Hive  /  Ondo · Tokenized RWA Attestation
For Ondo Chain validators, Global Markets issuers, and the institutions running tokenized treasuries

Ondo built the L1 for tokenized RWAs.
Hive ships the receipt envelope underneath.

Ondo Chain has a permissioned-validator model. Ondo Global Markets has 200+ tokenized U.S. stocks. USDY runs on five chains with $740M outstanding. The SEC tokenized-stock framework lands this week. What Ondo does not ship today is the four-part attestation envelope that turns every mint, burn, bridge, and counterparty action into a record the SEC, the local-jurisdiction regulator, the broker-dealer of record, and the holder each read their own slice of. That is the layer Hive built.

4-part attestation SEC-ready Ondo Chain compatible LayerZero bridge aware ViewKey selective disclosure
See a signed receipt in 60 sec Talk to Hive
$2.5B+
Ondo TVL · Feb 2026
$740M
USDY outstanding · 5 chains
200+
GM tokenized U.S. securities
4
Independent attestation gates
A · Ondo Chain
SHOD as the validator policy gate
Six-hop outbound discrimination on every transfer
B · Global Markets
ViewKey for SEC + local regulator
One receipt, three lenses per GM token event
C · USDY
Cross-chain mint/burn receipts
Burn on Ethereum ↔ mint on Solana, one envelope
D · SWEEP
CFO-grade fund event receipts
State Street + Galaxy seed, audit-ready from day one

AOndo Chain — SHOD as the validator-side policy gate

Ondo Chain runs a permissioned validator set explicitly to prevent front-running and protect institutional flow. That is exactly what SHOD does at the receipt layer. Six independent outbound gates — sanctions, jurisdiction, scope ceiling, counterparty risk, time-of-day, and policy proof — sit on every transfer. All six must pass or the receipt does not sign. The validator never has to make a discretionary call; the gate result is mechanical, signed, and verifiable offline by any regulator who later asks the question.

What gets signed

Every transfer on Ondo Chain carries a SHOD verdict before the validator commits.

  • Gate 1 — Sanctions — OFAC, EU, UK lists checked against sender, receiver, and any beneficial-owner chain inferred from did:hive.
  • Gate 2 — Jurisdiction — buyer's KYC residency cross-matched against issuer's offering eligibility (Reg S, Reg D, local equivalents).
  • Gate 3 — Scope ceiling — HAHS hire-time scope receipt. The token cannot do what the issuer never authorized.
  • Gate 4 — Counterparty risk — exposure ceiling per counterparty, signed by the issuer's risk engine.
  • Gate 5 — Time-of-day — underlying-market hours for GM tokens, redemption-window enforcement for USDY.
  • Gate 6 — Policy proof — SpectralZK zero-knowledge proof that the issuer's compliance policy ran without revealing the policy itself.

Validator sees pass/fail. Regulator sees the full envelope on request. Front-runner sees nothing — the gates run before commitment, not after.

BOndo Global Markets — ViewKey for the four regulators that care

A GM token tracking AAPL has a U.S. broker-dealer of record holding the underlying, a Cayman or BVI issuer wrapping the token, a buyer in Singapore or Germany with a local regulator who wants to see the trade, and the SEC who under the May-2026 framework will want a verifiable on-chain trail. Today each of those four sees a different slice through different reporting pipelines. With Hive ViewKey, all four read the same signed receipt — only the lens differs.

One receipt, four lenses

Issue once. Every regulator gets exactly what they are allowed to see, nothing more.

  • SEC lens — trade size, U.S.-person check result, broker-dealer of record, settlement chain, gate verdicts. No buyer PII.
  • Local-jurisdiction lens — buyer KYC tier, residency, offering eligibility result, local-tax flag. No counterparty position data.
  • Broker-dealer lens — underlying security CUSIP, lot size, mark-to-market reference, hedge attribution. Full operational view.
  • Holder lens — their own trade confirm with cost basis, accrued yield (for USDY), and a verifiable hash they can post to their wallet.

Same JSON. Same signature. Four different decryption keys, each scoped to what that regulator is entitled to. ML-DSA-65 plus Ed25519. Verifiable in a browser at thehiveryiq.com/verify.

CUSDY — cross-chain mint and burn, one signed envelope

USDY sits on Ethereum, Solana, Mantle, Sui, and Aptos. The Ondo Bridge runs over LayerZero. Today a burn on Ethereum and a mint on Solana are two events in two different log streams that an auditor has to reconcile manually. Hive ships a single four-part receipt that binds the burn-tx hash, the bridge-message hash, the mint-tx hash, and the off-chain NAV-at-bridge-time into one envelope. The auditor reads one record. The regulator reads one record. The holder reads one record. Reconciliation goes from a workflow to a verification.

What the envelope binds

Burn on chain A ↔ mint on chain B — one signature, no orphan events.

  • Source-chain burn — tx hash, block, burner address, amount, NAV-at-burn.
  • Bridge message — LayerZero message ID, source endpoint, destination endpoint, message hash.
  • Destination-chain mint — tx hash, block, mint recipient, amount, NAV-at-mint.
  • Off-chain reconciliation — NAV-delta attestation, fee accrual, and a SpectralZK proof that the bridge policy ran correctly without revealing the policy.

If the destination mint never lands, the envelope never signs. If the burn was for the wrong amount, the envelope never signs. The receipt is the reconciliation.

DSWEEP — CFO-grade fund event receipts, audit-ready from day one

Ondo announced the SWEEP tokenized fund with $200M seed from State Street and Galaxy Asset Management. A fund of that profile launches into a PCAOB and SEC audit environment from day one. The traditional answer is a custodian-of-record statement, a transfer-agent log, and a separate fund accounting line. Hive collapses those three into a single four-part receipt on every subscribe, redeem, NAV strike, and distribution. The auditor verifies offline. The CFO closes the books faster. The regulator gets a feed they can verify without trust.

Fund events that get signed

Every state transition the fund cares about, signed and bound to the underlying.

  • Subscription — LP identity (via did:hive, never raw PII), subscription amount, NAV at strike, fund-of-record attestation.
  • Redemption — LP identity, redemption amount, NAV at strike, sweep account debit hash.
  • NAV strike — underlying portfolio composition hash, valuation source attestation, NAV value, strike timestamp.
  • Distribution — payout per LP, withholding flags, tax-jurisdiction lens, receipt-of-funds hash.

Same envelope shape as USDY and GM. One verifier — thehiveryiq.com/debugger — reads every Ondo event regardless of product.

EEconomics — priced per event, not per seat

Hive is not per-seat SaaS. Every receipt is priced as labor — what would the human verifier cost otherwise. 80% of every receipt clears to the human operator of record. The remaining 20% covers the rail.

USDY event
$0.10 per mint/burn/bridge receipt
GM token trade
$0.25 per signed trade confirm
SWEEP fund event
$1.00 per subscribe/redeem/NAV strike

Volume tiers available. Negotiate the floor on the contract, not the per-transaction price.

FWhy this lands now

GGet in touch

The fastest way to evaluate is to run the live A2A demo against a synthetic GM-token issuance. Two agents transact, both sides hold the receipt, you verify it in a browser at thehiveryiq.com/verify. End-to-end, sub-250ms.

Run the live demo Email sales

Ondo built the rails. Hive signs the receipts.

Four-part attestation on every tokenized RWA event. SEC-ready. Audit-ready. Verifiable in a browser. Drop-in on Ondo Chain, Global Markets, USDY, and SWEEP — no schema change.

See it run Read the doctrine