Security

The vault is designed so that the operator cannot access depositor funds — by architecture, not by promise.

Trustless custody

The vault smart contract holds all deposited USDC. It creates a HyperCore account (the trading account on Hyperliquid's L1) that is owned by the contract itself. The operator has no direct access to this account or the funds in it.

Withdrawals are only possible through the ERC4626 redemption flow: share holders burn shares and receive their proportional USDC.

Agent wallet: trade-only

The vault delegates an agent wallet to execute trades on HyperCore. This wallet has a single permission: place and cancel orders. It cannot withdraw funds. This restriction is enforced at the HyperCore protocol level — it is not a software check that could be bypassed.

Action            | Agent wallet            | Vault contract
------------------|-------------------------|-----------------------------
Execute trades    | Yes                     | No
Withdraw funds    | No (protocol-enforced)  | Yes (to share holders only)
Change strategy   | Yes (off-chain)         | No
Upgrade contract  | No                      | Via timelock only

Roles and access control

Role      | Address            | Permissions
----------|--------------------|------------------------------------------------
Owner     | Timelock contract  | Upgrade implementation, change fees, set agent
Guardian  | Dedicated EOA      | Pause vault, trigger emergency withdrawal
Keeper    | Dedicated EOA      | Process redemption queue (operational)
Agent     | Dedicated EOA      | Trade on HyperCore (trade-only)

All privileged actions by the owner go through a timelock — changes are announced on-chain before taking effect, giving depositors time to exit if they disagree.

Smart contract protections

Attack vector                 | Mitigation
------------------------------|------------------------------------------------------------
Inflation attack              | Initial dead shares on first deposit
Donation attack               | Equity read from HyperCore precompile, not token balance
Sandwich on deposit/withdraw  | Share price based on HyperCore equity, not manipulable
Unauthorized upgrade          | Timelock with delay period
Operator disappearance        | Guardian can trigger emergency pro-rata withdrawal
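As an added illustration (a constructed toy model, not the vault's contract code), the share accounting below shows why the first two mitigations above work together against first-depositor price inflation: a plain USDC transfer to the contract never reaches totalAssets when the price is read from HyperCore equity, and dead shares leave the first depositor with only a sliver of the supply. The Vault class, its fields and the 1,000-share dead amount are assumptions made for the demonstration.

```python
# Constructed toy model of ERC4626 share accounting; not the vault's Solidity.
from dataclasses import dataclass, field

@dataclass
class Vault:
    price_from_equity: bool      # True: totalAssets() = HyperCore equity (this page's design)
    dead_shares: int             # shares sent to a burn address on the first deposit (assumed 1000)
    equity: int = 0              # USDC in the contract-owned HyperCore account
    token_balance: int = 0       # USDC sitting at the contract address (donations land here)
    total_shares: int = 0
    shares: dict = field(default_factory=dict)

    def total_assets(self) -> int:
        # Equity-based pricing: a direct token transfer to the contract is invisible
        # to the share price. The naive variant counts the contract's token balance.
        return self.equity if self.price_from_equity else self.equity + self.token_balance

    def deposit(self, who: str, assets: int) -> int:
        if self.total_shares == 0:
            # First deposit mints 1:1, with dead shares diverted to a burn address.
            minted = assets - self.dead_shares
            assert minted > 0, "first deposit must exceed the dead-share amount"
            self.shares["dead"] = self.dead_shares
            self.total_shares = self.dead_shares
        else:
            minted = assets * self.total_shares // self.total_assets()  # ERC4626 floor rounding
        self.equity += assets          # deposited USDC is bridged into the HyperCore account
        self.total_shares += minted
        self.shares[who] = self.shares.get(who, 0) + minted
        return minted

    def donate(self, assets: int) -> None:
        self.token_balance += assets   # ERC20 transfer straight to the contract, no shares minted

    def redeemable(self, who: str) -> int:
        return self.shares.get(who, 0) * self.total_assets() // self.total_shares

def first_depositor_scenario(vault: Vault) -> tuple[int, int]:
    """Run the classic first-depositor sequence; return (victim_shares, first_depositor_profit)."""
    first = vault.dead_shares + 1
    vault.deposit("first", first)           # holds the only non-dead share
    vault.donate(1_000_000)                 # attempts to inflate the share price
    victim_shares = vault.deposit("victim", 1_000_000)
    profit = vault.redeemable("first") - first - 1_000_000
    return victim_shares, profit
```

With naive balance-based pricing and no dead shares the victim receives zero shares and the first depositor pockets the victim's deposit; with the page's two mitigations the victim is credited in full and the donation is simply lost.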

Upgradeability

The vault uses a proxy pattern (UUPS) that allows implementation upgrades through the timelock. The roadmap:

  1. Current (Phase 0): Proxy with timelock — allows bug fixes and improvements

  2. Target (Phase 1+): Immutable — lock the proxy once the implementation is battle-tested

Audit status

The vault contracts have undergone internal review and testing. A formal third-party audit is planned for Phase 1. Source code is verified on-chain via Sourcify.

No smart contract is guaranteed to be bug-free. See Understanding Risks for a complete risk assessment.
