New Book: The Bitcoin Economy , Read free online or get your own copy. Read Now Buy on Amazon
AttestoScript demo

Contract receipts, bound to a signer identity.

AttestoScript is a bounded, deterministic contract runtime. Every receipt carries the caller's identity state and is signed under ML-DSA-87. Without identity, a contract output is just bytes. With identity, it is a proof.

See identity core See record layer 3-min Script ↓
Call
Contracttoken_transfer
CallerKERI-bound
Nonce42
Caller subjectEDl3VS8x...
Caller bindingsha3-512:6c6a...a49c
Program digestsha3-512:2c18...ae31
Receipt
Statusaccepted
Gas used4,210
Output1 event
Receipt digestsha3-512:9e44...dd71
Recordmemory_block:1284308
Anchornot_requested
Receipt packet

A contract call is not trusted until the caller is.

The receipt ties the program digest, the call arguments, and the deterministic output to the caller's Proofnet identity binding. The receipt is then written as a memory-block record.

{
  "type": "proofnet_script_receipt_v0",
  "attesto_type": "script_receipt",
  "contract": "token_transfer",
  "program_digest": "sha3-512:2c18...ae31",
  "caller_identity": {
    "adapter": "KERI",
    "subject": "EDl3VS8xBlDp-x9RU4HEDE0n6cum4PW9HI9tEEnsf483",
    "binding_digest": "sha3-512:6c6a...a49c"
  },
  "call_nonce": 42,
  "output_digest": "sha3-512:9e44...dd71",
  "proofnet_pq_algorithm": "ML-DSA-87",
  "canonical_digest": "SHA3-512",
  "record_home": "proofnet_memory_block",
  "public_safe": true
}
Why bounded

Deterministic, auditable, identity-bound.

01

Bounded runtime

AttestoScript programs run in a constrained VM with deterministic outputs and explicit gas.

02

Identity bound

Every call cites the caller's identity binding digest.

03

PQ signed

The receipt is digested with SHA3-512 and signed under ML-DSA-87.

04

Replayable

Auditors replay program, inputs, and identity state to re-derive the same output digest.