Petra Vault

We express our gratitude to the Petra Vault team for the collaborative engagement that enabled the execution of this dApp Security Assessment.

Petra Vault is a decentralized custody solution built on the Aptos blockchain. Theyprovides a secure, multi‑party computation (MPC) based multisig wallet for enterprise and advanced individual users.

The system users should acknowledge all the risks summed up in the risks section of the report

Documentation quality

• The repository includes a high-level README.md that covers installation, setup, and basic usage of the Petra Vault application. However:

• Clear getting-started instructions for developers (prerequisites, installation commands, environment variables).

• Links to key external resources (Aptos documentation, Petra Vault guides).

• Monorepo structure is summarized with folder descriptions.

Code quality

• Maintainability Issues: Widespread nested ternary expressions leading to cognitive complexity (multiple files, critical in proposal creation flow); repeated ESLint/Sonar complaints (unnecessary assertions, multiple imports of the same module, and unused variables); lack of readonly typings for React props (risk of unintended mutation).

• Consistency: Frequent use of || instead of the safer ?? operator across many components; inconsistent key usage in React lists (use of array indices).

• Reliability & Accessibility: Missing lang prop on <html> and missing title on iframes; non‑interactive elements attached to click handlers without keyboard listeners.

• Performance: Inline component definitions causing re‑renders; array index‑based key props in lists.

Petra Vault is a web-based custody solution built on the Aptos blockchain, offering a threshold-based, MPC multisig wallet. Through an intuitive Next.js interface and robust Move modules, Petra Vault enables users to:

• Create or import vaults with configurable signing policies.

• Draft and simulate multisig transactions before submission.

• Collect approvals from multiple signers in accordance with defined thresholds.

• Execute on-chain transactions securely and transparently.

The platform targets enterprise and power-users who require enhanced security guarantees and collaborative fund management.

Project Overview

• Frontend (apps/web)

• • Next.js App Router separates public marketing pages from authenticated vault workflows.

  • Contexts (ActiveVaultProvider, OnboardingProvider) manage vault state and user roles.

  • Key flows: Onboarding, Dashboard, Proposal creation/simulation, and Transaction history.

• Wallet API (**packages/wallet-api/src**)

• • Lightweight TypeScript client for Aptos interactions:

  • Error handling (errors/)

  • BCS/json serialization (serialization/)

  • Connection & account management

  • Transaction signing & submission

  • Signature aggregation & approval orchestration (signatures/, types/)

The scope of the project includes the following:

Assets in Scope