SOST DEX

Decentralized exchange of PoPC (Proof of Personal Custody) contracts for tokenized and/or physical gold.

Buy, sell, split and track gold-referenced positions through client-side signed offers + end-to-end encrypted relay messages + on-chain Ethereum smart-contract escrow. The AI assistant only helps you fill the form; you sign every action yourself. Passkey & biometric authentication stay on your device.

HOW IT WORKS
  1. Create or register a position — a gold-linked contract enters the SOST system
  2. Choose what to trade — sell the full position or only the reward right
  3. Settle through signed private deal flow — offers and accepts are signed and encrypted
  4. Track the full lifecycle — from settlement to maturity, withdraw and reward distribution

PoPC creates the position. The SOST DEX trades it. The settlement layer verifies and updates rights across SOST and Ethereum.

LIMITED ALPHA · OPERATOR-ASSISTED · SIGNED & ENCRYPTED · 743 TESTS PASSING
// NON-CUSTODIAL DEX SAFETY NOTICE READ FIRST
  • SOST DEX does not custody user funds or gold. Your SOST balance stays in your own wallet. Your gold (XAUT / PAXG) stays in your own Ethereum wallet or in the on-chain SOSTEscrow smart contract you yourself interact with.
  • SOST DEX is not a centralized escrow or broker. Any escrow mentioned on this page refers to the on-chain Ethereum smart contract (SOSTEscrow). SOST Protocol does not operate, hold keys to, or manually release any escrow.
  • SOST DEX does not guarantee counterparties, prices, delivery, or outcomes. Every offer is between two users, signed and encrypted client-side. SOST cannot reverse, force, or verify off-chain promises.

The relay can transport encrypted envelopes between users but cannot read or alter the content. SOST never sees your private keys, your private trade content, or your biometrics. The full rationale and safety guide is below.

// WHY NON-CUSTODIAL

Why SOST DEX does not intervene

SOST DEX is a non-custodial software interface. Trades are between users. The protocol's role is to host the interface and transport encrypted messages, not to broker or settle deals.

  • Users create and sign offers client-side. The Ed25519 signing key and X25519 encryption key live in your browser, encrypted under a key derived from your passphrase with Argon2id. The DEX UI composes the offer; you sign it.
  • The relay transports encrypted envelopes but cannot read them. Server-side SOST infrastructure never sees the cleartext of any offer, message, address negotiation, or settlement instruction.
  • On-chain escrow is a smart contract (SOSTEscrow on Ethereum), not a SOST-operated escrow. SOST Protocol does not hold keys to the smart contract's funds. Releases happen by on-chain logic the counterparties trigger themselves.
  • SOST cannot recover funds. If a user sends SOST or gold to the wrong address, signs the wrong offer, or trusts a fake counterparty, SOST has no key, no privilege, and no legal authority to reverse it.
  • SOST cannot force delivery. If a counterparty agrees to send something and then disappears, SOST cannot compel them. The remedy is a separate matter between the users (civil dispute, police report, on-chain forensic tracing).
  • SOST cannot verify off-chain promises. A counterparty claiming "I sent the wire" or "the metals are warehoused" is making an off-chain statement SOST has no way to validate. The user must verify independently.
// VERIFICATION LIMITS

What SOST DEX can and cannot verify

✓ THE DEX CAN VERIFY
  • Structural integrity of a signed offer payload (fields present, signature shape valid).
  • Local key ownership: the browser-side wallet holds the private key that signed an offer.
  • Transaction and capsule hashes if a record has been published on-chain.
  • Public explorer data (block heights, confirmations, txid existence) for any SOST or Ethereum transaction you point to.
  • That a relayed envelope has not been tampered with in transit (MAC verification client-side).
⚠ THE DEX CANNOT VERIFY
  • Off-chain identity. The counterparty's real name, KYC, age, jurisdiction, etc. SOST has no identity database.
  • Future delivery promises. Whether the other side will actually do what they signed an offer to do.
  • Private agreements outside signed payloads. Anything agreed in DMs, voice calls, or external chats is unverifiable by SOST.
  • Screenshots. A screenshot of a payment, balance, or transfer is not cryptographic proof. Always verify directly in your bank / wallet / explorer.
  • Third-party Telegram, X, Discord accounts. SOST cannot validate any external social media identity claiming to represent SOST or any counterparty.
  • External payment rails. Whether a fiat transfer, credit-card payment, or third-party stablecoin transfer has actually settled. You verify in the rail itself.
// PATTERN RECOGNITION

Honest DEX counterparty vs scammer

Specific to the DEX context (positions, reward rights, OTC requests, smart-contract escrow). If your counterparty matches the right column, stop the trade.

✓ HONEST DEX COUNTERPARTY
  • Insists on using the official DEX URL (sostcore.com/sost-dex.html) only.
  • Accepts the signed offer terms BEFORE any action — reads the fields, asks questions, then signs.
  • Never asks for your seed phrase, private key, or wallet passphrase.
  • Agrees to a small test transaction first.
  • Verifies on-chain txids in sost-explorer.html or Etherscan.
  • Keeps communication in signed and relayed payloads where possible.
  • Respects your verification timeline, no urgency.
  • Does not change addresses or amounts after the offer is signed.
⚠ SCAMMER PATTERN
  • Asks you to move to a private DM on Telegram / Signal / WhatsApp / Discord.
  • Sends a lookalike DEX URL (e.g. sost-dex[.]net, sost-dex[.]app, sostdex[.]io).
  • Requests your seed phrase / private key / passphrase "to validate the trade".
  • Asks for a screen share / TeamViewer / AnyDesk to "help".
  • Demands an advance "activation fee", "escrow fee", or "unlock fee".
  • Sends a screenshot of payment and pressures you to release.
  • Rushes with urgency: "release fast", "listing closes in 5 min", "limited time".
  • Changes the receiving address or amount after the offer is signed.
  • Promises guaranteed profit, exchange listing access, treasury access, or insider info.
// LEARN BY EXAMPLE

Realistic DEX scam examples

Five common attack patterns adapted to the DEX context, with warning signs and the safe response for each.

SCAM 1 — Fake PoPC contract

Pattern: a counterparty sends you a link to a "PoPC contract" on Ethereum that looks legitimate (same ABI, similar address). Their version of the contract has a hidden backdoor that lets them drain after deposit.

Warning signs: the contract address differs from the official SOSTEscrow address published in the SOST docs. The counterparty insists on "my version" or "the new test contract". The bytecode has not been verified on Etherscan, or shows unfamiliar admin/owner functions.

Safe response: only use the SOSTEscrow contract address documented in sost-popc-contracts.html. Verify the contract is open-source-verified on Etherscan. Refuse any "alternative" contract.

SCAM 2 — Fake SOST DEX mirror URL

Pattern: a counterparty in a chat or social media post sends you a URL that looks like the DEX but is hosted elsewhere: sost-dex[.]net, sostdex[.]app, sostcore[.]io/dex. The clone page steals your passphrase / seed when you "Create Identity" or "Import Backup".

Warning signs: URL is not exactly sostcore.com/sost-dex.html or sostprotocol.com/sost-dex.html. Page asks for your seed phrase. Page looks identical but is on a different domain.

Safe response: only ever load the DEX from sostcore.com or sostprotocol.com. Type the URL yourself; do not click links from DMs / Telegram / X. If in doubt, navigate from the nav of sostcore.com itself. No legitimate process EVER asks for your seed phrase or passphrase.
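
The "exactly sostcore.com or sostprotocol.com" rule above, written as a check you can run on a pasted link. This is an added example, not SOST code; it assumes the official pages are served over HTTPS on the default port, and the sample links are constructed (example.net stands in for any non-official host).

```javascript
// Added example: exact-match check for the official DEX locations named on this page.
// Assumption: the official pages are served over HTTPS on the default port.
const OFFICIAL_HOSTS = new Set(["sostcore.com", "sostprotocol.com"]);
const OFFICIAL_PATH = "/sost-dex.html";

function checkDexUrl(raw) {
  let u;
  try {
    u = new URL(raw);
  } catch {
    return { ok: false, reason: "not an absolute URL" };
  }
  if (u.protocol !== "https:") return { ok: false, reason: "not https" };
  // "https://sostcore.com@host/" puts the trusted name in the userinfo part,
  // so the browser actually connects to "host".
  if (u.username !== "" || u.password !== "") {
    return { ok: false, reason: "userinfo before the real host" };
  }
  if (u.port !== "") return { ok: false, reason: "non-default port" };
  // URL() lowercases the host and converts Unicode lookalike letters to punycode.
  if (u.hostname.split(".").some((label) => label.startsWith("xn--"))) {
    return { ok: false, reason: "internationalized (punycode) host" };
  }
  // Exact host match: a subdomain or a longer name that merely contains
  // "sostcore.com" is a different host.
  if (!OFFICIAL_HOSTS.has(u.hostname)) {
    return { ok: false, reason: "host is not an official domain" };
  }
  if (u.pathname !== OFFICIAL_PATH) return { ok: false, reason: "unexpected path" };
  return { ok: true, reason: "exact official URL" };
}

// Constructed sample links for the demonstration.
const SAMPLE_LINKS = [
  "https://sostcore.com/sost-dex.html",
  "https://SostProtocol.com/sost-dex.html#trade",
  "http://sostcore.com/sost-dex.html",
  "https://sostcore.com@example.net/sost-dex.html",
  "https://sostcore.com.example.net/sost-dex.html",
  "sostcore.com/sost-dex.html",
];

for (const link of SAMPLE_LINKS) {
  const r = checkDexUrl(link);
  console.log(`${r.ok ? "OK    " : "REJECT"} ${link} (${r.reason})`);
}
```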

SCAM 3 — Advance-fee escrow release

Pattern: a seller claims their position is "locked in escrow" and to release it you must first pay an "activation fee" / "gas top-up" / "unlock fee" of N SOST or N USDT to a third address. The escrow does not exist; the "fee" is the scam.

Warning signs: any request to pay something small first to unlock something bigger. References to a "SOST escrow procedure" or "admin verification fee" that does not appear in any official SOST documentation. Pressure to pay before reading.

Safe response: SOST has no fees beyond normal network transaction fees and protocol-defined PoPC settlement fees. Anyone asking for an out-of-process "activation fee", "release fee", or "tax fee" is running an advance-fee scam.

SCAM 4 — Screenshot-as-payment-proof

Pattern: a buyer claims to have paid (in SOST, ETH, USDT or fiat) and sends a screenshot. Pressures the seller to release the position or reward right immediately. The transaction either does not exist or went to a different address.

Warning signs: screenshot instead of a verifiable txid. Refusal or delay when asked for the txid. Urgency: "release now, I have another deal waiting". The screenshot's address differs from your receiving address.

Safe response: never release based on a screenshot. Always require the txid, verify it on sost-explorer.html (for SOST) or Etherscan (for ETH/ERC-20), confirm the destination is YOUR address, and wait for the configured number of confirmations.

SCAM 5 — Address substitution after agreement

Pattern: after the offer is signed and you are about to send funds, the counterparty asks you to send to a different address than the one in the signed offer ("my main wallet was compromised", "use this temporary address instead", "send to my friend who is closer"). The new address is the attacker's.

Warning signs: a request to deviate from the signed offer payload. Last-minute address change. Excuse story attached.

Safe response: send ONLY to the address in the signed offer. If the counterparty needs to change anything, cancel the offer and sign a new one with the new terms. Never trust a verbal / chat amendment to a signed payload.
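
The safe responses to SCAM 4 and SCAM 5 both reduce to comparing what you see against the signed offer, shown here for a SOST payment. This is an added example, not SOST code: the field names (payTo, price, expiresAt, txid, to, amount, confirmations, blockTime) are hypothetical because the page does not publish the offer schema, and all sample values are constructed.

```javascript
// Added example. All field names are hypothetical; sample data is constructed.

// Parse a SOST amount such as "120.00000000" into integer base units
// (8 decimals) so comparisons never go through floating point.
function toUnits(amount) {
  const m = /^(\d+)(?:\.(\d{1,8}))?$/.exec(String(amount));
  if (!m) throw new Error(`malformed amount: ${amount}`);
  return BigInt(m[1]) * 100000000n + BigInt((m[2] || "").padEnd(8, "0"));
}

// SCAM 5: the signed payload is the only source for the destination.
// An address received in chat is reported as a mismatch, never used.
function destinationToUse(offer, addressFromChat) {
  return {
    sendTo: offer.payTo,
    chatTriedToChangeIt:
      addressFromChat !== undefined && addressFromChat !== offer.payTo,
  };
}

// SCAM 4: `tx` is the record YOU looked up in the explorer by txid, never
// data supplied by the counterparty. Returns the reasons not to release.
function reasonsNotToRelease(offer, tx, minConfirmations) {
  if (!tx || !tx.txid) {
    return ["no txid found in the explorer (a screenshot is not proof)"];
  }
  const reasons = [];
  if (tx.to !== offer.payTo) {
    reasons.push("destination is not the address in the signed offer");
  }
  if (toUnits(tx.amount) < toUnits(offer.price)) {
    reasons.push("amount is below the signed price");
  }
  if (tx.confirmations < minConfirmations) {
    reasons.push("not enough confirmations yet");
  }
  if (tx.blockTime > offer.expiresAt) {
    reasons.push("payment landed after the offer expired");
  }
  return reasons;
}

// Constructed sample data (addresses, txids and timestamps are made up).
const OFFER = { payTo: "sost1" + "ab".repeat(20), price: "120.00000000", expiresAt: 1767312000 };
const GOOD_TX = { txid: "tx-constructed-1", to: OFFER.payTo, amount: "120", confirmations: 6, blockTime: 1767300000 };
const BAD_TX = { txid: "tx-constructed-2", to: "sost1" + "cd".repeat(20), amount: "119.99999999", confirmations: 1, blockTime: 1767300000 };

console.log(reasonsNotToRelease(OFFER, GOOD_TX, 6)); // empty list: safe to proceed
console.log(reasonsNotToRelease(OFFER, BAD_TX, 6));  // three separate reasons
console.log(reasonsNotToRelease(OFFER, null, 6));    // screenshot only, no txid
console.log(destinationToUse(OFFER, BAD_TX.to));
```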

⚠ IF YOU HAVE BEEN SCAMMED ON THE DEX

SOST cannot reverse on-chain transactions, force counterparties, or recover funds. What you can still do, in order:

  1. Stop sending funds. Do not send more in the hope of recovering what you already sent.
  2. Save the evidence. Txids, signed payload JSON, URLs, screenshots of the chat, the counterparty's handle, the addresses involved. Keep a local copy.
  3. Revoke / rotate any compromised keys. If you entered a seed phrase or passphrase into a phishing site, assume the wallet is fully compromised. Move any remaining funds to a brand-new wallet (new seed) immediately. The old wallet is permanently unsafe.
  4. Report fake domains / accounts. Submit the lookalike URL to your browser's phishing report, the registrar abuse contact, and the social platform where the impersonator operates.
  5. Warn the community without doxxing. Post the pattern (the scam method) in the OTC Reputation room in SOST Talk. Do not post the counterparty's personal data; share their on-chain address and their chat handle only.
  6. File a police report in your jurisdiction. Crypto fraud is increasingly investigated, and your report adds to the pattern.
  7. Do NOT pay any "recovery agent" that contacts you afterwards offering to recover funds for a fee. That is a follow-up scam.
  8. Understand: SOST cannot reverse the transaction, force the counterparty to deliver, or arbitrate the dispute. The protocol is non-custodial and software-only.

SOST DEX disclaimer. SOST DEX is non-custodial software. It does not provide financial, legal, custody, brokerage, escrow, investment, or dispute-resolution services. Users are responsible for their own trades, keys, counterparties, taxes, compliance, and local-law obligations. Any reference to "escrow" on this page denotes the on-chain Ethereum smart contract (SOSTEscrow); SOST Protocol does not operate, hold keys to, or manually release any escrow. The relay transports encrypted envelopes between users and cannot read their content. SOST cannot reverse transactions, recover funds, force delivery, or arbitrate disputes.

HOW DOES THIS WORK?
SOST DEX — Complete Guide

🔒 Identity & Wallet
The DEX uses a local browser wallet — your cryptographic identity (Ed25519 signing + X25519 encryption keys) is created and stored in your browser using IndexedDB, encrypted under a key derived with Argon2id from a passphrase you choose.
Create Identity — generates a new keypair locally. No server registration.
Import Backup — restore a previously exported encrypted identity JSON.
Export — save your identity as encrypted backup (always do this!).
Lock/Unlock — session auto-locks after 5 minutes of inactivity.
• Your keys never leave your browser. The relay cannot read your deals.

🔓 Passkey / Biometric Authentication
If your device supports WebAuthn, you can use fingerprint, Face ID, or secure device PIN for faster and safer access.
Register Passkey — one-time setup on your device.
Login with Passkey — unlock your session with biometrics instead of typing your passphrase.
Re-authenticate — sensitive actions (sign offer, accept deal, export) ask for biometric confirmation.
• Your biometrics never leave your device — the DEX only receives yes/no from your secure enclave.
• Passkey is optional — passphrase-only mode always works.

🤖 AI Form Assistant
The AI helps you fill the Trade Composer by understanding what you want to do in plain language.
• Type something like: "Sell my full XAUT position for 9.7 SOST, expire in 6 hours"
• The AI parses your intent and fills the form fields automatically.
• It shows "What the assistant understood" — action, position, price, expiry, what changes.
• It flags risks: suspicious price, wrong position, expiry too short, missing fields.
• It compares options: full sale vs reward-only, sell now vs hold to maturity.
• It explains lifecycle: maturity progress, withdraw status, reward remaining.
The AI does NOT sign, send, or execute anything. You always review and authorize.

📩 Private Encrypted Inbox
When your wallet is unlocked, you can receive encrypted messages from counterparts.
• Messages are fetched from the blind relay and decrypted locally in your browser.
• The relay transports encrypted envelopes but cannot read the content.
• You see: offers, acceptances, cancellations, settlement notices.
• Delivery tracking: sent → delivered → acknowledged → processed.

📈 Public vs Private Mode
Public — anyone can see market summary, positions, stats. No login needed.
Private — unlock your wallet to access: AI assistant, encrypted inbox, trade composer (sign+encrypt+send), deal channels, OTC.

Note: device biometrics (passkey) belong to the browser/user authentication layer. P2P node encryption (X25519 + ChaCha20 between nodes) is a separate machine-to-machine layer.
Trading Fee: 0% (free trading · PoPC fee 3%A/8%B on rewards)
SOST DEX — POSITIONS & GOLD
Live position data from PoPC escrow on Sepolia
ESCROW: SOSTEscrow V2
// TRADE
Trade Composer
Simple Mode vs Pro Mode

Simple Mode — for regular users. Shows only the essential fields with safe defaults. Best for quick trades.

Pro Mode — for advanced users who want full control. Shows all technical fields.

What Pro adds:
• Position ID — manually type a position ID instead of selecting from dropdown
• Pair selector — choose between SOST/XAUT or SOST/PAXG (Simple defaults to SOST/XAUT)
• Trading fee display — shows the fee calculation (currently 0% — no trading fee)
• JSON Preview — see the raw signed offer JSON before sending. In Simple you only see the human-readable outcome preview

Both modes include:
• Action selection (buy/sell/reward/OTC)
• Position selection
• Maker addresses (SOST + ETH)
• Amount, price, expiry, asset type
• Outcome preview + Create Signed Offer

Tip: start with Simple. Switch to Pro only if you need to see the raw JSON or override defaults.
1 What do you want to do?
Choose the type of trade you want to make:

Buy Full Position: You want to buy someone's entire position — you get the principal ownership, the reward rights, and become the gold escrow beneficiary. You pay SOST.

Sell Full Position: You own a position and want to sell everything — principal, rewards, and escrow beneficiary — in exchange for SOST.

Sell Reward Right: You keep your position's principal and gold, but sell only the right to receive the SOST mining rewards.

Buy Reward Right: You want to buy only the reward stream from someone's position, without the gold or principal.

OTC Request: A custom request — use this for anything that doesn't fit the above categories.
2 Select Position
What is a Position ID?
A unique identifier for a gold-referenced position in the SOST system. Each position represents a PoPC commitment — gold locked in escrow that generates SOST rewards.

Where do I find it? If you already have a position, select it from the dropdown. If you're creating a new offer, type the position ID that the seller gave you.

Example: POS-2026-0001-XAUT-NeoB
Format: POS-[year]-[number]-[gold type]-[owner name]
3 Parameters
Your SOST wallet address. This is the address where you receive or send SOST tokens. It starts with sost1 followed by 40 hex characters.

Where do I find it? Open your SOST wallet or run sost-cli getaddress in the terminal.

Example: sost1a9c6fe1de076fc31c8e74ee084f8e5025d2bb4d

Your Ethereum wallet address. This is used for the gold escrow side — it's the address that holds your XAUT/PAXG tokens and interacts with the SOSTEscrow contract.

Where do I find it? Open MetaMask or your Ethereum wallet and copy your address.

Example: 0x742d35Cc6634C0532925a3b844Bc9e7595f2bD18

How many SOST tokens are involved in this trade.

If you're buying a position: this is how much SOST you're willing to pay.
If you're selling: this is the SOST value of the position you're offering.

Example: 150.00000000 means 150 SOST tokens. Use up to 8 decimal places.

How many troy ounces of gold are locked in this position's escrow.

This is the physical gold backing — the XAUT or PAXG tokens deposited in the SOSTEscrow contract. 1 oz = 1 XAUT = 1 PAXG.

Example: 0.0500 means 0.05 troy ounces of gold (about $150 at current prices).

The asking or bid price for this trade, in SOST tokens.

If you're selling: this is the minimum SOST you want to receive.
If you're buying: this is the maximum SOST you're offering to pay.

Tip: Check the market tab to see what others are asking. There's no AMM — you negotiate directly.

Example: 120.00000000 means you want 120 SOST for this position.

How long your offer stays valid. After this time, the offer expires automatically and cannot be accepted.

1 hour: For quick trades when both parties are online.
6 hours: Good for same-day trading.
24 hours: Default. Gives the other party time to review and respond.

What exactly you're trading:

POSITION_FULL: The entire position — principal ownership, reward rights, AND the gold escrow beneficiary. The buyer gets everything.

POSITION_REWARD_RIGHT: Only the reward rights. The seller keeps the principal and the gold, but the buyer receives the SOST mining rewards from this position.

GOLD: Direct gold-token trade (XAUT or PAXG) without a PoPC position involved.
4 Outcome Preview
What changes if you confirm:
Select an action and position to see the preview.
Limited alpha. Operator-assisted. Not financial advice.
// PORTFOLIO
Positions & Deals
Position ID Model Token Amount (oz) Reward Maturity Status Value Est. Actions
Position ID Owner Model Token Amount (oz) Reward Maturity Status Value Est. Discount Action
Deal ID Type Status Counterpart Price (SOST) Created Settled
// LIFECYCLE
Deal Timeline

Most recent deal lifecycle progression.
