Vault, Cosmos & EVM Contracts - NUVA

1. Introduction

NUVA Foundation engaged Halborn to conduct a comprehensive security assessment of the Vault Module on Provenance Blockchain beginning on December 9th, 2025, and concluding on December 26th, 2025. The scope of this assessment was limited to the smart contracts and Cosmos-SDK Vault module provided to the Halborn team. Commit hashes, scope boundaries, and additional technical details are documented in the Scope section of this report. '

The Vault Module is a public, permissionless, proof-of-stake blockchain, purpose-built to modernize financial infrastructure. It is more than just a general-purpose ledger; it's an integrated ecosystem designed for finance.

2. Assessment Summary

Halborn assigned a full-time security engineer to perform a comprehensive review of the contracts. The engineer is a blockchain and smart contract and blockchain security expert with extensive experience in penetration testing, vulnerability research, and auditing across multiple blockchain ecosystems.

The purpose of this assessment was to:

• Identify potential security issues and vulnerabilities within the EVM and Cosmos Vault smart contracts along with the Integration of a specific Cosmos-SDK vault module.

• Ensure that all contract components function as intended under expected and edge-case conditions.

In summary, Halborn identified several areas for improvement to minimize both the likelihood and potential impact of security risks, which were mostly acknowledged by the NUVA Foundation. The primary recommendations included:

• Reject SwapOut requests where the computed redeemable assets are zero (return a clear “amount too small” error), or treat zero-asset conversions as a recoverable failure in payout processing and refund shares instead of burning.

• Introduce a separate per-block scan budget that counts skipped paused entries, or move paused-vault jobs out of the due-walk path.

• Remove the hardcoded uylds.fcc 1:1 path and always use Marker NAV for conversions.

3. Test Approach and Methodology

Halborn performed a combination of manual code review and automated security testing to balance efficiency, timeliness, practicality, and accuracy in regard to the scope of this assessment. While manual testing is essential to uncover flaws in logic, process, and implementation, automated testing techniques enhance coverage of smart contracts and can quickly identify issues that do not follow security best practices.

The following phases and associated tools were used throughout the assessment:

• Research into the architecture, purpose, and use of the platform.

• Manual code review and walkthrough of the smart contracts to identify potential logic issues.

• Manual testing of all core functions, including deposit, withdraw, vault creation, etc., to validate expected behavior and identify edge-case vulnerabilities.

• Local testing to simulate contract interactions and validate functional and security assumptions.

• Fuzz testing with the golang's integrated Fuzzer.