Learn how KhipuVault secures your funds through non-custodial design, audited smart contracts, multi-signature controls, time-locks, and comprehensive security practices.

Security

Security is KhipuVault's top priority. This guide explains how we protect your funds through multiple layers of security measures.

Core Security Principles

KhipuVault is built on three fundamental security principles:

1. Non-Custodial Design

You control your keys. We never hold your funds.

Traditional Bank:
Your Money → Bank's Vault → Bank Controls
            (you trust the bank)

KhipuVault:
Your Keys → Smart Contracts → You Control
           (you trust the code)

What this means:

✅ Your private keys stay in your wallet (MetaMask)
✅ Only you can authorize transactions
✅ KhipuVault team cannot access your funds
✅ No one can freeze your account
✅ Withdraw anytime (no permission needed)

Your Keys, Your Bitcoin

The phrase "not your keys, not your coins" is fundamental in crypto. KhipuVault follows this principle strictly.

2. Transparent & Audited

All code is public and professionally audited.

📖 Open source: Every line of code on GitHub
🔍 Audited: Multiple security firms reviewed our contracts
👁️ Verifiable: Anyone can inspect the code
🐛 Bug bounties: Rewards for finding vulnerabilities

View our code →

3. Decentralized

No single point of failure.

🌐 Smart contracts run on thousands of Mezo nodes
🔗 Secured by Bitcoin's decentralized network
👥 Multi-signature controls (not one person)
⏰ Time-locked upgrades (community can exit)

Learn about decentralization →

Layer 1: Your Wallet Security

Your responsibility: Protecting your private keys.

Private Key Protection

Your private key is like the password to your bank vault:

Best Practices:

✅ Use a hardware wallet (Ledger, Trezor) for large amounts ✅ Write down seed phrase on paper (not digital) ✅ Store in safe place (fireproof safe, bank deposit box) ✅ Never share your seed phrase or private key ✅ Use strong passwords for MetaMask encryption

❌ Never screenshot your seed phrase ❌ Don't store on cloud (Google Drive, iCloud) ❌ Don't email or message your keys ❌ Don't type into websites (only MetaMask)

Critical Warning

If someone gets your private key, they can steal ALL your crypto.

No one from KhipuVault will ever ask for your seed phrase or private key. It's a scam if they do.

MetaMask Security

Recommended MetaMask settings:

Enable password lock (lock after 5 minutes)
Hardware wallet integration (for large amounts)
Revoke unlimited approvals (check regularly)
Verify contract addresses (before approving)
Use separate accounts (one for testing, one for mainnet)

Phishing Protection

Common scams:

❌ Fake KhipuVault websites (always check URL: khipuvault.com) ❌ DMs asking for seed phrases ("support" scams) ❌ Pop-ups asking to "reconnect wallet" ❌ Emails with malicious links ❌ Discord/Telegram imposters

How to stay safe:

✅ Bookmark official URL ✅ Verify contract addresses on block explorer ✅ Never click email links (go directly to site) ✅ Join official Discord/Telegram (verify in footer) ✅ Enable 2FA everywhere possible

Phishing guide →

Layer 2: Smart Contract Security

Our responsibility: Writing secure, audited code.

Security Audits

KhipuVault contracts are audited by:

1. Automated Tools

Slither (Trail of Bits):

Static analysis
Detects common vulnerabilities
Runs on every commit

Aderyn (Cyfrin):

Rust-based analyzer
Advanced pattern detection
Gas optimization suggestions

Mythril (ConsenSys):

Symbolic execution
Detects complex bugs
Formal verification

2. Third-Party Auditors

We've engaged:

Cyfrin - Smart contract auditors
OpenZeppelin - Security experts
Community auditors - Public reviews

View audit reports →

3. Bug Bounty Program

Earn up to $50,000 for finding vulnerabilities:

Severity	Reward
Critical (funds at risk)	$10,000 - $50,000
High (protocol broken)	$5,000 - $10,000
Medium (logic errors)	$1,000 - $5,000
Low (minor issues)	$100 - $1,000

Submit bugs →

Battle-Tested Libraries

We use industry-standard, audited libraries:

OpenZeppelin Contracts:

Used by Aave, Compound, Uniswap
Securing $100B+ in DeFi
Continuously audited and updated

import "@openzeppelin/contracts/security/ReentrancyGuard.sol";
import "@openzeppelin/contracts/security/Pausable.sol";
import "@openzeppelin/contracts/access/AccessControl.sol";

Why this matters: We don't reinvent the wheel. We use code that's protected billions in production.

Common Vulnerabilities (How We Prevent)

Reentrancy Attacks

Attack: Malicious contract calls back before state updates.

Prevention:

// Bad (vulnerable)
function withdraw(uint256 amount) public {
    msg.sender.call{value: amount}(""); // Call first
    balances[msg.sender] -= amount;      // Update after (BAD!)
}

// Good (KhipuVault way)
function withdraw(uint256 amount) public nonReentrant {
    balances[msg.sender] -= amount;      // Update first
    msg.sender.call{value: amount}("");  // Call after (GOOD!)
}

We use OpenZeppelin's ReentrancyGuard on all state-changing functions.

Integer Overflow/Underflow

Attack: Math operations that wrap around (e.g., 255 + 1 = 0).

Prevention:

// Solidity 0.8+ has built-in overflow protection
uint256 balance = 100;
balance += amount; // Reverts if overflow (safe!)

We use Solidity 0.8.20+ with automatic overflow checks.

Access Control Issues

Attack: Unauthorized users calling admin functions.

Prevention:

// Only authorized roles can call critical functions
function pause() public onlyRole(PAUSER_ROLE) {
    _pause();
}

function upgrade(address newImpl) public onlyRole(UPGRADER_ROLE) {
    _upgradeTo(newImpl);
}

We use role-based access control (RBAC) with multi-signature requirements.

Oracle Manipulation

Attack: Flash loan attacks to manipulate price oracles.

Prevention:

Use time-weighted average prices (TWAP)
Multiple oracle sources (Chainlink, Band, Pyth)
Sanity checks (reject outliers)
Reentrancy guards on oracle reads

Testing Strategy

Before deployment, contracts undergo rigorous testing:

Unit Tests: 500+ tests covering every function

✓ Should deposit successfully (42ms)
✓ Should fail on insufficient balance (38ms)
✓ Should calculate yields correctly (51ms)
...
Coverage: 98.7%

Integration Tests: Full user flows

Scenario: User deposits → earns yields → withdraws
Expected: Balance increases, events emitted
Result: ✅ Pass

Fuzzing: Random inputs to find edge cases

forge test --fuzz-runs 10000
[PASS] testFuzz_deposit (runs: 10000, μ: 52341 gas)

Formal Verification: Mathematical proofs of correctness

Property: User balance never exceeds total pool balance
Proof: ✅ Verified

See test results →

Layer 3: Protocol Security

Our responsibility: Governance and operational security.

Multi-Signature Controls

Critical actions require 3 of 5 signatures:

Action: Upgrade smart contract
Required: 3 signers approve

Signers:
1. Founder (Bolivia) ✅
2. CTO (Argentina) ✅
3. Security Lead (Peru) ⏳
4. Advisor (USA) ⏳
5. Community Rep (Mexico) ⏳

Status: 2/3 - waiting for one more signature

Protected actions:

Smart contract upgrades
Fee changes (greater than 5%)
Pause/unpause
Treasury withdrawals
Emergency responses

Benefits:

No single person can act alone
Geographic distribution (harder to coerce)
Transparent on-chain (anyone can monitor)

View multi-sig →

Time-Locked Upgrades

All upgrades have a 48-hour delay:

Day 0: Team proposes upgrade
       ↓
       Public announcement (Discord, Twitter, Email)
       ↓
Day 0-2: Community review period
       ↓
       Users can exit if they disagree
       ↓
Day 2: Upgrade executes automatically

Why this matters:

Community has time to review
Security researchers can audit changes
Users can withdraw if uncomfortable
No surprise changes

Exception: Critical security fixes can be expedited (still requires multi-sig).

Emergency Pause

If a vulnerability is discovered:

Security team: "Potential exploit detected!"
       ↓
Multi-sig holders: Emergency pause
       ↓
All deposits/withdrawals frozen (funds safe)
       ↓
Team fixes bug and deploys patch
       ↓
Time-locked unpause (48 hours)
       ↓
Normal operations resume

Past examples (other protocols):

Compound (2021): Paused when distribution bug found
Cream Finance (2021): Paused during oracle attack
Poly Network (2021): Paused after $600M hack

Pausability is controversial (centralization risk), but we believe it's necessary for early-stage protocols. As KhipuVault matures, we'll transition to more decentralized governance.

Rate Limits & Safeguards

To prevent attacks:

Deposit limits:

Max 100,000 MUSD per transaction
Max 500,000 MUSD per address per day

Withdrawal limits:

No limits on Individual Pools
Large Community Pool withdrawals (greater than 50,000 MUSD) require 24-hour notice

Why: Prevents flash loan attacks and gives time to respond to anomalies.

Layer 4: Blockchain Security

Mezo's responsibility: Network security.

Bitcoin Consensus

Mezo inherits Bitcoin's security:

15,000+ nodes worldwide
$800B+ market cap (attack cost)
15+ years unbroken operation
Decentralized (no single owner)

To hack KhipuVault, attacker would need to:

Hack Mezo (secured by Bitcoin)
Control 51% of Bitcoin hashrate (impossible)
Bypass our smart contracts (audited)

In practice: KhipuVault is as secure as Bitcoin itself.

Learn more →

Network Monitoring

We monitor blockchain health 24/7:

Metrics tracked:

Block production (is Mezo online?)
Validator set (decentralization)
Gas prices (network congestion)
Bridge health (Bitcoin ↔ Mezo)

Alerts:

Abnormal transaction patterns
Large withdrawals (manual review)
Smart contract interactions (unexpected calls)
Price oracle deviations

System status →

Insurance & Risk Mitigation

DeFi Insurance (Coming Soon)

We're integrating with insurance protocols:

Nexus Mutual:

Covers smart contract exploits
Community-driven underwriting
Claims paid in NXM tokens

InsurAce:

Multi-chain coverage
Lower premiums
Faster claims

How it works:

You deposit 10,000 MUSD
↓
KhipuVault pays 0.5% insurance premium (50 MUSD)
↓
If contract hacked → Insurance pays you back

Emergency Fund

KhipuVault maintains a reserve fund:

10% of all deposits
Used for unexpected losses
Multi-sig controlled
Transparent reserves (on-chain)

Use cases:

Smart contract bugs (cover losses)
Oracle failures (make users whole)
Bridge issues (compensate users)

Gradual Rollout

We launch conservatively:

Phase 1: Testnet (current)

Free test tokens
Find bugs safely
Community testing

Phase 2: Mainnet Soft Launch

Low deposit caps (max 10,000 MUSD)
Limited users (whitelist)
24/7 monitoring

Phase 3: Public Launch

Gradual cap increases
Multi-month observation
Full decentralization

Phase 4: Mature Protocol

No caps
Fully decentralized
Governance by community

We don't rush. Security > speed. We'd rather launch slowly and safely than quickly and recklessly.

Security Best Practices for Users

Do's ✅

Use hardware wallets (Ledger, Trezor) for large amounts
Test on testnet first before mainnet
Start small (deposit 10-100 MUSD initially)
Verify contract addresses on block explorer
Enable all security features (2FA, password lock)
Keep software updated (MetaMask, browser)
Bookmark official URL (khipuvault.com)
Join official channels (Discord, Twitter)

Don'ts ❌

Never share seed phrase (not even with "support")
Don't use public WiFi for transactions
Don't click email links (go directly to site)
Don't trust DMs (we never DM first)
Don't approve unlimited spending (use exact amounts)
Don't use weak passwords
Don't store keys digitally (paper only)
Don't rush (scammers create urgency)

Wallet Hygiene

Regular maintenance:

Check approvals monthly (revoke unused)
- Visit revoke.cash
- Revoke old approvals
Update software (MetaMask, OS, browser)
Review transactions (check block explorer)
Test recovery (write seed phrase, restore wallet)
Separate hot/cold storage:
- Hot wallet (MetaMask): Small amounts for daily use
- Cold wallet (Ledger): Large amounts, long-term storage

Incident Response Plan

If something goes wrong, we have a plan:

Detection

Automated monitoring alerts team to:

Abnormal transactions
Smart contract errors
Oracle deviations
Large withdrawals

Response

Within 15 minutes:

Security team alerted (24/7 on-call)
Assess severity (critical/high/medium/low)
If critical: Execute emergency pause (multi-sig)

Within 1 hour: 4. Public announcement (Discord, Twitter, Website) 5. Begin investigation (logs, transactions, code review) 6. Engage auditors (if needed)

Within 24 hours: 7. Root cause identified 8. Patch developed and tested 9. User impact assessed 10. Compensation plan (if losses occurred)

Post-incident: 11. Full transparency report published 12. Lessons learned 13. Process improvements