Defences, not promises.

Security at Timebank isn't a page on a marketing site — it's the database engine itself. Row-level locks, idempotency keys and two-entry ledgers mean money behaves predictably even when networks don't.

Transfer lifecycle

One transfer, four guarantees.

tx · transfer_v2 idempotent · atomic · audited

① Acquire lockSELECT … FOR UPDATE on both wallets

② Re-checkBalances revalidated under the lock

③ ApplyBoth balances updated in one transaction

④ LedgerTwo rows written · debit + credit

The ledger

Two rows, every time.

Every transfer writes two ledger entries — one debit, one credit, each stamped with balance before and balance after. Reconcile any wallet, on any day, down to the paisa.

TypeDescriptionΔBeforeAfter

CREDIT From Hamza · code 7714 +1,200 11,280 12,480

DEBIT Campus Cafe · qr −380 11,660 11,280

DEBIT To Ayesha · code 0192 −850 12,510 11,660

CREDIT Top-up · campus card +2,000 10,510 12,510

Defences

Four guarantees,
end to end.

Row-level locking

Both wallets are locked deterministically — lowest ID first — before any balance change. Two concurrent transfers can't race each other into a negative balance.

Idempotent retries

Every send carries a unique key generated client-side. Retry on bad Wi-Fi and you get the same receipt back — not a duplicate transfer.

Two-entry ledger

One debit row, one credit row — each carrying balance before, balance after. The whole wallet can be reconstructed by replaying its rows.

Row-level security

RLS policies gate every read and write to your own wallet. Money moves only through audited RPCs — never raw table updates from the client.

Token rotation

Live QR tokens rotate every 60 seconds. A screenshot from yesterday won't drain your wallet today.

Rate limits

Per-wallet send velocity is capped and visible. Anomalies — sudden bursts, unusual recipients — trigger a hold the user can release in-app.

Defences, not promises. 🔐