Verification Guide

This page defines how ATAMO should be verified using independent, public, and cryptographic sources. Verification should rely only on official references, signed Git tags, signed checksum manifests, verified contract source code, and on-chain data.

Verification principle

ATAMO verification is based on publicly verifiable data, not on trust, screenshots, direct messages, advertisements, or third-party claims.

If a claim cannot be verified through official sources, signed artifacts, verified source code, or blockchain data, it should be treated as untrusted.

If information conflicts across sources, verified on-chain data, verified contract source code, signed Git tags, and signed release artifacts take priority.

1. Authoritative sources of truth

The following sources define the official ATAMO system state:

  • official domain: atamo-atms.org
  • official GitHub repository: github.com/atamo-atms/atamo-project
  • signed Git release tag: v1.0.0
  • official token proxy: 0x38604c42c16e29BbFbc5479668453f18cB6cf335
  • verified smart contract addresses
  • verified contract source code
  • signed release checksum manifest: SHA256SUMS.asc
  • release checksum file: SHA256SUMS
  • machine-readable deployment manifest
  • full deployment records

2. Official mainnet addresses

Component | Address | Purpose
ATAMO Custodian Safe | 0xe3b72bdb899364ce86949746D31CCba5f384b949 | 2-of-3 multisignature governance root
Timelock Proxy | 0x2778BC96422AeD7D7Ac7CE21372Aa42c525A86B8 | Delayed governance execution layer
Timelock Implementation | 0xb0d8dc6a08Cb4F93a795c53867ac990C8ce4B0E0 | Current Timelock logic implementation
SecureToken Proxy | 0x38604c42c16e29BbFbc5479668453f18cB6cf335 | Official user-facing ATMS ERC-20 token address
SecureToken Implementation | 0xD0E06380aF1927c5d929625406d7E9896a80C09c | Current token logic implementation
TokenActionRecorder | 0xAA7152784479Ed53147A12514602968327c9965E | Safe-only governance-action recording helper
ATMSParticipationVault | 0x01273Ef57CE09C4Aa615E3bd95eF2b9DD54fd0E4 | Staking, proposal, support, and rewards layer

3. Quick verification checklist

Minimum verification steps

  • confirm the official domain: atamo-atms.org
  • verify the official GitHub repository
  • verify signed Git tag v1.0.0
  • verify the signed checksum manifest SHA256SUMS.asc
  • verify release artifact hashes with SHA256SUMS
  • verify the token proxy from the official contracts page
  • confirm contract verification on Etherscan
  • confirm the token owner is the Timelock proxy
  • confirm the Timelock owner is the ATAMO Custodian Safe

Release verification

ATAMO release artifacts are verified using signed Git tags and PGP-signed checksum manifests. This allows independent verification that the release artifacts were produced by the ATAMO release authority.

Official PGP fingerprint:

7FF6 8D4A 2A54 F8CC 8641 E880 A4C7 575F 79C4 E1AC

4. Step-by-step verification

1. Start from the official domain
   Only begin from atamo-atms.org. Avoid links copied from social media, chats, ads, direct messages, or screenshots.
2. Confirm the official token proxy
   Verify that the token proxy is 0x38604c42c16e29BbFbc5479668453f18cB6cf335 before interacting with any token, wallet, swap, or exchange flow.
3. Verify token contract values
   On Etherscan, open the SecureToken proxy and use Contract → Read as Proxy. Confirm name(), symbol(), decimals(), owner(), and timelock().
4. Verify timelock ownership and delay
   Open the Timelock proxy and confirm owner() equals the ATAMO Custodian Safe, minDelay() equals 172800, and gracePeriod() equals 5184000.
5. Verify Safe configuration
   Open the Safe interface and confirm the Safe address is 0xe3b72bdb899364ce86949746D31CCba5f384b949 and the threshold is 2 of 3.
6. Verify contract source code
   Ensure that implementation contracts are verified and match the expected Solidity compiler version, optimizer settings, source behavior, and deployment records.
7. Verify signed release artifacts
   Use the published ATAMO PGP key to verify SHA256SUMS.asc, then verify all listed release artifact hashes using SHA256SUMS.

5. Signed release verification

The signed release artifacts help users verify official contract addresses independently of the website.

Official release directory:

releases/v1.0.0/

Release integrity files:

  • deployment-manifest.mainnet.json
  • deployment-records-full.mainnet.json
  • ATAMO_DEPLOYMENT_STATEMENT_mainnet_2026-05-16.txt
  • SHA256SUMS
  • SHA256SUMS.asc
  • ATAMO_RELEASE_PGP_PUBLIC_KEY.asc

Example commands

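# Import the public key shipped with the release
gpg --import releases/v1.0.0/ATAMO_RELEASE_PGP_PUBLIC_KEY.asc

# Show the imported key, selected by the official PGP fingerprint, and compare it with the fingerprint above
gpg --fingerprint 7FF68D4A2A54F8CC8641E880A4C7575F79C4E1AC

# Verify the signature on the Git tag
git tag -v v1.0.0

# Verify the signature on the checksum manifest
gpg --verify releases/v1.0.0/SHA256SUMS.asc releases/v1.0.0/SHA256SUMS

# Check the release artifacts against the signed checksums
sha256sum -c releases/v1.0.0/SHA256SUMS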
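
The manifest check above with the signer pinned, as an added example that is not part of the ATAMO repository: gpg --verify succeeds for any key present in the keyring, so this script reads GnuPG's status output and accepts SHA256SUMS only when the VALIDSIG line carries the official PGP fingerprint published on this page. The function names and the throwaway keyring are assumptions of this example.

```shell
#!/bin/sh
# Added example (not project code): pin the SHA256SUMS signature to the
# fingerprint published on this page instead of trusting "Good signature".
set -eu

PINNED_FPR="7FF68D4A2A54F8CC8641E880A4C7575F79C4E1AC"   # from this page, spaces removed

# validsig_matches FPR
# Reads `gpg --status-fd` output on stdin. Succeeds only if a VALIDSIG line is
# present, every VALIDSIG names FPR as signing key (field 3) or primary key
# (last field), and no bad/expired/revoked signature status appears.
validsig_matches() {
  awk -v want="$1" '
    $1 != "[GNUPG:]" { next }
    $2 == "VALIDSIG" {
      seen = 1
      if (toupper($3) != toupper(want) && toupper($NF) != toupper(want)) bad = 1
    }
    $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
    END { exit (seen && !bad) ? 0 : 1 }
  '
}

# verify_release DIR
# Run from the repository root, like the commands above. Uses a throwaway
# keyring so that only the key file shipped in DIR can produce a match.
verify_release() {
  dir="$1"
  home="$(mktemp -d)"
  chmod 700 "$home"
  rc=0
  gpg --homedir "$home" --batch --quiet \
      --import "$dir/ATAMO_RELEASE_PGP_PUBLIC_KEY.asc" || rc=1
  if [ "$rc" -eq 0 ]; then
    gpg --homedir "$home" --batch --status-fd 1 \
        --verify "$dir/SHA256SUMS.asc" "$dir/SHA256SUMS" 2>/dev/null \
      | validsig_matches "$PINNED_FPR" || rc=1
  fi
  rm -rf "$home"
  [ "$rc" -eq 0 ] || { echo "key import or pinned-signature check failed" >&2; return 1; }
  sha256sum -c "$dir/SHA256SUMS"
}

# Only run when a release directory is given, e.g. releases/v1.0.0
if [ "$#" -gt 0 ]; then verify_release "$1"; fi
```

A release directory that ships a substituted public key still fails here, because the comparison is against the fingerprint pinned in the script and not against whatever key was imported.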

6. Anti-phishing and impersonation

Attackers may attempt to impersonate ATAMO through fake websites, copied token symbols, fake contract addresses, fake swap links, fake exchange listings, or manipulated social media posts.

Untrusted sources

  • screenshots of contract addresses
  • messages in chats or direct messages
  • unverified social media links
  • search ads or unofficial landing pages
  • third-party websites without cross-verification
  • fake token pages using the same symbol

Verification rule

If a contract address or instruction does not match the official domain, signed release artifacts, and verified on-chain data, it should be treated as malicious or incorrect.

7. Reviewer and exchange guidance

How to verify ATAMO as an exchange

  • validate deployed contract addresses against official references
  • confirm the canonical token address is the SecureToken proxy
  • confirm proxy and implementation relationships
  • confirm contract verification and bytecode consistency
  • review Timelock and administrative-control configuration
  • confirm the Safe threshold is 2-of-3
  • verify signed Git tag and signed checksum manifest
  • cross-check documentation with on-chain behavior

How to interpret results

Verification should rely on blockchain data, signed artifacts, and verified contract source code. Documentation should support, not replace, technical validation.

The official user-facing token address is the SecureToken proxy, not the implementation contract.