Section 3 Security & Trust
Dec 17, 2025
Purpose: RWA-specific trust layer (elevated priority)
3.1 Smart Contract Security - see section 5 for more detail
Audits - see section 5 for more detail
3.1.1 Audits by Sherlock
Sherlock is a leading blockchain security company and a marketplace for smart contract audits and coverage. They combine competitive audit contests with expert-led reviews to identify vulnerabilities in smart contracts and protect decentralized finance users from exploits.
Audit status: ✓ Completed
Audit scope: Ethereum contracts, Provenance vault module
Link to audit report: [from Engineering]
3.1.3 Development Standards - see section 5 for more detail
NUVA’s smart contracts are developed using proven frameworks and best practices:
OpenZeppelin: NUVA uses OpenZeppelin’s well-known ERC-20 implementations for Ethereum, ensuring a strong and secure foundation.
Cosmos SDK: The NUVA Vaults are implemented as a Cosmos SDK module that builds on the Provenance Blockchain's capabilities to create a flexible vault capability with a unique continuous compounding interest distribution.
NUVA’s architecture follows industry-standard patterns for token minting, yield distribution, and withdrawal mechanics. Once deployed, NUVA’s smart contracts cannot be altered, ensuring long-term security and trust.
On-Chain Proof of Reserves - see section 5 for more detail
How to Verify Underlying Assets
What On-Chain Proof Means for Your Security
Immutable ledger of assets: All vault holdings are recorded on the blockchain in an immutable ledger. Once assets are deposited into the vault, the transaction is permanently recorded and cannot be altered.
Real-time verification: You can verify vault holdings at any time by checking the blockchain directly. There are no delays or intermediaries between you and the proof of reserves.
Trustless verification: You don't need to trust NUVA or any third party. You can independently verify that the assets claimed by the vault are actually held in the smart contracts. This is trustless verification: proof without requiring trust in a middleman.
Custody
All NUVA vaults are non-custodial, which means that you have full control over your funds and nvAsset tokens at all times.
With self-custody of nvAsset tokens, your wallet functions as your personal bank. You have complete ownership but also complete responsibility for securing your private keys and wallet access.
When you deposit into a NUVA vault, you receive vault tokens that are sent directly to your wallet. You hold these tokens yourself—NUVA does not hold them for you and cannot access them at any time.
The vault smart contracts that manage deposits, yield distribution, and withdrawals cannot be changed or updated by NUVA or anyone else. Once deployed, the code is permanent and tamper-proof.
NUVA supports users’ custodians by integrating wallet-connection protocols that allow institution-grade qualified custodians — such as Fireblocks, Copper, Anchorage, or BitGo — to sign transactions on behalf of their clients while the platform remains fully non-custodial.
Safely Store Your Vault Tokens
The security of your vault tokens depends entirely on the security of your wallet. If your wallet is compromised, your tokens can be lost or stolen. Best practices for securing your wallet include:
Never share your private keys or seed phrases with anyone
Consider using a hardware or multi-signature wallet for large amounts or long-term holdings
Do not store private keys or seed phrases in digital files or email, and keep backups of your seed phrase in a secure location
Enable all available security features on your wallet
3.4 Regulatory Compliance
3.4.1 NUVA’s core stablecoin is nvYLDS
3.4.2 On-Chain AML Screening
NUVA performs automated on-chain Anti-Money Laundering (AML) screening to ensure compliance without compromising user privacy.
No Personal Information Required: Users can access NUVA vaults without providing KYC documentation.
Automated Screening
Wallet addresses are screened in real time during transactions. High-risk addresses may be restricted from interacting with the platform.
3.4.3 Permissionless Access & Regulatory Constraints
All NUVA vaults are permissionless, allowing users to participate without KYC verification. As regulations evolve, NUVA may introduce additional verification requirements for certain vaults or jurisdictions while maintaining its core non-custodial principles. NUVA is designed to be flexible and adaptable to changing regulatory requirements. The protocol and interface can be updated to comply with local regulations while maintaining the core non-custodial, permissionless nature of the blockchain infrastructure.
3.4.4 Geographic Restrictions
Different countries and regions have varying regulatory approaches to cryptocurrency, tokenized assets, and DeFi platforms. See the disclaimer for the latest list of restricted jurisdictions.