Phase 1 — Mainnet Deployment
Coming SoonThe prerequisites, deployment sequence, and operational changes when AeternumVault goes live on Ethereum mainnet with real ETH.
Coming soon
Mainnet deployment follows the completion of the external security audit and the incentivized testnet phase. The contract will not be deployed to mainnet until all audit findings have been reviewed and addressed. No timeline is committed.
Prerequisites
Three conditions must all be satisfied before AeternumVault is deployed to Ethereum mainnet. None are negotiable.
External security audit — complete and findings addressed. The internal assessment (Revision 3, 7th July 2026) identified zero High and zero Medium severity findings — the one Medium finding present in the prior revision was resolved as a direct consequence of the migration to the current permissionless keeper architecture. An independent external audit by a professional security firm is required before any real ETH is placed under the contract's protection. The audit operates on the exact bytecode that will be deployed — not a branch, not a pre-audit candidate. Any findings from the audit are triaged, addressed, and re-reviewed before deployment proceeds.
Incentivized testnet — complete. The incentivized testnet phase validates the protocol under realistic multi-user load on Sepolia: keeper bot behaviour at scale (database scan volume, on-chain validation batching, and Multicall3 execution), Ponder indexer performance under concurrent event streams, and edge-case recovery paths. Any issues surfaced during that phase are resolved before the audit engagement begins, ensuring the audited contract matches what was tested at scale.
Operational infrastructure — verified. The Aeternum Labs keeper bot's signing
wallet must be funded with mainnet ETH to pay for triggerRecovery gas, the keeper bot
and Ponder indexer must both be pointed at the mainnet contract, and the indexer must be
confirmed synced before launch.
What Changes at Mainnet
The contract code is identical to the version that ran through the incentivized testnet and external audit. Nothing in the Solidity changes. What changes are the constructor parameters — the immutable values set at deployment time that are tuned for the real-world Ethereum environment rather than the testing environment.
Constructor Parameters — Mainnet vs Sepolia
| Constant | Sepolia | Mainnet |
|---|---|---|
MIN_INACTIVITY_PERIOD | 5 min | 180 days |
MAX_INACTIVITY_PERIOD | 3650 days | 3650 days |
MAX_RECOVERY_ATTEMPTS | 3 | 3 |
The 180-day minimum inactivity period is the most consequential change for users. The 5-minute Sepolia minimum exists solely to make the full recovery cycle observable in a single session. At mainnet gas prices, maintaining a 5-minute timer would require continuous on-chain transactions — an impossible condition for any real user.
The keeper bot's own configuration — KEEPER_POLL_INTERVAL_MS and KEEPER_BATCH_SIZE
— is separate from these constructor parameters entirely. It lives in the keeper bot's
own environment, not the contract, and doesn't need to change between Sepolia and
mainnet by default, though Aeternum Labs may tune it based on real registry size once
mainnet volume exists. See Keeper Network for the
full configuration reference.
Deployment Sequence
The deployment is executed as a single, scripted sequence. Manual steps are minimised to reduce the window during which the contract is live but not fully configured.
Deploy AeternumVault with mainnet constructor parameters
The Foundry deployment script (Deploy.s.sol) is run against Ethereum mainnet
with the production parameter values: MIN_INACTIVITY_PERIOD set to 180 days,
MAX_INACTIVITY_PERIOD to 3,650 days, and MAX_RECOVERY_ATTEMPTS to 3. The
deployer address has no ongoing privileged role after deployment — there is nothing
left to configure that grants any address special access.
Verify source code on Etherscan
The contract source is verified on Etherscan immediately after deployment, linking the deployed bytecode to the audited Solidity source. Verification is the on-chain trust signal — users can confirm what the contract does without trusting Aeternum Labs's documentation. The audit report is published alongside the verification.
Configure and deploy the keeper bot for mainnet
The Aeternum Labs keeper bot (apps/keeper in aeternum-infra) is pointed at the
deployed mainnet contract: CONTRACT_ADDRESS, CHAIN_ID, and RPC_URL are updated
for mainnet, and the Ponder indexer is redeployed against the mainnet deployment
block. The keeper's signing wallet (KEEPER_PRIVATE_KEY) is funded with mainnet ETH
to cover triggerRecovery gas costs — this wallet's balance is an ongoing
operational responsibility, not a one-time setup step (see Post-Deployment
Operations below).
Because triggerRecovery carries no access restriction, the keeper bot doesn't
need to be granted permission to call the contract; it simply starts calling a
function that was already open to any caller from the moment of deployment.
Update the frontend to point at the mainnet contract
The frontend is redeployed and the vault dashboard automatically connects to the mainnet contract for users on Ethereum mainnet, while remaining connected to Sepolia for users who want to continue testing.
Confirm the keeper bot is monitoring
Because the mainnet minimum inactivity period is 180 days, there is no fast
equivalent of Sepolia's 5-minute test cycle to observe end-to-end recovery before
launch — waiting for a real recovery event isn't a practical verification step here.
Instead, Aeternum Labs confirms the keeper bot's /health endpoint returns a healthy
status, confirms the Ponder indexer is synced to the mainnet chain head, and confirms
the keeper's signing wallet has a funded ETH balance. Combined with the audit and
incentivized testnet having already exercised the full recovery path on Sepolia,
this establishes that the infrastructure is live and correctly configured before the
deployment is announced publicly.
Publish the deployment announcement
The mainnet contract address, the Etherscan verification link, and the external audit report are published simultaneously. The announcement is not made before the deployment is confirmed working end-to-end.
An underfunded keeper wallet delays recovery — it never risks funds
If the keeper bot's signing wallet runs out of ETH for gas, it simply cannot submit
triggerRecovery transactions until it's topped up — no user's funds are ever at
risk, since triggerRecovery remains permissionless and any other address (a future
Gelato or CRE keeper, or an individual) could still call it.
What Users Need to Know Before Depositing Real ETH
The Sepolia experience is designed to be low-stakes and fast. Mainnet is neither. Every property that made Sepolia a good test environment — 5-minute timers, free test ETH, disposable wallets — becomes a liability if applied to real funds.
Choose your inactivity period carefully. The minimum on mainnet is 180 days. This exists for a reason: a shorter period creates a meaningful risk of accidental recovery during an extended trip, an unexpectedly busy or disruptive stretch of life, or any period of reduced crypto activity. Read Register Your Vault and the inactivity period guidance before setting your timer.
Test your backup address before registering. Send a small amount of real ETH to
your backup address from a separate wallet and confirm receipt before you use that
address in a registration. If your backup is a multisig or any smart contract, confirm
it is configured to accept plain ETH transfers. A contract that reverts on receive()
will cause recovery to fail, exhaust the three-attempt limit, and result in vault
abandonment. See Automatic Recovery for the
failure lifecycle.
Your backup address is your beneficiary. Give this decision the same weight as naming an heir in a will. It may be a family member, a trusted heir, or a separate wallet you control. It cannot be your own registered address. Think through what happens if recovery fires because your inactivity period elapses while you're still alive and in full control of your wallet — you simply went longer than expected without a transaction. Can you coordinate with your backup address to retrieve the funds in that case? Weigh that before committing to a backup address with real ETH involved.
Gas costs are real. Every on-chain interaction — register, deposit, send, ping, updateBackupAddress — costs real Ethereum gas. The gas estimates documented in Vault Actions give unit costs; the USD equivalent depends on current gas prices and ETH price at the time of the transaction.
Post-Deployment Operations
Keeper Bot Maintenance
The Aeternum Labs keeper bot's signing wallet requires a funded ETH balance to operate.
If the balance runs low, the bot's database scan and on-chain validation continue to
run normally — these cost nothing to the keeper, since one is a database query and the
other a batched view call — but it will not be able to submit triggerRecovery
transactions, and recovery executions will be delayed until the wallet is topped up.
Because triggerRecovery is permissionless, this delay is not a single point of
failure; any other party could still call triggerRecovery directly during that window.
In practice, Aeternum Labs monitors the keeper wallet balance and tops it up proactively
as part of running the protocol.
Source Availability and Licensing
AeternumVault has been source-available under
BUSL-1.1
since the repository was published — the license has been in effect throughout
the open testnet and incentivized testnet phases. Mainnet deployment starts the
Change Date countdown: the deployed contract address, constructor parameters, and
deployment timestamp are recorded in the aeternum-core repository, and the
calculated Change Date — four years from that timestamp or January 1, 2031,
whichever is earlier — is committed to LICENSE.md in the same deployment commit.
Immutability
The deployed mainnet contract cannot be modified, paused, or upgraded by anyone, including Aeternum Labs. Future versions of the protocol — including the Phase 2 Hybrid Wallet — are deployed as entirely new contracts. Users on the Phase 1 mainnet contract remain on that contract indefinitely unless they choose to migrate. Their recovery configuration, inactivity timer, and vault balance are governed by the rules that were fixed at deployment and will not change.
What Comes Next
Phase 1 mainnet establishes the foundational recovery primitive. ETH is protected. The contract is live and immutable. The keeper network is monitoring.
The next phase — Phase 2: Hybrid Wallet — removes the escrow model entirely. Assets stay in the user's own EOA. Multi-asset recovery expands protection to ERC-20 tokens. And passive activity detection eliminates the need for manual pings by treating any app interaction as a liveness signal. Phase 2 design work continues in parallel with the mainnet launch.