The token that can
only give.
3% of every swap is taken in ETH, locked in an immutable vault and bridged straight to St. Jude’s public donation address. No owner, no pause, no mint — no one can redirect it. Not even us.
the path of every wei
Two public calls. Zero trusted parties.
The asset that leaves the trades and the asset St. Jude receives is the same ETH — no swaps, no custodians, no multisigs in between. Both steps of the journey are permissionless: anyone can push the money forward, no one can push it anywhere else.
- L2
A swap happens
Someone buys or sells $STJUDE against ETH in the pool on Robinhood Chain. Wallet-to-wallet transfers are free — the fee lives only on the trading leg.
- L2
3% is taken — in ETH
The fee hook skims 3% from the ETH side of the swap. The rate is a deploy-time constant with a hard cap of 5% — it cannot be raised, lowered or toggled after deployment. Same asset in, same asset out: no swaps anywhere in the chain.
- L2
ETH accumulates in the vault
Once the vault holds more than 0.1 ETH, anyone can call
withdraw(). The caller earns 0.25% for gas — the only outflow that isn’t the bridge. No owner key is involved, ever. - BRIDGE
Canonical bridge · 7-day challenge period
The ETH enters the canonical Arbitrum Orbit bridge via ArbSys, destination hard-set to the L1 payout contract. Withdrawal to mainnet takes 7days by design. We don’t use a fast bridge — that would add trust in a third party just to save a week. The delay is public and shown on the dashboard as its own status.
- L1
finalize() — claim and donate in one tx
After the challenge period, anyone calls
finalize(). It claims the withdrawal and forwards the entire balance to the beneficiary in the same transaction. The payout contract has one send function and one constant — no other destination exists in its bytecode. - L1
It arrives at St. Jude's own address
nft.stjude.eth— the donation address St. Jude publishes on stjude.org. The raw address is baked in as an immutable constant (not ENS — resolvers can change, constants can’t).
on-chain, verifiable, no backend truth
Donation dashboard
Every number here is the sum of on-chain events — Bridged on L2 and Donated on L1. Nothing is simulated: until the contracts are live, the counters honestly read zero.
Donation history
L2 withdraw tx · L1 donate tx · amount · dateNo donations yet — the first withdraw() will appear here the moment it lands on-chain.
this table reads events only · it cannot show anything that didn’t happen
trust the bytecode, not the team
What the team cannot do.
Most charity tokens ask you to trust a wallet. This one is built so there is nothing to trust — the dangerous functions simply don’t exist.
Drain the vault
There is no function that sends vault ETH to an arbitrary address. The only exits are the canonical bridge and the 0.25% caller reward.
Change the beneficiary
BENEFICIARY is an immutable constant in the L1 payout contract. Changing it requires deploying a new contract through full governance.
Pause the flow
withdraw() and finalize() have no pause switch, no whitelist, no owner check. If the chain is live, the money moves.
Raise the fee past 5%
The rate is fixed at deploy (3%) with a 5% hard cap compiled in. No dynamic setters exist.
Mint new tokens
Fixed supply, no mint function, no owner on the ERC-20. The token contract holds zero privileged logic.
What everyone can do
Call withdraw(), call finalize(), verify every event, read every constant. The protocol is operated by the public, for one recipient.
six contracts, one direction
The architecture
Each contract does one job. Addresses are published and verified on deployment; the vault and payout contracts go through an external audit first — the bridge is the main risk surface, and it is treated that way.
StJudeToken
ROBINHOOD L2ERC-20 with fixed supply. No mint function, no owner. The token itself holds zero privileged logic.
StJudeFeeHook
ROBINHOOD L2Takes the 3% fee in ETH on the ETH leg of every swap. Rate is a deploy-time constant with a 5% hard cap.
StJudeVault
ROBINHOOD L2Accumulates ETH. withdraw() pushes it into the canonical bridge via ArbSys. Destination changes only through governance.
StJudePayout
ETHEREUM L1finalize() claims the bridged ETH and forwards it to the immutable BENEFICIARY in a single transaction. No other destination exists in the bytecode.
StJudeGovernor
ROBINHOOD L2Proposals and voting for beneficiary changes. 7-day vote, 10% supply quorum, proof link required.
StJudeTimelock
ROBINHOOD L2Enforces a 14-day delay on any destination switch. Execution is public — no owner needed.
the only mutable thing — slowly, loudly, publicly
Changing the beneficiary takes 21+ days.
If St. Jude ever rotates its published address — or asks us to stop — governance is the only path to react. Four steps, no shortcuts, and the target address must be provably published by the organization itself.
Proposal
A new beneficiary can only be proposed with a proof link showing the organization itself published that address.
Vote
Token holders vote for 7 days. Quorum is 10% of total supply — a quiet change is impossible.
Timelock
A passed proposal waits 14 more days in the timelock. Two full weeks for anyone to inspect the new payout contract.
Execution
execute() is permissionless. A fresh StJudePayout is deployed and the vault's bridge destination switches — no owner key at any step.
asked, answered
Questions worth asking
No. This is an independent community project, not affiliated with, endorsed by, or operated by St. Jude Children’s Research Hospital or ALSAC. St. Jude publicly invites smart contracts to use its published donation address and asks to be notified at cryptocurrency@stjude.org — that notification is sent before deployment and the correspondence is kept. If the organization objects, the beneficiary is changed through governance. The project team can be reached at stjudetoken@gmail.com.