Quick answer: QINV's smart contracts are deployed on the Base network and can be verified by anyone using BaseScan, Base's public blockchain explorer. On-chain deployment means the contract code, transaction history, and vault holdings are permanently visible without relying on QINV's own disclosures. This guide shows you exactly what to check and what the results mean.
This is the right question to ask before investing in any DeFi protocol. The FTX collapse reminded the industry that trusting a platform's word is not enough. On-chain verification gives you independent evidence.
What does a smart contract audit mean?
A smart contract audit is a formal security review conducted by an independent firm before a protocol goes live. Auditors examine the contract code line by line, looking for vulnerabilities that could let attackers drain funds, manipulate prices, or bypass access controls.
Audits typically cover:
- Reentrancy attacks: a vulnerability where an external call re-enters the contract before the first execution completes, allowing repeated withdrawals
- Integer overflow and underflow: arithmetic errors that produce unexpected values, potentially inflating balances
- Access control flaws: functions that should be restricted to the protocol owner but are incorrectly callable by anyone
- Logic errors: bugs in the business logic that produce incorrect outcomes even without malicious intent
- Oracle manipulation: exploits that feed false price data to trick the contract into mispricing assets
Audit firms such as CertiK, Trail of Bits, Halborn, and OpenZeppelin are among the most recognized in DeFi. Their reports are typically published publicly so anyone can review the findings and their resolution status.
Key insight: an audit is a point-in-time review. It confirms the code was examined at deployment. It does not guarantee that no vulnerability exists, but it significantly raises the bar for an attacker compared to unreviewed code.
To understand how smart contracts work before checking the audit, see "What are smart contracts and how do they power DeFi?".
Why audit status matters before investing in DeFi
The financial stakes of skipping due diligence are well documented. According to Chainalysis, $2.2 billion was stolen from crypto platforms in 2024, a 21% increase compared to 2023, across 303 separate hacking incidents. In the years from 2021 to 2023, decentralized finance platforms were the primary targets in most quarters, largely because developers prioritized speed to market over thorough security reviews.
Private key compromises accounted for 43.8% of stolen crypto in 2024 (Chainalysis, 2025), while smart contract exploits accounted for a significant portion of the remaining losses. The pattern is consistent: protocols that skip rigorous security reviews or launch with unverified code face substantially higher risk.
Immunefi, the leading Web3 bug bounty platform that helps protect over $100 billion in user funds, publishes quarterly loss reports that show the same pattern: protocols with active bug bounty programs and verified code suffer far fewer catastrophic losses than those without.
For a broader look at the risk landscape, see "Is DeFi safe? Real risks every investor should know".
The takeaway for investors: checking audit status and on-chain verification is not optional due diligence. It is the baseline.
QINV's security model: non-custodial vaults on Base
QINV (qinv.ai) operates as a non-custodial index fund on the Base network. When you deposit capital, it enters a shared smart contract vault. QINV's AI allocation engine manages the index composition, but the vault logic is governed by code deployed on-chain, not by any company's internal server.
Non-custodial means QINV the company never holds your private keys. The smart contract holds the assets. This is the structural difference between QINV and a centralized exchange: if QINV's operations ceased tomorrow, the contract would continue to exist on Base, and users could withdraw their share of the vault directly by interacting with the contract.
The Base network adds a layer of credibility here. Base is an Ethereum Layer 2 developed by Coinbase, built with security-first infrastructure and a large developer community. All transactions settle on Ethereum's mainnet, giving them Ethereum-grade finality. To understand the infrastructure, see "What is the Base network? A complete beginner's guide".
This architecture means QINV's security posture can be verified at three levels:
- The smart contract code (is it audited and verified?)
- The current vault holdings (what assets are held, in what proportions?)
- The transaction history (all deposits, withdrawals, and rebalances are on-chain)
How to verify QINV's smart contracts on BaseScan: step by step
BaseScan is the official blockchain explorer for the Base network, equivalent to Etherscan for Ethereum. Every contract deployed on Base has a permanent address and a public page on BaseScan.
Step 1: Find the contract address
The QINV contract address is published in the QINV app and documentation at qinv.ai. Copy the address directly from an official source. Never use an address shared by a third party in Discord, Telegram, or Twitter without cross-referencing it with the official app.
Step 2: Search on BaseScan
Go to basescan.org and paste the contract address into the search bar. The contract page will show the address, its ETH balance, the creation date, and recent transactions.
Step 3: Check the Contract tab
Click the "Contract" tab. If you see a green checkmark next to "Contract Source Code Verified", the source code has been published and confirmed to match the bytecode deployed on-chain. Unverified contracts show only bytecode, which is machine code that cannot be meaningfully reviewed.
Step 4: Review the source code
Verified contracts display the full Solidity source code. Look for:
- Comments explaining each function
- Access modifiers restricting who can call sensitive functions (e.g., onlyOwner)
- References to audit reports in the code comments
Step 5: Check the Read Contract section
Under "Read Contract", you can call view functions without paying gas. Functions like totalAssets(), pricePerShare(), and asset balance lookups show you the live vault state. This is the most direct way to confirm what QINV currently holds.
Step 6: Verify the transaction history
The Transactions tab shows every on-chain interaction with the contract. Deposits, withdrawals, and rebalancing transactions are all recorded permanently. If a large, unexplained outflow occurred, it would be visible here.
| What to check | Where to find it | What it tells you |
|---|---|---|
| Source code verification | Contract tab, green checkmark | Code is readable and matches deployed bytecode |
| Audit references | Code comments or linked docs | Third-party security review was performed |
| Current holdings | Read Contract > totalAssets | What the vault holds right now |
| Rebalancing history | Transactions tab | How often and when the AI has rebalanced |
| Contract creation date | Overview section | When the protocol was deployed |
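The Step 6 check (spotting a large, unexplained outflow or an admin call from the wrong address) done programmatically, as an added example that is not QINV's code: it replays a constructed export of vault transactions in the shape one could copy from the Transactions tab. The method names, owner address, amounts and the 25% threshold are assumptions for this example.

```python
from dataclasses import dataclass

# Assumed owner address and assumed names of owner-only methods (placeholders).
OWNER = "0xOWNER_PLACEHOLDER"
ADMIN_METHODS = {"setFeeRecipient", "upgradeTo", "transferOwnership"}

@dataclass
class VaultTx:
    block: int
    method: str   # deposit, withdraw, rebalance, or one of ADMIN_METHODS
    sender: str
    amount: int   # assets moved into/out of the vault; 0 for admin calls

# Constructed sample history (not real chain data); amounts in whole asset units.
SAMPLE_HISTORY = [
    VaultTx(100, "deposit", "0xalice", 50_000),
    VaultTx(101, "deposit", "0xbob", 50_000),
    VaultTx(150, "rebalance", OWNER, 0),
    VaultTx(200, "withdraw", "0xalice", 5_000),          # 5% of vault: normal
    VaultTx(260, "withdraw", "0xcarol", 40_000),         # ~42% of vault: alert
    VaultTx(261, "transferOwnership", "0xmallory", 0),   # admin call, non-owner: alert
]

def audit_history(txs, start_assets=0, large_pct=25):
    """Replay the history in block order, tracking the vault balance.
    Returns (final_assets, rebalance_blocks, alerts): alerts are raised for a
    withdrawal of at least large_pct of the vault at that moment, and for any
    admin method whose sender is not OWNER."""
    alerts, rebalances = [], []
    assets = start_assets
    for tx in sorted(txs, key=lambda t: t.block):
        if tx.method == "deposit":
            assets += tx.amount
        elif tx.method == "withdraw":
            if assets > 0 and tx.amount * 100 >= assets * large_pct:
                alerts.append((tx.block, f"large outflow: {tx.amount} of {assets}"))
            assets -= tx.amount
        elif tx.method == "rebalance":
            rebalances.append(tx.block)
        elif tx.method in ADMIN_METHODS and tx.sender != OWNER:
            alerts.append((tx.block, f"{tx.method} called by non-owner {tx.sender}"))
    return assets, rebalances, alerts

if __name__ == "__main__":
    final_assets, rebalanced_at, found = audit_history(SAMPLE_HISTORY)
    print(final_assets, rebalanced_at, found)
```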
How to read an audit report: what the findings mean
When a protocol publishes an audit report, the findings are categorized by severity. Understanding this scale helps you assess how seriously the auditors took the review and how the team responded.
| Severity | Definition | Acceptable resolution |
|---|---|---|
| Critical | Exploitable vulnerability that could lead to total loss of funds | Must be fixed before launch |
| High | Significant risk, may not be immediately exploitable | Should be fixed before launch |
| Medium | Potential risk under specific conditions | Should be addressed; mitigations acceptable |
| Low | Minor issue with negligible financial impact | Acknowledged or fixed |
| Informational | Best practices, not a security risk | Optional improvement |
A clean audit report is not one with zero findings. It is one where all critical and high findings have been resolved and the team has acknowledged or addressed lower-severity items. Be skeptical of any protocol that claims it passed an audit without a public report to review.
Practical tip: always read the "Scope" section of an audit report. It lists exactly which contracts and functions were reviewed. Contracts deployed after the audit date or outside the stated scope were not examined.
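The severity table and the "Scope" tip above, applied mechanically, as an added example that is not from any real audit: it checks that every finding has a resolution acceptable for its severity and that every deployed contract is both in the audited scope and at the audited version. The status names, version strings and finding identifiers are assumptions.

```python
from dataclasses import dataclass, field

# Resolution accepted per severity, following the severity table above.
# Status vocabulary (Fixed/Mitigated/Acknowledged/Open) is an assumption.
ACCEPTABLE = {
    "Critical": {"Fixed"},
    "High": {"Fixed"},
    "Medium": {"Fixed", "Mitigated"},
    "Low": {"Fixed", "Mitigated", "Acknowledged"},
    "Informational": {"Fixed", "Mitigated", "Acknowledged", "Open"},
}

@dataclass
class Finding:
    ident: str
    severity: str
    status: str

@dataclass
class AuditReport:
    auditor: str
    scope: dict                 # contract name -> version the auditors reviewed
    findings: list = field(default_factory=list)

def unresolved(report):
    """Finding ids whose status is not acceptable for their severity."""
    return [f.ident for f in report.findings
            if f.status not in ACCEPTABLE.get(f.severity, set())]

def uncovered(report, deployed):
    """Deployed contracts the report does not vouch for: outside the stated
    scope, or deployed at a version other than the one audited."""
    return sorted(name for name, version in deployed.items()
                  if report.scope.get(name) != version)

def is_clean(report, deployed):
    return not unresolved(report) and not uncovered(report, deployed)

# Constructed sample report and deployment list (not a real audit).
SAMPLE_REPORT = AuditReport(
    auditor="ExampleAuditor (placeholder)",
    scope={"Vault": "v1.0", "Strategy": "v1.0"},
    findings=[
        Finding("C-01", "Critical", "Fixed"),
        Finding("H-01", "High", "Acknowledged"),    # not acceptable for High
        Finding("M-01", "Medium", "Mitigated"),
        Finding("I-01", "Informational", "Open"),
    ],
)
SAMPLE_DEPLOYED = {"Vault": "v1.0", "Strategy": "v1.1", "Timelock": "v1.0"}
```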
On-chain holdings: verifying what QINV actually holds
One of DeFi's strongest trust signals is that you do not need to ask a fund manager what they hold. You can look it up yourself.
For QINV, the vault contract exposes its holdings through public on-chain state. You can verify:
- The list of assets currently held in the index
- The quantity of each token
- The proportional weight of each asset
- The total value locked (calculated from current prices)
This is structurally different from a traditional fund. When you invest in a mutual fund, the manager reports holdings quarterly with a 60-day lag. On-chain, the same information is available in real time, from any device, with no login required.
What this means in practice: QINV cannot misrepresent its holdings. There is no off-chain system that could show you one thing while the contract holds another. The contract state is the ground truth.
DeFi transparency vs centralized exchange custody
For context, here is how QINV's on-chain model compares to holding the equivalent assets on a centralized exchange (CEX).
| Factor | QINV (non-custodial, on-chain) | Centralized exchange |
|---|---|---|
| Who holds your assets | Smart contract (code) | The exchange company |
| Asset verification | Public, real-time on BaseScan | Private, reported periodically |
| Risk if platform closes | Assets remain in contract, withdrawable | Assets may be frozen or lost |
| Audit requirement | Smart contract code | Internal systems and reserves |
| Key custody | User retains wallet keys | Exchange holds keys |
| Regulatory protection | Varies by jurisdiction | Varies by exchange and jurisdiction |
The FTX collapse in 2022 illustrated the consequence of the centralized model at scale: when the exchange failed, approximately $8 billion in user funds were inaccessible. The non-custodial model does not eliminate risk, but it removes the specific risk of counterparty failure.
If you want diversified crypto exposure without the complexity of managing individual assets, QINV offers AI-managed on-chain index fund tokens on Base network. Connect your wallet and get started in minutes.
Frequently asked questions
Is QINV's smart contract audited?
QINV's smart contracts are deployed on the Base network, where the source code can be verified on BaseScan. For the current audit status and links to any published audit reports, check qinv.ai directly. For any DeFi protocol, the audit report should be publicly available, listing the auditor, scope, findings, and resolution status.
What does it mean for a smart contract to be "verified" on BaseScan?
A verified smart contract on BaseScan means the developer submitted the original Solidity source code and it was confirmed to match the compiled bytecode deployed on-chain. This makes the contract readable by security researchers, auditors, and users. An unverified contract shows only machine code, making independent review effectively impossible.
Can I lose money even if a smart contract is audited?
Yes. An audit reduces risk significantly but does not eliminate it. Audits are point-in-time reviews that cover the code as written at a specific moment. New vulnerabilities can emerge, economic attacks (like oracle manipulation) can target logic that passed the audit, and any upgrades to the contract require a new review. Audits are necessary but not sufficient for complete security.
How is QINV different from keeping crypto on an exchange?
QINV is non-custodial: the smart contract holds the assets, not the company. You retain your wallet keys and can verify your holdings on-chain at any time. A centralized exchange holds your assets on your behalf, creating counterparty risk. If the exchange fails or freezes withdrawals, your funds may be inaccessible. With QINV, the contract continues to exist and function regardless of the company's operational status.
What is the difference between a bug bounty and a formal audit?
A formal audit is a comprehensive one-time review of the codebase by a security firm before launch. A bug bounty is an ongoing program that rewards independent researchers for finding vulnerabilities after deployment. The two complement each other: an audit catches issues pre-launch, while a bug bounty creates continuous incentive to find issues that slipped through. Protocols that invest in both demonstrate a long-term security commitment.
This article is for educational purposes only and does not constitute financial or investment advice.