CONTRACT SECURITY
Built to be Verified
NexVault smart contracts are open source, fully tested, and written with security as the first priority.
Every critical property is enforced on-chain — not by trust.
TEST RESULTS · APRIL 2026
258 out of 258 unit tests passing across all five contracts.
Tests cover deposits, withdrawals, yield calculations, lock periods,
referral bonuses, genesis badges, compounding, credit scoring, and security edge cases.
258 / 258 PASSING · 0 FAILING
Network Status
Chain ID: 3946
RPC: mainnet.rpc.nexus.xyz
Currency: NEX
NEXVAULT DEPOSITS — LAUNCHING SOON
Network: Nexus Mainnet (3946)
Contracts: Deploy at launch
Yield: GYDS (USDX Treasury yield)
Asset: USDX
Test Coverage
Deployment
✓ All 4 contracts deploy correctly
✓ Non-owner deploy rejected on-chain
✓ Owner constant verified across all contracts
✓ Zero balances at deploy confirmed
Deposits
✓ All 3 yield tiers accepted (1-Year, 3-Year, 5-Year)
✓ Lock end timestamps verified per tier (365d, 1095d, 1825d)
✓ Zero deposit reverts correctly
✓ Emergency pause blocks deposits only
✓ Genesis badge minted on first deposit
Withdrawals
✓ LOCK_1YR, LOCK_3YR, LOCK_5YR enforced
✓ Early withdrawal reverts before lock expires
✓ Full principal returned on exit
✓ Double-withdrawal rejected
✓ Cross-user isolation confirmed
Yield & Compounding
✓ Yield accrues correctly per tier APY
✓ 5YR > 3YR > 1YR ordering
✓ No funds leave vault when compounding
✓ Dev 10% cut calculated correctly
✓ Unauthorized compound rejected
Referral Registry
✓ Referral registered on first deposit
✓ Self-referral silently blocked
✓ Max 4 referrals cap enforced
✓ +50 bps bonus per referral confirmed
✓ Bonus reflected in yield earned
Security
✓ Owner cannot touch user principal
✓ Reentrancy guard verified
✓ All admin functions owner-only
✓ Withdrawals open while paused
✓ Dev earnings capped by invariant
NexCredit (55 tests)
✓ Score 0-1000 across 4 categories
✓ Privacy: wallet can only see own score
✓ Deposit strength, lock, loyalty, behavior verified
✓ Elite requires 5YR lock (max without = 830)
✓ Batch queries owner-only, capped at 25
On-Chain Security Properties
🔒 Principal is protected by a reserve invariant
The owner can never withdraw user principal. Before any dev earnings can be claimed, the contract checks that the vault balance still covers the sum of all outstanding deposits, so a claim can only take the surplus above that reserve. There is no code path that skips this check.
⏱ Lock periods enforced by the blockchain
1-year, 3-year, and 5-year locks are enforced by on-chain timestamps. No one, including the owner, can unlock a deposit early.
🛡 Reentrancy protection on all state-changing functions
Every deposit, withdrawal, claim, and compound function uses OpenZeppelin's ReentrancyGuard and follows the Checks-Effects-Interactions pattern, so state is updated before any external call is made.
🔑 Hardcoded owner, no ownership transfer possible
The owner address is a compile-time constant. There is no transfer function, no proxy, and no upgradeable pattern. What is deployed is permanent; the flip side is that a bug found after deployment cannot be patched in place and can only be addressed by deploying a new contract.
🚨 Emergency pause only blocks deposits
If the owner activates emergency pause, new deposits stop. Withdrawals remain open at all times, so users can always retrieve their funds.
⚡ No flash loan surface, no price oracle
Yield is calculated from elapsed time only: no spot price, no oracle, no external dependency. Flash-loaned capital cannot change a yield calculation because no input to it depends on pool state.
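The properties above can be checked against a small executable model. The following is an added example, not NexVault's contract code: a Python reference model of the vault's accounting that implements the reserve invariant, the tiered timestamp locks, the deposit-only pause and the time-only yield formula, plus a randomized sequence test that drives a greedy owner against it. The per-tier APY values, the OWNER constant, the one-position-per-user simplification and the external fund_yield inflow are assumptions made for the example.

```python
import random
from dataclasses import dataclass, field

DAY = 86_400
YEAR = 365 * DAY
# Lock lengths (365d / 1095d / 1825d) are from the page; the per-tier APY values in bps are assumed.
TIERS = {"LOCK_1YR": (365 * DAY, 400), "LOCK_3YR": (1095 * DAY, 600), "LOCK_5YR": (1825 * DAY, 800)}
DEV_CUT_BPS = 1_000        # page: dev takes a 10% cut of yield
REFERRAL_BONUS_BPS = 50    # page: +50 bps per referral, capped at 4 referrals
MAX_REFERRALS = 4
OWNER = "0xOWNER"          # hypothetical stand-in for the hardcoded owner address

class VaultError(Exception): pass   # models a revert

@dataclass
class Position:
    principal: int
    tier: str
    start: int
    referrals: int = 0

@dataclass
class Vault:
    now: int = 0
    balance: int = 0         # tokens the vault actually holds
    total_deposits: int = 0  # outstanding user principal
    yield_funded: int = 0    # yield transferred in from the external time-based source
    dev_claimed: int = 0
    paused: bool = False
    positions: dict = field(default_factory=dict)

    def deposit(self, user, amount, tier):
        if amount <= 0 or tier not in TIERS: raise VaultError("zero deposit or unknown tier")
        if self.paused: raise VaultError("paused: deposits blocked")
        if user in self.positions: raise VaultError("one open position per user in this model")
        self.positions[user] = Position(amount, tier, self.now)
        self.total_deposits += amount
        self.balance += amount

    def lock_end(self, user):
        p = self.positions[user]
        return p.start + TIERS[p.tier][0]

    def withdraw(self, user):
        # The lock is a timestamp check; withdrawals are never gated on the pause flag.
        p = self.positions.get(user)
        if p is None: raise VaultError("no open position (double withdrawal or wrong wallet)")
        if self.now < self.lock_end(user): raise VaultError("lock not expired")
        del self.positions[user]            # effects first (CEI), then the transfer
        self.total_deposits -= p.principal
        self.balance -= p.principal
        return p.principal

    def accrued_yield(self, user):
        # Inputs are principal, tier rate, referral bonus and elapsed time only: no price, no oracle.
        p = self.positions[user]
        rate_bps = TIERS[p.tier][1] + REFERRAL_BONUS_BPS * min(p.referrals, MAX_REFERRALS)
        return p.principal * rate_bps * (self.now - p.start) // (YEAR * 10_000)

    def set_paused(self, caller, state):
        if caller != OWNER: raise VaultError("not owner")
        self.paused = state

    def fund_yield(self, amount):
        self.yield_funded += amount
        self.balance += amount

    def claimable_dev(self):
        by_cut = self.yield_funded * DEV_CUT_BPS // 10_000 - self.dev_claimed
        by_reserve = self.balance - self.total_deposits   # the reserve invariant
        return max(0, min(by_cut, by_reserve))

    def claim_dev(self, caller, amount):
        if caller != OWNER: raise VaultError("not owner")
        if amount > self.claimable_dev(): raise VaultError("claim would breach the reserve or exceed the dev cut")
        self.dev_claimed += amount
        self.balance -= amount

def fuzz_reserve_invariant(seed, steps=2000):
    """Random owner/user action sequences; True if balance >= total_deposits held after every step."""
    rng, v = random.Random(seed), Vault()
    users = [f"user{i}" for i in range(5)]
    actions = [
        lambda: v.deposit(rng.choice(users), rng.randint(1, 10**6), rng.choice(list(TIERS))),
        lambda: v.withdraw(rng.choice(users)),
        lambda: v.set_paused(OWNER, rng.random() < 0.5),
        lambda: v.fund_yield(rng.randint(0, 10**5)),
        lambda: v.claim_dev(OWNER, rng.randint(0, 10**6)),   # greedy owner; most attempts must revert
        lambda: setattr(v, "now", v.now + rng.randint(0, 400 * DAY)),
    ]
    for _ in range(steps):
        try:
            rng.choice(actions)()
        except VaultError:
            pass
        if v.balance < v.total_deposits:
            return False
    return True
```

The fuzz loop is the property the test list calls "Dev earnings capped by invariant": however the owner interleaves pauses and claims, balance never drops below total_deposits, and every withdrawal that passes its lock returns principal in full. In Solidity the equivalent is the require on the token balance before a dev claim; the model makes it explicit so a reviewer can see which inputs the yield calculation does and does not depend on.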
Defense-in-Depth — Security Layer Structure
Security is enforced in five independent layers, each of which holds on its own: the four web layers protect the path from the browser to the wallet signature, and the contract layer protects funds once a transaction is signed. Controls are verifiable: HTTP headers can be inspected with curl -I, script integrity hashes are visible in the page source, and the contract source is public and internally audited (see Audit Status below).
Layer 1
Transport
TLS / Edge
HTTPS-only with HSTS preload (2-year max-age, includeSubDomains). Apex redirect, TLS terminated at the Netlify edge. No plaintext path to origin.
Layer 2
Headers
OWASP Secure Headers + strict CSP
Content-Security-Policy with default-src 'self', explicit script/style/font/img allowlists, and connect-src restricted to Nexus RPC + WalletConnect relays only. Plus X-Frame-Options DENY, nosniff, Referrer-Policy, a locked-down Permissions-Policy, COOP, CORP, and X-Permitted-Cross-Domain-Policies.
Layer 3
Supply Chain
Subresource Integrity (SRI)
Every third-party script (ethers.js, qrcodejs) is pinned with a sha384 integrity hash and crossorigin. A tampered or swapped CDN file is rejected by the browser instead of executed.
Layer 4
Application
Wallet allowlist & key isolation
Wallets are detected by explicit EIP-6963 provider IDs (MetaMask, Coinbase), never by blindly using window.ethereum, which avoids provider-injection collisions. EIP-6963 identifiers are self-reported by the extension, so they disambiguate providers rather than authenticate them; the wallet's own signing prompt remains the user's check. WalletConnect is scoped to Nexus. The site never handles seeds, keys, or passwords; authentication is the wallet signature alone.
Layer 5
Contracts
Immutable, bounded, audited
Non-upgradeable, no proxy. Hardcoded owner that cannot touch user principal (reserve invariant); bounded admin functions. ReentrancyGuard + CEI + SafeERC20 throughout. 258/258 tests, internal audit, and the OWASP Smart Contract Top 10 mapping below.
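Two of the controls in Layers 2 and 3 are meant to be verifiable from outside. The following added example (not NexVault's build or deployment code) shows those checks in Python: generating and verifying an SRI integrity value the way the browser does, and testing a header set, as read from curl -I, against the HSTS and CSP policy described above. The script body and both header sets are constructed for the example; the RPC host is the one listed under Network Status, while the WalletConnect relay origin and the CDN host are assumptions.

```python
import base64
import hashlib
import re

def sri_hash(body: bytes, alg: str = "sha384") -> str:
    """Integrity attribute value for a script body, e.g. 'sha384-<base64 digest>'."""
    digest = hashlib.new(alg, body).digest()
    return f"{alg}-{base64.b64encode(digest).decode()}"

def sri_matches(body: bytes, integrity: str) -> bool:
    """True if any hash listed in the integrity attribute matches the body, which is what the browser checks."""
    for token in integrity.split():
        alg = token.partition("-")[0]
        if alg in ("sha256", "sha384", "sha512") and sri_hash(body, alg) == token:
            return True
    return False

def parse_csp(value: str) -> dict:
    """\"default-src 'self'; connect-src a b\" -> {'default-src': [\"'self'\"], 'connect-src': ['a', 'b']}"""
    directives = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives

HSTS_MIN_AGE = 63_072_000   # two years, the minimum the preload list requires
# Assumed endpoints: the Nexus RPC host from the page plus a WalletConnect relay origin.
ALLOWED_CONNECT = {"'self'", "https://mainnet.rpc.nexus.xyz", "wss://relay.walletconnect.com"}

def check_headers(headers: dict) -> list:
    """Return findings (empty means the Layer 1/2 policy holds) for a header dict as printed by curl -I."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    hsts = h.get("strict-transport-security", "").lower()
    age = re.search(r"max-age=(\d+)", hsts)
    if not age or int(age.group(1)) < HSTS_MIN_AGE or "includesubdomains" not in hsts or "preload" not in hsts:
        findings.append("HSTS must carry max-age>=63072000, includeSubDomains and preload")
    csp = parse_csp(h.get("content-security-policy", ""))
    if csp.get("default-src") != ["'self'"]:
        findings.append("CSP default-src must be exactly 'self'")
    connect = set(csp.get("connect-src", []))
    if not connect or connect - ALLOWED_CONNECT:
        findings.append(f"CSP connect-src must list only RPC + relay, got {sorted(connect)}")
    if any(d not in csp for d in ("script-src", "style-src", "img-src", "font-src")):
        findings.append("CSP must set explicit script/style/img/font allowlists")
    expected = {
        "x-frame-options": "deny",
        "x-content-type-options": "nosniff",
        "cross-origin-opener-policy": "same-origin",
    }
    for name, want in expected.items():
        if h.get(name, "").lower() != want:
            findings.append(f"{name} must be {want}")
    for name in ("referrer-policy", "permissions-policy", "cross-origin-resource-policy",
                 "x-permitted-cross-domain-policies"):
        if not h.get(name):
            findings.append(f"{name} missing")
    return findings

# Constructed inputs: a stand-in script body and two header sets (not captured from nexvault.one).
SCRIPT_BODY = b"/* stand-in for a CDN-hosted library */\nwindow.lib = { version: '6.0.0' };\n"
GOOD_HEADERS = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": ("default-src 'self'; script-src 'self' https://cdn.example; style-src 'self'; "
                                "img-src 'self' data:; font-src 'self'; "
                                "connect-src 'self' https://mainnet.rpc.nexus.xyz wss://relay.walletconnect.com"),
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "no-referrer",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
    "Cross-Origin-Opener-Policy": "same-origin",
    "Cross-Origin-Resource-Policy": "same-origin",
    "X-Permitted-Cross-Domain-Policies": "none",
}
# The same site with a one-year HSTS, no preload, and a wildcard connect-src.
WEAK_HEADERS = {
    **GOOD_HEADERS,
    "Strict-Transport-Security": "max-age=31536000",
    "Content-Security-Policy": ("default-src 'self'; script-src 'self'; style-src 'self'; "
                                "img-src 'self'; font-src 'self'; connect-src *"),
}
```

sri_matches accepts any listed digest that verifies, which is enough to catch a swapped or tampered file; a browser additionally prefers the strongest algorithm when several are listed. check_headers is deliberately strict about connect-src because that directive is what keeps a compromised script from exfiltrating to an attacker-controlled host.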
OWASP Smart Contract Top 10 — 2025
Every NexVault contract is mapped to the public OWASP Smart Contract Top 10 (SC01–SC10). The mapping below is checked at deploy time and re-verified on each contract change. Entries marked "Structurally eliminated" indicate that the class of vulnerability has no attack surface in the design, rather than being mitigated by a runtime check.
SC01
Access Control
Owner address is a compile-time constant. No ownership transfer, no proxy, no upgradeable pattern. Admin functions are owner-only and bounded; owner cannot touch user principal.
SC02
Price Oracle Manipulation
Structurally eliminated. Yield is calculated on elapsed time only — no spot price, no TWAP, no oracle dependency. Nothing to manipulate.
SC03
Logic Errors
258 of 258 tests passing at 97.42% line coverage. Invariant: vault balance must cover total deposits before any dev earnings can be claimed — this check cannot be bypassed.
SC04
Lack of Input Validation
Zero-value deposits revert. Self-referrals silently blocked. Referral cap of 4 enforced. Tier selection validated against the LOCK_1YR, LOCK_3YR, LOCK_5YR constants.
SC05
Reentrancy
OpenZeppelin ReentrancyGuard on every state-changing function. Checks-Effects-Interactions pattern enforced throughout. Reentrancy guard tests pass in the 258-test suite.
SC06
Unchecked External Calls
All external calls have explicit success checks. ERC20 transfers use the SafeERC20 wrapper. No raw call() with discarded return values.
SC07
Flash Loan Attacks
Structurally eliminated. Yield does not depend on any pool state, spot price, or oracle. Flash-loaned capital cannot move the yield calculation by a basis point.
SC08
Integer Over and Underflow
Solidity 0.8.x checked arithmetic on all paths. No unchecked blocks containing user-influenced values.
SC09
Insecure Randomness
Not used. No raffle, no random allocation, no on-chain randomness dependency anywhere in the contract set.
SC10
Denial of Service
Withdrawals remain open even when emergency pause is active. NexCredit batch queries are capped at 25 to prevent gas-bomb griefing. No unbounded loops over user-controlled arrays.
OWASP Web Top 10 — 2021 — dApp surface
The non-chain web surface (nexvault.one, the app shell, dashboards) is mapped to the OWASP Web Top 10.
Controls are enforced at the Netlify edge and in the static build — not at the contract layer.
A01
Broken Access Control
The dApp is static HTML; the only state-changing actions are wallet-signed transactions. There is no server-side privileged endpoint to bypass. Withdrawals require the depositing wallet to sign.
A02
Cryptographic Failures
HTTPS-only with HSTS preload. No cleartext form submission. Wallet signing happens client-side; the app never sees a private key.
A03
Injection
No server-side templating with user input. All transaction payloads are constructed from typed ABI calls, not concatenated strings.
A05
Security Misconfiguration
Content-Security-Policy, X-Frame-Options DENY, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, HSTS, COOP and CORP are all enforced via the Netlify edge configuration.
A06
Vulnerable and Outdated Components
Third-party libraries are pinned to specific versions. Contract dependencies are limited to audited OpenZeppelin contracts.
A07
Identification and Authentication Failures
Auth is the wallet signature, full stop. NexVault never holds passwords, never resets passwords, never sends magic links.
A08
Software and Data Integrity Failures
Contract source is open and the GitHub repo is the source of truth. Deployments are hash-verifiable against the public commit.
A09
Security Logging and Monitoring
Every contract state change emits an event. On-chain monitoring covers TVL movement, paused state changes, and dev-earnings claims.
A10
SSRF
No user-controlled URLs are fetched server-side. The site is fully static.
OWASP ZAP — Active Testing Instrument
OWASP ZAP (Zed Attack Proxy) is the standing DAST scanner used to verify Web Top 10 conformance on the NexVault dApp surface. The OWASP standards above describe what NexVault enforces; ZAP is how NexVault proves it.
ZAP 01
Baseline scan · passive
Spider plus passive analysis of the captured traffic against ZAP's passive rules on every production deploy of nexvault.one. No active probing, so it is safe on production. Confirms CSP, HSTS, other headers, redirects, the app shell, post pages, and PWA service-worker scope. 2–10 minutes.
ZAP 02
Full active scan
Monthly against a deploy-preview URL. Probes for XSS, command injection, path traversal, SSRF on the static dApp surface. Smart-contract layer is covered separately by the Smart Contract Top 10 mapping; ZAP scans the web surface only.
ZAP 03
Findings triage
High → halt deploy, fix before next push. Medium → in-cycle remediation. Low / informational → logged. False positives ignored with a one-line justification. Quarterly scan summaries published with each release.
ZAP 04
Reporting
Raw ZAP reports retained internally with the public commit they were run against. Aggregate posture (counts of high / medium findings, remediation status) is what surfaces in any client-facing or community summary — never raw findings, never internal URL structures.
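The triage and reporting rules in ZAP 03 and ZAP 04 can be enforced in the pipeline rather than by hand. The following is an added example, not NexVault's CI code: it reads a ZAP JSON report, applies the High/Medium/Low policy, requires a written justification for every false-positive suppression, and emits only the aggregate summary. The report is constructed in the shape of ZAP's JSON report (site, alerts, pluginid, riskcode, instances); the preview hostname, plugin mix and commit value are made up for the example.

```python
import json

RISK = {"0": "informational", "1": "low", "2": "medium", "3": "high"}
ACTION = {"high": "halt-deploy", "medium": "in-cycle", "low": "logged", "informational": "logged"}

# Constructed report in the shape of ZAP's JSON report (site -> alerts -> instances).
# It is not a scan of nexvault.one; the hostname and the finding mix are made up for the example.
REPORT_JSON = json.dumps({
    "@programName": "ZAP",
    "site": [{
        "@name": "https://deploy-preview-42--example.netlify.app",
        "alerts": [
            {"pluginid": "40012", "alert": "Cross Site Scripting (Reflected)", "riskcode": "3",
             "confidence": "2", "instances": [{"uri": "https://deploy-preview-42--example.netlify.app/?q=x"}]},
            {"pluginid": "10038", "alert": "Content Security Policy (CSP) Header Not Set", "riskcode": "2",
             "confidence": "3", "instances": [{"uri": "https://deploy-preview-42--example.netlify.app/sw.js"}]},
            {"pluginid": "10021", "alert": "X-Content-Type-Options Header Missing", "riskcode": "1",
             "confidence": "2", "instances": [{"uri": "https://deploy-preview-42--example.netlify.app/icon.png"}]},
            {"pluginid": "10015", "alert": "Re-examine Cache-control Directives", "riskcode": "0",
             "confidence": "1", "instances": [{"uri": "https://deploy-preview-42--example.netlify.app/"}]},
        ],
    }],
})

def triage(report_json: str, suppressions: dict) -> dict:
    """Apply the ZAP 03 policy. suppressions maps pluginid -> one-line justification for a false positive."""
    report = json.loads(report_json)
    counts = {level: 0 for level in RISK.values()}
    actions, halt = [], False
    for site in report.get("site", []):
        for alert in site.get("alerts", []):
            pid, level = alert["pluginid"], RISK[alert["riskcode"]]
            if pid in suppressions:
                if not suppressions[pid].strip():
                    raise ValueError(f"suppression for plugin {pid} needs a justification")
                actions.append({"pluginid": pid, "action": "false-positive", "why": suppressions[pid]})
                continue
            counts[level] += 1
            halt = halt or level == "high"
            actions.append({"pluginid": pid, "action": ACTION[level], "level": level,
                            "instances": len(alert.get("instances", []))})
    return {"halt": halt, "counts": counts, "actions": actions}

def public_summary(result: dict, commit: str) -> dict:
    """The ZAP 04 shape: aggregate counts and gate state only, no alert names, URIs or internal paths."""
    return {
        "commit": commit,
        "high": result["counts"]["high"],
        "medium": result["counts"]["medium"],
        "deploy_gate": "halted" if result["halt"] else "passed",
    }

def run(report_json: str = REPORT_JSON, suppressions=None, commit: str = "0000000") -> int:
    """CI entry point: prints the public summary and returns 1 when the deploy gate is halted."""
    result = triage(report_json, suppressions or {})
    print(json.dumps(public_summary(result, commit), indent=2))
    return 1 if result["halt"] else 0

if __name__ == "__main__":
    raise SystemExit(run())
```

The full triage result, with alert names and instance counts, is what stays internal alongside the commit; public_summary is the only object that should leave the pipeline. Wire run() into the deploy step so a High finding fails the build instead of relying on someone reading the report.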
Audit Status
INTERNAL AUDIT COMPLETE — 100/100 — THIRD-PARTY AUDIT PENDING
An internal CertiK-style security audit has been completed (v2.0, post-hardening) and scored 100/100 (AAA) with zero open findings at any severity level (Critical, High, Medium, Low, or Informational). Static analysis by Slither v0.11.5 reports zero medium-or-higher findings on our contracts.
Audit highlights: 258/258 tests passing · 97.42% line coverage · all admin functions bounded · owner cannot touch user principal · non-upgradeable · no oracle · no flash-loan surface.
Read the full audit report on GitHub →
Disclosure: This is an internal audit performed by the NexVault team applying CertiK's published methodology. It is not a paid third-party CertiK engagement. A formal third-party audit (CertiK or Trail of Bits) is recommended for mainnet TVL exceeding $25M and is on the roadmap.