A practical, ordered path through everything in this workspace: concept → how Gateway does it → the best practice → the interview question. Read top to bottom; revisit out of order.
## What a chain is, and what it costs

- **Gateway:** The chain is the slow, asynchronous edge of the system; everything regulated or private stays off-chain with an accountable party.
- **Best practice:** Ask of every datum: does it need shared, tamper-evident truth, or is a database better? Anchor hashes on-chain, not the data itself.
- **Interview:** "When is a blockchain genuinely the right tool over Postgres?"

**Concept:** EOA (externally owned account, controlled by a key) vs contract account (code, passive). `view` reads are free; state writes cost gas. A failed tx reverts atomically: every state change it made is rolled back.
- **Gateway:** Contracts are passive, so the connector (an account) must trigger every action; nothing self-executes.
- **Best practice:** "Costs gas" means "writes state." Push large or voluminous data off-chain; storage is the dearest resource.
- **Interview:** "What happens to state when a tx reverts halfway through?"

## Why a security needs more than ERC-20

**Concept:** ERC-20 is an interface; its `transfer` gates on balance only, so it is permissionless, which disqualifies it for a regulated asset. Events are the on-chain to off-chain bridge.
- **Gateway:** Uses custom ERC-20 variants (ERC20F/ERC20MN01) plus a separate AllowList for whitelisting.
- **Best practice:** Never use a plain ERC-20 for a security. Build reconciliation off the Transfer event log.
- **Interview:** "Why can't we use a standard ERC-20 for fund shares?" / "How do you scope and revoke approvals?"

**Concept:** Gate transfer on WHO may hold (identity) and WHETHER the transfer is allowed (compliance); plus an agent role with freeze, forced-transfer, recovery, mint and burn powers.
- **Gateway:** AllowList is the WHO gate; agent powers are connector actions; the same model maps onto Solana Token-2022.
- **Best practice:** "Not trustless, but accountable." Compliance is enforced atomically by revert, not by back-office cleanup.
- **Interview:** "Walk me through the two checks an ERC-3643 transfer performs before moving tokens."

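
The two gates, the agent powers and the atomic-revert behaviour from the last three blocks, as an added TypeScript reference model (not Gateway's code and not the ERC-3643 ABI). It puts plain ERC-20 semantics (balance is the only gate) beside the permissioned version, whose checks all run before any effect so a failed transfer leaves state untouched. The state shape, the max-holders rule and the forced-transfer policy are this example's own assumptions.

```typescript
// Added example, not Gateway's code: a TypeScript reference model of the two-gate
// transfer (identity = WHO may hold, compliance = WHETHER allowed) next to plain
// ERC-20 semantics. State shape, max-holders rule and forced-transfer policy are
// assumptions for this example, not the ERC-3643 ABI.
type Address = string;

// Stands in for an EVM revert: thrown before any state is touched.
class Revert extends Error {}
function requireOrRevert(cond: boolean, reason: string): void {
  if (!cond) throw new Revert(reason);
}

interface TokenState {
  balances: Map<Address, number>;
  verified: Set<Address>;   // gate 1 input: the identity registry (WHO may hold)
  frozen: Set<Address>;     // gate 2 input: accounts frozen by an agent
  maxHolders: number;       // gate 2 input: a sample compliance rule
  agents: Set<Address>;     // holders of freeze / forced-transfer powers
}

function balanceOf(s: TokenState, a: Address): number {
  return s.balances.get(a) ?? 0;
}

function holderCount(s: TokenState): number {
  let n = 0;
  s.balances.forEach(v => { if (v > 0) n++; });
  return n;
}

function move(s: TokenState, from: Address, to: Address, amount: number): void {
  s.balances.set(from, balanceOf(s, from) - amount);
  s.balances.set(to, balanceOf(s, to) + amount);
}

// Plain ERC-20 semantics for contrast: balance is the only gate, anyone may receive.
function plainTransfer(s: TokenState, from: Address, to: Address, amount: number): void {
  requireOrRevert(balanceOf(s, from) >= amount, "insufficient balance");
  move(s, from, to, amount);
}

// Gate 1: identity. Gate 2: compliance, evaluated against the post-transfer state.
// Returns the failure reason or null, like a canTransfer view on a permissioned token.
function canTransfer(s: TokenState, from: Address, to: Address, amount: number): string | null {
  if (balanceOf(s, from) < amount) return "insufficient balance";
  if (!s.verified.has(to)) return "recipient not in identity registry";
  if (s.frozen.has(from) || s.frozen.has(to)) return "account frozen";
  const newHolder = balanceOf(s, to) === 0 && amount > 0;
  const senderLeaves = balanceOf(s, from) === amount;
  if (newHolder && !senderLeaves && holderCount(s) + 1 > s.maxHolders) return "max holders exceeded";
  return null;
}

// Effects only after every check has passed: a failed transfer leaves state
// untouched, mirroring an atomic EVM revert.
function permissionedTransfer(s: TokenState, from: Address, to: Address, amount: number): void {
  const reason = canTransfer(s, from, to, amount);
  requireOrRevert(reason === null, reason ?? "");
  move(s, from, to, amount);
}

// Agent powers. Assumed policy for this model: a forced transfer bypasses the
// compliance rules (including freeze) but still requires a verified recipient.
function forcedTransfer(s: TokenState, agent: Address, from: Address, to: Address, amount: number): void {
  requireOrRevert(s.agents.has(agent), "caller is not an agent");
  requireOrRevert(balanceOf(s, from) >= amount, "insufficient balance");
  requireOrRevert(s.verified.has(to), "recipient not in identity registry");
  move(s, from, to, amount);
}

function setFrozen(s: TokenState, agent: Address, account: Address, frozen: boolean): void {
  requireOrRevert(s.agents.has(agent), "caller is not an agent");
  if (frozen) s.frozen.add(account); else s.frozen.delete(account);
}

// Constructed sample state: two holders, a verified non-holder, and one agent.
function sampleState(): TokenState {
  return {
    balances: new Map<Address, number>([["alice", 100], ["bob", 50]]),
    verified: new Set<Address>(["alice", "bob", "carol"]),
    frozen: new Set<Address>(),
    maxHolders: 3,
    agents: new Set<Address>(["agent"]),
  };
}
```

`canTransfer` is the interview answer in code: identity first, then compliance, and only then `move`. The interesting negative case is the unverified recipient: `plainTransfer` hands it the tokens, `permissionedTransfer` reverts with balances unchanged.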
## The whole system, and how it's secured

**Concept:** Lifecycle: issuance → registry/transfer agent (TA) → custody → secondary market → redemption. The architect's core call is where the on/off-chain boundary sits.
- **Gateway:** token-service and asset-adapter orchestrate; events captured by the listener feed reconciliation; recon checks for drift between chain and database.
- **Best practice:** On-chain only what benefits from shared, tamper-evident truth; keep identity documents, keys and NAV off-chain.
- **Interview:** "Where would you NOT put data on-chain, and why?" / "Walk a subscription end-to-end."

**Concept:** Two attack surfaces: keys (custody tiers: single key → multisig → MPC → HSM) and code (OWASP smart-contract risks: access control is #1, then reentrancy, logic, oracle). Upgradeability turns into key risk: whoever holds the upgrade key can replace the code.
- **Gateway:** All keys live in Fireblocks MPC; the connector requests signatures and never holds keys.
- **Best practice:** Enumerate every privileged function and who may call it. Crown-jewel keys → multisig + timelock + policy.
- **Interview:** "Our token is upgradeable: what are the risks, and how would you govern the upgrade key?"

**Concept:** "Tokenized X" spans a backing spectrum: fully backed and redeemable → SPV → synthetic perp. Solana's Transfer Hook plays the role of the ERC-3643 compliance gate.
- **Gateway:** Solana support is Token-2022; the multi-chain model treats each chain's permissioning natively.
- **Best practice:** Reflex: "what backs this, who holds it, what can I redeem it for?" Verify the backing; don't trust a label.
- **Interview:** "Explain the risk difference between SPCX, an SPV token, and a SpaceX perp."

**Concept:** A reserve-backed token (an equity stablecoin). The invariant: supply ≡ custodied shares. Token-2022 features used: default-frozen accounts, transfer hook, permanent delegate (clawback).
- **Gateway:** Solana freeze/thaw and ATA creation are connector actions; mint and burn map to escrow points.
- **Best practice:** Wire proof-of-reserve into the mint logic, so over-minting is impossible even with a stolen mint key.
- **Interview:** "How do you guarantee an issuer can never mint more tokens than the shares it holds?"

**Concept:** No oracle pushes the price. Creation/redemption arbitrage (the ETF mechanism) anchors it. The token drifts to a premium or discount when the underlying market is closed.
- **Gateway:** Relevant to how prices are displayed and sourced, and to how DvP settlement values its legs.
- **Best practice:** Tight tracking = low fees + fast settlement + deep liquidity + many permitted arbitrageurs. Disclose the weekend gap.
- **Interview:** "What makes a tokenized stock trade at a weekend premium, and how would you minimise it?"

## Reading both sides of the boundary

**Concept:** Solidity (contract) ⟶ ABI ⟶ TypeScript client. Provider = read (free); Signer = write (key + gas). Web3.js is sunset; use ethers or viem.
- **Gateway:** The EVM library is viem; the connector's Signer is Fireblocks-backed; the listener uses viem WebSocket subscriptions.
- **Best practice:** A server-side Signer with mint/freeze power wraps the agent key, so route it via custody, never an environment variable.
- **Interview:** "Walk me through, end to end, what happens when a user clicks 'transfer'." / "ethers vs viem?"

**Concept:** The frontend never signs. One writer (connector → Fireblocks → chain), one reader (listener → DB/topic). Asynchronous write and read paths over Azure Service Bus.
- **Gateway:** This is Gateway. Everything else is detail hanging off this frame.
- **Best practice:** Idempotency keys for at-least-once queues; a persistent checkpoint plus reorg handling for listeners.
- **Interview:** "Why one writer and one reader?" / "Why must the connector be idempotent?"

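
Why the connector must be idempotent, as an added TypeScript example (not Gateway's code): an at-least-once queue will redeliver a command, and without a durable idempotency record the single writer would submit the same mint twice. The message shape, the store and the `FakeChainWriter` standing in for the custody-signed submit path are assumptions for the example.

```typescript
// Added example, not Gateway's code: an idempotent command handler for the single
// writer behind an at-least-once queue. Message shape, store and the FakeChainWriter
// (stand-in for connector -> custody signer -> chain) are assumptions.
interface QueuedCommand {
  idempotencyKey: string;   // set by the producer; identical on every redelivery
  action: "mint" | "freeze" | "transfer";
  payload: Record<string, string | number>;
}

type Outcome =
  | { status: "submitted"; txHash: string }
  | { status: "rejected"; reason: string };

interface IdempotencyRecord { state: "in-flight" | "done"; outcome?: Outcome }

// Durable record per key. In production this is a DB row written in the same
// transaction as the outcome, so a crash cannot lose the "done" mark.
interface IdempotencyStore { records: Map<string, IdempotencyRecord> }

// Constructed stand-in for the chain write path; hashes are labels.
class FakeChainWriter {
  submitted: string[] = [];
  submit(action: string, payload: Record<string, string | number>): string {
    if (action === "transfer" && payload.amount === 0) throw new Error("zero-amount transfer rejected");
    this.submitted.push(`${action}:${JSON.stringify(payload)}`);
    return `0xtx${this.submitted.length}`;
  }
}

// A redelivered command returns the stored outcome without a second chain write.
// A key seen while still in-flight is deferred (re-queued) rather than re-run.
function handleCommand(store: IdempotencyStore, writer: FakeChainWriter, cmd: QueuedCommand): Outcome | "deferred" {
  const existing = store.records.get(cmd.idempotencyKey);
  if (existing && existing.state === "done" && existing.outcome) return existing.outcome;
  if (existing && existing.state === "in-flight") return "deferred";

  store.records.set(cmd.idempotencyKey, { state: "in-flight" });
  let outcome: Outcome;
  try {
    outcome = { status: "submitted", txHash: writer.submit(cmd.action, cmd.payload) };
  } catch (e) {
    // A deterministic rejection is final; a transient failure (RPC down) would
    // instead clear the in-flight mark so the redelivery retries.
    outcome = { status: "rejected", reason: e instanceof Error ? e.message : String(e) };
  }
  store.records.set(cmd.idempotencyKey, { state: "done", outcome });
  return outcome;
}

// Process a batch as the queue would deliver it, duplicates included.
function drainQueue(store: IdempotencyStore, writer: FakeChainWriter, messages: QueuedCommand[]):
    { chainWrites: number; outcomes: (Outcome | "deferred")[] } {
  const outcomes = messages.map(m => handleCommand(store, writer, m));
  return { chainWrites: writer.submitted.length, outcomes };
}
```

The key has to come from the producer (the subscription or compliance event that caused the command), not from the consumer: only then do two deliveries of one intent share one key while two distinct mints for the same investor get two.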
**Ahead (planned):** L12 four services · L13 ERC20F/MN01 + proxy · L14 multi-chain (EVM events vs XRPL/Stellar trustlines vs Solana) · L15 escrow/DvP · L16 the 6.5 collapse, judged

| Area | The practice |
|---|---|
| On/off-chain | On-chain only shared tamper-evident truth; anchor hashes; keep PII/keys/NAV off. |
| Permissioning | Gate transfer on identity (WHO) + compliance (WHETHER); enforce by revert, not back-office. |
| Backing | Invariant supply ≡ reserves; wire proof-of-reserve into mint ("secure mint"). |
| Pricing | Backed tokens track by arbitrage, not oracle; expect and disclose weekend drift. |
| Custody | Keys in MPC; crown-jewel keys (mint, clawback, upgrade) → multisig + timelock + policy engine. |
| Code (Solidity) | Checks-effects-interactions (reentrancy); enumerate privileged functions (access control = #1 loss). |
| Code (client) | viem/ethers (not Web3.js); never hold a privileged key in app code or env. |
| Queues | Idempotency keys for at-least-once; the queue decouples the UI from the slow chain edge. |
| Listeners | Persistent sync checkpoint (block number + hash) + reorg handling; recon detects drift but doesn't prevent it. |
| Audits | Check severity counts, findings fixed and re-audited, scope/commit hash = deployed code, centralisation notes. |