Who can act, what every control does, and where trust still lives.

Formation splits authority across distinct, named wallets and enforces the split on-chain. Below is the whole model in plain English, plus an honest map of the one place it can still be gamed.

Four labels, used everywhere.

Cryptography proves provenance: who signed, that nothing was altered. It does not prove the truth of an off-chain statement. That distinction is why a milestone is attested, never enforced.

• enforced: The program guarantees it. No party can bypass it, not even the platform. (Math / on-chain rules)
• attested: A specific, named party cryptographically signed that an off-chain fact is true. (An accountable human's signature)
• disclosed: Stated up front and written on-chain, but not yet machine-enforced. (Visibility + reputation)
• unverified: A bare claim with no backing. (Nothing)

Six roles. Separate keys. No one can stand in for another.

Issuer ≠ verifier ≠ platform. The separation is the trust model, and the program enforces it by pinned pubkey.

• Operator: Formation itself, the company running the app.
  Can: Bootstrap the deal account and pay rent.
  Can't: Custody funds, touch the bond, or sign any consequential act.
• Issuer: The founder or company raising capital.
  Can: Close the round, post a bond, register documents.
  Can't: Move money from the vault or change the terms after close.
• Verifier: An independent third party: auditor, counsel, or committee.
  Can: Sign attestations, gate eligibility, queue releases, resolve challenges.
  Can't: Redirect a release to themselves or change a slash destination.
• Investor: Someone committing capital into escrow.
  Can: Commit USDC, claim a refund, claim their position.
  Can't: Have their committed funds moved at anyone's discretion.
• Challenger: An investor who flags a problem (must hold a position).
  Can: Open a challenge that freezes every release at once.
  Can't: Spam challenges, because opening one requires real skin in the game.
• Beneficiary: A pre-named escrow or investor-committee account.
  Can: Receive a slashed bond at the pinned payout address.
  Can't: Be changed after the bond is posted.

A raise that can't change the rules after you're in.

1. 01. The raise opens (Raising)
   Terms are hashed and frozen on-chain: floor, ceiling, deadline, lockups, use of proceeds. Investors commit real USDC into a program-owned vault, not the issuer's wallet.
   Investor commits · Issuer may post a bond
2. 02. The deadline closes the round (Raising → Funded / Failed)
   After the deadline the issuer closes. It succeeds only if the floor was met. If it wasn't, the deal closes failed and every investor can pull a full refund. No discretion either way.
   Issuer signs the close
3. 03. Milestones are verified, releases queued (Funded)
   The verifier attests each milestone, then queues a release that pins the exact amount and recipient and starts a timelock. This moves zero dollars. It opens a visible challenge window.
   Verifier attests & queues
4. 04. Money moves, or stays frozen (Funded)
   Once the timelock elapses with no open challenge, anyone can push the pre-authorized transfer to the pinned recipient. A single open challenge freezes every release until it resolves.
   Permissionless to execute · Investor can challenge

Every mechanism, and exactly what backs it.

Setting up the raise

• Escrow vault [enforced]: A program-owned vault holds investor USDC. No human holds the key, so the platform is structurally not a custodian.
• Terms hash [enforced, disclosed]: A fingerprint of the full terms is frozen on-chain at creation, so nobody can silently rewrite them. Anyone can re-hash and check.
• Eligibility gate [enforced, attested]: On private rounds the program rejects any commit the verifier hasn't signed off. No PII on-chain, only a credential hash.

Taking the money

• Commit [enforced]: An investor moves real USDC into the vault for a non-transferable Subscription recording their stake.
• Close [enforced]: Success only if the floor is met by the deadline, otherwise it closes failed. Issuer-signed, no partial allocation.
• Refund [enforced]: On a failed deal each investor pulls their USDC back. The issuer cannot block it; double-claims are impossible.

Proving things & moving money out

• Document registry [attested]: Anchors a fingerprint of any document on-chain as evidence, without publishing the file itself.
• Attestation [attested]: The verifier signs that an off-chain fact is true. The chain proves who signed, never that the statement is true.
• Milestone release [enforced, attested]: Two steps with a timelock between: queue pins amount + recipient, execute settles after the challenge window. Funds can't be redirected.

Keeping the issuer honest

• Challenge [enforced]: Any committed investor can freeze every release with one challenge until the verifier resolves it.
• Issuer bond [enforced]: The issuer locks their own slashable USDC before close. There is no instruction to pull it back at will.

Protecting investors after the raise

• Vesting [enforced]: Team tokens unlock on a cliff schedule funded up front. No manual issuer-withdrawal path exists.
• Position & LP locks [enforced]: Positions stay locked until the lockup elapses; pooled liquidity is timelocked and challenge-gated.
• Transfer caps [enforced]: The instrument is frozen-by-default Token-2022; a transfer hook caps per-transfer size and rolling velocity.

Where trust still lives.

Formation makes the parts that can be enforced on-chain enforceable by default, and makes the remaining off-chain assumptions explicit, visible, and accountable. It does not claim nothing can go wrong.

Enforced trustlessly

No party can bypass these, not even the platform.

• Custody & refund-on-failure
• Timelocked two-step release
• Release blocked by any open challenge
• Vesting, LP & position locks
• Frozen-by-default transfers + size/velocity caps
• The bond's issuer-can't-pull-it-back property

The two-wallet problem

The program enforces that the verifier signed, but it cannot prove the verifier is truly independent of the issuer. Signatures prove provenance, never identity. We don't pretend otherwise. We defend it in layers:

• Identity binding: a wallet tied to a KYB'd entity (Solana Attestation Service)
• Visible separation: issuer and verifier are distinct, named pubkeys
• The challenge layer: any committed investor can freeze releases
• The issuer bond: real, slashable capital makes self-dealing costly
• Reputation: verifiers build public track records