On-Chain Protocol Β· Live & Mainnet-Ready

The Protocol

Gold-backed tokens, verifiable reserves, and compliant transfers β€” enforced on-chain and governed by role-based access control.

Goldie is a protocol for representing physical precious metals on-chain. Instead of one monolithic token, a factory deploys a dedicated, self-contained ecosystem for each issuer's token β€” so every issuer keeps control of their own supply, compliance rules, and reserve attestations.

Three guarantees are enforced by the contracts themselves: tokens can only move between compliant, verified parties; supply is backed by attested physical reserves; and holders can redeem tokens back for the underlying metal through a transparent, escrowed process.

Architecture

One factory transaction spins up a complete, isolated token ecosystem.

🏭

TokenFactory

A single createToken() call deploys a complete, isolated ecosystem per token β€” token, access manager, identity registry, compliance checker, backing verifier, timelock, and redemption manager β€” using CREATE2 for deterministic addresses.

πŸͺ™

PreciousMetalToken

A gold-backed ERC-20 carrying on-chain metadata (purity, weight unit, mint cap). Every transfer is checked against the compliance layer, and supply is minted or burned only by authorized roles.

πŸ”

Access Managers

OpenZeppelin AccessManager-based RBAC with a clean split between platform-wide roles and per-token roles (minter, burner, reserve attester, redemption operator, and more), with timelocks on sensitive actions.

βš–οΈ

Identity & Compliance

An identity registry (KYC / jurisdiction status) plus a compliance checker that enforces allowlists, balance caps, daily volume limits, and jurisdiction rules on every transfer.

βœ…

Backing Verifier

Proof of Reserve on-chain: a reserve attester commits the backing amount, a keccak256 document hash, and a Merkle bar-list root, with configurable staleness enforcement.

πŸ”„

Redemption Manager

An escrow-based redemption lifecycle: holders request a redemption, tokens are held in escrow, and an operator fulfils (burning the tokens) or cancels (returning them).

Governance & Access Control

Every privileged action is gated by an explicit on-chain role β€” with separation of duties enforced from the platform down to each individual token.

🧱

Two-tier access control

A platform-level AccessManager governs the protocol, while every token gets its own dedicated AccessManager β€” so an issuer runs their token without ever touching platform governance.

⏳

Timelocked sensitive actions

High-impact operations such as upgrades and admin changes route through a timelock, giving stakeholders a visible, on-chain delay to review before anything can take effect.

πŸ”‘

Safe multisig for sensitive roles

Sensitive roles are assigned to Safe multisig approval groups with an M-of-N signing threshold, so no single key can unilaterally mint, upgrade, or reconfigure a token.

🎯

Least privilege by design

Each capability β€” mint, burn, attest, pause, redeem β€” is its own granular role. Operators are granted exactly what they need and nothing more.

πŸ›‘οΈ

Guarded upgradeability

Contracts use OpenZeppelin UUPS upgrades, gated behind admin roles and per-token timelocks, so logic can evolve without ever compromising custody.

🧾

Fully auditable

Every grant, revoke, and scheduled operation emits an on-chain event indexed by the subgraph β€” a complete, public record of who can do what, and when it changed.

πŸ”

Sensitive roles are secured by Safe multisig

Any role marked Sensitive cannot be granted to a single key. It is assigned to a Safe multisig approval group with an M-of-N signing threshold β€” so high-impact actions like minting, burning, upgrades, and admin changes require multiple independent approvals before they can execute on-chain.

Platform roles

PlatformAccessManager

πŸ‘‘
ADMIN_ROLESensitive

Root AccessManager admin β€” function-to-role mappings, role admins, and delays.

βš™οΈ
PLATFORM_ADMINSensitive

Role administrator and platform-wide configuration.

πŸͺͺ
ISSUER_REGISTRAR

Register, reactivate, and migrate issuers.

βœ…
COMPLIANCE_OFFICERSensitive

Suspend / revoke issuers and delist / relist tokens.

Per-token roles

TokenAccessManager Β· scoped to each token

πŸ‘‘
ADMIN_ROLESensitive

Root token admin β€” clawback, satellite wiring, upgrades, redemption config.

βš™οΈ
TOKEN_ADMINSensitive

Role administrator β€” grants and revokes the roles below.

πŸͺ™
MINTERSensitive

Mint new tokens.

πŸ”₯
BURNERSensitive

Burn / forceBurn for redemption settlement.

🏦
TREASURY_MANAGERSensitive

Set the mint cap and treasury.

πŸͺͺ
IDENTITY_REGISTRAR

Investor identity β€” verify, block, jurisdiction.

βœ…
COMPLIANCE_OFFICER

Compliance policy plus freeze / unfreeze.

⏸️
PAUSER

Pause / unpause the token.

πŸ”
RESERVE_ATTESTER

Attest reserves (proof of reserve).

πŸ”’
HOLD_AGENT

Place / release holds (escrow).

πŸ”
REDEMPTION_OPERATOR

Fulfill / cancel redemptions.

Proof of Reserve

On-chain commitments anchor off-chain custody evidence β€” independently verifiable.

Commit on-chain, prove off-chain

The chain stores only compact commitments β€” a reserve amount, a document hash, and a Merkle root. The full custody reports and bar lists live off-chain (IPFS / object storage) and are anchored by those hashes.

Merkle bar lists

Each physical bar becomes a leaf: keccak256("serial|weightMg|purityPpm"), combined with OpenZeppelin sorted-pair hashing so an inclusion proof verifies identically on-chain and off-chain.

Attested by a dedicated role

Only a RESERVE_ATTESTER may call attestReserves(amount, documentHash, barListRoot, documentURI), emitting a public ReservesAttested event that anyone can audit.

Freshness guarantees

Attestations expire past a configurable staleness threshold, so consumers can detect when a token's reserve proof is out of date rather than trusting it blindly.

How It Flows

Every step emits an event indexed by the subgraph β€” a complete, public audit trail.

Issuance

registerIssuer
createToken
mint (role-gated)

Compliant transfer

transfer()
canTransfer
identity + caps + jurisdiction
settle

Redemption

requestRedeem (escrow)
fulfillRedeem (burn)
or cancel (return)

Deployed Contracts

Deployed and independently verifiable on Ethereum β€” running live today and architected for mainnet. Every address links to Etherscan.

A complete token ecosystem β€” all seven contracts below are deployed in a single factory transaction, each one a dedicated on-chain module for this individual token:

Built On

πŸ“œ

Solidity contracts using audited OpenZeppelin standards

πŸ§ͺ

Built and tested with Foundry

πŸ›‘οΈ

UUPS-upgradeable modules with per-token timelocks

πŸ”—

Chainlink oracle integration for gold (XAU/USD) pricing

πŸ“Š

The Graph subgraph indexing every contract event

🌐

Deployed on Ethereum Sepolia β€” mainnet-ready architecture

Build on Goldie

Whether you're an issuer bringing physical metal on-chain, a vault or auditor joining the proof-of-reserve flow, or a developer integrating gold-backed assets β€” the protocol is open and verifiable.

Get in Touch