Non-custodial
duly never holds your keys or controls your wallet. Funds sit in per-order vaults released only through team approval or contributor claim.
Security
duly locks USDC before work starts, gates every release on approval, and logs a full audit trail from funding to claim.
Auditable by design
Every order state change is permanent and verifiable. Funding, approvals, and payouts are all traceable.
Defense in depth
10 independent security layers protect every request, from rate limiting to replay protection.
Funded before work
USDC is locked before any contributor can accept. Both sides see proof of funds.
Approval gates every release
Fund release requires team approval or a configured agent. Contributors claim only what's been approved.
Deadlines enforced by protocol
Accept-by and complete-by timestamps are enforced on every action. Anyone can mark expired orders as refund-eligible.
Escrow mechanism
How the escrow protects both sides
Each order creates a dedicated USDC vault owned by a program-derived account (PDA). No human keypair controls the vault. Funds move through a strict sequence.
Fund
Team transfers USDC to the order vault. Protocol fee goes to a separate treasury vault.
Release
On approval, the contributor claims USDC from the vault to their wallet. PDA signs the transfer.
Refund
On cancellation or expiry, unapproved funds return to the team. PDA signs the refund.
Fee snapshot
Fee rate is captured at first funding and locked for the order lifetime. Config changes cannot affect active orders.
Budget invariants (enforced on every mutation)
funded_amount <= total_budget
approved_amount <= funded_amount
claimed_amount <= approved_amount
refund_amount <= funded_amount
claimed_amount + refund_amount <= funded_amount
Authorization
Who can sign what
Both teams and contributors choose a control mode that determines who can sign each instruction. Modes are stored on-chain and enforced by the program.
Human (mode 1)
Only your wallet signs. Default for new accounts. You approve every action manually.
Agent (mode 2)
A software agent signs on your behalf. For teams and contributors using AI or bot automation.
Mixed (mode 0)
Either you or your agent can sign. Best for gradual automation adoption.
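An added example, not duly's program code, modelling the escrow mechanism and the control modes described above in Python: a per-order vault whose fund, approve, claim and refund instructions each check the five budget invariants before committing, a fee rate snapshotted at first funding, and a signer check driven by the party's control mode. The names (Order, Party, EscrowError, MODE_*, demo_flow), the basis-point fee encoding, the choice to charge the fee on top of the funded amount, and the placeholder account names are assumptions for illustration; the real program runs on Solana and its account layout is not shown on this page.

```python
from __future__ import annotations
from dataclasses import dataclass, replace

MODE_MIXED, MODE_HUMAN, MODE_AGENT = 0, 1, 2  # control modes as the page lists them
BPS_DENOM = 10_000  # assumption: the fee rate is expressed in basis points


class EscrowError(Exception):
    """An instruction failed authorization or would violate a budget invariant."""


@dataclass
class Party:
    wallet: str
    agent: str | None = None
    mode: int = MODE_HUMAN  # default for new accounts

    def may_sign(self, signer: str) -> bool:
        # Which keys may sign for this party depends on its stored control mode.
        allowed = {MODE_HUMAN: (self.wallet,), MODE_AGENT: (self.agent,),
                   MODE_MIXED: (self.wallet, self.agent)}.get(self.mode)
        if allowed is None:
            raise EscrowError(f"unknown control mode {self.mode}")
        return signer in allowed


@dataclass
class Order:
    team: Party
    contributor: Party
    total_budget: int            # all amounts in USDC base units (1e-6 USDC)
    complete_by: int             # unix timestamp; expiry refunds allowed after it
    funded_amount: int = 0
    approved_amount: int = 0
    claimed_amount: int = 0
    refund_amount: int = 0
    vault: int = 0               # USDC currently held in the order vault
    treasury_fee: int = 0        # protocol fee forwarded to the treasury vault
    fee_bps: int | None = None   # snapshot taken at first funding

    def _check_invariants(self) -> None:
        f, a, c, r = self.funded_amount, self.approved_amount, self.claimed_amount, self.refund_amount
        checks = {
            "funded_amount <= total_budget": f <= self.total_budget,
            "approved_amount <= funded_amount": a <= f,
            "claimed_amount <= approved_amount": c <= a,
            "refund_amount <= funded_amount": r <= f,
            "claimed_amount + refund_amount <= funded_amount": c + r <= f,
            "vault balance matches ledger": self.vault == f - c - r,
        }
        for name, ok in checks.items():
            if not ok:
                raise EscrowError(f"invariant violated: {name}")

    def _commit(self, **changes) -> None:
        # Atomic like an on-chain instruction: validate the candidate state, then commit it.
        candidate = replace(self, **changes)
        candidate._check_invariants()  # raises before any field changes
        self.__dict__.update(candidate.__dict__)

    def _require(self, party: Party, signer: str, amount: int) -> None:
        if not party.may_sign(signer):
            raise EscrowError(f"{signer!r} may not sign for this party (mode {party.mode})")
        if amount <= 0:
            raise EscrowError("amount must be positive")

    def fund(self, signer: str, amount: int, current_fee_bps: int) -> None:
        self._require(self.team, signer, amount)
        fee_bps = current_fee_bps if self.fee_bps is None else self.fee_bps  # first-funding snapshot
        fee = amount * fee_bps // BPS_DENOM  # assumption: fee is charged on top of the amount
        self._commit(fee_bps=fee_bps, funded_amount=self.funded_amount + amount,
                     vault=self.vault + amount, treasury_fee=self.treasury_fee + fee)

    def approve(self, signer: str, amount: int) -> None:
        self._require(self.team, signer, amount)
        self._commit(approved_amount=self.approved_amount + amount)

    def claim(self, signer: str, amount: int) -> None:
        self._require(self.contributor, signer, amount)
        self._commit(claimed_amount=self.claimed_amount + amount, vault=self.vault - amount)

    def refund(self, now: int, cancelled: bool = False) -> int:
        # Unapproved funds return to the team on cancellation or once complete_by has passed
        # (who may trigger the cancellation itself is not modelled here).
        if not cancelled and now <= self.complete_by:
            raise EscrowError("order is neither cancelled nor expired")
        refundable = self.funded_amount - self.approved_amount - self.refund_amount
        if refundable <= 0:
            raise EscrowError("nothing to refund")
        self._commit(refund_amount=self.refund_amount + refundable, vault=self.vault - refundable)
        return refundable


def demo_flow() -> Order:
    # Constructed walk-through with placeholder account names, not real addresses.
    team = Party(wallet="team-wallet", agent="team-bot", mode=MODE_MIXED)
    contributor = Party(wallet="dev-wallet")  # human mode: only the wallet signs
    order = Order(team=team, contributor=contributor,
                  total_budget=1_000_000_000, complete_by=1_700_000_000)
    order.fund("team-wallet", 600_000_000, current_fee_bps=250)  # 2.5% rate snapshotted
    order.fund("team-bot", 400_000_000, current_fee_bps=500)     # later config change ignored
    order.approve("team-bot", 700_000_000)
    order.claim("dev-wallet", 500_000_000)
    order.refund(now=1_700_000_001)  # expired: the 300 USDC never approved return to the team
    return order
```

The `_commit` helper is the point of the model: every mutation is validated as a whole candidate state and either lands completely or not at all, which is how a failed on-chain instruction behaves. Note that the walk-through funds 400 USDC at a changed config rate and still pays the snapshotted 2.5%, and that the contributor's 200 USDC of approved-but-unclaimed funds stay in the vault after the expiry refund.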
Safeguards
Infrastructure
10 layers protecting every request
CSRF protection
Double-submit cookie pattern. 7-day token TTL. Constant-time comparison.
Rate limiting
Token bucket algorithm. Per-IP bucketing. 39 protected endpoints.
Replay protection
Single-use transaction signatures. 5-minute TTL. Consumed via backend.
Session auth
HMAC-SHA256 signed tokens. httpOnly cookies. 12-hour TTL.
Password hashing
Scrypt with per-user 16-byte random salt. Timing-safe comparison.
Agent auth
Bearer token plus nonce plus timestamp. 90-second skew tolerance.
Indexer auth
HMAC-SHA256 signed payloads. Nonce consumption. 60-second skew.
Transaction allowlist
Only approved Solana programs can be called through the relayer.
Same-origin validation
Origin and Referer header checks against configured allowlist.
HTTP headers
X-Content-Type-Options, X-Frame-Options, Referrer-Policy on all responses.
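An added example, not duly's backend code, showing in Python the shape the page gives for indexer auth (HMAC-SHA256 signed payloads, nonce consumption, a clock-skew window) and, in outline, for agent auth and replay protection: a verifier that rejects stale timestamps, checks the MAC in constant time, and only then consumes the nonce. The canonical encoding, the class and function names, the in-memory nonce store, the shared secret and the sample payload are assumptions; the order id is a placeholder.

```python
from __future__ import annotations
import hashlib
import hmac
import json
import time


class AuthError(Exception):
    """Request rejected: stale, unsigned, tampered or replayed."""


class SignedRequestVerifier:
    """Verifies HMAC-SHA256 signed payloads that carry a nonce and a unix timestamp."""

    def __init__(self, secret: bytes, skew_seconds: int, now=time.time):
        self.secret = secret
        self.skew = skew_seconds
        self.now = now                          # injectable clock for testing
        self.consumed: dict[str, float] = {}    # nonce -> expiry; stand-in for a shared store

    @staticmethod
    def canonical(body: dict, nonce: str, timestamp: int) -> bytes:
        # Deterministic encoding so the MAC covers body, nonce and timestamp together.
        msg = {"body": body, "nonce": nonce, "ts": timestamp}
        return json.dumps(msg, sort_keys=True, separators=(",", ":")).encode()

    def sign(self, body: dict, nonce: str, timestamp: int) -> str:
        return hmac.new(self.secret, self.canonical(body, nonce, timestamp), hashlib.sha256).hexdigest()

    def verify(self, body: dict, nonce: str, timestamp: int, signature: str) -> bool:
        now = self.now()
        # 1. Freshness: anything outside the skew window is rejected, which also bounds
        #    how long consumed nonces must be remembered.
        if abs(now - timestamp) > self.skew:
            raise AuthError("timestamp outside skew window")
        # 2. Integrity: constant-time comparison against the expected MAC.
        if not hmac.compare_digest(self.sign(body, nonce, timestamp), signature):
            raise AuthError("bad signature")
        # 3. Replay: consume the nonce only after the MAC checks out, so an unauthenticated
        #    sender cannot burn nonces on behalf of a legitimate caller.
        self._purge(now)
        if nonce in self.consumed:
            raise AuthError("nonce already consumed")
        self.consumed[nonce] = now + 2 * self.skew
        return True

    def _purge(self, now: float) -> None:
        for stale in [n for n, expiry in self.consumed.items() if expiry <= now]:
            del self.consumed[stale]


def demo_exchange() -> dict[str, str]:
    # Constructed exchange: one valid call, then a replay, a tampered body and a stale request.
    clock = {"t": 1_700_000_000}
    verifier = SignedRequestVerifier(b"constructed-shared-secret", skew_seconds=60,
                                     now=lambda: clock["t"])
    body = {"event": "order_funded", "order": "ORDER-ID-PLACEHOLDER", "amount": 1_000_000}

    def attempt(b: dict, nonce: str, ts: int, sig: str) -> str:
        try:
            verifier.verify(b, nonce, ts, sig)
            return "accepted"
        except AuthError as e:
            return f"rejected: {e}"

    ts = clock["t"]
    sig = verifier.sign(body, "nonce-1", ts)
    results = {"first": attempt(body, "nonce-1", ts, sig)}
    results["replay"] = attempt(body, "nonce-1", ts, sig)
    tampered = dict(body, amount=9_000_000)
    results["tampered"] = attempt(tampered, "nonce-2", ts, verifier.sign(body, "nonce-2", ts))
    clock["t"] += 61  # receiver's clock moves past the 60-second window
    results["stale"] = attempt(body, "nonce-3", ts, verifier.sign(body, "nonce-3", ts))
    return results
```

The check order matters: the timestamp check runs first so that the nonce store only ever needs to cover one skew window, and the nonce is consumed last so that the store cannot be filled by anyone who does not hold the key. In production the nonce store would be shared across backend instances; the in-memory dictionary here is a stand-in.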
Payment flow
01 Fund order
02 Contributor submits delivery
03 Team approves
04 Contributor claims USDC
Every payout is verifiable from funding to claim.
Secure by design. Simple by default.