Security review & disclosures

Built for safety —
and honest about the risks.

A transparent security review of the INDEX8 vault contract against recognized standards, with the protections in place and the residual risks disclosed openly — so you can decide with full information.

Scope

Contract: Index8Vault.sol (Solidity 0.8.24, OpenZeppelin 5.x)
Chain: BNB Smart Chain (mainnet)
Address: 0xF1a70a58723EF1643573954F961858aFC4f15EBf
Type: tokenized index vault — the ERC-20 token and the custodian/LP
Review date: 2026-06-08 · Reviewer: project builder (self-review)

Standards & references used:

SWC RegistryOpenZeppelin secure patterns Common DeFi vault vulnerability classesChecks-Effects-Interactions Foundry test suite (24 tests + mainnet-fork)

Protections verified

These properties were reviewed and are enforced by the contract:

Reentrancy protected — every state-changing entry point (mint, redeem, rebalance) uses a reentrancy guard; redeem burns shares before transferring out (checks-effects-interactions); all token moves use SafeERC20.
The market-maker cannot drain the vault — rebalance swaps can only go between basket assets, output is hard-coded back to the vault (funds can't be sent elsewhere), each swap must clear an oracle-implied price floor, daily turnover is capped, and the router allowance is reset to zero after every swap.
Manipulation-resistant pricing — NAV is computed only from Chainlink oracles, with a staleness check and a positive-price check; charting/market feeds are never used for settlement.
Redemption is always open — pausing halts deposits and rebalancing but can never block redemptions, so holders can always exit.
Bounded fees — fees are hard-capped in code (≤5%); the treasury cut can never exceed the total fee.
Safe arithmetic — Solidity 0.8 overflow/underflow protection throughout.
Role separation — the autonomous keeper holds only rebalance permission, never owner powers; on mainnet it is a dedicated key, not the owner.

Findings

No vulnerability was found that lets an arbitrary user drain or steal funds. The items below are inherent design trade-offs and risks, disclosed in full.

#	Area	Severity	Status / mitigation
F1	Owner is a powerful, trusted role (can change fees, assets, keeper, guards, pause)	Centralization	Disclosed below. Recommend owner = multisig/timelock for production.
F2	First-deposit "inflation" attack on an empty vault	Medium	Mitigated operationally: the operator seeds the first mint. See below.
F3	Reliance on Chainlink oracles for all pricing	Low	Staleness + positive-price checks; Chainlink is industry standard.
F4	MEV / sandwiching on public rebalance swaps	Low	Loss bounded by the per-swap oracle slippage floor.
F5	Thin-liquidity coins may revert on rebalance	Low	No loss — the swap simply reverts; funds stay in the vault.
F6	removeAsset can strand up to a small dust value	Info	Bounded by a configurable dust threshold (~$1).
F7	Immutable contract (no upgrade proxy)	By design	No upgrade-key risk; bugs would require redeploy + migration.
F8	Drain by an arbitrary (non-owner) actor	Not found	The custody design prevents it.

Key disclosures (please read)

1 · The owner is trusted

The owner can change fees (≤5%), add/remove basket coins, set the keeper, whitelist DEX routers, adjust the swap guardrails, and pause. A malicious or compromised owner could, over time, leak value (e.g. by whitelisting a bad router and trading at the maximum allowed slippage). You are trusting the owner. For real scale, the owner key should be a multisig or timelock. Today this is a private friends' fund run by the builder.

2 · Don't be the first deposit into an empty vault

Like most vault contracts, an empty vault is theoretically exposed to a "first-deposit inflation" trick. We mitigate this by having the operator perform the first, seeding mint. As a depositor, only mint into a vault that already holds value (the app shows the basket and NAV).

3 · Pricing depends on Chainlink

NAV — and therefore every mint and redeem — is priced by Chainlink feeds. If a feed were wrong or compromised, NAV would be wrong. We use staleness and positive-price checks, and Chainlink is the industry standard, but this dependency is real.

4 · It is not professionally audited

The code is covered by 24 automated tests and a live mainnet-fork test, and was reviewed against the standards above — but it has not been audited by an independent security firm. Treat it accordingly: start small.

Recommendations (our roadmap)

Move the owner key to a multisig / timelock as the fund grows.
Commission an independent professional audit before opening beyond friends.
Add fuzz / invariant tests and consider an oracle deviation cross-check.
Keep per-deposit sizes modest during the beta.

Verify it yourself

Everything is on-chain and public. You don't have to trust this page:

Read the live contract on BscScan — holdings, every transaction, and the verified source.
The app reads NAV and the basket directly from the chain; you can cross-check any number.
Redemption is permissionless and always available — you can always exit on your own.

INDEX8 — SECURITY REVIEW (BUILDER SELF-ASSESSMENT) · 2026-06-08 · NOT AN INDEPENDENT AUDIT · NOT FINANCIAL ADVICE