Back to Home

Security

Transparency about our security practices, audit status, and risks.

Last updated: December 2025

Mr Haven is designed with multiple layers of protection including non-custodial architecture, industry-standard vault contracts, and resilient execution. This page outlines our security practices and remaining risks. A formal third-party audit is planned for Late Q1 2026.

Audit Status

Public Beta

Mr Haven is currently in public beta. While core functionality is live, we continue to refine the system and complete a third-party security audit.

Internal testing and reviewCompleted

Comprehensive internal security review completed December 2025. A third-party audit is not yet complete.

Remediate internal findingsIn Progress
External security auditPlanned Late Q1 2026

Once completed, a public summary will be published here.

Public audit reportComing after audit

Findings shown here are based on our internal testing and review. A third-party security audit is planned for Late Q1 2026.

Public Verification

The system is live and publicly verifiable. All plan executions are recorded on-chain and can be independently verified.

✓ Live Execution Dashboard

View all automated plan executions with on-chain proof via BaseScan.

View Proofs →

Internal Review Scope: Smart contracts, backend services, API security, authentication flows, rate limiting, and on-chain interactions.

High-Level Outcomes: No critical or high-severity issues identified. Medium-severity findings documented and remediated. Low-severity items tracked for future hardening.

Remediation: All identified issues are tracked in our internal changelog. Material changes are reflected in the version history.

Note: This is an internal timeboxed review, not a formal third-party audit. A comprehensive external audit is planned for Late Q1 2026.

Protocol Governance

Mr Haven is administered by a multisig wallet requiring multiple signatures for any protocol changes. Smart contracts enforce strict limits on what administrators can do.

✓ Your Funds Are Protected

  • • Administrators cannot access, move, or redirect your deposited funds
  • • Administrators cannot cancel your plans or change your beneficiaries
  • • Administrators cannot execute plans early — timelock conditions must be met
  • • Your vault is yours — we never hold your assets or keys

What administrators can do:

  • Adjust protocol fees — Fee increases require a 48-hour waiting period and are capped at maximums enforced by smart contracts. Fee decreases take effect immediately.
  • Pause new deposits — In an emergency, new deposits can be temporarily paused. Pauses automatically expire after 7 days. Existing plans continue to execute normally.
  • Manage automation — Add or remove execution infrastructure to maintain system reliability. This does not affect user funds.

All constraints above are enforced by smart contracts. The multisig cannot bypass these limits.

How It Works

Mr Haven is built on proven, battle-tested infrastructure. Learn how it works.

  • Non-custodial design — You control your funds through your own smart wallet. We never hold your assets or private keys. Read more.
  • ERC-4626 vault standard — Industry-standard tokenized vault interface for transparent accounting.
  • Chainlink Automation — Decentralized execution infrastructure. Chainlink attempts execution first; if unavailable, execution becomes publicly callable after exactly 1 hour (grace period).
  • Aave V3 yield — Deposited USDC can earn yield through Aave V3 on Base, a widely used DeFi lending protocol. Aave's past performance and security track record do not guarantee future results.
  • Virtual share offset (1e6) — First-depositor inflation attack protection with precise yield tracking aligned to USDC decimals.
  • YieldStrategyManager — Protocol-agnostic registry and factory for yield strategies, enabling controlled strategy deployment.
  • PartnerClaimManager — Escrow system for partner fee distributions using pull payment pattern.

Protocol Security Controls

  • Multisig administration — Protocol changes require approval from multiple signers. Administrators cannot access user funds or bypass on-chain constraints.
  • Fee protection — Fee increases require 48 hours notice before taking effect. Fee decreases are immediate. All changes enforced on-chain.
  • Fee caps — Maximum fees enforced at smart contract level: 1% funding, 2% scheduled execution, 3% inactivity execution

Risk Disclosure

Using Mr Haven involves risks. Please understand these before depositing funds:

Smart Contract Risk

Smart contracts may contain bugs or vulnerabilities. While we have conducted internal testing, no external audit has been completed. Code defects could result in loss of funds.

DeFi Protocol Risk

Yield is generated through Aave. If Aave experiences issues, exploits, or becomes unavailable, it could affect your deposited funds.

Automation Risk

Plan execution relies on Chainlink Automation. While there is a fallback mechanism allowing public execution after ~1 hour, automation delays or failures could affect timing.

Blockchain Risk

Mr Haven operates on Base (Ethereum L2). Network congestion, outages, or issues with the underlying blockchain could affect service availability.

As with any smart contract system, only deposit funds you're comfortable managing on-chain. Review our terms of service for complete legal details.

Fees

Fee TypeAmount
Funding fee (on deposit)0.25%
Execution fee (scheduled plans)0.55%
Execution fee (inactivity plans)1.0%

APY varies based on Aave market conditions. Past performance does not guarantee future returns.

Execution Reliability

Plan execution is automated through Chainlink Automation, a decentralized network of node operators.

Fallback mechanism: If Chainlink is unavailable, plan execution becomes publicly callable after exactly 1 hour (grace period). Public executors receive a 0.1% reward as incentive for maintaining protocol liveness. This backup path helps ensure your plans can still execute even if the primary automation is temporarily unavailable.

Note: Extreme network congestion could still affect timing.

Report a Vulnerability

If you discover a security vulnerability, please report it responsibly:

Email: security@mrhaven.io

Please include detailed steps to reproduce the issue. We aim to respond to security reports within 48 hours.

For more detail, see our complete guide, legal documentation, or contact us with questions.

Questions? Contact us at security@mrhaven.io