External audit
OpenZeppelin
Full-scope audit covering InheritanceVault, Factory, PremiumManager, MultiSig, and the CCIP cross-chain relay. Public report.
Read the reportProof
Receipts.Everything you can read, run, or verify.
Every promise on this site is backed by something concrete: an audit, a formal proof, a contract you can inspect, code you can build. Here it all is.
Formal verification
Halmos · 51 symbolic proofs
Properties proved across four test files: invariants on shares, claim flow correctness, recovery safety, and pause behavior.
Browse proofs on GitHubStatic analysis
Slither · Aderyn · Mythril
Three independent static analyzers run on every contract change. CI fails the build on any medium-or-higher finding.
See CI policyOpen-source
MIT-licensed, every line
Smart contracts, backend, frontend, indexers. All in one repo. You can build, run, and verify the bytecode for any chain.
View on GitHubContract addresses, every chain
The factory contract is the entry point on each chain. Vaults are deployed as clones from these addresses.
| Chain | Factory | |
|---|---|---|
| Ethereum | 0x0000000000000000000000000000000000000000 | View on explorer |
| Base | 0x0000000000000000000000000000000000000000 | View on explorer |
| Arbitrum | 0x0000000000000000000000000000000000000000 | View on explorer |
| Polygon | 0x0000000000000000000000000000000000000000 | View on explorer |
| BSC | 0x0000000000000000000000000000000000000000 | View on explorer |
| Avalanche | 0x0000000000000000000000000000000000000000 | View on explorer |
| Hyperliquid | 0x0000000000000000000000000000000000000000 | View on explorer |
Bitcoin uses a Taproot multisig (P2TR), Tron uses TRC20-compatible contracts, and Solana uses an Anchor program. Addresses for those chains are published in the README of the open-source repo.
Bug bounty
Up to $250,000 for critical findings on production contracts. Scoped, fair, and public. Disclosure timeline is 90 days from confirmed report.
security@heirvault.xyz