Goldie is a protocol for representing physical precious metals on-chain. Instead of one monolithic token, a factory deploys a dedicated, self-contained ecosystem for each issuer's token β so every issuer keeps control of their own supply, compliance rules, and reserve attestations.
Three guarantees are enforced by the contracts themselves: tokens can only move between compliant, verified parties; supply is backed by attested physical reserves; and holders can redeem tokens back for the underlying metal through a transparent, escrowed process.
Architecture
One factory transaction spins up a complete, isolated token ecosystem.
TokenFactory
A single createToken() call deploys a complete, isolated ecosystem per token β token, access manager, identity registry, compliance checker, backing verifier, timelock, and redemption manager β using CREATE2 for deterministic addresses.
PreciousMetalToken
A gold-backed ERC-20 carrying on-chain metadata (purity, weight unit, mint cap). Every transfer is checked against the compliance layer, and supply is minted or burned only by authorized roles.
Access Managers
OpenZeppelin AccessManager-based RBAC with a clean split between platform-wide roles and per-token roles (minter, burner, reserve attester, redemption operator, and more), with timelocks on sensitive actions.
Identity & Compliance
An identity registry (KYC / jurisdiction status) plus a compliance checker that enforces allowlists, balance caps, daily volume limits, and jurisdiction rules on every transfer.
Backing Verifier
Proof of Reserve on-chain: a reserve attester commits the backing amount, a keccak256 document hash, and a Merkle bar-list root, with configurable staleness enforcement.
Redemption Manager
An escrow-based redemption lifecycle: holders request a redemption, tokens are held in escrow, and an operator fulfils (burning the tokens) or cancels (returning them).
Governance & Access Control
Every privileged action is gated by an explicit on-chain role β with separation of duties enforced from the platform down to each individual token.
Two-tier access control
A platform-level AccessManager governs the protocol, while every token gets its own dedicated AccessManager β so an issuer runs their token without ever touching platform governance.
Timelocked sensitive actions
High-impact operations such as upgrades and admin changes route through a timelock, giving stakeholders a visible, on-chain delay to review before anything can take effect.
Safe multisig for sensitive roles
Sensitive roles are assigned to Safe multisig approval groups with an M-of-N signing threshold, so no single key can unilaterally mint, upgrade, or reconfigure a token.
Least privilege by design
Each capability β mint, burn, attest, pause, redeem β is its own granular role. Operators are granted exactly what they need and nothing more.
Guarded upgradeability
Contracts use OpenZeppelin UUPS upgrades, gated behind admin roles and per-token timelocks, so logic can evolve without ever compromising custody.
Fully auditable
Every grant, revoke, and scheduled operation emits an on-chain event indexed by the subgraph β a complete, public record of who can do what, and when it changed.
Sensitive roles are secured by Safe multisig
Any role marked Sensitive cannot be granted to a single key. It is assigned to a Safe multisig approval group with an M-of-N signing threshold β so high-impact actions like minting, burning, upgrades, and admin changes require multiple independent approvals before they can execute on-chain.
Platform roles
PlatformAccessManager
ADMIN_ROLESensitiveRoot AccessManager admin β function-to-role mappings, role admins, and delays.
PLATFORM_ADMINSensitiveRole administrator and platform-wide configuration.
ISSUER_REGISTRARRegister, reactivate, and migrate issuers.
COMPLIANCE_OFFICERSensitiveSuspend / revoke issuers and delist / relist tokens.
Per-token roles
TokenAccessManager Β· scoped to each token
ADMIN_ROLESensitiveRoot token admin β clawback, satellite wiring, upgrades, redemption config.
TOKEN_ADMINSensitiveRole administrator β grants and revokes the roles below.
MINTERSensitiveMint new tokens.
BURNERSensitiveBurn / forceBurn for redemption settlement.
TREASURY_MANAGERSensitiveSet the mint cap and treasury.
IDENTITY_REGISTRARInvestor identity β verify, block, jurisdiction.
COMPLIANCE_OFFICERCompliance policy plus freeze / unfreeze.
PAUSERPause / unpause the token.
RESERVE_ATTESTERAttest reserves (proof of reserve).
HOLD_AGENTPlace / release holds (escrow).
REDEMPTION_OPERATORFulfill / cancel redemptions.
Proof of Reserve
On-chain commitments anchor off-chain custody evidence β independently verifiable.
Commit on-chain, prove off-chain
The chain stores only compact commitments β a reserve amount, a document hash, and a Merkle root. The full custody reports and bar lists live off-chain (IPFS / object storage) and are anchored by those hashes.
Merkle bar lists
Each physical bar becomes a leaf: keccak256("serial|weightMg|purityPpm"), combined with OpenZeppelin sorted-pair hashing so an inclusion proof verifies identically on-chain and off-chain.
Attested by a dedicated role
Only a RESERVE_ATTESTER may call attestReserves(amount, documentHash, barListRoot, documentURI), emitting a public ReservesAttested event that anyone can audit.
Freshness guarantees
Attestations expire past a configurable staleness threshold, so consumers can detect when a token's reserve proof is out of date rather than trusting it blindly.
How It Flows
Every step emits an event indexed by the subgraph β a complete, public audit trail.
Issuance
Compliant transfer
Redemption
Deployed Contracts
Deployed and independently verifiable on Ethereum β running live today and architected for mainnet. Every address links to Etherscan.
0xf8a6b9110a81f4eb3c5a91326ff95368a0098b060x260a2eb2e9d84fe7c30b3ff9a1652d8397fd4aeb0x454dc47df3afba6910a709feb96ac40f331232830xbf7df7ed8529614d79f735d95cd358e8888acabf0xa8986cbE060aC324fbAD9153d51334F0cb593C14A complete token ecosystem β all seven contracts below are deployed in a single factory transaction, each one a dedicated on-chain module for this individual token:
0x32C1e9288D9Fe565837890F6F94cF88DC4E5a5C80x6817266150dC46D476842f5856EC4BE9C46542a90x4d6965bC7eB2b48aA19536CA7E8B2DE81310Ae6A0x4Fa3571fb366D9BF80e7818103f91F0eF9c7c9480x1b2Fdd3CEf2674910Ac9a05757c672A2994F091D0xcd103d470EfE36f573e1cD4EBFa01A7448B988130x2df349fD84c23bF4606822C76337c4C60b54cE8DBuilt On
Solidity contracts using audited OpenZeppelin standards
Built and tested with Foundry
UUPS-upgradeable modules with per-token timelocks
Chainlink oracle integration for gold (XAU/USD) pricing
The Graph subgraph indexing every contract event
Deployed on Ethereum Sepolia β mainnet-ready architecture
Build on Goldie
Whether you're an issuer bringing physical metal on-chain, a vault or auditor joining the proof-of-reserve flow, or a developer integrating gold-backed assets β the protocol is open and verifiable.
Get in Touch