Five layers before your keys.
Zero trust in us.
Every line of the vault runs the audit stack of a production DeFi protocol. We're non-custodial by design — your assets stay safe even if HeirVault disappears tomorrow.
Security
Every line of the vault runs the same audit stack as a production DeFi protocol. And because we're non-custodial, your assets stay safe even if HeirVault disappears tomorrow.
Security review
OpenZeppelin libraries · public reports
Contracts use OpenZeppelin libraries where appropriate, with project review reports covering InheritanceVault, Factory, PremiumManager, MultiSig, CCIP relay, and the CRIT-02 guardian-collusion remediation.
Review reports in /docs/reviews
Formal verification
Halmos — 51 symbolic proofs
Mathematical proofs across 4 test files: invariants on heir shares, guardian caps, claim state machine, and pull-based withdrawal accounting.
halmos.toml · reproducible in 60 s
Static analysis
Slither · Aderyn · Mythril
CI gates every PR: no medium+ findings allowed to merge. All three tools run on every release candidate, and reports are stored in /docs/reviews.
3 analyzers · 0 tolerated findings
Open source
MIT · GitHub · Verifiable bytecode
Every contract address links to Etherscan-verified source. You can fork the vault, audit it yourself, or run it from your own factory.
github.com/heirvault
Fuzz + invariant
10 000 runs · depth 64
Echidna-style invariant tests run 512 times at depth 64 before every mainnet deploy. Fuzz tests run 10 000 iterations per function.
forge test -vvv on every commit
Contract guarantees
Commit-reveal · pull-only · auto-unpause
20-minute commit-reveal blocks claim frontrunning. Pull-based withdrawals remove reentrancy risk. Vaults auto-unpause after 7 days so you can never be locked out.
See InheritanceVault.sol
0
Funds custodied by HeirVault
100%
Non-custodial
51
Formal proofs passing
9
Live vault networks
Audit log
Not a one-time audit. A continuous one.
- 2026-Q1
Security review
Complete · OpenZeppelin libraries + project review reports
InheritanceVault, Factory, PremiumManager, MultiSig, and CCIPRelay use OpenZeppelin libraries where appropriate. Project review reports cover the CRIT-02 guardian-collusion remediation and the commit-reveal anti-frontrun window.
- Continuous
Formal verification
Halmos — 51 symbolic proofs passing
Invariants on heir shares (Σ = 10_000 bps), guardian budget caps, claim state machine, pull-based withdrawal accounting. Reproducible in under 60s on any commit via `halmos`.
- Every PR
Static analysis
Slither + Aderyn + Mythril — no medium+ findings
CI gate blocks merge if any of the three flags a medium or higher issue. Reports archived in `/docs/reviews/` for every release candidate.
- Every release
Fuzz + invariant
10 000 fuzz runs · 512 invariant runs @ depth 64
forge test -vvv runs both suites before tagging a mainnet release. Any regression blocks deploy. Test harness mirrors the real factory deployment path end-to-end.
Contract guarantees
Written once. Enforced forever.
Pull-based withdrawals
Heirs pull their own share; the vault never pushes. Reentrancy is structurally impossible — there's no outward call in the claim path.
Commit-reveal (20 min)
Every claim has a two-step execution: commit, wait 20 minutes, reveal. Blocks MEV frontrunning even when an heir wallet is compromised.
Auto-unpause after 7 days
Safety pauses release themselves. You can't be locked out of your own vault by a bug, an operator error, or an extended dispute.
Guardian caps (90d / 180d)
Guardians can extend your deadline by 90 days per check-in cycle and 180 days across the vault's entire lifetime. Permanent, on-chain.
Immutable clones (V1 / V2)
Your V1 / V2 vault is a deployed clone of the reviewed implementation. Nothing to upgrade, nobody can push changes to it.
Upgradeable with timelock (V3)
V3 beacon proxy announces every upgrade 7 days in advance. You have a full week to review and exit to an immutable clone if you disagree.
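The commit-reveal window, the pull-based withdrawal, and the 10_000 bps share invariant described above, as an added Solidity sketch. It is not HeirVault's InheritanceVault.sol: the contract name, storage layout, and function names are assumptions, and the inheritance trigger, guardians, and pausing are left out.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
/// Illustrative sketch only (hypothetical names); not HeirVault's contract.
contract CommitRevealClaimSketch {
    uint256 public constant REVEAL_DELAY = 20 minutes; // window stated on the page
    uint256 public constant TOTAL_BPS = 10_000;        // heir shares must sum to this
    mapping(address => uint256) public shareBps;    // heir => share in basis points
    mapping(address => bytes32) public commitment;  // heir => keccak256(heir, salt)
    mapping(address => uint256) public committedAt; // heir => commit timestamp
    mapping(address => uint256) public owed;        // heir => balance waiting to be pulled
    uint256 public immutable estate;

    constructor(address[] memory heirs, uint256[] memory bps) payable {
        require(heirs.length == bps.length, "length mismatch");
        uint256 sum;
        for (uint256 i = 0; i < heirs.length; i++) {
            require(shareBps[heirs[i]] == 0 && bps[i] > 0, "duplicate or empty heir");
            shareBps[heirs[i]] = bps[i];
            sum += bps[i];
        }
        require(sum == TOTAL_BPS, "shares must total 10_000 bps");
        estate = msg.value;
    }

    // Step 1: only a hash goes on-chain; a new commit restarts the 20-minute clock.
    function commit(bytes32 hash) external {
        require(shareBps[msg.sender] > 0, "not an heir or already claimed");
        commitment[msg.sender] = hash;
        committedAt[msg.sender] = block.timestamp;
    }

    // Step 2: open the commitment after the delay. The hash binds msg.sender, so a
    // reveal copied from the mempool fails for any other sender. Only credits a balance.
    function reveal(bytes32 salt) external {
        bytes32 c = commitment[msg.sender];
        require(c != bytes32(0), "no commitment");
        require(block.timestamp >= committedAt[msg.sender] + REVEAL_DELAY, "too early");
        require(c == keccak256(abi.encode(msg.sender, salt)), "bad reveal");
        delete commitment[msg.sender];
        owed[msg.sender] += estate * shareBps[msg.sender] / TOTAL_BPS; // floors; dust stays
        shareBps[msg.sender] = 0; // each share can be claimed once
    }

    // Step 3: the heir pulls. The balance is zeroed before the external call, so a
    // re-entering receiver finds nothing owed.
    function withdraw() external {
        uint256 amount = owed[msg.sender];
        require(amount > 0, "nothing owed");
        owed[msg.sender] = 0;
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
    }
}
```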
Non-custody
Zero keys. Zero override. Zero exit risk.
HeirVault the company has no signing keys, no admin backdoor, no pause switch on your vault. We don't run a node you have to trust. We write the interface you use to configure the contract — nothing more. If we disappear, the contract keeps running. If we turn malicious, the contract still keeps running.
0
Funds held by HeirVault
Not now. Not in fiat. Not as custodian.
100 %
On-chain verifiable
Every vault address → Etherscan source.
9
Live vault networks
Each deployment path is reviewed separately.
Don't trust us. Read the proofs.
Source, audits, formal-verification outputs, and the recovery playbook are all public. Fork it, run it, replace us.