β_orbIT

Bot-proof beta testing of your software. Get real feedback from unique humans, verified by World ID.

Created At

ETHGlobal New Delhi

Project Description

Orbital is an on-chain task marketplace that connects creators with real, verified people, solving two of the biggest problems in online task economies: bot abuse and slow payouts.

For creators, it's simple. You deposit funds into a secure smart contract and post a task with clear guidelines. For workers, you verify you're a unique person with World ID, complete the task, and submit it for approval. Once it's verified, payment is sent instantly from the secure escrow directly to your wallet. There are no middlemen and no waiting around.

We've designed the platform to be both safe and straightforward. All funds are held on the blockchain: they are released only when a task is successfully completed, and returned to the creator if it's canceled. A guided, user-friendly flow helps prevent common mistakes and gives you live updates on everything from funding status to payout readiness.

World ID is the key to making this all work. It enforces a one-person, one-account rule, which dramatically reduces spam and ensures a fair system. For creators, this means your budget is spent on genuine engagement with real users. For workers, it means you're competing on a level playing field for predictable rewards.

Our architecture is built for security and simplicity. An on-chain escrow guarantees that money can't be misused and that payouts are automatic. Off-chain, we manage a smooth and human-friendly workflow, while our servers handle verification to keep the platform secure.

The end result is a marketplace that’s fast, safe, and resistant to manipulation. It’s easy enough for solo creators to use and scalable enough for larger campaigns.

How it's Made

Frontend (Next.js + React + TypeScript)

App Router Structure: We use the Next.js App Router, leveraging server components for efficient data fetching and client components for interactivity.

Styling: Tailwind CSS is used for styling, supplemented by a small set of custom components (buttons, cards, modals) to ensure a consistent and fast user experience.

World App Mini-App Integration: As a World App mini-app, we leverage the native MiniKit SDK. To prove personhood, we invoke the verify command, which presents the user with the familiar, secure World App verification flow. Upon success, our app receives the ZKP payload (merkle_root, nullifier_hash, proof) to be sent to our backend.

Wallet & Contracts: We use a lightweight EVM client like viem to prepare and encode contract transaction data for operations like fund, release, or cancel. Instead of managing private keys, we pass this encoded data to the World App's native sendTransaction command. This prompts the user to securely sign and dispatch the transaction using their World App wallet, ensuring a seamless and non-custodial experience.

Data Fetching: We use the Supabase client and Next.js server routes for secure database interactions, featuring optimistic UI updates that roll back gracefully on server rejection.

Smart Contracts (Solidity + Foundry)

Core Logic (TaskEscrow.sol): This contract implements the core state transitions for tasks:

fundTask(taskId, amount) called by the creator.

assignTask(taskId, worker) with optional locks and expiries.

submitProof(taskId, proofHash/metadata) which emits events for off-chain indexing.

release(taskId, worker) which can only be triggered after a server-verified condition is met.

cancel(taskId) or reclaim allows the creator to retrieve funds after expiry if there's no valid submission.

Security: The contract is built with robust security measures, including reentrancy guards, the checks-effects-interactions pattern, tight event emission for observability, and careful access controls.

Testing: We use Foundry for comprehensive testing, including unit tests for both happy paths and failure modes (like insufficient funding, wrong worker, and expiry handling).
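
The release and cancel rules listed above, modelled in TypeScript to show why the checks-effects-interactions ordering blocks a re-entrant payout; this is an added example, not TaskEscrow.sol or the project's tests. The `Task` fields, the `releaseFunds` and `cancelTask` names, the `pay` callback and the reading of "valid submission" as submitted-and-verified are assumptions.

```typescript
// Added model of the release/cancel rules, not TaskEscrow.sol itself (assumed shape).
type Task = {
  creator: string; worker: string; balance: number;
  expiry: number; submitted: boolean; verified: boolean;
};
type Pay = (to: string, amount: number) => void; // stands in for the value transfer

function releaseFunds(t: Task, worker: string, pay: Pay): number {
  // Checks
  if (worker !== t.worker) throw new Error("wrong worker");
  if (!t.submitted || !t.verified) throw new Error("not verified");
  if (t.balance <= 0) throw new Error("no funds");
  // Effects: zero the balance before any external call
  const amount = t.balance;
  t.balance = 0;
  // Interaction last, so a callee that re-enters sees the updated state
  pay(worker, amount);
  return amount;
}

function cancelTask(t: Task, caller: string, now: number, pay: Pay): number {
  if (caller !== t.creator) throw new Error("not creator");
  if (now < t.expiry) throw new Error("not expired");
  if (t.submitted && t.verified) throw new Error("valid submission exists");
  if (t.balance <= 0) throw new Error("no funds");
  const amount = t.balance;
  t.balance = 0;
  pay(t.creator, amount);
  return amount;
}

// Constructed scenario: the payee re-enters releaseFunds() from inside the transfer.
function reentrancyDemo(): { paid: number; reentry: string } {
  const t: Task = { creator: "0xc", worker: "0xw", balance: 100,
                    expiry: 1000, submitted: true, verified: true };
  let paid = 0, reentry = "";
  const pay: Pay = (_to, amount) => {
    paid += amount;
    try { releaseFunds(t, "0xw", pay); } catch (err) { reentry = (err as Error).message; }
  };
  releaseFunds(t, "0xw", pay);
  return { paid, reentry };
}
```

If the balance were zeroed after `pay` instead of before it, the nested call would pass all three checks and the worker would be paid twice.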

Backend and Infra (Supabase + ngrok)

Database: We use Postgres on Supabase with tables for apps, tasks, assignments, submissions, and verifications.

Authentication: Supabase Auth handles session management and role-based access control, differentiating between "creator" and "worker" capabilities.

Edge Functions:

verify-world-id: This function serves as the trusted verifier. It receives the proof payload from the client (obtained via the verify command) and makes a server-to-server call to the World ID Developer Portal's /api/v1/verify endpoint. A 200 OK response confirms the proof is valid.

claim-reward: This function acts as a final gatekeeper before a payout. It double-checks the task state, creator funding, and a valid prior World ID verification. If all conditions are met, it returns an authorization to the client to proceed with the payout transaction.

Deployment: The frontend is deployed on Vercel, while Supabase hosts the database and edge functions.

Verification and Abuse Prevention

Sybil Resistance via World ID: World ID's Proof of Personhood is the core of our Sybil resistance. Verification relies on two key primitives:

Nullifier Hash: For each action, every person has a unique nullifier hash. Our backend records this hash upon its first valid use, making it impossible for the same person to complete the same task twice.

Signal: We use the worker's wallet address as the signal when verifying the proof. This cryptographically links the proof to the user performing the action, ensuring a proof generated by one person cannot be replayed by another.

Rate Limiting: We employ request throttles and submission cooldowns on top of World ID's guarantees to prevent other forms of automation abuse.
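
One way to implement the nullifier and signal checks described above on the backend, added here as an example and not taken from the project's code. `VerificationStore`, `admit`, the stub verifier standing in for the server-to-server verification call, the assumed uniqueness constraint and the sample proofs are all constructed for illustration.

```typescript
type ProofPayload = { merkle_root: string; nullifier_hash: string; proof: string };
type Verdict = "accepted" | "invalid_proof" | "already_used";

// Hypothetical stand-in for the server-to-server verifier call: true when the
// proof is valid for this (action, signal). Synchronous so the example runs offline.
type Verifier = (p: ProofPayload, action: string, signal: string) => boolean;

class VerificationStore {
  // Models an assumed UNIQUE(action, nullifier_hash) constraint in the database.
  used = new Map<string, string>();

  admit(p: ProofPayload, action: string, sessionWallet: string, verify: Verifier): Verdict {
    // The signal is derived from the authenticated session, never taken from the
    // request body, so a proof bound to one wallet cannot be claimed for another.
    const signal = sessionWallet.toLowerCase();
    if (!verify(p, action, signal)) return "invalid_proof";
    // Record first use. With a real database this must be a single INSERT that
    // relies on the unique constraint, not a read followed by a write.
    const key = `${action}:${p.nullifier_hash.toLowerCase()}`;
    if (this.used.has(key)) return "already_used";
    this.used.set(key, signal);
    return "accepted";
  }
}

// Constructed data: proofs the stub accepts, as "action|signal|nullifier_hash".
const ISSUED: Record<string, string> = {
  "proof-A": "task-42|0xaaa1|0x01", // person 1 on task-42, bound to wallet 0xaaa1
  "proof-B": "task-43|0xaaa1|0x02", // person 1 on task-43: a different nullifier
};
const stubVerify: Verifier = (p, action, signal) =>
  ISSUED[p.proof] === `${action}|${signal}|${p.nullifier_hash}`;

function verdictsDemo(): Verdict[] {
  const store = new VerificationStore();
  const a = { merkle_root: "0xroot", nullifier_hash: "0x01", proof: "proof-A" };
  const b = { merkle_root: "0xroot", nullifier_hash: "0x02", proof: "proof-B" };
  return [
    store.admit(a, "task-42", "0xAAA1", stubVerify), // first valid use
    store.admit(a, "task-42", "0xaaa1", stubVerify), // same person repeats the task
    store.admit(a, "task-42", "0xbbb2", stubVerify), // proof replayed from another wallet
    store.admit(b, "task-43", "0xaaa1", stubVerify), // same person, different task
  ];
}
```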

Funds and Payouts 💸

Non-Custodial: All task funds are held in the TaskEscrow smart contract. Payouts are executed on-chain directly to the worker’s address via the sendTransaction command.

Atomicity: The release function checks all preconditions and then transfers funds in the same transaction. Any failure causes the transaction to revert, keeping all funds safe.

Refunds: Creators can cancel tasks after they expire or if verification fails, and any unused balances are fully reclaimable.
