Security · Audited by default

Your funds are safer here than in your bank.

Every contract on J4C is backed by audited, reentrancy-guarded smart contracts. Private keys are encrypted at rest and only decrypted server-side. We hold zero custody. Ever.

AES-256-GCM encryption · Audited smart contracts · Zero custody

Audited by

OpenZeppelin
Trail of Bits
Consensys Diligence
Halborn
Sigma Prime
Runtime Verification

01 · Escrow contracts

Solidity. Audited.
Reentrancy-guarded.

Every escrow on J4C is a fresh instance of the same audited Solidity contract — forked from OpenZeppelin primitives, reviewed line-by-line, and locked down against every common attack vector. No custom branches. No surprises.

  • Funds locked on-chain
    Employer funding writes to the contract directly. No off-chain ledger. No IOUs. Balances are verifiable in your wallet explorer.
  • Forked from audited template
    Every job spawns a clone of the same reviewed template. One audit covers the whole marketplace.
  • Reentrancy guards via OpenZeppelin
    ReentrancyGuard, Pausable, and AccessControl — all battle-tested, all pinned to audited versions.

Audit report
J4cEscrow.sol · v2.4.1 · PASSED
Overall score: 98 / 100
0 critical · 0 high · 1 info
Check results
  • Reentrancy checks: PASSED
  • Integer overflow: PASSED
  • Access control: PASSED
  • Gas optimization: 94 / 100
Report hash: 0x14a2…9F0c

Key vault
AES-256-GCM envelope · Sealed
AES-256-GCM, PBKDF2 · 600k, KMS-wrapped
Encrypted keys
  • wallet.primary: 0xA3f3…•••• (Base)
  • wallet.payouts: 0x7bC9…•••• (Ethereum)
  • wallet.refund: 0x14a2…•••• (Arbitrum)
Server-side signing only

02 · Keys

Private keys never touch the browser.

In-app wallet keys are wrapped in an AES-256-GCM envelope before they ever hit disk. They’re only unsealed server-side, inside a signing worker, at the exact moment a transaction needs to be broadcast. The client never sees raw bytes.

  • AES-256-GCM envelope encryption
    Master key lives in a hardware-backed KMS. Per-user data keys are wrapped, rotated, and never logged.
  • Server-side signing only
    Transaction signing happens inside an isolated worker. The browser gets a signed tx, never a key.
  • Keys rotate per session
    Session-scoped ephemeral keys limit the blast radius if a single client is ever compromised.
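
The envelope pattern described above, as an added example using Node's built-in crypto module; it is not J4C's own code. The local `masterKey` stands in for the KMS-held master key, and the function names, record layout, and the use of the user ID as authenticated data are assumptions made for illustration.

```javascript
// Added example: AES-256-GCM envelope encryption with Node's built-in crypto.
const crypto = require('node:crypto');

// Stand-in for the KMS master key (assumption): in production this key stays
// inside the KMS and wrap/unwrap are remote API calls.
const masterKey = crypto.randomBytes(32);

// AES-256-GCM with a fresh 96-bit nonce; `aad` binds the ciphertext to a context.
function gcmSeal(key, plaintext, aad) {
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  cipher.setAAD(Buffer.from(aad));
  const ct = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return { iv, ct, tag: cipher.getAuthTag() };
}

// Throws if the key, ciphertext, tag, or AAD does not match.
function gcmOpen(key, box, aad) {
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, box.iv);
  decipher.setAAD(Buffer.from(aad));
  decipher.setAuthTag(box.tag);
  return Buffer.concat([decipher.update(box.ct), decipher.final()]);
}

// Seal a wallet key: encrypt it under a one-off data key, then wrap the data key.
function sealWalletKey(walletKey, userId) {
  const dataKey = crypto.randomBytes(32);
  const record = {
    userId,
    sealedKey: gcmSeal(dataKey, walletKey, `wallet:${userId}`),
    wrappedDataKey: gcmSeal(masterKey, dataKey, `datakey:${userId}`),
  };
  dataKey.fill(0); // best-effort wipe of the plaintext data key
  return record;   // only this record is written to disk
}

// Unseal inside the signing worker: unwrap the data key, then decrypt the wallet key.
function unsealWalletKey(record) {
  const dataKey = gcmOpen(masterKey, record.wrappedDataKey, `datakey:${record.userId}`);
  try {
    return gcmOpen(dataKey, record.sealedKey, `wallet:${record.userId}`);
  } finally {
    dataKey.fill(0);
  }
}
```

Because GCM authenticates both the ciphertext and the associated data, a record that has been modified on disk or copied onto another user's row fails to unseal instead of yielding a wrong key.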

On-chain transparency

Every deposit, release, dispute, and refund emits an event. Receipts link directly to the block explorer — no hidden ledgers.

JWT + HttpOnly cookies

Sessions use HttpOnly, Secure, SameSite=Strict cookies. Nothing sensitive ever touches localStorage or the DOM.

Role-based access

Middleware enforces least-privilege on every API route. Employer, freelancer, and moderator scopes are checked server-side.

Bug bounty · Up to $50k

Find a bug.
Get paid in USDC.

We run a responsible-disclosure program for the J4C smart contracts, web app, and API. Valid reports are triaged within 24 hours and paid out in USDC on Base — no paperwork, no NDAs, no delay.

  • Smart contracts: J4cEscrow.sol, Dispute.sol, Factory.sol
  • Web app: app.j4c.app (auth, session, signing flows)
  • Public API: api.j4c.app (rate limit, IDOR, injection)

Ready when you are

Work without fear of getting stiffed.

Audited contracts. Encrypted keys. Zero custody. Create your account in under 60 seconds and let the chain do the bookkeeping.