Security & Trust - The RWA Vault Market Place for Everyone

Purpose: RWA-specific trust layer (elevated priority)

3.1 Smart Contract Security - see section 5 for more detail

Security is a core attribute. NUVA leverages the highest standards, leveraging industry best practices and undergoing rigorous audits by leading security firms.

Audits - see section 5 for more detail

NUVA works with leading security firms like Sherlock and Halborn to ensure its smart contracts and vaults meet the highest security standards. Sherlock has completed the an audit of NUVA’s smart contracts as of December 2025, and Halborn is currently conducting an additional audit.

3.1.1 Audits by Sherlock

Sherlock is a leading blockchain security company and a marketplace for smart contract audits and coverage. They combine competitive audit contests with expert-led reviews to identify vulnerabilities in smart contracts and protect decentralized finance users from exploits.

Audit status: ✓ Completed
Audit date: January 14, 2026
Audit scope: Ethereum contracts, Provenance vault module
Link to audit report: [from Engineering] Date missing

3.1.3 Development Standards see section 5 for more detail

NUVA’s smart contracts are developed using proven frameworks and best practices:

OpenZeppelin: NUVA uses OpenZeppelin’s well-known ERC-20 implementations for Ethereum, ensuring a strong and secure foundation.
Cosmos SDK: The NUVA Vaults are implemented as a Cosmos SDK module which builds upon the Provenance Blockchain capabilities to create a flexible vault capability with a unique continuous compounding interest distribution.

NUVA’s architecture follows industry-standard patterns for token minting, yield distribution, and withdrawal mechanics. Once deployed, NUVA’s smart contracts cannot be altered, ensuring long-term security and trust.

On-Chain Proof of Reserves - see section 5 for more detail

Proof of Reserves (PoR) is an on-chain verification mechanism that lets anyone confirm a vault’s obligations to token holders are fully backed by reserves recorded on the blockchain. This replaces trust with verifiable truth, allowing users to independently verify:

Token Supply: The total number of tokens issued.
Backing Reserves: The underlying assets held in the vault.
Mint/Burn Activity: All token creation and destruction events.

How to Verify Underlying Assets

You can verify proof of reserves and underlying assets directly through blockchain explorers like Zonescan or Etherscan by navigating to the published vault contract addresses.

Transparency dashboard
Contract addresses: [NUVA contract addresses to be added for Ethereum Mainnet]

What On-Chain Proof Means for Your Security

Immutable ledger of assets: All vault holdings are recorded on the blockchain in an immutable ledger. Once assets are deposited into the vault, the transaction is permanently recorded and cannot be altered.
Real-time verification: You can verify vault holdings at any time by checking the blockchain directly. There are no delays or intermediaries between you and the proof of reserves.
Trustless verification: You don't need to trust NUVA, or any third-party. You can independently verify that the assets claimed by the vault are actually held in the smart contracts. This is trustless verification—proof without requiring trust in a middleman.

Custody

All NUVA vaults are non-custodial, which means that you at all times have full control over your funds and nvAsset tokens.

With self-custody of nvAsset tokens, your wallet functions as your personal bank. You have complete ownership but also complete responsibility for securing your private keys and wallet access.
When you deposit into a NUVA vault, you receive vault tokens that are sent directly to your wallet. You hold these tokens yourself—NUVA does not hold them for you and cannot access them at any time.
The vault smart contracts that manage deposits, yield distribution, and withdrawals cannot be changed or updated by NUVA or anyone else. Once deployed, the code is permanent and tamper-proof.

NUVA supports users’ custodians by integrating wallet-connection protocols that allow institution-grade qualified custodians — such as Fireblocks, Copper, Anchorage, or BitGo — to sign transactions on behalf of their clients while the platform remains fully non-custodial.

Safely Store Your Vault Tokens

The security of your vault tokens depends entirely on the security of your wallet. If your wallet is compromised, your tokens can be lost or stolen. Best practices for securing your wallet include:

Never share your private keys or seed phrases with anyone
Consider using a hardware or multi-signature wallet for large amounts or long-term holdings
Do not store private keys or seed phrases in digital files or email and keep backups of your seed phrase in a secure location
Enable all available security features on your wallet

Regulatory Compliance NUVA’s core stablecoin is nvYLDS

nvHELOC Deep Dive

NUVA’s flagship private credit asset vault nvHELOC provides exposure to a diversified pool of high quality home equity line of credit (HELOC) loans originated and managed by Figure Technology Solutions, Inc. through their Democratized Prime marketplace.

Yielding around 9%, nvHELOC tokens are among the most attractive assets in DeFi.

FAQs

What are liquidity options?

***nvHELOC can be created instantly, with redemptions processed within minutes, to up to 3 US business days for larger orders. This offers flexibility not available in any other high yield private credit product.

Are there minimums?

Is nuYLDS overcollateralized?

Yes. Both the loans and the HELOCs collateralizing the loans in the nvHELOC vault are visible on the Provenance Blockchain.

How does NUVA manage liquidity and redemption risk for nvHELOC?

All nvHELOC redemption requests will be routed through Figure’s Democratized Prime HELOC Pool and, in normal market conditions, converted to YLDS a the top of the hour of the redemption request. YLDS will then be converted to USDC and the redemption will be processed.

Figure’s Democratized Prime HELOC Pool has built in liquidity mechanisms supported by Figure’s balance sheet and their partnership with Sixth Street, which provides a dedicated guarantor and liquidity backstop. The 6th Street Fund, a vehicle capitalized with approximately US$200 million in equity, leverages up to US$1–2 billion to fulfill redemption requests if liquidity in the marketplace becomes constrained. This ensures continuous redemption capability even under adverse market conditions

In order to augment this process, NUVA adopts a three-layer liquidity framework to ensure timely redemptions and mitigate liquidity mismatch risks.

Primary Liquidity Buffer (On-Vault Reserves): Each nvHELOC vault maintains 5% to 10% of its total value in the YLDS liquid yield-bearing token. This serves as an immediate liquidity reserve, allowing redemptions of up to that threshold to be settled within two business days (T+2) directly from vault liquidity.
Secondary Liquidity via SuperNuva (DeFi Liquidity Layer): in 1Q 2026, NUVA will operate its proprietary SuperNuva vault, which seeds liquidity pools (e.g., nvHELOC token–USDC pairs) on decentralized exchanges such as Curve. This on-chain layer provides investors with additional redemption flexibility, enabling them to swap out of HELOC tokens into USDC when native vault liquidity is temporarily limited
Liquidity Backstop (Bilateral Facility): Beyond the Figure–6th Street arrangement, in 2026 NUVA will establish an independent bilateral backstop facility with a third-party liquidity provider. This facility starts at US$25–50 million, scales as AUM grows, and serves as capital of last resort—activated only if both vault reserves and market-based mechanisms are temporarily exhausted.

Together, these multiple layers of defense — spanning on-vault reserves, DeFi liquidity, institutional marketplaces, and bilateral backstops — enable NUVA to maintain T+2 redemption capability while minimizing liquidity mismatch risks.

nvHELOC Underlying Asset: HELOC-Backed Loans on Democratized Prime

HELOC-Backed Loans on Figure's Democratized Prime represent a pioneering on-chain senior lending facility where tokenized home equity lines of credit (HELOCs) serve as overcollateralized real-world assets (RWAs) to secure short-term funding for originators, enabling seamless access to capital via the Provenance Blockchain.

This DeFi marketplace democratizes prime-rate lending by allowing retail and institutional investors to participate in hourly Dutch auctions, bidding on rates to fund these loans and earn yields around 9% APY—far surpassing traditional treasuries—while borrowers like mortgage firms benefit from real-time warehouse lines with daily liquidity and reduced fees. Backed by Figure's Digital Asset Registry Technology for secure lien perfection, the platform enhances transparency and efficiency, bridging traditional finance with blockchain to unlock billions in tokenized loan assets for global participation.

FAQs

What is a Home Equity Line of Credit (HELOC)?

A HELOC is a revolving, secured credit line that lets homeowners borrow against the equity in their house. Rates are variable, based on factors like a borrower’s credit score and the loan-to-value ratio. Nevertheless, HELOCs are generally considered one of the cheapest ways to access large sums of cash for renovations, debt consolidation, emergencies, or investments. Lenders like Figure have made the process fully digital and blockchain-based, approving and funding in as little as 3–5 days, then tokenizing the loans to power on-chain private-credit pools.

What is the Democratized Prime platform?

Democratized Prime (DP) is a blockchain-based, decentralized lending marketplace launched in June 2025 by Figure Technology Solutions, designed to connect borrowers and lenders directly through tokenized real-world assets (RWAs) and digital collateral. Built on the Provenance Blockchain, it disrupts traditional warehouse lending by reducing intermediaries, providing hourly liquidity, and using smart contracts for transparent, immutable transactions—positioning it as the first RWA-backed DeFi financing pool for everyday users. General Terms and Conditions can be found here: https://www.figuremarkets.com/disclosures/democratized-prime-terms/

How does Democratized Prime work?

The mechanics of Democratized Prime are as follows, using the HELOC marketplace as an example:

A new Democratized Prime Marketplace for HELOC collateral is established:
Any borrower can contribute collateral and each borrower sets their maximum borrow rate
Lenders decide if they will participate in the market, evaluating collateral based on:
Lenders participate in an hourly dutch auction; winning bids earn interest over the next hour
Interest and repayment is managed by the smart contract
Risk management is executed by the smart contract

What is the Democratized Prime HELOC Pool?

The Democratized Prime HELOC Pool (”the DP HELOC pool”) was launched in June 2025 as a pioneering real-world asset (RWA) lending facility. The DP HELOC pool represents Figure's first tokenized, on-chain warehouse line for funding HELOC originations, blending traditional home equity lending with decentralized finance to provide efficient capital recycling for lenders and attractive yields for investors. It's backed exclusively by high-quality, performing HELOCs originated via Figure's platform, which uses Provenance Blockchain for tokenization and compliance.

What is Figure’s role?

Origination and Servicing. Figure and more than 175 originator partners issue HELOCs using Figure’s proprietary technology that creates digitally native loans on Provenance Blockchain. Loan proceeds are not used for Figure’s corporate purposes (e.g., operational costs or debt repayment) but are held in segregated SPV accounts. Figure earns fees for:

Loan origination (typically a percentage of the loan amount, e.g., 1-3%).
Servicing (ongoing administration of payments, ~0.5-1% annually).
Platform fees for managing the marketplace and blockchain operations.

Figure Technology Solutions has embedded its loan origination technology with over 175 partners, including a mix of mortgage lenders, fintechs, banks, and credit unions. Some notable examples include: Sixth Street, Victory Park Capital, Rate (formerly Guaranteed Rate): CrossCountry Mortgage, Movement Mortgage.

How is the interest rate determined ?

Rates are market-driven via reverse Dutch auction on the Figure Markets Exchange. Every hour, lenders submit bids in YLDS. The exchange matches the best bids with available borrowing capacity of the Demo Prime trust. The lowest rate that clears the market sets the interest rate for that hour — and all successful lenders earn that rate.

Demo Prime interest rate is calculated based on the Annual Applicable Rate divided by 8,640 (# of hours per year). The Applicable Rate for each Loan is determined via a Dutch auction on the Figure Markets Exchange at or immediately before the time said Loan is made. Interest is accrued hourly and paid when the loan is terminated.

How is loan ownership tracked?

DART is Figure’s lien and eNote registry technology that is built on Provenance Blockchain for originators and investors to manage and track the ownership of loans as they move throughout the capital markets. DART addresses a significant market pain point in the mortgage industry—the complexities associated with manual assignments and systems, such as the Mortgage Electronic Registration Systems (“MERS”). DART effectively “listens” to the immutable activity on Provenance Blockchain and automatically updates loan ownership information accordingly. Thus, by integrating this service into our proprietary technology platform, lenders can originate, pledge, and sell loans using Figure's secure technological framework, which includes the on-chain DART monitoring service, to ensure the efficient transfer of assets. For the six months ended June 30, 2025, 80% of loans originated through the LOS (including both Figure-branded and Partner-branded) were boarded onto DART

Is the Democratized Prime structure bankruptcy remote?

Yes, Democratized Prime operates through Special Purpose Vehicles or trusts that hold the tokenized assets. These SPVs are legally separate entities from Figure’s corporate balance sheet, meaning their assets are not available to Figure or its creditors in a bankruptcy scenario. This mirrors standard TradFi securitization practices, where collateral is ring-fenced, ensuring that the underlying assets are protected from the insolvency of the servicer, Figure Technology Solutions or its affiliates. In a bankruptcy scenario, the underlying loans (e.g., HELOCs) would continue to be serviced by third-party originators or a successor servicer appointed by the SPV’s trustee.

Yields from these assets would still flow to token holders meaning lenders retain their pro-rata share of the underlying assets. Similarly, The Dutch auction system for lending is automated via smart contracts, which would continue unless disrupted by a court order. A trustee could appoint a new operator to manage the marketplace.Assets used as collateral are tokenized on Provenance Blockchain, which uses UCC Article 8-compliant Security Entitlements to establish clear ownership.

Tokens represent beneficial interests in the SPV’s assets, not Figure’s direct obligations. Tokens on Provenance remain transferable or redeemable via the blockchain, independent of Figure’s corporate status. The platform’s decentralized custody (via MPC wallets) and on-chain settlement reduce reliance on Figure’s operations.

The platform uses YLDS, an SEC-registered yield-bearing stablecoin backed by prime money market-like securities, to ensure transparency. All YLDS are held in segregated accounts by qualified custodians, further isolating them from Figure’s balance sheet.

What legal rights do the vault token holders have with respect to the underlying assets?

NUVA SPC Ltd., for and on behalf of the relevant segregated portfolio, has all applicable legal rights to the underlying assets in each vault. NUVA users do not have any direct claim against the underlying assets. See each asset’s Deep Dive page for more information.

nvHELOC

The short-term loans secured by HELOCs in the nvHELOC vaults are originated on Democratized Prime (“Demo Prime”). Demo Prime is a decentralized lending marketplace operated by Figure Markets that directly connects lenders with borrowers seeking liquidity against their crypto assets through a real-time dutch auction engine.

nvHELOC users deposit USDC which is automatically swapped into YLDS and deposited into the Demo Prime HELOC pool. The Demo Prime HELOC pool then advances those YLDS pursuant to the Master Loan Agreement to Demo Prime 1 Trust, a Delaware statutory trust (as the "Borrower"), as short-term loans which are secured by HELOCs (Home Equity Lines of Credit) of underlying borrowers/mortgagors. The HELOC pool may contain any non-conforming HELOC that is owned by the Borrower, free and clear, and for which the mortgagor is not more than 60 days past due.

NUVA (BVI) SPC Ltd. has a Figure Markets Account (the “Account”) that has been accepted on the Figure Markets Exchange (the “Exchange”) and has entered into a Demo Prime Master Loan Agreement (“Agreement”) with Demo Prime 1 Trust, a Delaware statutory trust (the “Borrower”), and Figure Markets Inc., as administrative agent for the Lender (the “Agent”). The Democratized Prime Loan Terms and Conditions of Service are incorporated herein by reference and are applicable to all Borrowers and Lenders who enter into Loan transactions secured by Eligible Assets.

nvHELOC users do not have any direct claim against the Borrower, the underlying HELOC borrowers/mortgagor or any security granted by either them (where applicable); nvHELOC user rights are limited to the terms of the nvHELOC token (i.e. the right to receive the applicable amount of USDC proceeds following its 'withdrawal' of its nvHELOCs token holdings).

The Agreement is secured by the related Security Instrument.

Security Instrument Terms:

a Grant. The Borrower grants, pledges, and assigns to the Agent (on behalf of and for the ratable benefit of Lender) as security for the payment and performance by Borrower of its obligations herein, a security interest in all of the Borrower’s right, title, and interest in, to and under, in any case, whether now held or hereafter acquired: (i) the Eligible Assets in the Pool relating to such Loan; (ii) all such Eligible Asset documentation, including without limitation all electronic records relating to such Eligible Assets; (iii) all insurance policies and insurance proceeds relating to such Eligible Assets; (iv) all income related to the Eligible Assets; and (v) any and all replacements, substitutions, distributions on, or proceeds of any and all of the foregoing (collectively, the “Collateral”). In no event shall a Loan be cross-collateralized or secured by any Eligible Pool other than the Pool to which such Loan relates.

b. Further Assurances. The Borrower will promptly, at its expense, execute and deliver such instruments, financing and continuation statements, and documents and take such other actions as the Agent may reasonably request from time to time to maintain the security interest in and to the Collateral for the benefit of the Lender.

c. Release. Upon payment in full of any Loan, the Agent shall, and is hereby authorized on behalf of the Lender to, release the Lender’s security interests in the Collateral and take such other action as may reasonably be requested by the Borrower to evidence such release.

3.4.2 On-Chain AML Screening

NUVA performs automated on-chain Anti-Money Laundering (AML) screening to ensure compliance without compromising user privacy.

No Personal Information Required: Users can access NUVA vaults without providing KYC documentation.

Automated Screening

Wallet addresses are screened in real-time during transactions. High-risk addresses may be restricted from interacting with the platform.

3.4.3 Permissionless Access & Regulatory Constraints

All NUVA vaults are permissionless, allowing users to participate without KYC verification. As regulations evolve, NUVA may introduce additional verification requirements for certain vaults or jurisdictions while maintaining its core non-custodial principles. NUVA is designed to be flexible and adaptable to changing regulatory requirements. The protocol and interface can be updated to comply with local regulations while maintaining the core non-custodial, permissionless nature of the blockchain infrastructure.

3.4.4 Geographic Restrictions

Different countries and regions have varying regulatory approaches to cryptocurrency, tokenized assets, and DeFi platforms. See the disclaimer for the latest list of restricted jurisdictions.