What “Immutable v1” means
- No upgrades: the vault is not a proxy; no upgradeTo*, delegatecall, or selfdestruct.
- No owner withdraw: no function can transfer WBTC out except the two flow rules.
- Only two exits: repay() returns WBTC to the borrower; liquidate() if LTV is breached.
- Known tokens only: mainnet WBTC/USDC addresses are hard‑coded.
- Public proofs: Etherscan + Sourcify verification, pre‑committed code hash, and third‑party notes.
Plain‑English summary
“Your WBTC is locked by code. We can’t change the code or touch your collateral.”
Live Trust Monitor
Quick, best‑effort checks direct from chain. We use neutral badges with text labels; click “Run checks”.
Proxy check: —
Owner/timelock: —
Code present: —
(no report yet)
Heuristics: EIP‑1967 implementation/admin slots, optional owner(), and code size.
Build Market Trust
- Pre‑commit the vault code hash + CREATE2 salt (shown above).
- Link an independent review (Slither + short third‑party note).
- Run a public bug bounty; disclose the report address here.
- Post an on‑chain bond that slashes to users if a backdoor is proven.
- Publish a track record: 10+ successful loans with Etherscan links.
Quick checklist (for anyone)
- Contract address here matches Etherscan.
- Audit summary available and recent.
- Badges show “not a proxy” and “owner renounced/timelocked”.
- Try a tiny test first; use a hardware wallet for significant amounts.
Track record
- Loan #1 — (add Etherscan tx)
- Loan #2 — (add Etherscan tx)
- Loan #3 — (add Etherscan tx)
Risks we cannot remove
- Market risk: if BTC drops through the LTV threshold and you don’t act, liquidation happens.
- WBTC issuer risk: WBTC is a wrapped asset with external custodianship.
- Ethereum/oracle risk: mitigated with circuit‑breakers; collateral remains locked regardless.