Case Study: Building FilmFund, a Compliant On-Chain Film Financing Platform

The short version

Independent film has a money problem that has nothing to do with talent. The scripts exist. The directors exist. The audience exists. What rarely exists is a clean, legal, transparent way for ordinary people to put a little money behind a movie they believe in and actually see where that money goes.

FilmFund set out to fix exactly that. It is a platform where filmmakers raise capital from a crowd of small investors, where every dollar of funding is escrowed and accounted for on-chain, where investors hold a real legal stake in the film through a regulated security token, and where the fans who help promote a project earn rewards for the marketing work they do.

We built the whole thing: the smart contracts, the database, the dashboards, the compliance flows, and a layer of AI tooling that helps creators get from “I have an idea” to “I have a screenplay.” This is the story of how the pieces fit together and the decisions that made it work.

The problem we were actually solving

If you have ever looked at film financing up close, you know it is a tangle. Money comes from a patchwork of grants, tax incentives, private equity, and favors. Investors hand over capital and then wait, often with very little visibility into how the production is spending or whether they will ever see a return. Crowdfunding platforms solved the access problem but created a new one: backers usually get a t-shirt and a thank-you, not equity.

So FilmFund had three goals that pulled in different directions:

Let anyone invest small amounts in a film they like.
Give those investors a genuine, enforceable economic interest in the film, not a perk.
Stay inside the lines legally, because the moment you sell people a share of future profit, you are selling a security.

Reconciling those three is the entire engineering and product challenge. A pure crypto token would have been easy and useless. A traditional fund would have been compliant and inaccessible. The interesting work lived in the middle.

The architecture at a glance

The platform runs as a hybrid system. Anything that needs to be trustless, permanent, or financially binding lives on-chain. Anything that needs to be fast, searchable, private, or rich (think profiles, project pages, KYC documents, analytics) lives off-chain in a managed backend. The two halves talk constantly, and most of the genuinely hard problems came from keeping them honest with each other.

Here is the shape of it:

Frontend: A React 18 single-page app built with Vite and TypeScript, styled with Tailwind, routed with React Router 7, and kept in sync with server state through TanStack Query. It ships in six languages out of the box (English, Spanish, German, French, Korean, and Chinese) using i18next.
Wallet and chain layer: wagmi, viem, ethers v6, and RainbowKit handle wallet connection and contract calls. The contracts are deployed on Base, Coinbase’s Ethereum layer-2, which keeps transaction fees low enough that micro-investing and reward claims actually make sense.
Backend: Supabase provides Postgres, authentication, file storage, and serverless edge functions written in Deno. The database alone went through 61 migrations as the data model matured.
Smart contracts: Twelve Solidity contracts compiled with Hardhat, built on OpenZeppelin’s upgradeable libraries, and structured so the financial logic is auditable and the legal logic is enforced in code.
AI services: Edge functions that call out to language models for screenplay generation and script analysis.

The codebase that ties this together runs to roughly 246 TypeScript files and 154 React components, with a test suite spanning Jest unit tests, integration tests, and Cypress end-to-end runs.

The token system, and why there are three of them

This is the heart of the design, so it is worth slowing down. FilmFund uses three distinct tokens, and each one exists because the other two could not do its job.

FFA: the access and staking token

FilmFund Access (FFA) is the platform’s main ERC20 token, with a fixed total supply of 100 million. It is what you stake to participate. When you stake FFA, you unlock the right to invest in film pools, with a rule baked into the contract that you can commit up to 75 percent of your staked balance to active investments. Staking also carries tiers, which feed into reward multipliers elsewhere in the system.

FFA is the financial gravity of the platform. It has a public market price (set at $0.20 at the token generation event, putting the fully diluted valuation at $20 million), and its allocation is split across the things a real venture needs to survive: seed and private rounds, a public sale, team and advisors, an ecosystem fund, a treasury, a liquidity reserve, a DAO governance pool, and a sizeable 26 million token allocation reserved specifically for rewarding film promotion. That last bucket is not decoration. It funds the second token.

FPP: promotion points that cannot be gamed

Here is a problem every creative platform faces. The people who help a project succeed are not only the investors. They are the fans who share the trailer, post about it, and bring their friends. That promotional work has real value, but how do you reward it without minting a speculative coin that bots farm into the ground?

The answer was FilmFund Promotion Points (FPP). On paper it is an ERC20 token, but it behaves nothing like one. FPP is non-transferable. You cannot sell it, trade it, or move it to another wallet. You can only earn it through verified promotion activity, and you can only convert it into FFA through a tightly controlled monthly window.

The contract enforces several guardrails to keep it fair:

A hard daily cap of 300 FPP per user, so no single account can flood the system.
An anti-Sybil requirement tied to staking, so reward farming has a real cost.
A per-user reputation score, starting at 50 out of 100, that tracks anomalous behavior and adjusts trust over time.
Staking-tier multipliers, so committed long-term participants earn at a higher rate.

The effect is a marketing engine where the incentive flows to genuine humans doing genuine promotion, not to whoever can spin up the most wallets.

JV tokens: the actual investment

When you invest in a film and that film gets funded, you do not receive FFA back or some generic share token. You receive a JV token, and this is where compliance stops being a buzzword.

Each JV token is a per-film security token built to the ERC1404 standard. ERC1404 exists precisely for regulated assets: it lets a token carry transfer restrictions so that ownership can only move between authorized, KYC-cleared parties, and so transfers can be halted or blocked when the law requires it. A JV token represents your stake in a specific joint venture for a specific movie. It carries the film’s name, budget, soft cap, hard cap, and deadline as on-chain metadata, and it supports dividend distribution so that when the film earns, holders get paid through the contract.

In other words, the speculative layer (FFA) and the regulated investment layer (JV tokens) are deliberately separated. You speculate on the platform with one instrument and you hold a real, restricted security with another. Keeping those concerns apart is what let the whole thing stay defensible.

Funding a film, step by step

The investment flow reads like Kickstarter, except the escrow is a smart contract and the reward is equity. It runs through a factory pattern for gas efficiency, where each new film pool and each new JV token is a cheap ERC1167 clone of a master implementation rather than a fresh deployment.

The lifecycle of a film pool looks like this:

A filmmaker creates a pool with a soft cap, a hard cap, and a deadline.
Stakers invest their FFA into the pool, up to their 75 percent limit.
FFA committed to the pool gets swapped to stablecoins, so the production is funded in dollars rather than a volatile asset.
If the soft cap is reached by the deadline, the pool locks, JV tokens are minted and distributed to investors in proportion to their stake, and the stablecoins are released to the filmmaker.
If the soft cap is not reached, investors claim a full refund. No one is left holding a stake in a film that never got made.

There is one more gate, and it is the part I am proudest of. The film pool contract carries a legal status field with five states: none, pending, yellow (needs revision), red (rejected), and green (approved). JV tokens cannot be minted until a project reaches green. That status is not a label in a database that someone can quietly flip. It is enforced in the contract, and it is driven by a dedicated legal advisor role inside the platform.

This is the bridge between code and law. A human legal advisor reviews the project’s structure and the joint venture agreement, and only their approval, written on-chain, unlocks the security token. We even generate the joint venture agreement itself as a templated PDF, populated with the investor’s KYC details and the filmmaker’s company information, so the paperwork that backs the token actually exists as a document.

Proof of Promotion: aggregating off-chain, settling on-chain

The promotion economy created an interesting scaling problem. Thousands of fans clicking referral links and earning points throughout the month generate a huge number of tiny events. Writing every one of those to the blockchain would be slow and absurdly expensive, even on a cheap layer-2.

So we did not. Promotion activity is tracked off-chain in Postgres as it happens, deduplicated, scored, and verified. Then, on a schedule, an edge function aggregates an entire period’s worth of activity into a single Merkle tree and submits only the root hash to the Proof of Promotion manager contract.

When a user wants to claim their earned FPP for a period, the backend hands them a Merkle proof. They submit that proof to the contract, which verifies it against the stored root for that period and credits their tokens. The contract tracks claimed periods per user so nothing can be claimed twice, supports batch claims across up to 30 periods to save gas, and lives behind reentrancy guards and a pause switch.

The pattern is worth internalizing because it generalizes well beyond film: do the heavy, high-volume bookkeeping in a fast database, and use the chain only as the final source of truth for settlement. One cheap on-chain write stands in for thousands of off-chain events, and the cryptography guarantees nobody can claim more than they earned.

The Dynamic Conversion Framework

Converting promotion points into a tradeable token is where a naive design quietly explodes. If everyone can dump FPP into FFA at a fixed rate whenever they like, you get bank runs, front-running, and a death spiral on the FFA price the moment rewards outpace demand.

The Promotion Pool contract handles this with what we called the Dynamic Conversion Framework. The rules:

Conversion only happens during a seven-day redemption window each month.
The pool releases at most 400,000 FFA per month, drawn from a total promotion allocation of 22 million FFA.
The conversion rate floats with the FFA price, targeting roughly $0.20 of value per FPP but capped at a maximum of 0.1 FFA per point so the pool cannot be drained when the price is low.
Submitting FPP for redemption starts a 24-hour lock before you can complete the conversion, which kills front-running.
If demand in a given month exceeds the cap, the available FFA is distributed pro-rata across everyone who submitted.

The price itself is protected too: it can move at most 20 percent per update and no more than once an hour. The result is a reward system that pays out predictably, resists manipulation, and will not nuke its own economy in a bad month.

FFA per FPP = min( $0.20 / FFA_price , 0.1 )

A simple formula, but every term in it is a guardrail learned the hard way.

The AI writers’ room

Financing is only half of a filmmaker’s problem. The other half is the work itself. FilmFund folds in a set of AI tools, built as Supabase edge functions calling language models, that meet creators where they are.

A filmmaker can start from a single sentence and use the idea-to-script function to generate a structured outline broken into acts and beats, then expand that into a draft. They can upload an existing script and run it through a cloud analysis pipeline that estimates page count, runtime category (short, medium, or feature), and gives structured feedback. There is a script marketplace where screenplays can be listed, a casting recommender that matches actors to roles from submitted profiles and media, and a product placement marketplace where brands can request to feature their products in films, complete with a budgeting and approval workflow.

None of this is the headline feature, and that is the point. The AI is plumbing that removes friction, not a gimmick bolted on for a press release.

The parts nobody sees but everybody depends on

A platform that handles money and identity lives or dies on the unglamorous stuff. FilmFund carries a real compliance and operations spine:

KYC and identity flows so that JV token holders are verified people, which is non-negotiable for a security.
Role-based access across admins, filmmakers, investors, legal advisors, moderators, and general users, with each role landing in a purpose-built dashboard.
Row-level security in Postgres so the database itself enforces who can read and write what, rather than trusting the application layer alone.
Audit logs and hardened delete behavior, including soft deletes, so sensitive records leave a trail and cannot simply vanish.
A full analytics layer for filmmakers and admins, a community feed with posts, ratings, and favorites, a notifications system, support tickets, and a governance proposals table for the DAO side of the house.
SEO and discoverability done properly, with generated sitemaps, structured JSON-LD data, and social card metadata, because a platform that depends on fan promotion had better be shareable.

The whole thing deploys on Vercel, with the database, auth, storage, and serverless functions managed through Supabase.

What was genuinely hard

A few problems deserve an honest accounting, because they are the ones that will bite anyone building in this space.

Keeping two sources of truth in agreement. The single most persistent class of bugs came from the seam between the chain and the database. A redeployed contract resets its internal clock, and suddenly the period numbers in Postgres no longer line up with the period numbers the contract believes in. Claims that look valid in the database become unclaimable on-chain. We learned to treat the contract as the authority on anything financial and to reconcile the database to it, never the other way around.

Designing rewards that survive contact with humans. Every incentive on the platform was eventually probed for an exploit, because that is what incentives invite. The non-transferable points, the daily caps, the staking requirement, the reputation scoring, the 24-hour redemption lock, the monthly cap, and the price-change limits are all scar tissue. Each one closes a door that someone would otherwise walk through.

Making compliance executable. It is easy to write “a lawyer must approve this” in a spec. It is much harder to make that approval a precondition that a smart contract physically enforces before it will mint a security. Wiring the legal advisor role through to an on-chain status gate, and generating the underlying legal agreement as a real document, was the work that turned a crypto demo into something a regulator could look at without flinching.

Gas as a product constraint. Choosing Base over Ethereum mainnet, batching claims, and using clone factories instead of full deployments were not optimizations we did at the end. They were design constraints from day one, because a platform built on small investments and small rewards cannot ask users to pay twenty dollars in fees to claim two dollars in tokens.

Where it landed

What shipped is a working, multi-sided marketplace rather than a proof of concept. Filmmakers can raise money and get help writing. Investors can stake, fund films, hold a real regulated stake, and get refunded when a project falls short. Fans can promote projects and earn convertible rewards. Brands can buy their way into productions. Legal advisors can gate the riskiest step. Admins can see all of it.

The token economy is internally consistent: a fixed-supply access token, a non-transferable promotion layer that feeds back into it through a manipulation-resistant conversion, and a per-film security token that keeps the regulated investment cleanly separated from the speculation. The contracts are upgradeable, guarded, and pausable. The off-chain system is fast, multilingual, and observable. The seam between them is reconciled in the direction that keeps the money honest.

What we took away from it

If you are building anything that puts real value on-chain, a few lessons from FilmFund travel well:

Use the chain for settlement, not for bookkeeping. Aggregate off-chain and prove on-chain. Merkle roots turn thousands of events into one trustworthy write.
Separate your speculative asset from your regulated one. Conflating them is how good platforms end up on the wrong side of a securities regulator.
Treat every incentive as an attack surface. If a reward can be farmed, it will be. Build the caps and locks before launch, not after the exploit.
Make compliance a function of your code, not a promise in your terms of service. An on-chain gate that a human must unlock is worth more than any disclaimer.
Pick your chain for your unit economics. When your product is built on small amounts, fees are not a detail. They are the product.

FilmFund is proof that “tokenized” does not have to mean “unregulated,” and that you can build something genuinely new for an old industry without abandoning the rules that protect the people using it. The crowd gets in, the filmmaker gets funded, the law gets respected, and the chain keeps everyone honest. That was the whole idea.

Want a system like this thought through and built end to end, from the contracts to the dashboards to the compliance flows? That is the kind of work we do at Fluxa Labs. Get in touch.