Nothing to hide

Every line of code is public. Every transaction is traceable.
You don't have to trust us, you can verify everything yourself.

Audited code

Analyzed by Hashlock AI, SolidityScan, Slither (Trail of Bits), internal security review, and mathematical verification. Zero critical vulnerabilities.

Open source

Smart contracts are public on BaseScan. Anyone can read the code, check the logic, and confirm there are no hidden functions.

Art on IPFS

All 297 artworks and metadata are stored on IPFS — a decentralized, permanent storage network. No server, no single point of failure.

Browse on IPFS

Chainlink oracle

The ETH/USD price that triggers destruction comes from Chainlink — the most trusted decentralized oracle. No manipulation possible.

0 Critical
vulnerabilities
60 Tests
passing
4 Independent
audits
540+ Lines of
Solidity

Verified Contracts

Built on Base L2 mainnet. Source code verified on BaseScan.

InnerModelsNFT.sol ✔ Verified
ERC-721 token — 97 lines — Transfers locked to PoolManager only
View verified source on BaseScan →
PoolManager.sol ✔ Verified
Core logic — 540 lines — Two-pool system, Smart Tickets, marketplace, trigger, distribution
View verified source on BaseScan →

Dependencies: OpenZeppelin v5.4 (ERC721, Ownable, ReentrancyGuard, Strings) — Chainlink v1.5 (AggregatorV3Interface)

Security Audits

Hashlock

Hashlock AI

AI-powered audit from a leading Web3 security firm. Deep analysis of access control, economic logic, oracle interactions, and reentrancy vectors.

0 confirmed vulnerabilities
SolidityScan

SolidityScan

Cloud-based static analysis with 700+ modules. Full scan of both contracts. NFT: 87/100, PoolManager: 60/100.

0 real vulnerabilities

Internal Review

10-point manual audit: reentrancy, integer safety, access control, DoS, front-running, oracle manipulation, fund safety, edge cases.

4 issues found and fixed

Math Verification

Formal verification of pool invariants, ETH solvency, rounding dust, edge cases (0/1/297 tokens), and overflow analysis.

Invariants proven correct

Issues Found & Fixed

1 Internal Review
2 Hashlock AI
3 SolidityScan
4 Math Audit
5 60 Tests
HIGH

Seller payment failure blocks buy() transaction

If seller is a contract that rejects ETH, the entire buy() reverts — DoS on that listing.

FIXED
HIGH

Trigger stuck in Initiated state after cooldown

If ETH hit $10K briefly then dropped back during the 15-minute cooldown, the marketplace was permanently frozen — cancelTrigger() failed (cooldown passed) and finalizeTrigger() failed (price too low). Added resetTrigger() to unblock after cooldown if price dropped.

FIXED
MEDIUM

sweepDust() could drain pendingWithdrawals

Sweep function didn't check for unclaimed pending withdrawals before sending balance to creator.

FIXED
MEDIUM

cancelTrigger() silently no-ops

Function succeeded without doing anything if price was still above trigger, wasting gas.

FIXED
LOW

Missing PoolManager validation in NFT _update

No check that poolManager was set before enforcing transfer restriction.

FIXED
LOW

Missing event on ticket awards

Internal _addTickets() didn't emit events for off-chain tracking.

FIXED

Data we can't manipulate. Can't fake, can't hide.

Chainlink Live on Base Don't trust us, verify yourself
Vault -- ETH
Bonus Pool -- ETH
Collected 0 / 297
ETH Price $--
Trigger $10,000

Report generated February 25, 2026 for Inner Models v2 (Solidity 0.8.24, Hardhat, Base L2). Combines Hashlock AI, internal security review, and mathematical verification. No audit can guarantee the absence of all vulnerabilities. DYOR.

Explore the collection →