Kapital DAO builds SaaS tools used by the world’s largest guilds and games to onboard players and improve asset management, all powered by the KAP token.
Playground Labs engaged Ackee Blockchain to conduct a security review of Kapital DAO with a total time donation of 10 engineering days. The review took place between September 14, 2022, and December 2, 2022.
We began our review using static analysis tools, namely Slither, Woke and the solc compiler. We then took a deep dive into the logic of the contracts, deployed them using Brownie and tested them. During the review, we paid particular attention to:
- ensuring the interactions with the oracle are correct
- checking voting weight calculation
- analysis of locking mechanisms
- analysis of the upgrade process
- simulation of the upgrade process
- detecting possible reentrancies in the code
- ensuring access controls are not too relaxed or too strict
- looking for common issues such as data validation.
The scope was full-repository and the security review was focused on the GovernanceV2 deployment/upgrade process and the reintroduction of staked UniswapV2 KAP/ETH liquidity provider token voting.
The commit for the given scope was: a8fe3c9.
Here we present our findings.
No critical severity issues were found.
No high severity issues were found.
M1: The VESTING_CREATOR role can vote multiple times
M2: Governance can lock funds forever
M3: Dynamic changes of the lock period
L1: Lack of project identifier for address validation
W1: Pitfalls of upgradeability
W2: Execute could not be triggered if a lot of KAP tokens are burned
I1: Boost can only be turned off
I2: Missing code comments
I3: Ambiguous error messages
Our review resulted in 9 findings, ranging from Info to Medium severity. The more severe issues are connected to the Trust model.
We recommend that Playground Labs:
- address all reported issues.
Ackee Blockchain’s full Playground Labs audit report with a more detailed description of all findings and recommendations can be found here.
We were delighted to audit Playground Labs and look forward to working with them again.