Permissions
Claims are address-bound.
Only the configured heir can activate inheritance for a vault after the required timing condition has matured.
Security model
The contract is the boundary.
The public site should explain the security posture without pretending to be a full audit report. These are the core ideas users need before using the dApp.
Timing
The clock is contract state.
The owner check-in timestamp, inactivity period, and grace period define whether the vault is active, in grace, or claimable.
Custody
No admin drain path.
User funds are controlled through owner and heir flows, not a centralized inheritance operator.
Edges
Where behavior changes.
Most user confusion happens around state transitions. These are the moments Vestige makes intentionally sharp.
Freeze
Owner actions stop when the vault becomes claimable.
Deposits, withdrawals, settings updates, and check-ins are no longer the normal owner path once inheritance timing has matured.
Granular
Token claims are split by asset.
ERC20 balances are claimed one token at a time, keeping claim transactions bounded and easier to reason about.
Cleanup
Empty vaults can be disabled.
After assets are drained, the vault can be cleaned up so the owner can create a fresh vault lifecycle.
Review
Wallet prompts still matter.
Users should verify addresses, amounts, network, and receiver details before signing any transaction.
Can Vestige decide to give assets to someone else?+
No. The claim path is defined by the vault state and configured heir address. A centralized operator should not be able to override that path.
What happens if the owner checks in during grace?+
A valid check-in refreshes the owner signal while the vault is not yet claimable. That moves the timing window forward and keeps heir claims locked.
Why are token claims individual?+
Granular token claims avoid one expensive or unusual token transfer blocking the whole inheritance flow.