Drip Help & Reliability
Trust, Safety, and SLAs
Snapshot of our audit posture, core invariants, operational circuit breakers, ownership controls, and customer-facing service targets.
Audits
Independent review and in-flight work
Core contracts lean on audited Safe/ZeroDev account components. A full-stack audit (BillingModule + SecurityDeposit) is underway; we will publish the report and mitigation notes as soon as it lands. Until then, production deployment runs with reduced surface area and aggressive monitoring.
- Scope: BillingModule, SecurityDepositModule, session key guards, and paymaster wiring.
- Testing: invariant fuzzing around balance enforcement, slashing caps, and charge idempotency.
- Publication plan: redact secrets, publish full findings + fixes, and tag the commit hash deployed.
Invariants
Safety properties we enforce
Deterministic charging
Every usage event maps to a single charge with a deterministic formula (quantity × unit price) and fixed-point math.
Balance enforcement
Charges fail closed if balances plus grace fall short; paused accounts cannot be charged until reactivated.
On-chain settlement trail
All confirmed charges carry tx hashes and block numbers; failed settlements keep the charge record and failure reason.
Deposit safety rails
Security deposits are locked during active sessions and slashing is capped per event to limit loss radius.
The full invariant catalog lives in the engineering docs and is mirrored in automated tests; violating any listed invariant fails CI and blocks release.
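The properties above can be checked mechanically. The following is an added example, a toy Python model with a seeded fuzz loop, and is not Drip's contract or test code. `SCALE`, `SLASH_CAP`, `OPENING`, every function and field name, letting the balance run down to minus the grace amount, and answering a replayed event with the recorded charge are all assumptions made for the illustration.

```python
import random
from contextlib import suppress
from dataclasses import dataclass, field

SCALE = 10**6          # assumption: amounts are integers in millionths of a unit
SLASH_CAP = 5 * SCALE  # assumption: the most one slashing event may take
OPENING = 50 * SCALE   # constructed opening balance for the fuzz run

@dataclass
class Account:
    balance: int
    grace: int = 0
    deposit: int = 0
    paused: bool = False
    charges: dict = field(default_factory=dict)  # event_id -> amount charged

def charge(acct, event_id, quantity, unit_price):
    """Apply one usage event and return the amount; integers only, no floats."""
    if event_id in acct.charges:            # replayed event: never charge twice
        return acct.charges[event_id]
    amount = quantity * unit_price          # deterministic fixed-point product
    if acct.paused:
        raise PermissionError("account is paused")
    if amount > acct.balance + acct.grace:  # fail closed, no partial charge
        raise ValueError("balance plus grace is insufficient")
    acct.balance -= amount                  # may go negative, down to -grace
    acct.charges[event_id] = amount
    return amount

def slash(acct, requested):
    """Slash the deposit, capped per event; return what was actually taken."""
    taken = min(requested, SLASH_CAP, acct.deposit)
    acct.deposit -= taken
    return taken

def fuzz(seed, steps=2000):
    rng = random.Random(seed)               # seeded, so a failure is reproducible
    acct = Account(balance=OPENING, grace=2 * SCALE, deposit=20 * SCALE)
    for _ in range(steps):                  # invariants are checked every step
        op = rng.choice(["charge", "slash", "pause"])
        if op == "charge":
            with suppress(ValueError, PermissionError):  # rejected: no change
                charge(acct, rng.randrange(40), rng.randrange(1, 9), SCALE // 4)
        elif op == "slash":
            assert slash(acct, rng.randrange(30 * SCALE)) <= SLASH_CAP
        else:
            acct.paused = not acct.paused
        assert acct.balance >= -acct.grace and acct.deposit >= 0
        assert OPENING - acct.balance == sum(acct.charges.values())
    return acct
```

A failing assertion inside `fuzz` is the model's equivalent of a broken invariant failing CI; rerunning with the same seed reproduces the exact operation sequence.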
Pause & drain posture
Circuit breakers and exit ramps
- Billing and SecurityDeposit modules are pausable; pause blocks new charges and deposits immediately.
- Drain/runway: treasury withdrawals are allowlisted to the owner address; emergency scripts unwind open settlements before pausing.
- Monitoring: on-call alerts on failed settlements, pause toggles, and abnormal slashing activity.
Ownership & multisig
Admin surface area
- Owner role governs pause/unpause, slasher authorization, and treasury withdrawals; intended to be a Safe multisig in production.
- No upgradable proxies in the billing path; owner can only toggle guarded controls, not rewrite logic.
- Operational changes (API keys, webhooks, manual overrides) are mirrored in the Audit & Search dashboard.
Refunds
Refunds & Dispute Resolution
Drip's prepaid model eliminates chargebacks and payment failures. If you believe a charge was made in error or need a refund for another reason, we handle requests manually to ensure each case is reviewed fairly.
How to request a refund
Email support@drippay.dev with your account details and the charge in question.
Resolution time
Refund requests are reviewed and resolved within 2 business days.
Valid refund reasons include billing errors, duplicate charges, and service issues. Approved refunds are returned to your original funding source.
SLAs
Support targets (beta)
Published response and mitigation targets while we are in beta; contracts include bespoke SLAs if needed.
| Severity | Response | Resolution/Mitigation | Channel |
|---|---|---|---|
| P0 — loss of funds / charges blocked | < 15 minutes (pager rotation) | Mitigate or fail-closed within 4 hours | PagerDuty + Slack bridge |
| P1 — degraded throughput / delayed settlement | < 1 hour during business hours | Workaround or clear backlog within 1 business day | Email + Slack #oncall thread |
| P2 — analytics / dashboard defects | < 1 business day | Patch or provide ETA within 3 business days | Email support |