Skip to main content

What is a Vault?

A vault is an on-chain address that holds your deposited ZEC (or BTC/DOGE when those chains join NEXUS). When you deposit, your coins go into the vault on L1 (the original blockchain). NEXUS credits you with an equal amount of vZEC (or vSAT/vDOGE) on the NEXUS layer. When you withdraw, your vTokens are burned and your real coins come out of the vault. Your L1 vault balance always equals your NEXUS balance — 1:1, verifiable by anyone at any time. Zcash vaults are live now. Bitcoin and Dogecoin vaults are fully implemented and will go live when those chains join the NEXUS execution layer.

Two Spending Paths

Every vault has two ways it can be spent: 
Your Vault Address

├── Normal Path — requires you + NEXUS together
│   └── Instant processing — standard deposits and withdrawals

└── Escape Path — requires only you, after a waiting period
    └── Emergency exit — works even if NEXUS is completely offline
This design means NEXUS cannot steal your funds (needs your key) and you cannot lose access to them (escape path is always available after the timelock).

Vault Structure by Chain

Zcash Vault (Transparent P2SH) ✅ Live

Zcash vaults use P2SH (Pay-to-Script-Hash) — a standard multisig address type. This is the active vault type on NEXUS today. 
Zcash Transparent Vault (t-addr)
├── Normal: <ProtocolKey> + <YourKey> (2-of-2, instant)
└── Escape: <16128-block timelock> + <YourKey> (unilateral, ~2 weeks wait)

Bitcoin Vault (Taproot / P2TR) 🔄 Coming soon

Bitcoin vaults use Taproot — Bitcoin’s modern address format that supports multiple spending conditions. 
Bitcoin Taproot Vault
├── Normal: <ProtocolKey> + <YourKey> (2-of-2, instant)
└── Escape: <2016-block timelock> + <YourKey> (unilateral, ~2 weeks wait)

Dogecoin Vault (P2PKH + CLTV) 🔄 Coming soon

Dogecoin vaults use the standard P2PKH format with a CheckLockTimeVerify (CLTV) escape: 
Dogecoin P2PKH Vault
├── Normal: <ProtocolKey> + <YourKey> (2-of-2, instant)
└── Escape: <20160-block timelock> + <YourKey> (unilateral, ~2 weeks wait)

Escape Hatch Waiting Periods

All chains use the same ~2-week security window, calibrated to each chain’s block time:
ChainBlocksBlock TimeApproximate Time
Zcash16,12875 sec~2 weeks
Bitcoin 🔄2,01610 min~2 weeks
Dogecoin 🔄20,1601 min~2 weeks
The waiting period gives the protocol time to detect and dispute fraudulent state before funds leave. This is the same principle used by Lightning Network payment channels.

Deposit Flow

1. Get your vault address (Zcash t-addr)
   → SDK: client.getVaultAddress()
   → CLI: nexus wallet vault-address --chain zcash

2. Send ZEC to that address (standard zcash-cli transaction)

3. NEXUS detects your deposit after confirmations:
   - Zcash:    10 blocks (~12.5 min) ✅ Live
   - Bitcoin:   6 blocks (~60 min)   🔄 Coming soon
   - Dogecoin:  3 blocks (~3 min)    🔄 Coming soon

4. vZEC (or vSAT / vDOGE) credited to your NEXUS account

Code Example

import { NexusClient } from '@yattacorp/nexus-sdk';

// Get your Zcash vault address
const vaultInfo = await client.getVaultAddress();
console.log('Send ZEC to:', vaultInfo.vaultAddress);
// e.g. "tmXxx..." on regtest, "t1xxx..." on mainnet

// After sending 10 confirmations (~12.5 min), check balance
const balance = await client.getBalance();
console.log('vZEC balance:', balance);

Withdrawal Flow

1. Request withdrawal on NEXUS
   → Your vSAT/vZEC/vDOGE are burned immediately

2. Withdrawal queued for batch processing
   → Batches improve on-chain efficiency and reduce fees

3. Protocol signs and broadcasts the L1 transaction

4. You receive BTC/ZEC/DOGE in your specified address

Code Example

// Withdraw ZEC to a Zcash transparent address
// Returns: { success, txid, status, path, confirmed? }
const result = await client.withdrawFunds(
  'tmXxx...',  // destination Zcash t-addr (regtest) or t1xxx (mainnet)
  10_000_000,  // amount in zatoshi (0.1 ZEC)
  { waitForConfirmation: true }
);
console.log('Withdrawal txid:', result.txid);

Vault Address Derivation

Your vault address is derived from your public key combined with the protocol’s public key. This means:
  • Your vault address is unique to you — nobody else can deposit into your vault
  • The address is deterministic — you can always re-derive it from your key
  • The protocol can always verify which vault belongs to which user
// Vault addresses are derived server-side via the NEXUS node
// Uses nexus_deriveVaultFromPubkey RPC internally
const vaultInfo = await client.getVaultAddress(); // timelock: 16,128 blocks (~2 weeks on Zcash)
const vaultAddress = vaultInfo.vaultAddress; // e.g. "tmXxx..." on regtest, "t1xxx..." on mainnet

Security Properties

PropertyHow It’s Achieved
Protocol can’t steal fundsVault requires both your key and protocol key
You can’t lose accessEscape hatch requires only your key (after timelock)
1:1 backing guaranteedL1 vault balance tracked continuously
No fractional reserveWithdrawals always backed by real L1 funds
TransparentAll vault operations are on-chain and publicly auditable
NEXUS does not hold your private key. You hold it. The vault is a 2-of-2 multisig — NEXUS holds one key, you hold the other. Neither party alone can move funds.