Kapital DAO builds SaaS tools used by the world’s largest guilds and games to onboard players and improve asset management, all powered by the KAP token.

Playground Labs engaged Ackee Blockchain to conduct a security review of Kapital DAO with a total time donation of 10 engineering days. The review took place between September 14, 2022, and December 2, 2022.

METHODOLOGY

We began our review using static analysis tools, namely Slither, Woke and the solc compiler. We then took a deep dive into the logic of the contracts, deployed them using Brownie and tested them. During the review, we paid particular attention to:

  • ensuring the interactions with the oracle are correct
  • checking voting weight calculation
  • analysis of locking mechanisms
  • analysis of the upgrade process
  • simulation of the upgrade process
  • detecting possible reentrancies in the code
  • ensuring access controls are not too relaxed or too strict
  • looking for common issues such as data validation. 

SCOPE

The scope was full-repository and the security review was focused on the GovernanceV2 deployment/upgrade process and the reintroduction of staked UniswapV2 KAP/ETH liquidity provider token voting.

The commit for the given scope was: a8fe3c9.

FINDINGS

Here we present our findings.

Critical severity 

No critical severity issues were found. 

High severity 

No high severity issues were found. 

Medium severity

M1: The VESTING_CREATOR role can vote multiple times

M2: Governance can lock funds forever

M3: Dynamic changes of the lock period 

Low severity

L1: Lack of project identifier for address validation 

Warning severity

W1: Pitfalls of upgradeability 

W2: Execute could not be triggered if a lot of KAP tokens are burned

Informational severity

I1: Boost can only be turned off 

I2: Missing code comments

I3: Ambiguous error messages

CONCLUSION

Our review resulted in 9 findings, ranging from Info to Medium severity. The more severe issues are connected to the Trust model.

We recommend that Playground Labs:

  • address all reported issues. 

Ackee Blockchain’s full Playground Labs audit report with a more detailed description of all findings and recommendations can be found here.

We were delighted to audit Playground Labs and look forward to working with them again.