Trust model

NO HIDDEN DRAW. NO EMPTY PIXEL WIN. ON-CHAIN CHECKS.

This page is written for users who want to know what BigPot can and cannot manipulate. The short version: the website is not the source of truth; the Solana program, VRF account, Merkle proofs, and public events are the verification surface.

Devnet program

9Yi9zFwgMHCXvzfUTK9bck9oUMWNhZ7rBfezhQKepZN7

Mainnet status

Not live until guarded-beta gates pass

Launch policy

Invite-only, low cap, distributor dry-run

Guarantee

Frontend ownership is never trusted

The UI can display, select, or preview pixels, but ownership comes from signature-verified buy records and on-chain settlement. A browser cannot self-assign a winning pixel.

Guarantee

Empty pixels cannot win

The reveal path ranks winners from sold pixels only. Product copy must never imply that a random empty canvas coordinate can receive the Grand prize.

Guarantee

Randomness is on-chain validated

The program reads the Switchboard randomness account directly and checks that it is the expected account, that its owner is the expected program, that the reveal slot falls after the heist lock, that the result is fresh, and that the result is non-zero.

Guarantee

Proofs are heist-bound

Claim leaves bind day id, heist address, wallet, rank, amount, and receipt data. Domain-separated Merkle hashing prevents legacy non-prefixed proof formats from passing.

Guarantee

Operators cannot silently swap winners

The off-chain oracle can submit transactions, but the program enforces state transitions and proof verification. On mainnet, authority is expected to sit behind Squads multisig gates.

Guarantee

Refund mode is explicit

Below the 5,001 sold-pixel threshold, the heist cancels and claim-root/refund accounting moves through the cancelled status instead of pretending a draw happened.

Trust boundaries

On-chain program

Enforces heist state, escrow/pot movement, VRF invariants, claim proof verification, and NFT eligibility.

API service

Verifies buy signatures, deduplicates nonces, records read models, and coordinates managed settlement without trusting frontend-selected ownership.

Indexer

Mirrors Helius events into Supabase for fast UI reads. It is a read model, not the source of payout truth.

Oracle

Initializes, locks, reveals or cancels, commits claim roots, and advances the daily lifecycle. Mainnet authority must be multisig controlled.

Frontend

Presents state and collects user intent. It cannot mint winners, change VRF, or bypass claim proof checks.

How to verify
  1. Open the heist account and confirm status, lock time, pot, and roots.
  2. Confirm sold pixel count is at least 5,001 before reveal.
  3. Inspect the Switchboard randomness account used by reveal.
  4. Verify claim proof against the published claim root.
  5. Confirm the Grand NFT mint only follows a Grand winner receipt.
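The following is an added illustration of what "heist-bound, domain-separated" claim proofs mean in practice (step 4 above and the "Proofs are heist-bound" guarantee). It is example code, not BigPot's program or client, and it makes assumptions the page does not state: SHA-256, a 0x00 tag for leaves and a 0x01 tag for inner nodes, sorted-pair node hashing, a fixed little-endian leaf layout, and a 32-byte hash standing in for the receipt data. All sample winners and addresses are constructed. A real verifier must use the encoding and tags the project publishes.

```typescript
// Added example, not BigPot's code. Assumptions: SHA-256, a 0x00 leaf tag and
// 0x01 node tag for domain separation (BigPot's real tags are not on this page),
// sorted-pair node hashing, and a fixed little-endian leaf layout. Data is constructed.
import { createHash } from "crypto";

const LEAF_PREFIX = Buffer.from([0x00]); // assumed domain tag for leaves
const NODE_PREFIX = Buffer.from([0x01]); // assumed domain tag for inner nodes

interface ClaimLeaf {
  dayId: number;   // u32 day id
  heist: Buffer;   // 32-byte heist account address
  wallet: Buffer;  // 32-byte winner wallet
  rank: number;    // u16 winner rank
  amount: bigint;  // u64 payout in lamports
  receipt: Buffer; // 32-byte hash of the receipt data (assumed representation)
}

function sha256(...parts: Buffer[]): Buffer {
  const h = createHash("sha256");
  for (const p of parts) h.update(p);
  return h.digest();
}

// Fixed-order serialization so the leaf commits to every bound field.
function encodeLeaf(c: ClaimLeaf): Buffer {
  const b = Buffer.alloc(4 + 32 + 32 + 2 + 8 + 32);
  let o = 0;
  b.writeUInt32LE(c.dayId, o); o += 4;
  c.heist.copy(b, o); o += 32;
  c.wallet.copy(b, o); o += 32;
  b.writeUInt16LE(c.rank, o); o += 2;
  b.writeBigUInt64LE(c.amount, o); o += 8;
  c.receipt.copy(b, o);
  return b;
}

type NodeHash = (l: Buffer, r: Buffer) => Buffer;

// Domain-separated hashing: distinct tags for leaves and inner nodes, so an inner
// node can never be replayed as a leaf and an untagged legacy proof cannot match.
const hashLeaf = (c: ClaimLeaf) => sha256(LEAF_PREFIX, encodeLeaf(c));
const hashNode: NodeHash = (l, r) =>
  Buffer.compare(l, r) <= 0 ? sha256(NODE_PREFIX, l, r) : sha256(NODE_PREFIX, r, l);

// Legacy, non-prefixed hashing: what an older proof format would have produced.
const legacyLeaf = (c: ClaimLeaf) => sha256(encodeLeaf(c));
const legacyNode: NodeHash = (l, r) =>
  Buffer.compare(l, r) <= 0 ? sha256(l, r) : sha256(r, l);

// Bottom-up tree; an unpaired last node is carried up unchanged (assumed policy).
function buildTree(leaves: Buffer[], node: NodeHash): Buffer[][] {
  const layers: Buffer[][] = [leaves];
  while (layers[layers.length - 1].length > 1) {
    const prev = layers[layers.length - 1];
    const next: Buffer[] = [];
    for (let i = 0; i < prev.length; i += 2) {
      next.push(i + 1 < prev.length ? node(prev[i], prev[i + 1]) : prev[i]);
    }
    layers.push(next);
  }
  return layers;
}

// Sibling path for the leaf at `index`; no position bits needed with sorted pairs.
function proofFor(layers: Buffer[][], index: number): Buffer[] {
  const proof: Buffer[] = [];
  for (let d = 0; d < layers.length - 1; d++) {
    const sib = index ^ 1;
    if (sib < layers[d].length) proof.push(layers[d][sib]);
    index >>= 1;
  }
  return proof;
}

// What a verifier does with a claim and its proof against the committed root.
function verifyClaim(root: Buffer, claim: ClaimLeaf, proof: Buffer[]): boolean {
  let h = hashLeaf(claim);
  for (const sib of proof) h = hashNode(h, sib);
  return h.equals(root);
}

// Constructed sample: three ranked winners for one heist on day 17.
const heistA = Buffer.alloc(32, 0xaa);
const heistB = Buffer.alloc(32, 0xbb); // a different heist
const mkClaim = (rank: number, walletByte: number, amount: bigint): ClaimLeaf => ({
  dayId: 17, heist: heistA, wallet: Buffer.alloc(32, walletByte), rank, amount,
  receipt: sha256(Buffer.from(`receipt-${rank}`)),
});
const winners = [mkClaim(1, 0x01, BigInt(500000000)), mkClaim(2, 0x02, BigInt(100000000)), mkClaim(3, 0x03, BigInt(50000000))];
const tree = buildTree(winners.map(hashLeaf), hashNode);
const claimRoot = tree[tree.length - 1][0]; // what the oracle would commit on-chain

function demo() {
  const proof = proofFor(tree, 1); // proof for the rank-2 winner
  const legacyProof = proofFor(buildTree(winners.map(legacyLeaf), legacyNode), 1);
  return {
    genuine: verifyClaim(claimRoot, winners[1], proof),                                // true
    legacyFormat: verifyClaim(claimRoot, winners[1], legacyProof),                    // false
    otherHeist: verifyClaim(claimRoot, { ...winners[1], heist: heistB }, proof),      // false
    tamperedAmount: verifyClaim(claimRoot, { ...winners[1], amount: BigInt(999) }, proof), // false
  };
}
```

The three failing cases are the ones a user should expect the program to reject: a proof built with the old untagged hashing, the same winner re-presented under a different heist address, and a claim whose amount was edited after the root was committed. Because every bound field is inside the leaf, changing any one of them changes the leaf hash and the path no longer reaches the published root.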