
Security

NexVault smart contracts are open source, fully tested, and written with security as the first priority. Every critical property is enforced on-chain — not by trust.

174 passing tests · 100% non-custodial · Open source · 0 admin keys
TEST RESULTS · MARCH 2026
174 out of 174 unit tests passing across all four contracts. Tests cover deposits, withdrawals, yield calculations, lock periods, referral bonuses, genesis badges, compounding, and security edge cases.
174 / 174 PASSING · 0 FAILING
Test Coverage

Deployment
  - All 4 contracts deploy correctly
  - Non-owner deploy rejected on-chain
  - Owner constant verified across all contracts
  - Zero balances at deploy confirmed

Deposits
  - All 3 yield tiers accepted (1-Year, 3-Year, 5-Year)
  - Lock end timestamps verified per tier (365d, 1095d, 1825d)
  - Zero deposit reverts correctly
  - Emergency pause blocks deposits only
  - Genesis badge minted on first deposit

Withdrawals
  - LOCK_1YR, LOCK_3YR, LOCK_5YR enforced
  - Early withdrawal reverts before lock expires
  - Full principal returned on exit
  - Double-withdrawal rejected
  - Cross-user isolation confirmed

Yield & Compounding
  - Yield accrues correctly per tier APY
  - Yield ordering 5YR > 3YR > 1YR confirmed
  - No funds leave the vault when compounding
  - Dev 10% cut calculated correctly
  - Unauthorized compound rejected

Referral Registry
  - Referral registered on first deposit
  - Self-referral silently blocked
  - Max 4 referrals cap enforced
  - +50 bps bonus per referral confirmed
  - Bonus reflected in yield earned

Security
  - Owner cannot touch user principal
  - Reentrancy guard verified
  - All admin functions owner-only
  - Withdrawals open while paused
  - Dev earnings capped by invariant
On-Chain Security Properties

Principal is mathematically protected
The owner can never withdraw user principal. The contract enforces that the vault balance must always cover total deposits before any dev earnings can be claimed. This check cannot be bypassed.

Lock periods enforced by the blockchain
1-year, 3-year, and 5-year locks are enforced by on-chain timestamps. No one, including the owner, can unlock a deposit early.

Reentrancy protection on all state-changing functions
Every deposit, withdrawal, claim, and compound function uses OpenZeppelin's ReentrancyGuard and follows the Checks-Effects-Interactions pattern throughout.

Hardcoded owner: no ownership transfer possible
The owner address is a compile-time constant. There is no transfer function, no proxy, and no upgradeable pattern. What is deployed is permanent. The same immutability means a defect found after deployment cannot be patched in place, which is why the audit status at the end of this page matters.

Emergency pause only blocks deposits
If the owner activates the emergency pause, new deposits stop. Withdrawals remain open at all times, so users can always retrieve their funds.

No flash loan surface, no price oracle
Yield is calculated from elapsed time only: no spot price, no oracle, no external dependency. Flash loans cannot manipulate yield calculations.
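The properties above, worked through as an added Solidity sketch; this is illustrative code written for this page, not NexVault's contracts (those are in the repository linked below). It assumes a single 1-year tier, a 5% APY, a placeholder OWNER constant and an owner-funded yield reserve via receive(); the real tiers, referral bonuses, badges and compounding are left out.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
import "@openzeppelin/contracts/utils/ReentrancyGuard.sol";
// Added sketch, not NexVault's code. OWNER, the single 1-year tier and APY_BPS are assumed.
contract VaultSketch is ReentrancyGuard {
    address public constant OWNER = 0x000000000000000000000000000000000000dEaD; // placeholder, compile-time constant
    uint256 public constant LOCK_1YR = 365 days;
    uint256 public constant APY_BPS = 500;  // assumed 5% APY
    uint256 public constant DEV_BPS = 1000; // dev cut: 10% of yield
    struct Position { uint256 principal; uint256 start; uint256 lockEnd; }
    mapping(address => Position) public positions;
    uint256 public totalDeposits; // sum of every user's principal
    bool public paused;

    modifier onlyOwner() { require(msg.sender == OWNER, "not owner"); _; }
    function setPaused(bool p) external onlyOwner { paused = p; } // gates deposit() only
    receive() external payable {} // yield reserve topped up by the owner (assumption)
    // Yield is a function of principal and elapsed time only: no price, no oracle to manipulate.
    function pendingYield(address user) public view returns (uint256) {
        Position storage p = positions[user];
        uint256 gross = p.principal * APY_BPS * (block.timestamp - p.start) / (365 days * 10_000);
        return gross - gross * DEV_BPS / 10_000; // user's share after the dev cut
    }

    function deposit() external payable nonReentrant {
        require(!paused, "deposits paused");
        require(msg.value > 0, "zero deposit");
        require(positions[msg.sender].principal == 0, "one position per user in this sketch");
        positions[msg.sender] = Position(msg.value, block.timestamp, block.timestamp + LOCK_1YR);
        totalDeposits += msg.value;
    }

    // No pause check: withdrawals stay open. Checks, then effects, then the external call (CEI).
    function withdraw() external nonReentrant {
        Position memory p = positions[msg.sender];
        require(p.principal > 0, "nothing to withdraw");      // a second call reverts here
        require(block.timestamp >= p.lockEnd, "still locked"); // lock enforced by block timestamp
        uint256 payout = p.principal + pendingYield(msg.sender);
        delete positions[msg.sender];
        totalDeposits -= p.principal;
        (bool ok, ) = msg.sender.call{value: payout}("");
        require(ok, "transfer failed");
    }

    // Invariant: after any dev claim, the vault balance must still cover all user principal.
    function claimDevEarnings(uint256 amount) external onlyOwner nonReentrant {
        require(address(this).balance - amount >= totalDeposits, "would breach principal cover");
        (bool ok, ) = OWNER.call{value: amount}("");
        require(ok, "transfer failed");
    }
}
```

Withdrawing before lockEnd, withdrawing twice, depositing while paused, or claiming dev earnings that would leave the balance below totalDeposits all revert, while withdraw() carries no pause check at all.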
ZK-Verified Execution

Every transaction is ZK-proven by Nexus zkVM v3.0
NexVault deploys on NexusEVM, the EVM-compatible execution layer of the Nexus blockchain. Every deposit, withdrawal, and yield calculation is automatically proven correct by the Nexus zkVM v3.0, a Stwo-backed zero-knowledge virtual machine running on every Nexus node. No additional contract code is required: ZK proofs are generated at the network layer automatically.

ZK proof pipeline: math enforces the rules
  1. Solidity contracts execute on NexusEVM.
  2. The Nexus zkVM generates a cryptographic proof of every execution.
  3. Proofs are aggregated into a Universal Proof across all nodes.
  4. The final on-chain state is ZK-verified.
You do not need to trust execution; it is mathematically proven correct. Note that the proof covers faithful execution of the deployed bytecode, not the correctness of the contract logic itself: a logic bug would be executed, and proven, just as faithfully, which is what the test suite and the audit below address.

Stwo-backed prover: StarkWare-grade security
The Nexus zkVM is built on Stwo, StarkWare's next-generation STARK prover. This is production-grade zero-knowledge cryptography, the same technology stack powering the highest-security ZK systems in the industry.

Docs: docs.nexus.xyz/zkvm  ·  GitHub: nexus-xyz/nexus-zkvm

Open Source
GitHub: NexVaultGH / nexvault-contracts (public repository)

All contract source code, the full test suite, and raw test output are publicly available. Anyone can clone the repository, run the tests, and verify the results independently.

Audit Status
INDEPENDENT AUDIT — IN PROGRESS
NexVault will launch on Nexus mainnet before a formal third-party audit is complete. A professional security audit is actively being funded and will be published here publicly once complete.

The 174 passing tests above verify that the contracts behave as intended. An audit looks for unknown attack vectors beyond the test suite. We are transparent about this distinction.

Deposit only what you are comfortable with during this pre-audit period.