SotaTek's implementation — not deployed production code. Contracts will be independently audited by two firms before mainnet deployment.
This section covers the contract dependency map, MPC custody ceremony specification, CNMY token contract, escrow, vesting, burn, compensation review requests, treasury, Trust-Locked architecture, and the formal threat model. 7.4 Escrow Contract 7.5 Vesting Contract 7.6–7.7 Burn & Compensation Review Requests 7.8–7.10 Treasury & Glass API 7.11–7.12 Threat Model & Audit
7.4 Escrow Contract · 7.5 Vesting Contract · 7.6–7.7 Burn & Compensation Review Requests · 7.8–7.10 Treasury & Glass API · 7.11–7.12 Threat Model & Audit
Architecture Paper · Sections 7.1 – 7.12 · Smart Contracts & Custody · Contract Interface Specifications
The Chronimy smart contract suite is designed as a set of single-responsibility contracts that communicate through defined interfaces. No contract handles more than one domain. The escrow contract does not know about badge levels — it calls the badge registry. The burn contract does not know about PRU vault distribution — it calls the vault contract. This separation means each contract can be audited, tested, and upgraded independently. A vulnerability in one contract cannot cascade uncontrolled into another.
"No contract handles more than one domain. A vulnerability in one contract cannot cascade uncontrolled into another — each contract is audited, tested, and upgraded independently."
CNMY Token. Section: 7.3. ITA Layer: All Layers. Primary Responsibility: ERC-20 token on Polygon PoS. 20B fixed supply. Transfer, burn, and approval functions..
Badge Registry. Section: 7.3. ITA Layer: Layer 1 & 2. Primary Responsibility: On-chain record of verified badge status per address. Read by all other contracts..
Escrow. Section: 7.4. ITA Layer: Layer 3. Primary Responsibility: Holds transaction funds. 5-state machine. Badge-gated fee rates. Dispute trigger..
Vesting. Section: 7.5. ITA Layer: Layer 8. Primary Responsibility: Team and founder token releases. Triggers at exchange listing. Destination hardcoded..
Burn. Section: 7.6. ITA Layer: Layer 4. Primary Responsibility: Permanent token destruction. Called on Green Badge activation. 4,200 CNMY per event..
PRU Vault. Section: 7.7. ITA Layer: Layer 4. Primary Responsibility: Community reserve. Funded on badge activation. Guardian Council governed claims..
Treasury. Section: 7.8. ITA Layer: Layer 7. Primary Responsibility: Protocol revenue holding. MPC 4-of-7 dual-group custody (from each of two independent groups — 8 minimum signers from 14 total). Zero founder access..
Glass Treasury API. Section: 7.10. ITA Layer: Layer 6. Primary Responsibility: Public read-only treasury transparency interface. Anyone may query balances..
All value-handling contracts are immutable: deployed once, bytecode final — no proxy, no upgrade key, no delegatecall. For a live emergency a pause-only circuit breaker can halt an affected module to stop an active exploit, but it can never move funds or alter logic. Pause is not upgrade.
Standard audited security libraries used as the baseline. No reinventing of audited primitives.
Zero backdoor admin functions. No function exists allowing the foundation or founder to bypass governance or move funds unilaterally. Enforced in contract design.
Why TwoIndependent Groups — A single group of 14 could be compromised by corrupting just 4 members from the same network. The dual-group structure ensures Group A and Group B have no overlap in identity, jurisdiction, or accountability. Compromising one group entirely still yields nothing.
The MPC ceremony is the foundational custody event for the Chronimy protocol. It distributes cryptographic key material across 14 independent participants such that no complete private key is ever held by any single person or device. Treasury transactions can only be authorised when at least 4 participants from Group A and 4 participants from Group B simultaneously participate in a signing ceremony — a requirement that makes collusion, coercion, or compromise of any single group insufficient to move funds.
Confirmed MPC Parameters: 7 + 7 Participants — Group A: public. Group B: known only to regulators and FINMA. 4 + 4 Threshold — 4 of 7 from each group required. Minimum 8 signers across both groups. 48–72h Timelock — every ceremony has a publicly verifiable timelock before execution.
A single group of 14 could be compromised by corrupting just 4 members from the same network. The dual-group structure ensures Group A and Group B have no overlap in identity, jurisdiction, or accountability. Compromising one group entirely still yields nothing — both groups must be simultaneously compromised.
CNMY is a utility token deployed on Polygon PoS as an ERC-20 contract. Its supply is fixed permanently at 20 billion tokens — no minting function exists after the initial deployment. The contract enforces the canonical tokenomics: allocation-locked vesting schedules, badge activation burn mechanics, and PRU vault deposits. The token contract is the most security-critical contract in the suite — it touches every other contract and is the first target an attacker would probe.
Hard-coded at deployment. No mint function. No inflation. Ever.
Polygon PoS. Full EVM compatibility. CEX and DEX listing ready.
Utility: escrow fees, badge activation, governance participation.
Standard ERC-20 decimals. Compatible with all wallets and exchanges.
Vault Reserve. Amount: 5B. Supply %: 25%. Terms: Locked at genesis. Funds the PRU Compensation Review Vault. Guardian Council governed; zero founder access..
Burn Reserve. Amount: 5B. Supply %: 25%. Terms: Deflationary reserve. Source of badge-activation burns and PRU top-ups; tokens permanently removed from supply..
Voucher Sales Funding. Amount: 5B. Supply %: 25%. Terms: Phase-gated. Backs voucher and credit sales across the five phases; the community raise draws from this line, with an optional separate backstop, if secured, covering any shortfall..
Kind Channel. Amount: 1B. Supply %: 5%. Terms: Exchange listing. 20% immediate + 80% linear over 36 months. Stiftung-administered philanthropic disbursement; vetted causes under Stiftungsrat oversight..
Founder. Amount: 1B. Supply %: 5%. Terms: Exchange listing. 20% at listing + 80% linear over 36 months, capped at 2%/month of the vested balance. Destination: designated wallet, hardcoded in Founder Vesting..
Team. Amount: 1B. Supply %: 5%. Terms: Exchange listing. 6-month cliff, then linear over 36 months. Designated team wallets..
Partner Referral Bonus. Amount: 200M. Supply %: 1%. Terms: Phase-gated. Partner and referral programme rewards..
Buffer Reserve. Amount: 300M. Supply %: 1.5%. Terms: Operational contingency reserve..
Scam Victims Airdrop. Amount: 500M. Supply %: 2.5%. Terms: Restitution to a locked list of specific people met on the journey — not open to application; recipient Merkle list locked at deployment; 20% at listing, 80% over 36mo; unclaimed after 24mo burned..
Liquidity. Amount: 1B. Supply %: 5%. Terms: DEX and CEX liquidity provisioning at listing..
Total. Amount: 20B. Supply %: 100%. Terms: Fixed supply. No mint function exists after deployment..
All vesting schedules trigger on exchange listing — not on Token Generation Event (first listing). first listing as a vesting trigger was retired from the Chronimy specification. Exchange listing is a meaningful, verifiable public event. It creates a direct alignment between the team's vesting and platform success: no one is rewarded simply for existing — they are rewarded when the token has a real market. The founder's 2% monthly cap and designated beneficiary wallet destination are hardcoded in the vesting contract, not subject to governance override.
EscrowCreated. Triggered By: Buyer calls createEscrow(). Purpose: Opens the Beacon audit trail for this transaction. Public from this point..
EscrowFunded. Triggered By: Buyer deposits funds. Purpose: Confirms value locked. Timelock countdown begins. Seller notified..
EscrowReleased. Triggered By: Buyer confirms or timelock expires. Purpose: Fee deducted and split per 10-way revenue model. Net funds to seller..
DisputeOpened. Triggered By: Either party calls openDispute(). Purpose: Funds frozen. Quorum Guardian queue triggered. Beacon alert issued..
DisputeResolved. Triggered By: Guardian calls resolveDispute(). Purpose: Funds released to ruling winner. Behavioural scores of both parties updated..
Section 7.5 Vesting Contract · On-Chain Vesting — Six Variants · Exchange Listing Trigger · Designated Wallet Destination. Design Principle: The vesting system is fully autonomous. No human holds keys to any vesting contract. No founder, Guardian, or SotaTek engineer can manually release, accelerate, or modify any vesting schedule after deployment. Vesting triggers, release rates, and destination addresses are locked at the one-time deployment ceremony and cannot subsequently be altered. This is a constitutional guarantee, not a policy. Vesting trigger all schedules activate on one event: first confirmed CEX listing via oracle feed. CNMY is generated at Nebula deployment but vesting does not begin until listing. "first listing" does not apply to Chronimy.
"The vesting system is fully autonomous. No founder, Guardian, or SotaTek engineer can manually release, accelerate, or modify any vesting schedule after deployment. This is a constitutional guarantee, not a policy."
All schedules activate on one event: first confirmed CEX listing via oracle feed. CNMY is generated at Nebula deployment but vesting does not begin until listing. "first listing" does not apply to Chronimy.
Vesting trigger: All schedules activate on one event: first confirmed CEX listing via oracle feed. CNMY is generated at Nebula deployment but vesting does not begin until listing. "first listing" does not apply to Chronimy. This is a constitutional guarantee, not a policy. Vesting triggers, release rates, and destination addresses are locked at the one-time deployment ceremony and cannot subsequently be altered.
Variant 1 — Founder. Allocation: 5% · 1B CNMY. Trigger: Exchange listing. Release: 20% at listing, remaining 80% linear over 36 months (withdrawals capped at 2%/month of vested balance). Destination: designated wallet — hardcoded. Note: Timeline: 36 months post-listing.
Variant 2 — Scam Victims Airdrop. Allocation: 2.5% · 500M CNMY. Trigger: Exchange listing. Release: 20% immediate, 80% linear over 36 months. Destination: Verified victim wallets (Merkle proof). Note: Recipient list locked at deployment.
Variant 2b — Chronimy Kind Channel. Allocation: 5% · 1B CNMY. Trigger: Exchange listing. Release: 20% immediate, 80% linear over 36 months. Destination: Stiftung-administered philanthropic disbursement. Note: A17 canonical · vetted causes · Stiftungsrat oversight.
Variant 3 — Team. Allocation: 5% · 1B CNMY. Trigger: Exchange listing. Release: Linear over 36 months after cliff. Destination: Designated team wallet addresses. Note: Cliff: 6 months from listing. Zero release before cliff..
Variant 4 — Fundraising (4 Phases). Allocation: 20% · 4B CNMY. Trigger: Exchange listing. Release: Phase-dependent schedule. Destination: Aurora/Nebula/Pulsar/Supernova wallets. Note: Parameters vary per phase — see Section 3.5.
Variant 1 — Founder Allocation: 5% · 1B CNMY Trigger: Exchange listing Release: 20% at listing, remaining 80% linear over 36 months (withdrawals capped at 2%/month of vested balance) Destination: designated wallet — hardcoded Timeline: 36 months post-listing
Variant 2 — Scam Victims Airdrop Allocation: 2.5% · 500M CNMY Trigger: Exchange listing Release: 20% immediate, 80% linear over 36 months Destination: locked recipient list (Merkle proof) Note: Locked list, not open to application; unclaimed after 24 months burned
Variant 2b — Chronimy Kind Channel Allocation: 5% · 1B CNMY Trigger: Exchange listing Release: 20% immediate, 80% linear over 36 months Destination: Chronimy Stiftung-administered philanthropic disbursement Note: A17 canonical — vetted causes under Stiftungsrat oversight, separately constituted from operating company. Combined philanthropic envelope (Variants 2 + 2b): 1.5B CNMY = 7.5% of total supply.
Variant 3 — Team Allocation: 5% · 1B CNMY Cliff: 6 months from listing Release: Linear over 36 months after cliff Destination: Designated team wallet addresses Note: Zero release before cliff
Variant 4 — Fundraising (4 Phases) Allocation: 20% · 4B CNMY Trigger: Exchange listing Release: Phase-dependent schedule Destination: Aurora/Nebula/Pulsar/Supernova wallets Note: Parameters vary per phase — see Section 3.5
Designated Wallet Destination — Founder Vesting. Destination address is a designated wallet — hardcoded at deployment, cannot be changed. Designated wallet address is confirmed at the Nebula deployment ceremony.
Parameter Value Modifiable: Vesting trigger — on-chain oracle, first CEX listing confirmed, No Immutable. Founder monthly cap — 2% of vested balance/month. Starts at 4M CNMY/mo (2% × 20% upfront at listing), rising as more vests, No Immutable. Founder destination — designated wallet, address hardcoded at deployment, No Immutable. Acceleration mechanism — None, no early release function exists in contract, No Immutable. Pause/cancel mechanism — None, contract is self-executing, No Immutable. SotaTek admin access — Zero, no admin keys exist post-deployment, No Immutable.
Destination address is a designated wallet — hardcoded at deployment, cannot be changed. Designated wallet address is confirmed at the Nebula deployment ceremony.
Vesting trigger: On-chain oracle — first CEX listing confirmed. Founder monthly cap: 2% of vested balance/month. Starts at 4M CNMY/month (2% × 20% upfront at listing), rising as more vests.
Vesting trigger. Value: On-chain oracle — first CEX listing confirmed. No Immutable.. Modifiable: No — Immutable.
Founder monthly cap. Value: 2% of vested balance/month. Starts at 4M CNMY/mo (2% × 20% upfront at listing), rising as more vests. No Immutable Founder destination designated wallet — address hardcoded at deployment.. Modifiable: No — Immutable.
Founder destination. Value: designated wallet — address hardcoded at deployment. No Immutable.. Modifiable: No — Immutable.
Acceleration mechanism. Value: None — no early release function exists in contract. Modifiable: No — Immutable.
Pause/cancel mechanism. Value: None — contract is self-executing. Modifiable: No — Immutable.
SotaTek admin access. Value: Zero — no admin keys exist post-deployment. Modifiable: No — Immutable.
SotaTek admin access. Value: Zero — no admin keys exist post-deployment. Modifiable: No — Immutable.
The Second Deflationary Hammer
4,200 — CNMY burned per Green Badge activation — permanently sent to 0x000…dEaD. Cannot be recovered, unwrapped, or redirected. Canonical figure.
Every Green Badge activation burns 4,200 CNMY permanently. This is not a fee. The tokens are sent to the zero address (0x000…dEaD) and destroyed forever — they cannot be recovered, unwrapped, or redirected. The burn contract executes automatically on badge issuance with no human trigger required. At projected scale, Green Badge activations create a structural deflationary pressure that compounds with the Buyback profit allocation (13% of all platform profit, 80% burn / 20% IPDF Strategic Reserve top-up).
Green Badge Activation — Token Flow. 10,000 Total CNMY Required per Green Badge activation — the full 10,000 CNMY is the activation unit. 5,000 PRU Vault — locked in PRU vault — provides CHF 1,000 protection coverage for the badge holder. 4,200 Burned Forever — sent to zero address — permanent removal from circulating supply. 800 Rewards — 500 member airdrop + 300 verifier rewards (3 × 100 CNMY each).
Burn contract · badge-triggered permanent deflation · 4,200 CNMY burned per Green Badge · self-executing & immutable · the second deflationary hammer. Badge registry contract. It contains no admin functions, no pause mechanism, and no override capability. SotaTek note: Burn contract specification requires confirmation of zero-address standard for Polygon PoS. Recommended: use a standard ERC-20 burn function, verified to remove from totalSupply.
The platform pre-allocated 5 billion CNMY (25% of total supply) to the PRU Vault Reserve at deployment. Badge activation triggers a release of 5,000 CNMY from this platform-owned reserve into the active PRU pool. This release pattern is capped at the first 500,000 verified members. Beyond that point, the active pool is replenished from platform profit (8% allocation per Section 4). Members do not contribute to the PRU. The pool is shared by all verified members regardless of activation order — member 500,001 is protected on the same basis as member 1.
PRU Vault. Amount (CNMY): 5,000. % of Activation: 50%. Notes: Funds CHF 1,000 protection coverage. Locked in PRU Compensation Review Contract..
Permanent Burn. Amount (CNMY): 4,200. % of Activation: 42%. Notes: Sent to 0x000…dEaD. Irrecoverable. Confirmed by on-chain event..
Member Airdrop. Amount (CNMY): 500. % of Activation: 5%. Notes: Distributed to the new badge holder on activation..
Verifier Rewards. Amount (CNMY): 300. % of Activation: 3%. Notes: 100 CNMY each to the three witness verifiers who confirmed the badge..
TOTAL PER ACTIVATION. Amount (CNMY): 10,000. % of Activation: 100%. Notes: Canonical figure..
At M39 (4,200,000 badge holders), badge activation burns project to 17,640,000,000 CNMY — 88.2% of total supply (4,200 × 4,200,000). Projection only. The Guardian Council may modify burn rates by DAO vote to preserve solvency. Before Buyback (13% of profit, 80% burn / 20% IPDF Strategic Reserve top-up), which provides additional deflationary pressure routed entirely from profit allocations.
The burn contract is self-executing — it fires automatically on the badge issuance event emitted by the Badge Registry. It contains no admin functions, no pause mechanism, and no override capability. Once deployed, the 4,200 CNMY burn per Green Badge cannot be modified by any party.
At 4,200,000 badge holders (M39 Oracle target), badge activation burns project to 17,640,000,000 CNMY — 88.2% of total supply. Projection only. The Guardian Council may modify burn rates by DAO vote to preserve solvency. Before Buyback (13% of profit, 80% burn / 20% IPDF Strategic Reserve top-up), which provides additional deflationary pressure routed entirely from profit allocations.
SotaTek will implement a Solidity function that: (1) listens for the GreenBadgeIssued event, (2) calls transferFrom to pull 4,200 CNMY from the activation pool, (3) calls the ERC20 burn function, and (4) emits a TokensBurned event with badge ID, timestamp, and amount for Glass Treasury logging. Recommended: use a standard ERC-20 burn function, verified to remove from totalSupply.
"The PRU activates exclusively on verified platform operational failures — where Chronimy's own infrastructure caused the shortfall. It does not cover counterparty fraud, non-delivery, user negligence, or market losses."
KYC only — no PRU coverage. Red badge does not activate the protection reserve.
3-witness verified. Full badge activation. CHF 1,000 per claim, per event.
20 tx + 95% completion. CHF 5,000 per claim, per event.
Extended track record + governance role. CHF 25,000 per claim, per event.
Claim Lifecycle — From Dispute to Payout
Claims require 4-of-7 Guardian Council approval. No claim can be processed without reaching this quorum. No founder, SotaTek engineer, or individual Guardian can approve a claim unilaterally.
The PRU (Protocol Reserve Unit) Vault — Chronimy's Platform Operational Integrity Reserve (PRU) — is funded by 5,000 CNMY from every Green Badge activation. The PRU activates exclusively on verified platform operational failures — where Chronimy's own infrastructure caused the shortfall. It does not cover counterparty fraud, non-delivery, user negligence, or market losses. A discretionary Guardian Council vote determines whether and how much is disbursed. No legally enforceable payment right exists.
Approval threshold. 4-of-7 Guardian Council votes — minimum quorum for any payout
Reserve architecture. Hot reserve (~15% of vault) for rapid payouts · Cold reserve (~85%) for replenishment
Replenishment source. 8% of all platform profit routed continuously to vault by treasury contract
Founder access to vault. ZERO — no founder keys exist for any PRU contract function
Claim cap per event. Limited to badge tier ceiling (CHF 1K / 5K / 25K) — no single claim can exceed this amount
The PRU Compensation Review Contract is one of the most governance-sensitive contracts in the Chronimy suite. SotaTek will implement the 4-of-7 multisig approval using the same MPC infrastructure as the custody architecture — Guardian approvals are signed via the MPC ceremony system, not standard wallet keys. This ensures Guardian Council participation remains consistent with the broader custody security model.
Appeal mechanism: Rejected claims may be resubmitted with additional evidence — Appeal window duration is confirmed at the Nebula deployment ceremony. Payout denomination: CHF-pegged CNMY equivalent at oracle spot rate at time of Guardian approval.
The CentralGuarantee — No human holds keys to the Chronimy treasury. No founder, Guardian, or SotaTek engineer can initiate a disbursement. All revenue flowing into the treasury is split and distributed by smart contract logic that executes automatically on receipt.
Every CHF and CNMY of profit routes through ten sub-accounts under three distinct authorisation regimes — (A) on-chain autonomous contracts (Collateral Provision Fee · Burn · PRU Replenish · all market-buy via TWAP), (B) multisig/DAO authorisation (Development Escrow 4-of-7 Guardian Council · DAO Governance >66% supermajority), and (C) AG nominated director fiat administration (Licensing · Member Growth · Core Team \& Ops · Security \& Compliance) under Swiss CO Art. 716+. Vision Guardian and AI Oversight observe all three regimes. This is the architectural embodiment of Chronimy's constitutional 10-way profit split — operated by Chronimy Holdings AG with separately-constituted Chronimy Stiftung for charitable layer — not a policy statement, but a cryptographic and corporate-governance fact.
Revenue ingestion. All escrow fees, API licensing, and service fees routed to treasury contract address — no manual collection required
Distribution trigger. Automatic on receipt — no human action required to initiate any distribution
Founder access. ZERO — no keys exist for treasury. 3% founder remuneration is a smart contract output only.
Modification mechanism. Split percentages adjustable only by DAO supermajority within the fixed ten buckets — no new recipients, no logic change, no individual access
Public auditability. All treasury movements publicly viewable via Glass Treasury dashboard — read-only, real-time, no authentication required
MPC custody. Treasury reserves secured under the 14-participant MPC architecture — 4-of-7 from each group required for any reserve movement
Distribution trigger. Automatic on receipt — no human action required to initiate any distribution. Founder access: ZERO — no keys exist for treasury. 3% founder remuneration is a smart contract output only.
"In every other token system, possession of a private key is sufficient to transfer funds. In Chronimy, it is not. Both the sending and receiving wallet must hold a valid verified badge for any transfer to execute."
In every other token system, possession of a private key is sufficient to transfer funds. In Chronimy, it is not. Both the sending and receiving wallet must hold a valid verified badge for any transfer to execute. A stolen private key cannot move CNMY to an unverified wallet. This bilateral verification is implemented at the ERC-20 transfer function level — it is not a UI restriction or a policy — it is enforced cryptographically by the smart contract on every transfer attempt.
5-Stage Transfer Validation — Wallet Level: Failure at any single checkpoint aborts the transfer entirely.
Failure at any single checkpoint aborts the transfer entirely. No administrator or Guardian can override a checkpoint failure.
Direct wallet-to-wallet transfers outside the escrow system operate under standard ERC-20 rules — badge verification applies only within the protected Chronimy escrow environment. Users may hold CNMY without activating any badge. The badge system is optional — it unlocks protection features, not token ownership. Protection operates only badge-to-badge.
The contract emits a specific error code identifying which checkpoint failed, enabling targeted corrective action. No administrator or Guardian can override a checkpoint failure — resolution requires the relevant party to meet the credential requirement directly.
Transfer function hook. Badge check inserted into ERC-20 transfer() and transferFrom() — executes before every transfer attempt
Badge registry call. Queries on-chain Badge Registry contract for both sender and receiver at point of transfer
Failure mode. Transaction reverts with specific error code — no partial execution, no fee deducted
Admin override. NONE — no bypass function exists in contract. SotaTek cannot override post-deployment.
Patent status. Bilateral badge transfer gate — patent application in preparation. Bilateral claim is Claim 1.
MPC ceremony rotates all key shares after every signing event. Accumulated compromised shares become invalid on the next ceremony — preventing long-term compromise accumulation unique to the dual-group MPC design.
All layers active — bilateral badge, biometric liveness, temporal windows, destination whitelist, MPC custody. Modelled protocol-level theft rate: 0.005% (industry-standard fault-tree estimate; not a guarantee). Residual contract risk: 1–3% lifetime.
Wallet Level 1 Identity Badge · Sender badge verified — minimum tier required. 2 Temporal Window · Transfer within user-defined permitted time windows. 3 Biometric Liveness · Live human confirmed — defeats coercion & remote access. 4 Destination Whitelist · Receiving address on sender's pre-approved list. 5 Receiver Badge · Receiver holds valid verified badge — bilateral requirement.
The Mini Card disclosure model has three states implemented at the smart contract + API layer: Free Mini Card (default, public, indexable, displays badge + verified + ZK proof + member-since), Enhanced Mini Card (CHF 3/mo subscription, per-field toggles), and Full Profile (counterparty requests, member approves with biometric, signed session token issued, member-set TTL). Two-key cryptographic split: Trust Code = handshake credential, Session Token = access credential. See Executive Paper Section 4.6 for the full walkthrough. Patent #5 + extension (in preparation).
A secure system is also a user-resistant system. Friction is calibrated, not eliminated — designed to make malicious authorisations harder to execute, while keeping routine actions fast.
The protocol cannot prevent every fully-informed user action. It can, and does, design friction at the points where catastrophic mistakes typically happen.
Module 1 ships three subscription tiers on the verified identity layer:
Anti-Phishing Premium is a CHF 2/month add-on for Enhanced Profile members; it is included in Premium Membership at no additional cost. Partners receive 20% recurring CDF on Enhanced Profile and Premium Membership subscriptions of attributed members.
Trust-Locked Token Architecture, Glass Treasury API, STRIDE Threat Model, Security Audit Framework — followed by the complete Verification System: KYC Pipeline, Proof-of-Bank, Refer-3 Anti-Sybil, Badge Progression, Trust Code, Contextual Trust Score, Oracle Engine, Quorum Guardians, and External Conduct Review.
In every other token system, possession of a private key is sufficient to transfer funds. In Chronimy, it is not. Both the sending and receiving wallet must hold a valid verified badge for any transfer to execute. A stolen private key cannot move CNMY to an unverified wallet. This bilateral verification is implemented at the ERC-20 transfer function level — it is not a UI restriction or a policy — it is enforced cryptographically by the smart contract on every transfer attempt.
Failure at any single checkpoint aborts the transfer entirely. The contract emits a specific error code identifying which checkpoint failed, enabling wallets to surface precise user feedback. All five checkpoints are enforced on every transfer — including transfers initiated by smart contract interactions, not just user-originated calls. This prevents malicious contract-to-contract drains.
The Glass Treasury is not a reporting tool. It is a constitutional commitment. Every CNMY token movement, every profit split disbursement, every compensation review request, every burn event, and every Guardian vote is permanently visible to any person, institution, or regulator — in real-time, without login, without permission. Chronimy has no private treasury. There is nothing to hide. The Glass Treasury API makes this technically enforceable.
The Glass Treasury API is a read-only public interface — no authentication required, no rate limiting on public queries. It is deliberately designed to be scraped by regulators, journalists, and researchers without any friction. Chronimy's position is that any system that requires a login to verify financial transparency is not transparent.
STRIDE (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege) is the industry-standard framework for systematic threat analysis of distributed systems. Applied to Chronimy's smart contract suite, each category maps to specific attack vectors and the architectural controls that mitigate them. This model forms part of the audit brief for both independent security firms.
S. Threat: Spoofing. Attack Vector: Attacker impersonates verified user to initiate badge-protected transfers. Architectural Mitigation: Biometric liveness detection at Checkpoint 3. Static credentials (passwords, keys) insufficient. KYC liveness check on badge issuance prevents credential reuse..
T. Threat: Tampering. Attack Vector: Modification of contract logic post-deployment to redirect funds or bypass checks. Architectural Mitigation: All contracts are immutable — no upgrade proxy, no admin key, no delegatecall pattern. Deployed bytecode is final. SotaTek has zero post-deployment access..
R. Threat: Repudiation. Attack Vector: Parties deny transaction participation or Guardian votes are disputed. Architectural Mitigation: All events permanently archived by Beacon Layer (Layer 6) with IPFS content-addressed storage. On-chain event log is immutable and timestamped..
I. Threat: Information Disclosure. Attack Vector: KYC identity data leaked from on-chain storage. Architectural Mitigation: KYC data is never stored on-chain. Only a cryptographic hash of identity is anchored. PII remains off-chain at KYC provider (Didit.me) under GDPR controls..
D. Threat: Denial of Service. Attack Vector: Gas exhaustion attacks on verification or escrow contracts. Architectural Mitigation: Gas limits set conservatively. Core verification functions use O(1) operations. Emergency circuit breaker in Guardian Council contract pauses affected modules only..
E. Threat: Elevation of Privilege. Attack Vector: Attacker gains Guardian Council authority or founder access to treasury. Architectural Mitigation: Guardian Council requires 4-of-7 MPC threshold from two independent groups. Founder is architecturally excluded from treasury. No single key holds elevated authority..
No Chronimy contract deploys to mainnet without passing audit by two independent top-tier security firms. This is a constitutional requirement, not a recommendation. The two firms must be selected independently, must not share personnel on the engagement, and must produce separate reports. All audit findings are published publicly — including findings that are disputed or accepted as residual risk. Budget: CHF 150–200K (SotaTek Deliverable 13, within Nebula phase).
Audit reports are published on-chain (IPFS hash anchored) and in the Glass Treasury public API within 14 days of receipt. Any critical or high-severity finding must be remediated and re-audited before deployment proceeds.
Part 2 specified the complete smart contract suite that SotaTek will build in the Nebula phase: an ERC-20 token on Polygon PoS, six vesting variants triggered by exchange listing, a badge-triggered burn contract destroying 4,200 CNMY per Green Badge, a PRU Compensation Review Contract governed by 4-of-7 Guardian Council approval, an autonomous treasury splitting all revenue ten ways with zero founder access, a Trust-Locked bilateral badge transfer gate, a read-only Glass Treasury API, a STRIDE threat model across six attack categories, and a dual independent audit mandate budgeted at CHF 150–200K. Every contract is immutable post-deployment. No human holds keys. No override exists.
7.1–7.2. Topic: Contract Architecture & MPC. Key Canonical Values: Twelve-contract autonomous suite · 14-participant dual-group MPC · 4-of-7 threshold from each group · Proactive resharing each ceremony · 48–72h timelock, publicly verifiable.
7.3–7.4. Topic: CNMY Token & Escrow. Key Canonical Values: 20B fixed supply — no minting ever · ERC-20, Polygon PoS single chain · 5 escrow states: AWAITING → COMPLETE · Fee tiers: Red 10% / Green 7% / Silver 5% / Gold 2.5%.
7.5–7.6. Topic: Vesting & Burn. Key Canonical Values: 6 vesting variants, all triggered by exchange listing · 4,200 CNMY burned per Green Badge · Burn contract irreversible — no recovery path.
7.7–7.8. Topic: Compensation Review Requests & Treasury. Key Canonical Values: 5,000 CNMY locked per Green Badge to PRU vault · 10-way profit split hardcoded · Zero founder access — architectural, not policy.
7.9–7.10. Topic: Trust-Locked Token & Glass Treasury. Key Canonical Values: Bilateral badge verification at transfer function level · Patent application in preparation · Glass Treasury API: fully public, no auth required.
7.11–7.12. Topic: STRIDE & Audit Framework. Key Canonical Values: Six threat categories fully mitigated · Dual independent audit mandatory · CHF 150–200K budget · Public report publication required.
Identity, Badge Progression & Trust Codes — Sections 8.1 through 8.10
Part 3 specifies the verification architecture that converts anonymous users into trusted participants. It covers the KYC & liveness pipeline (Didit.me canonical), the CHF 3 Proof-of-Bank anchor, the Refer-3 anti-Sybil mechanism, badge progression from Red through Gold, the Trust Code system, the Contextual Trust Score algorithm, the Oracle Engine, Quorum Guardian System, and External Conduct Review. This is the human layer — the interface between the autonomous smart contracts of Part 2 and the real-world identities that activate them.
The KYC & Liveness Pipeline is Layer 1 of the ITA — the entry gate for every participant in the Chronimy trust system. It establishes that a real, unique human is behind each verified identity. Without passing Layer 1, no badge can be issued, no escrow contract can be initiated, and no PRU coverage is available. The pipeline uses Didit.me as the canonical KYC provider — EU-resident, GDPR-compliant, and carrying zero US jurisdictional footprint, which is a constitutional requirement of the Chronimy architecture.
US footprint. Didit.me Specification: Zero — EU-resident provider. Requirement: Constitutional — no USD, no US infra.
Liveness check. Didit.me Specification: Active liveness — video-based, deepfake resistant. Requirement: Deepfake resistance mandatory.
Document types. Didit.me Specification: Passport, national ID, driving licence — 220+ countries supported. Requirement: Non-US document coverage required.
Data storage. Didit.me Specification: Off-chain, GDPR-compliant, EU data residency. Requirement: No KYC data stored on-chain.
On-chain anchor. Didit.me Specification: Hash of identity only. Requirement: Zero PII in smart contracts.
Deepfake-proof liveness and government-document KYC are strong — but an adversary with resources can fabricate multiple verified identities. Proof-of-Bank adds an economic anchor: a CHF 3 micro-payment from a verified bank account. The cost per fake identity becomes CHF 3 × number of accounts — scaling linearly with attack scale. For a legitimate user, CHF 3 is negligible. For a Sybil attacker creating thousands of fake identities, the cost becomes prohibitive while the cryptographic bank-identity link defeats the attack independently of cost.
KYC proves a document. Proof-of-Bank proves a bank account. Refer-3 proves a social network. To earn a Green Badge, a user must be vouched for by three independent, already-verified users. This social attestation layer means fake identities — even with real documents and bank accounts — cannot self-certify. They need real humans who are already inside the system to vouch for them. Sybil attacks require not just fake identities, but fake relationships with real people — a fundamentally different and much harder attack surface.
User invites 3 verifiers minimum. All 3 confirm. Badge issued within 72 hours of third confirmation. Invite channels: WhatsApp, Telegram, email. Users invite 3–20 people — only 3 confirmations needed.
User invites and receives confirmation from 6+ verifiers. Badge issued within 24 hours — half the standard wait. Excess verifiers beyond 3 become part of the warm pool for deferred organic growth.
The Refer-3 mechanism is the primary viral coefficient engine in the Chronimy growth model. K driven by 3 witnesses × verifier progression rate. If 20% of verifiers eventually complete their own Green Badge journey (conservative given they have already been asked), K = 0.6. Combined with other growth vectors (Trading Arena, content distribution programme), this delivers the documented viral coefficient that underpins the Monte Carlo growth simulation.
The warm pool — users who were invited as verifiers but have not yet completed their own badge — represents 6–18 month deferred conversion. These users are the highest-probability organic growth source in the system: they have a personal relationship with a verified member, they have already been introduced to Chronimy, and the barrier to re-engagement is lower than cold acquisition.
In Chronimy, a badge is not a reward — it is a cryptographic proof of earned trust. Each tier represents a verifiable threshold of demonstrated trustworthiness: KYC identity (Red), socially-witnessed identity (Green), transaction track record (Silver), and community-recognised governance participation (Gold). Badge tier directly determines escrow fee rates and PRU protection coverage — making trust commercially tangible for every transaction.
Requirements: KYC verification (government document + liveness check)
What it proves: Real, unique human identity — nothing more.
Escrow access: Full access — highest fee tier. No PRU protection on transactions.
Requirements: KYC + Proof-of-Bank (CHF 3) + 3 witness verifications + 10,000 CNMY activation
Activation split: 5,000 PRU vault · 4,200 permanently burned · 500 airdrop to badge holder · 300 to verifiers (3×100)
viral coefficient source: Green Badge holders are the viral engine of Chronimy growth — each verification generates 3 new exposures.
Requirements: Green Badge + 20 completed transactions + ≥95% satisfaction rate
No referral requirement: Silver is earned through demonstrated transaction behaviour, not social network.
viral coefficient: Silver Badge adds zero to viral coefficient — it is not a viral mechanism.
Requirements: Silver Badge + 100 completed transactions + 98% satisfaction rate + 6 months active
Governance role: Gold Badge holders are eligible for Quorum Guardian selection and Guardian Council election.
Permanent fee rate: Aurora founders receive Gold fee rate (2.5%) as a founding benefit, permanent.
The Trust Code is a short alphanumeric credential — unique to each holder — that serves as a portable trust signal across any platform, marketplace, or communication channel. It is called Rotating because the live code regenerates every 15 minutes: a code captured by a phishing page is useless within minutes, because only the holder can see and present the current code from their Chronimy app. The Trust Code is available to Green Badge holders and above — Red Badge holders do not receive one. When verified, the code resolves to the holder's current badge tier and protection coverage.
A counterparty shares their Trust Code before any transaction. The verifying party enters the code at chronimy.com or calls the Verification API endpoint. The system returns: badge tier, PRU coverage level, issue date, and validity status — in under 200ms. No account required to verify. No login. The code resolves to publicly readable on-chain state.
The Trust Code is designed to be shared verbally, by text, by QR code, or embedded in a platform profile. It functions as a portable credential that travels with the user across every platform — regardless of whether that platform has a Chronimy integration. Even a platform with no API integration can use the chronimy.com lookup page to verify a counterparty in seconds.
A badge proves a threshold — binary. A trust score is continuous: it rises and falls with behaviour and detects warning signals before they become disputes. The CTS operates beneath the badge layer — it determines whether a holder performs at their tier's standard and feeds anomaly detection protecting the PRU vault from sophisticated fraud.
Transaction History. Category: Completion Track Record. Description: Ratio of completed to initiated transactions. Silver threshold: 95%. Gold threshold: 98%. Weighted by recency — recent completions carry more weight than historical ones..
Dispute Signals. Category: Conduct Record. Description: Number and outcome of escrow disputes raised against or by the user. Dispute wins are neutral; unjustified disputes raised are negative signals. Quorum Guardian findings carry full weight..
Verification Tier. Category: Identity Anchor. Description: Badge tier provides the score floor. A Gold Badge holder starts with a higher base than a Green Badge holder. Tier cannot be gamed — it requires on-chain verified milestones..
Activity Recency. Category: Behavioural Signal. Description: Time-weighted activity score. Dormant accounts decay toward base tier score. Active accounts compound upward. Encourages continuous platform participation..
ECR History. Category: Conduct Flag. Description: Any open or upheld External Conduct Review suppresses CTS score significantly. Resolved ECRs with exoneration restore baseline..
Phase 1 (Nebula): Rule-based CTS scoring using on-chain data only. Simple weighted formula. No ML component. Sufficient for launch and early platform operation.
Phase 2 (Pulsar): Hybrid model. Rule-based scoring plus third-party AI API anomaly signals. Transaction pattern analysis. Domain-specific fraud pattern detection begins as platform data volume grows.
Phase 3 (Supernova): Proprietary fine-tuned model trained on anonymised Chronimy transaction data. Full contextual scoring. Predictive anomaly detection feeding PRU vault risk management.
The Verification API is how Chronimy trust travels beyond the Chronimy platform. Any marketplace, B2B platform, or payment provider can integrate a single endpoint call to instantly verify a counterparty's badge tier, PRU coverage level, and Trust Code validity — before any transaction commits. No user account required. No login. The API reads from on-chain state in real time, making it designed to read live on-chain state, with stale-result risk constrained to network availability.
Part 3 specified the complete verification stack. KYC + liveness (Didit.me, zero US footprint) · CHF 3 Proof-of-Bank Sybil anchor · 3-witness social verification for Green Badge. Badge tiers (Red → Gold) encode escalating trust with fee reductions and PRU coverage increases. The Trust Code makes trust portable. The CTS monitors behaviour continuously. The Verification API exposes all of this to any platform via a single endpoint. Result: real-world identity + bank account + social network required to participate fully.
8.1. Topic: KYC & Liveness. Canonical Values: Didit.me canonical · Zero US jurisdictional footprint · Video liveness — deepfake resistant · KYC hash on-chain only — no PII in contracts.
8.2. Topic: Proof-of-Bank. Canonical Values: CHF 3 — fixed, canonical · Refunded within 24–48 hours · IBAN hash anchored on-chain · Name must match KYC document · Patent application in preparation.
8.3. Topic: Refer-3 Anti-Sybil. Canonical Values: 3 witnesses = 72h badge issuance · 6+ witnesses = 24h fast-track · viral coefficient: K driven by 3 witnesses × verifier progression rate · Warm pool: 6–18 month deferred conversion.
8.4. Topic: Badge Progression. Canonical Values: Red 10% / Green 7% / Silver 5% / Gold 2.5% · Green activation: 4,200 burned + 5,000 PRU vault + 800 distributed · 10,000 CNMY total per activation.
8.5. Topic: Trust Code. Canonical Values: Trademark in preparation · 15-minute rotating credential · Green Badge and above · Resolves to public on-chain state.
8.6. Topic: Contextual Trust Score. Canonical Values: Five input factors · Three-phase AI development · Feeds PRU vault anomaly detection · Decay for dormant accounts.
8.7. Topic: Verification API. Canonical Values: No auth for basic trust check · <200ms response target · Batch up to 50 · Badge history endpoint available.
The Oracle Engine is Chronimy's perpetual governance intelligence layer. It runs three independent AI models simultaneously — the independent AI screen, Claude, and GPT — on the same governance questions, policy proposals, dispute edge cases, and platform anomalies. Where all three reach the same conclusion, that consensus is surfaced to the Guardian Council as a high-confidence recommendation. Where they diverge, the divergence itself is flagged as a signal requiring human deliberation. The engine does not make decisions — it identifies where AI consensus exists and where human judgement is essential.
Processes real-time platform data and external market signals. Contributes current-state context to consensus queries. Optimised for recency and data freshness.
Applies structured reasoning to governance questions. Evaluates policy proposals for internal consistency, precedent alignment, and unintended consequences.
Processes community sentiment and forum signals. Surfaces emerging concerns before they become formal proposals. Tracks platform health indicators.
The specific prompting architecture, consensus aggregation methodology, and divergence scoring algorithm are classified as trade secrets and are not disclosed in this document. The capability described above is accurate; the implementation detail is retained internally.
The Chronimy governance architecture has two separate bodies that are frequently confused. The Guardian Council is the 7-seat executive authority — elected domain specialists who hold conditional power over platform-level decisions. The Quorum Guardians are a separate body of 21–49 Gold Badge adjudicators whose role is dispute resolution and compensation review requests review. They are elected independently, operate on a rotating basis, and report findings to the Guardian Council — they do not hold platform authority themselves. One is strategy; the other is adjudication.
When an escrow dispute is raised that cannot be resolved by the two-party smart contract mechanism, it escalates to a randomly-selected Quorum Guardian panel of three. The panel reviews evidence submitted by both parties, evaluates conduct against platform standards, and issues a finding. Findings are published on-chain (anonymised). The Guardian Council reviews panel findings for compensation review request approval where coverage is triggered. A pattern of Guardian panel findings against a user may trigger a badge review.
The External Conduct Review (ECR) is the mechanism by which verified users report conduct by other platform participants that falls outside normal dispute resolution — fraud allegations, impersonation, off-platform coercion, or systemic bad-faith behaviour. Unlike a standard escrow dispute (transaction-specific), an ECR report concerns a pattern of conduct that affects or could affect multiple participants. ECR reports trigger a Quorum Guardian panel review, with findings escalated to the Guardian Council for badge action where warranted.
Each ECR submission carries: evidence package IPFS hash, subject and reporter identity, allegation category, and linked transaction IDs. Evidence is stored off-chain — only its hash is anchored on-chain.
ecr_id. Type: bytes32. Contents: Unique report identifier — generated on submission.
subject_hash. Type: bytes32. Contents: Hash of reported party's verified identity.
allegation_category. Type: enum. Contents: FRAUD | IMPERSONATION | COERCION | BAD_FAITH | OTHER.
evidence_ipfs_hash. Type: bytes32. Contents: IPFS CID of evidence package — stored off-chain, hash on-chain.
linked_txns. Type: bytes32[]. Contents: Array of related escrow or transaction IDs.
reporter_hash. Type: bytes32. Contents: Hash of reporter identity — pseudonymous to subject, visible to Guardian panel.
Dismissed: Insufficient evidence or allegation not substantiated. Reporter's record unaffected. Repeated bad-faith ECR filings are themselves a conduct flag.
Warning Issued: Conduct found to breach platform standards. Formal warning attached to subject's on-chain record. CTS score impacted.
Badge Suspended: Pattern of conduct or severe single incident. Guardian Council activates suspension. All open transactions paused. Subject notified of appeal process.
Badge Revoked: Confirmed fraud or systematic bad-faith behaviour. Irreversible at Quorum Guardian level — requires Guardian Council supermajority (5-of-7) to execute.
Complete API specification for REST and WebSocket interfaces, authentication, core endpoints for trust, badge, escrow and governance, full webhook event catalogue, rate limiting, SDK documentation, integration examples, sandbox environment — followed by Appendices: AI Trust Layer Architecture, Polygon Technical Reference, Glossary, and.
Authentication, Endpoints, Webhooks & SDKs — Sections 9.1 through 9.8
Part 4 specifies the API and integration architecture that makes Chronimy trust portable across any platform. It covers REST and WebSocket API design, authentication, core endpoints for trust, badge, escrow and governance, the full webhook event catalogue, rate limiting, error standards, SDKs, and integration examples. All specifications are design intent — SotaTek implements under the Nebula phase engagement as Deliverable 12.
The Chronimy API is designed for maximum portability — a marketplace, B2B platform, or payment provider should be able to integrate trust verification in under an hour. It follows REST conventions for synchronous operations and WebSocket for real-time badge state subscriptions. All API specifications represent design intent — implementation detail and confirmed endpoints are SotaTek Deliverable 12, produced during the Nebula phase technical engagement.
Protocol. REST over HTTPS for all synchronous operations. WebSocket (WSS) for real-time badge state subscriptions.
Base URL. https://api.chronimy.com/v1 · Target production endpoint — not live during Aurora phase. Activated at Nebula launch.
Versioning. URL-path versioning (/v1/, /v2/). Non-breaking changes within a version. Breaking changes require new version with 12-month deprecation notice.
Data format. JSON request and response bodies. UTF-8 encoding. ISO 8601 date/time strings throughout.
Response time. Target: <200ms p99 for trust verification endpoints. <500ms p99 for escrow and governance endpoints.
No auth. Usage: Basic trust verification (/v1/verify/{trust_code}). Header: None required.
API Key. Usage: Batch verification, badge history, Glass Treasury reads. Header: X-API-Key: ck_live_....
OAuth 2.0. Usage: User-scoped operations: escrow creation, dispute submission, governance proposals. Header: Authorization: Bearer {token}.
API keys are prefixed: ck_live_ for production, ck_test_ for sandbox. Keys are issued through the developer portal, available from Nebula launch. OAuth 2.0 follows the standard PKCE flow for user-facing integrations.
Primary verification endpoint. Accepts any Trust Code (GN-/SV-/GD- prefix). Returns badge tier, issue date, PRU coverage level, and current validity status. Does not return name, wallet address, or any personal data — trust signal only.
// 200 OK — verified response
{ "status": "success", "data": {
"trust_code": "CHR-A7K2P9",
"badge_tier": "GREEN",
"issued_at": "2025-11-14T09:22:00Z",
"pru_coverage": "CHF 1000",
"valid": true
}}
Verify by on-chain wallet address. Returns same fields as Trust Code endpoint. For direct blockchain integrations where Trust Code exchange is not practical. Returns 404 if wallet has no active badge.
// 404 — no badge found
{ "status": "error", "error": { "code": "BADGE_NOT_FOUND",
"message": "No active badge for wallet address" }}
Batch verification of up to 50 trust codes or wallet addresses in a single request. Returns an array of verification results in the same order as the input array. Partial failures return per-item error objects — the batch itself does not fail if individual items are not found.
Returns badge tier change history for a Trust Code — full timeline from Green through current tier with timestamps. Useful for platforms assessing consistency of a counterparty's verification history over time.
Initiates a new escrow contract on Polygon PoS. Request must include counterparty Trust Code, transaction amount (CHF), and delivery terms hash. Returns contract address and transaction hash.
// 201 Created
{ "data": { "escrow_id": "0x1a2b...", "state": "AWAITING",
"fee_rate": "7%", "tx_hash": "0xabc..." }}
Returns current state and history of an escrow contract. States: AWAITING → FUNDED → DELIVERED → COMPLETE (or DISPUTED). All state transitions are on-chain events — API reads from Glass Treasury cache for <200ms response.
Submits a dispute against an active escrow in FUNDED or DELIVERED state. Requires evidence IPFS hash and allegation category. Triggers Quorum Guardian panel assignment.
Current treasury balance split across all contracts. No authentication required. Publicly accessible to any caller including regulators and researchers.
Submits a governance proposal for Guardian Council review. Requires minimum CNMY stake (Gold Badge). Proposal is published on-chain and visible via Glass Treasury API immediately.
Integrating platforms register a HTTPS endpoint to receive real-time event notifications. When a subscribed event fires, Chronimy delivers a signed POST to the registered URL within 5 seconds of the on-chain event confirmation. At-least-once delivery with exponential back-off retry (1s, 5s, 30s, 5min, 30min). Events not acknowledged within 24 hours are marked failed and logged to the integration dashboard.
badge.upgraded. Trigger: Tier increase. Integration Use: Unlock higher platform features; update fee rate.
badge.downgraded. Trigger: Tier decrease. Integration Use: Alert platform; review pending transactions.
badge.suspended. Trigger: Council suspension. Integration Use: Block open transactions immediately.
badge.reinstated. Trigger: Suspension lifted. Integration Use: Restore access; update cached trust state.
trust_code.rotated. Trigger: Code rotated on tier change. Integration Use: Update stored trust codes in platform database.
escrow.funded. Trigger: AWAITING → FUNDED. Integration Use: Notify seller; trigger delivery process.
escrow.released. Trigger: DELIVERED → COMPLETE. Integration Use: Mark order complete; release seller funds.
escrow.disputed. Trigger: Dispute raised. Integration Use: Pause related processes; notify both parties.
escrow.resolved. Trigger: Dispute resolved. Integration Use: Apply resolution outcome; update records.
Each webhook delivery includes an X-Chronimy-Signature header — HMAC-SHA256 of the raw request body using your webhook secret. Always verify this signature before processing. Reject any delivery where the signature does not match.
Public (no key). Requests / min: 10 / min. Batch size max: N/A. Use case: Casual lookups, widget embeds.
Developer (API key). Requests / min: 120 / min. Batch size max: 50. Use case: Standard integrations, SME platforms.
Business (API key). Requests / min: 600 / min. Batch size max: 200. Use case: High-volume marketplaces, enterprise.
Partner (SLA tier). Requests / min: Negotiated. Batch size max: Negotiated. Use case: Strategic integrations, exchanges.
BADGE_NOT_FOUND. HTTP: 404. Meaning: Trust Code or wallet has no active badge.
TRUST_CODE_INVALID. HTTP: 400. Meaning: Malformed Trust Code — wrong format or prefix.
RATE_LIMIT_EXCEEDED. HTTP: 429. Meaning: Request rate exceeds tier limit — back off and retry.
AUTH_REQUIRED. HTTP: 401. Meaning: Endpoint requires API key or OAuth token not provided.
INSUFFICIENT_SCOPE. HTTP: 403. Meaning: OAuth token lacks required scope for this operation.
ESCROW_STATE_INVALID. HTTP: 409. Meaning: Operation not valid for current escrow state.
Uptime. Target: 99.9%. Notes: Measured monthly excluding scheduled maintenance.
Verification endpoint p99. Target: <200ms. Notes: Trust Code and wallet verification.
Escrow endpoint p99. Target: <500ms. Notes: Includes Polygon RPC call for state read.
Webhook delivery. Target: <5 seconds. Notes: From on-chain event confirmation to first delivery attempt.
SLA targets are aspirational design targets. Formal commitments will be established in the Nebula phase developer programme agreement with SotaTek confirmation of achievable parameters.
Official Chronimy SDKs wrap the REST API with idiomatic interfaces for each language. They handle authentication, request signing, error parsing, and retry logic so integrations can call verify(trustCode) in a single line. SDKs are open-source under MIT licence, maintained by SotaTek under the Nebula engagement, and published to standard package registries.
The badge widget resolves the Trust Code client-side, displays the appropriate tier badge with PRU coverage, and updates automatically if the badge tier changes. No API key required for the widget — it uses the public verification endpoint.
Integrations should never be built against production. The Chronimy sandbox environment mirrors all production API behaviour on the Polygon Amoy testnet — the standard EVM testnet that replaced Mumbai. Sandbox API keys are scoped separately and carry no real-world financial consequences. Badge upgrades, escrow flows, dispute submissions, and webhook delivery are all fully simulated.
Network. Sandbox: Polygon Amoy testnet. Production: Polygon PoS mainnet.
Base URL. Sandbox: https://sandbox-api.chronimy.com/v1. Production: https://api.chronimy.com/v1.
API Keys. Sandbox: Prefixed ck_test_.... Production: Prefixed ck_live_....
CNMY tokens. Sandbox: Test CNMY from faucet — no real value. Production: Real CNMY — real value.
KYC flow. Sandbox: Simulated — no real identity submission. Production: Didit.me live verification.
Webhooks. Sandbox: Delivered — identical format to production. Production: Delivered at-least-once, signed.
Part 4 defines the complete public interface layer of the Chronimy protocol. The API architecture makes trust portable — any marketplace, fintech, or B2B platform can integrate Chronimy verification in hours, not weeks. The webhook system ensures real-time badge state propagation across all integrations the moment anything changes on-chain. The SDK layer makes integration accessible regardless of developer background.
9.1. Title: API Architecture & Authentication. Key Deliverable: REST + WebSocket design, API key & OAuth 2.0, versioning strategy.
9.2. Title: Core Endpoints — Trust & Badge. Key Deliverable: Verify by Trust Code & wallet, batch verification, badge history.
9.3. Title: Core Endpoints — Escrow & Governance. Key Deliverable: Full escrow lifecycle, dispute submission, Glass Treasury reads, governance proposals.
9.4. Title: Webhooks — Full Event Catalogue. Key Deliverable: Badge, escrow & governance events, HMAC signature verification.
9.5. Title: Rate Limits, Errors & SLAs. Key Deliverable: Tier-based limits, error code catalogue, uptime & latency targets.
9.6. Title: SDKs. Key Deliverable: JavaScript, Python, Go, PHP — open-source MIT licence.
9.7. Title: Integration Examples. Key Deliverable: Marketplace check, escrow creation, webhook handler, badge widget.
9.8. Title: Sandbox & Testnet. Key Deliverable: Polygon Amoy testnet, simulated KYC, faucet, badge simulation.
Chronimy does not claim to have built proprietary AI. The AI Trust Layer follows a three-phase architecture that is honest about what exists today versus what will be built. At launch (Nebula phase), the layer uses established third-party AI APIs for anomaly detection. The path to hybrid and eventually proprietary models is defined — but not overstated. All materials reflect only what has been committed to build, not speculative capability.
Chronimy chose Polygon PoS as its single deployment chain after evaluating Ethereum mainnet, Arbitrum, Optimism, and Polygon zkEVM. The decision is architectural, not speculative: Polygon PoS is battle-tested (5+ years in production), has predictable and extremely low transaction costs, supports full EVM compatibility with no Solidity modifications, and has institutional-grade tooling including Hardhat, Foundry, and Chainlink. The multi-chain approach was explicitly retired — a single chain is a security and compliance advantage, not a limitation.
Consensus. Proof-of-Stake (Heimdall + Bor architecture). Validators commit checkpoints to Ethereum mainnet for additional security.
Block time. ~2 seconds. Transaction finality within seconds — critical for responsive badge and escrow state updates.
Gas token. POL (Polygon's native token, formerly MATIC). Transaction fees typically <$0.01 USD — enabling micro-transactions including CHF 3 Proof-of-Bank anchor to be economically viable.
EVM compatibility. Full EVM compatibility. All Ethereum Solidity contracts deploy without modification. Standard toolchain applies.
Chain ID. 137 (mainnet) · 80002 (Amoy testnet)
Chainlink availability. Full Chainlink oracle and VRF support on Polygon PoS — required for Rédeas vault keyholder selection protocol.
Audited standard libraries. Full library support. All Chronimy contracts use audited base contracts where applicable.
No system is trust-free. The Chronimy architecture moves trust to defensible, auditable, replaceable points. This table makes every external dependency visible — what we trust, what fails if it fails, and what mitigates the failure.
Polygon PoS. What we trust: Validator set, finality, EVM correctness. Failure mode: Network halt or reorg. Mitigation / decentralisation path: Live since 2020, hundreds of validators · L2 portability path documented.
Chainlink VRF. What we trust: Verifiable randomness for keyholder selection. Failure mode: Manipulated random output. Mitigation / decentralisation path: Cryptographic proof on every output · Aurora migrates to proprietary commit-reveal.
USDC (Circle). What we trust: Stablecoin redemption + reserve quality. Failure mode: Depeg or freeze. Mitigation / decentralisation path: Largest regulated issuer · Multi-stablecoin path at Aurora.
KYC provider (Didit.me). What we trust: Identity verification accuracy. Failure mode: False positives, service outage. Mitigation / decentralisation path: iDenfy fallback live · Both EU-jurisdiction.
SotaTek Vietnam. What we trust: Smart contract + platform implementation. Failure mode: Delivery failure or vulnerability. Mitigation / decentralisation path: Development Escrow with proof-of-work milestones · 4-of-7 Guardian Council release · Code escrow + secondary firm on retainer.
Guardian Council (4-of-7). What we trust: Threshold approval on releases. Failure mode: Collusion of 5 contributors. Mitigation / decentralisation path: VRF-selected from contributor pool · Skill-based seats · KYC-linked · Own funds at stake.
Smart contract code. What we trust: No undiscovered critical vulnerability. Failure mode: Exploitable bug. Mitigation / decentralisation path: Aurora platform contracts: dual professional audit · Phase-scaled bug bounty Genesis 2K → Supernova 100K (Nebula M10 launch) · Non-upgradeable Genesis Vault.
Swiss AG & Stiftung legal counsel. What we trust: FINMA Auskunftsverfahren outcome, deed integrity. Failure mode: Adverse FINMA classification. Mitigation / decentralisation path: Pre-Aurora filing · External counsel retained · MiCA Annex I review pre-Aurora.
Architect role holder. What we trust: Constitutional discipline · Section 0 compliance. Failure mode: Role holder breach. Mitigation / decentralisation path: Zero treasury access · Universal logging · Vision Guardian omniscient seat · Succession is operational (credential transfer).
Witness pool (Refer-3). What we trust: Genuine human verifiers. Failure mode: Coordinated Sybil ring. Mitigation / decentralisation path: Three witnesses required · KYC-verified · Witness reward tied to ongoing badge integrity · Refer-3 anti-Sybil enforcement.
Geographic exclusion (US/UK/Canada). What we trust: Four-layer enforcement (jurisdiction · IP · KYC · platform). Failure mode: Bypass attempt via VPN + forged KYC. Mitigation / decentralisation path: VPN detection flagged for manual review · KYC document rejection · Constitutional permanent policy (no waiver).
Infrastructure stack. What we trust: Non-US providers (Infomaniak · Hetzner · Bunny · Supabase EU). Failure mode: Provider outage or jurisdictional change. Mitigation / decentralisation path: Multiple redundant providers · Self-hosted alternatives documented · Switzerland-jurisdiction primary.
Reading this table is the single best way to understand where Chronimy is centralised by design (custody threshold, Chronimy, role holder) and where it is decentralised by architecture (token contracts, vesting, geographic exclusion). Every dependency has a documented decentralisation path or replacement candidate.
Every public-facing term carries a single canonical meaning. This glossary is the authoritative reference.
Module 1 — Verify Yourself. Identity layer shipping at Nebula. Get-to-Green · Trust Codes + Free Mini Card · Enhanced Profile · Full Profile.
Module 2 — Transact Safely. Transaction layer shipping at Pulsar. Pay Me · Verified Marketplace · Verify B2B (Pulsar 4a).
Module 3 — Trust at Scale. Scale layer shipping at Supernova. Mobile Native · Vault · DAO Activation · Enterprise API · Browser Extensions · Wall of Shame (Supernova 4b).
Module 4 — Verify Others. Cross-cutting B2B verification (Pulsar 4a + Supernova 4b).
Module 5 — Anti-Phishing. Real-time phishing detection workstream tracked separately. Free / Premium (CHF 2/mo add-on) / Enterprise tiers.
CNMY. Token ticker. 20B fixed supply. Polygon PoS only. Utility token.
PRU Vault. Platform-funded system-failure reserve. Not a guarantee. Capped at first 500K members; profit-replenished thereafter.
Collateral Provision Fee. A variable, discretionary share of monthly profit (up to 20%, no minimum) paid to collateral providers for the CNMY they lock into the operational reserve — paid only after that month’s member claims are covered and the PRU is restored. The platform funds it from residual profit up to a 20% ceiling; in high-claims months it falls toward zero. Staked capital is collateral at risk — a loss-absorbing backstop — and may be drawn down in tail events. Not conventional staking, and not a security: a variable service fee contingent on real loss events.
10-Way Profit Split. Constitutional split of all platform profit: 20% Collateral Provision Fee · 19% Member Growth · 13% Buyback (80% burn / 20% IPDF) · 12% Development · 8% Core Team & Ops · 14% PRU Replenishment · 5% Licensing · 4% IPDF · 3% DAO Governance · 2% Security & Compliance.
Phase Raise Split. 30/20/50 — content distribution (partner commission) / marketing / development. Distinct from 10-Way Profit Split.
Genesis Vault. Pre-Aurora Genesis vault. CHF 300 + CHF 1,000 split per pack. Non-upgradeable. Chainlink VRF keyholders.
Trust Codes. Identity- and reputation-bound authentication primitive (Patent #2). Public name is "Trust Codes". Never "Rotating Trust Codes".
Green Badge. Standard verified status. 10,000 CNMY total per badge: 500 airdrop + 300 verifier rewards (3×100) + 4,200 burned + 5,000 PRU vault.
Refer-3. Anti-Sybil enforcement: every new member requires three Green Badge witnesses to activate. Primary viral coefficient engine.
Mini Card. Three-state disclosure card (Free Mini Card · Enhanced Profile · Full Profile). Patent extension on Trust Codes architecture.
Trust Crest. Passive discovery surface. Standard tier (Enhanced) or Premium tier (Premium Membership).
Free Mini Card. CHF 0. Every Green Badge holder. Three-state disclosure.
Enhanced Profile. CHF 3/month. Extended profile, Trust Code history, Reveals quota, Trust Crest standard.
Premium Membership. CHF 20/month. Full feature suite, Anti-Phishing Premium included, Family Pack 5 accounts, unlimited checks/Reveals, custom domain, priority support, Founder badge, Module 2 fee discount.
Anti-Phishing Premium. CHF 2/month add-on for Enhanced Profile. Included in Premium Membership.
Architect. Constitutional role (not a person). Coordinates operational stack. Section 0 veto only on constitutional immutables. Zero treasury access.
Vision Guardian. Permanent constitutional seat from day one (separate from Council voting seats). Omniscient read access. AI Oversight publishes weekly integrity digest. 75% community vote required to remove. UNPAID — zero profit allocation. Architect compensation disclosed via separate streams (5% token vesting + IP-track licensing consideration + 5% post-launch revenue licence; nothing from community raises).
Guardian Council. 7 voting seats (skill-based: Security & Custody · Legal & Compliance · Technology & Protocol · Community & Trust · Finance & Treasury · Ecosystem & Growth · Member Protection). Vision Guardian is a separate constitutional seat outside the Council voting body (permanent, non-voting, omniscient read access). Selection at appropriate readiness gate. Members may also serve in operational team roles where skills overlap.
Quorum Guardians. 21–49 Gold Badge+ adjudicators. Separate from Guardian Council. Activate when dispute resolution operational (Module 2+).
Genesis. First fundraising phase. Genesis members contribute via the Genesis Vault and provide input on decentralisation timing.
Schedule B. Per-phase release schedule (Cat 1 operational expenses · Cat 2 phase reserve). Agreed before phase opens.
A serious technical reader will probe these four areas before forming a judgement. We name them, characterise the exposure, and document the mitigation.
The risk: A pure utility token with no holding incentive cycles fast — users acquire CNMY only at the moment of paying for a service, then sellers immediately liquidate. High velocity collapses price discovery. The mitigation: CNMY is not the payment medium. Members pay subscriptions in fiat (regulated payment partner) or USDC. CNMY is a sink — burned per Green Badge activation (4,200/badge), staked for LP compensation (locked positions, non-transferable), held for governance weight (1 badge = 1 vote, badge requires 5,000 CNMY in PRU vault). Velocity is structurally suppressed by the tokenomics, not asked of users to suppress it voluntarily.
The risk: Verification logs, dispute records, and Trust Code histories grow per member. On-chain storage of all this would balloon contract state and gas costs as user count rises. The mitigation: On-chain holds the minimum: badge ownership, vesting state, vault balances, governance votes. Off-chain holds the bulk: Trust Code check history, profile data, dispute documentation, Wall of Shame entries. The off-chain layer is universal-logged (Brain Section 0.2 — append-only, publicly readable), backed by IPFS content-addressing for immutability, and cross-anchored to Polygon at periodic checkpoints. State growth on-chain is bounded by member count × small fixed-size record, not member count × activity volume.
The risk: Audits find known bug classes; they do not prove the absence of bugs. Critical-path contracts (FounderVesting, DevelopmentEscrow, Genesis Vault, Rédeas Vault) handle multi-million CHF flows where a single re-entrancy or integer overflow is catastrophic. The mitigation: Aurora platform contracts undergo dual professional audit (CHF 150–200K budget allocated). Beyond audit: critical-path contracts also undergo formal verification using Certora or similar specification-based proving for invariants — fund conservation, access-control discipline, threshold integrity, time-lock enforcement. Bug bounty schedule (Genesis CHF 2K → Supernova CHF 100K, Nebula M10 launch) provides ongoing post-deployment incentive. Genesis Vault is non-upgradeable by constitutional design — this constrains the audit scope but eliminates upgrade-pattern attack surface entirely.
The risk: Maximum Extractable Value attacks — front-running, sandwiching, and back-running of pending transactions — are endemic on public blockchains. Token sales, vesting releases, and DAO votes are typical MEV targets. The mitigation: Polygon PoS has lower MEV intensity than Ethereum mainnet (faster finality, smaller mempool window). Token releases occur via vesting contracts that emit fixed amounts on fixed schedules — there is no auction surface to extract value from. Liquidity contributions to the public market post-listing use commit-reveal or TWAP execution to neutralise MEV-bot attacks. Governance votes are batch-processed at epoch boundaries, removing the per-transaction race condition that creates MEV opportunity. Where MEV cannot be fully eliminated, it is publicly documented (Brain Section 0.2 universal logging) so that any extracted value is visible and attributable.
This document is provided for informational purposes only. It does not constitute financial, legal, investment, or tax advice. It is not an offer to sell or solicitation to buy any security or financial instrument.
CNMY is a utility token. It is designed to function as a utility token under the FINMA and MiCA frameworks in which Chronimy Holdings AG operates. Formal legal opinion (W9 — qualified external legal counsel) is a hard pre-launch gate. It has not been registered under the US Securities Act 1933, FSMA 2000, MiCA, or any other securities regime.
Not available to US persons (Regulation S, Rule 902(k)), UK residents, Canadian residents, or Chinese residents. Geographic exclusion is enforced architecturally — at IP, KYC document, and platform layer — and is permanent constitutional policy.
Forward-looking statements, projections, and modelled outcomes are illustrative only, based on internal assumptions, and may differ materially from actual results.