SEC Audit

Security Audit Report

Reliquary Protocol v1 · Base Mainnet · May 2026

Independent security assessment of Reliquary succession contracts deployed on Base. This report documents scope, methodology, identified issues, remediation status, and responsible disclosure policy.

Report ID

RLQ-AUD-2026-001

Commit reviewed

a3f8c21 · main

Network

Base (8453)

Review type

Manual + invariant fuzz

Contracts in scope

4 core + 2 libraries

Overall status

No critical / high open

✓

Launch readiness: All medium and low findings from the initial review cycle have been patched and verified on testnet. Mainnet deployment matches audited bytecode. Full PDF with proof-of-fix commits available on request via X.

In-scope contracts

Contract	LOC	Role
`ReliquaryWill.sol`	412	Plan creation, sealing, revocation
`ProofOfLife.sol`	186	Inactivity window + confirmation
`SuccessionExecutor.sol`	298	Trigger evaluation + asset routing
`CommunityVault.sol`	154	Mode M2 multisig handoff
`PlanRegistry.sol`	89	Plan indexing for agent layer
`BeneficiaryLib.sol`	67	Allocation validation helpers

Out of scope

Static marketing site, WalletConnect SDK, RPC providers
Third-party multisig implementations receiving vault handoff
Social engineering, key extraction, or end-user device security

Detailed findings

AUD-001 Medium · Resolved

Grace-period race condition in SuccessionExecutor.sol. A proof-of-life confirmation submitted in the same block as trigger evaluation could be ignored depending on transaction ordering.

Fix: Added lastPoLBlock guard and explicit PendingGrace state lock. Verified with Foundry fuzz (10k runs).

AUD-002 Low · Resolved

Missing zero-address check on optional final-message relay address during deployWill().

Fix: Revert on address(0) when message relay is enabled.

AUD-003 Low · Acknowledged

Event indexing gaps on PlanSealed - agent indexers required full log scan for beneficiary count.

Status: Indexed fields added in patch release. Legacy events remain parseable offchain.

AUD-004 Informational

Gas optimization: Beneficiary array iteration in executor can be short-circuited when single-beneficiary mode is set. Documented for v1.1; no security impact.

Severity summary

Severity	Found	Open	Resolved
Critical	0	0	-
High	0	0	-
Medium	1	0	1
Low	3	0	2 (+ 1 ack)
Informational	5	5	-

Review timeline

Apr 12, 2026

Scope finalized. Test harness deployed on Base Sepolia fork.

Apr 18 - 24, 2026

Manual review + invariant testing. AUD-001 identified and patch drafted.

Apr 28, 2026

Re-review of patched bytecode. All medium/low items closed.

May 2, 2026

Mainnet deployment. Report published.

Responsible disclosure

Report vulnerabilities privately before public disclosure. Do not exploit live plans or user funds. We aim to acknowledge reports within 48 hours.

Contact via X only:

@ReliquaryAI · x.com/ReliquaryAI