No backend can move your money. The validators enforce the rules.
There is no Stede server sitting between you and your funds. Your dollars live in a program-owned vault, and your rules live on the token itself. Every Solana validator runs the same check on every transfer. There's nothing to trust us about.
What that means in practice
You hold it, not us
Your funds sit in a program-owned vault that no person, including the Stede team, has the keys to. Stede can't move, freeze, or claw back a single dollar. Unwrap back to plain USDC one-to-one whenever you want.
On-chain, not in an app
Rules are enforced by Token-2022 transfer hooks at the token level, checked by the network itself. They apply to every transfer of a Stede dollar, not just ones made through our app. No backend approves your sends, the validators do.
Fail-open, by design
A rule you haven't turned on doesn't exist on-chain, so it auto-passes. Only rules you've explicitly opted into can ever stop a transfer. This is a safety property: nothing Stede ships can accidentally lock you out of your own money.
All or nothing
If any enabled rule says no, the entire transaction reverts. There's no partial transfer, no stuck balance, no inconsistent state to recover from. Either the send completed under your rules or it never happened.
Open, and verifiable
You don't have to take our word for any of this. The whole protocol, nine Anchor programs, is open source under Apache 2.0. Read the rule logic, derive the program addresses, verify the deployed bytecode on-chain. The code is the spec.
View the source on GitHubHonest status: this is pre-mainnet, and unaudited.
Stede runs on devnet today and the code has not yet been through an independent security review. That review is a required milestone before any mainnet launch with real funds, and it hasn't happened yet. We're telling you plainly rather than burying it: don't put money you can't lose behind unaudited code. Found something? Report it responsibly via the GitHub repo and we'll act on it.