Drip Help & Reliability

Trust, Safety, and SLAs

Snapshot of our audit posture, core invariants, operational circuit breakers, ownership controls, and customer-facing service targets.


Audits

Independent review and in-flight work

In progress

Core contracts lean on audited Safe/ZeroDev account components. A full-stack audit (BillingModule + SecurityDeposit) is underway; we will publish the report and mitigation notes as soon as it lands. Until then, production deployment runs with reduced surface area and aggressive monitoring.

  • Scope: BillingModule, SecurityDepositModule, session key guards, and paymaster wiring.
  • Testing: invariant fuzzing around balance enforcement, slashing caps, and charge idempotency.
  • Publication plan: redact secrets, publish full findings + fixes, and tag the commit hash deployed.

Invariants

Safety properties we enforce


Deterministic charging

Every usage event maps to a single charge with a deterministic formula (quantity × unit price) and fixed-point math.

Balance enforcement

Charges fail closed when the account balance plus its grace allowance falls short of the charge amount; paused accounts cannot be charged until reactivated.

On-chain settlement trail

All confirmed charges carry tx hashes and block numbers; failed settlements keep the charge record and failure reason.

Deposit safety rails

Security deposits are locked during active sessions and slashing is capped per event to limit loss radius.

Full invariant catalog lives in engineering docs and is mirrored in automated tests; violating any listed invariant fails CI and blocks release.
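The four invariants above, and the invariant-fuzzing approach mentioned under Audits, can be modelled in a few dozen lines. The following Python is an added illustration, not Drip's contract or test code: it keeps a toy off-chain ledger with fixed-point integer pricing, fail-closed balance checks that honour a grace allowance, idempotent charge records with a settlement trail, deposit locking and capped slashing, then runs a seeded random workload and checks that no invariant was violated. SCALE, SLASH_CAP, the account fields and the failure-reason strings are assumptions of this model.

```python
"""Toy model of the billing invariants (constructed example, not Drip's code)."""
from __future__ import annotations
import random
from dataclasses import dataclass

SCALE = 10**6            # fixed-point scale: 1.000000 units == 10**6 (assumed)
SLASH_CAP = 50 * SCALE   # per-event slashing cap (assumed value)


@dataclass
class Charge:
    event_id: str
    amount: int
    status: str          # "pending", "confirmed" or "failed"
    reason: str = ""     # kept on every failed charge or settlement
    tx_hash: str = ""    # settlement trail, set only on confirmation
    block_number: int = 0


@dataclass
class Account:
    balance: int
    grace: int = 0
    deposit: int = 0
    paused: bool = False
    active_sessions: int = 0


class Ledger:
    def __init__(self) -> None:
        self.accounts: dict[str, Account] = {}
        self.charges: dict[str, Charge] = {}

    @staticmethod
    def price(quantity: int, unit_price: int) -> int:
        # Deterministic formula: quantity x unit price, both fixed-point, floor division.
        return (quantity * unit_price) // SCALE

    def charge(self, acct_id: str, event_id: str, quantity: int, unit_price: int) -> Charge:
        if event_id in self.charges:            # idempotency: one usage event, one charge
            return self.charges[event_id]
        acct = self.accounts[acct_id]
        amount = self.price(quantity, unit_price)
        if acct.paused:
            rec = Charge(event_id, amount, "failed", "account paused")
        elif acct.balance + acct.grace < amount:  # fail closed, grace included
            rec = Charge(event_id, amount, "failed", "insufficient balance")
        else:
            acct.balance -= amount              # may dip into grace, never below -grace
            rec = Charge(event_id, amount, "pending")
        self.charges[event_id] = rec
        return rec

    def settle(self, event_id: str, tx_hash: str, block_number: int) -> Charge:
        rec = self.charges[event_id]
        if rec.status == "pending":
            rec.status, rec.tx_hash, rec.block_number = "confirmed", tx_hash, block_number
        return rec

    def fail_settlement(self, event_id: str, reason: str) -> Charge:
        rec = self.charges[event_id]
        if rec.status == "pending":             # record is kept, only status and reason change
            rec.status, rec.reason = "failed", reason
        return rec

    def slash(self, acct_id: str, requested: int) -> int:
        acct = self.accounts[acct_id]
        taken = min(requested, SLASH_CAP, acct.deposit)   # capped per event, never past the deposit
        acct.deposit -= taken
        return taken

    def withdraw_deposit(self, acct_id: str) -> int:
        acct = self.accounts[acct_id]
        if acct.active_sessions > 0:            # locked while any session is open
            return 0
        out, acct.deposit = acct.deposit, 0
        return out


def check_invariants(ledger: Ledger) -> list[str]:
    """Return a list of violated invariants; empty means the ledger is consistent."""
    bad = []
    for aid, a in ledger.accounts.items():
        if a.balance < -a.grace:
            bad.append(f"{aid}: balance below grace floor")
        if a.deposit < 0:
            bad.append(f"{aid}: negative deposit")
    for c in ledger.charges.values():
        if c.status == "confirmed" and (not c.tx_hash or c.block_number <= 0):
            bad.append(f"{c.event_id}: confirmed without settlement trail")
        if c.status == "failed" and not c.reason:
            bad.append(f"{c.event_id}: failed without reason")
    return bad


def fuzz(seed: int = 0, steps: int = 500) -> list[str]:
    """Seeded random workload (charges, pauses, slashes, settlements) over one account."""
    rng = random.Random(seed)
    led = Ledger()
    led.accounts["a"] = Account(balance=100 * SCALE, grace=5 * SCALE, deposit=200 * SCALE)
    for i in range(steps):
        op = rng.choice(["charge", "charge", "pause", "slash", "settle"])
        if op == "charge":   # small id space so repeated event ids exercise idempotency
            led.charge("a", f"evt-{rng.randrange(steps // 2)}",
                       rng.randrange(0, 10 * SCALE), rng.randrange(0, 3 * SCALE))
        elif op == "pause":
            led.accounts["a"].paused = not led.accounts["a"].paused
        elif op == "slash":
            led.slash("a", rng.randrange(0, 100 * SCALE))
        else:
            pending = [c for c in led.charges.values() if c.status == "pending"]
            if pending:
                c = rng.choice(pending)
                if rng.random() < 0.8:
                    led.settle(c.event_id, f"0x{i:064x}", i + 1)
                else:
                    led.fail_settlement(c.event_id, "rpc timeout")
    return check_invariants(led)
```

`fuzz()` returning an empty list is the property the CI gate described above would assert on; any non-empty list names the invariant that broke and the record that broke it.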

Pause & drain posture

Circuit breakers and exit ramps

  • Billing and SecurityDeposit modules are pausable; pause blocks new charges and deposits immediately.
  • Drain/runway: treasury withdrawals are allowlisted to the owner address; emergency scripts unwind open settlements before pausing.
  • Monitoring: on-call alerts on failed settlements, pause toggles, and abnormal slashing activity.

Ownership & multisig

Admin surface area

  • Owner role governs pause/unpause, slasher authorization, and treasury withdrawals; intended to be a Safe multisig in production.
  • No upgradable proxies in the billing path; owner can only toggle guarded controls, not rewrite logic.
  • Operational changes (API keys, webhooks, manual overrides) are mirrored in the Audit & Search dashboard.

SLAs

Support targets (beta)

Published response and mitigation targets while we are in beta; customer contracts can include bespoke SLAs where needed.

Target-only:

| Severity | Response | Resolution/Mitigation | Channel |
|---|---|---|---|
| P0: loss of funds / charges blocked | < 15 minutes (pager rotation) | Mitigate or fail-closed within 4 hours | PagerDuty + Slack bridge |
| P1: degraded throughput / delayed settlement | < 1 hour during business hours | Workaround or clear backlog within 1 business day | Email + Slack #oncall thread |
| P2: analytics / dashboard defects | < 1 business day | Patch or provide ETA within 3 business days | Email support |