(no title)

We are currently implementing the "have I been pwned" API to prevent users from using one of those leaked passwords.

> Can a hacker then take their funds?

Nope. The way our system works is that a new Escrow contract is deployed for every project. The Client funds that Escrow contract by sending funds from say, Coinbase, or an exchange, or a wallet they control. The private key that is derived from their password can authorize release of those funds, but only to a pre-determined address (the address of the Freelancer who did the work for the project). This restriction is codified in the smart contract itself when the Client accepts the project proposal from the Freelancer.

> How does the destination wallet / key get generated?

When you say destination, do you mean the Escrow contract, or the Freelancer's wallet?

> How do I convert to actual money?

We only support USDC right now, which is a USD-pegged stablecoin created by Coinbase, to avoid volatility. So to get from USDC to USD, you have to use an exchange like Coinbase. USDC is an ERC20 token, and we plan to support more tokens in the future.

(edited to fix quotes)