Verify, don’t trust
In money infrastructure, “trust us” is not good enough.
Every trust claim we make ships with a proof the reader can check themselves — offline, without trusting our database or our word. “Verify, don’t trust” is not a slogan here. It is a set of things you can actually run.
That bar is higher than most fintech tooling sets for itself. Dashboards report. APIs assert. Terms of service ask you to believe. When the subject is equity attribution or contribution splits, belief is the wrong instrument. You need something you can recompute a result, re-verify its signature, and re-walk its hash chain without asking permission.
Why “trust me” fails in money and equity
Partnership economics are not a product feature. They are the relationship. When one party controls the ledger of who contributed what, or who is owed what share, the other party is not a partner — they are a counterparty waiting on a report.
That arrangement fails in predictable ways.
- Asymmetry of evidence. The party who runs the spreadsheet owns the narrative. The other side can ask questions; they cannot independently recompute the answer.
- Silent drift. Model versions change. Inputs get restated. A share that was 40% last quarter becomes 37% with a quiet rationale. Without a signed, versioned result, there is nothing to point at later.
- Dispute cost. Once money is on the table, memory and goodwill are not enough. The conversation shifts from growth to proof. Lawyers appear. The partnership that was supposed to compound starts consuming attention.
- Audit theater. Export a CSV. Attach a PDF. Hope the auditor accepts the export as ground truth. That is not verification. That is documentation of a claim.
None of this requires bad faith. It only requires imperfect memory, diverging incentives, and a system that cannot be checked from the outside. In equity and contribution attribution, that is the default. It should not be.
What verifiable actually means
Verifiable means you can take the artifact, leave our servers, and still know whether it is intact. Two concrete mechanisms do that work for attribution.
Signed results. Fifty50 — our equity and contribution-attribution engine — signs every finalized split with an ed25519 signature. The signature covers the partnership, the model version, and each partner’s share. Anyone can verify that signature offline against our published public key. The verifier is standalone: Python standard library plus the cryptography package. Nothing phones home. If the signature checks, the split is the one we produced under that model version. If it does not check, something changed or someone is presenting a forgery. You do not need our database to decide which.
Tamper-evident history. A partnership’s contribution history is a hash chain. Each event is cryptographically linked to the one before it. Edit an old entry, reorder events, or delete a record, and the chain breaks. The break is detectable by anyone who re-walks the hashes. We host a standalone verifier for that chain as well. Same idea: take the data, run the check yourself, trust the math rather than the host.
Together those two properties answer the questions that matter in a dispute: Is this the split that was finalized? Has the contribution record been altered since? You get answers without asking us to re-export anything under oath.
Who vouches for the signing key
Signed results only help if you know the key that signed them is the key you expect. Most systems skip this step. They publish a public key on a website and ask you to believe the site was not compromised, the key was not rotated quietly, and the operator did not swap it under pressure.
That is still a trust claim. We close it with an on-ledger root.
The attribution signing key is anchored on the XRP Ledger. Our checkout wallet — an on-ledger XRPL account — has cryptographically signed a statement that vouches for that key. The key that signs your split therefore inherits an on-ledger root of trust. If anyone swapped the attribution key, the voucher signature would stop verifying against what is on the ledger. Forging the voucher requires the wallet’s private key. We do not ask you to take our word that the key is current; we ask you to check the ledger statement and the signature over it.
That is the harder half of “verify, don’t trust.” Results that verify are useful. A signing key that itself has an independent, public root of trust is what keeps the verification from collapsing back into “trust the website.”
Machine-readable, human-readable
All of the above is callable without a sales call. Attestations live at /.well-known/attestations.json — machine-readable, fetchable, suitable for an auditor’s script or a partner’s CI check. The same material is explained for humans at /trust. Public key material, the shape of what is signed, and how the on-ledger voucher works are not buried in a PDF. They are published where verification tooling expects to find them.
If a claim cannot be checked from those surfaces, it is not a claim we are making. That is the discipline: every trust assertion ships with a path to independent confirmation.
Non-custodial is the other half
Verification of attribution is incomplete if settlement still requires handing someone else the keys. Custody is a trust surface. We refuse it.
Sentinel — our settlement tooling — emits unsigned instructions. Each party signs and broadcasts with their own wallet. We never hold keys. We never hold funds. Bring-your-own-custody is not a preference; it is the architecture. The split can be fair and the history can be tamper-evident, and still the money only moves when the people who own it authorize the move.
That separation matters. A system that proves the number and then asks you to wire into its account has only solved half the problem. A system that proves the number and leaves custody with the parties has removed itself from the critical path of both truth and funds.
What this means for you and your auditor
You do not need to trust Frederick & Sons to use the output. You need to run the verifiers, check the signatures, walk the hash chain, and confirm the on-ledger voucher for the signing key. An auditor can do the same without a special access grant. A co-founder on the other side of a contribution dispute can do the same without waiting for our support queue.
What you get is not a promise that we are honest. You get artifacts that fail closed when they are wrong. That is a different category of assurance. It is the category money infrastructure should have been in all along.
The work of a partnership is the work. The split, the history, and the settlement path should not require faith in the operator of the tooling. They should require a laptop, the published keys, and a few minutes to run the checks.
Trust is cheap to request and expensive to repair. Verification is the opposite: slightly more work up front, and durable when the relationship is under load. That is the standard we build to. The proofs are live. Run them.
What actually runs it
None of this is aspirational — the proofs are live and the tooling runs today.
- Fifty50 computes the contribution-fair split and signs the result. You can run it right now.
- Sentinel settles on-chain, non-custodially — it emits unsigned instructions each party signs and broadcasts with their own wallet.
- Tokenized Partnerships is the closed loop: Fifty50’s signed split → Sentinel’s settlement → a tamper-evident audit trail.
Check any of it yourself — the standalone
split-signature verifier and
audit-chain verifier (Python stdlib plus cryptography,
nothing phones home), the machine-readable attestations,
and the human walkthrough at /trust.
Run the split engine yourself, or read exactly how to verify every claim on this page.
Run Fifty50 → Verify it yourself →Not a securities offering. Not investment, legal, tax, or financial advice. We do not custody or transfer funds — you hold your own keys and funds. Software / decision-support only.