CertiK’s Cross-Chain DeFi Audit of Kava Labs CDP and Auction Modules

CertiK | Jul 14, 2020

Article's Poster

CertiK is proud to announce the second successful security audit of Kava, a cross-chain DeFi (Decentralized Finance) project built with the Cosmos SDK.

Overview

In a day and age where waves of security incidents have happened on DeFi protocols and millions of dollars have been lost, it's mission critical to identify security vulnerabilities that carry both intrinsic and extrinsic risks.To that end, the sole objective of this audit was to verify Kava's implementation of the CDP and Auction modules against the provided specifications.

CertiK was excited to work with the Kava team to secure additional modules in their code. In March 2020, the CertiK team audited the Kava Labs Validator Vesting module. That review confirmed that their code delivers an excellent level or protocol implementation and security.

In this particular audit of the CDP and Auction modules, a series of thorough security assessments have been carried out. The goal was to help Kava Labs protect their users by finding and fixing known vulnerabilities that could cause unauthorized access, loss of funds, cascading failures, and/or other vulnerabilities. Alongside each security finding, recommendations on fixes and best practices will also be given.

Previously In March 2020, CertiK completed a security audit for Kava Labs Validator Vesting Module. In summary, our review confirmed that their code delivered an excellent level of protocol implementation and security​. Again, after spending a combined six weeks working on the security of Kava’s CDP and Auction modules, we are proud to confirm the same level of security again.

What is Kava Labs?

Kava Labs is a cross-chain DeFi platform project built with the Cosmos SDK that offers collateralized loans and stablecoins for major crypto assets. The Kava Labs platform allows:

  1. Multicollateral Debt Positions: The platform accepts crypto assets like BTC, Atom, and XRP
  2. Self-issued Loans: Users can instruct the platform to issue loans to themselves
  3. Creates a stablecoin: Loans are issued to the user in a USD-pegged stable coin

Kava Labs is able to build and iterate more quickly than existing DeFi solutions by achieving reliability, interoperability, and speed with its unique architecture.

Scope of Work

The audit work was strictly scoped to a specific commit of the source code per the agreement, and the modules included the CDP module and Auction module.

The CDP (collateralized debt position) module allows users to collateralize loans against a basket of cryptocurrencies, such as BTC, XRP, ATOM and BNB. Kava stated they plan to support a multitude of whitelisted assets usable within the CDP. The Auction module implements three auction types that control the supply of bad debt and surplus in the CDP system.

State transitions in each module were carefully verified against their specification. Test code was analyzed and assumed to hold true for the purpose of auditing. Efforts on ensuring the correctness or effectiveness of the tests were beyond the scope of this audit. Additionally, Go programming best practices were enforced to improve general performance and minimize the chances of run-time panicking.

Audit Approach

The auditing was conducted by CertiK’s team of experienced security engineers and utilized a combination of static and dynamic analysis to assess the functional correctness, security and performances of the CDP and Auction modules in scope. The audit approach revolved around ensuring that the security model in Kava is done in a secure and functionally correct manner so that it aids the encapsulation of the modules of the blockchain and helps safeguard the application against unintentional state changes.

Following a modular design approach outlined in the SDK, we inspected each and every module within the scope to ensure that:

  1. Modules have their own message (or transaction) processors in place
  2. The SDK is utilized in a least-authority manner, primarily for routing messages to their intended modules
  3. Modules are properly aggregated into one functional application

Apart from assessing the security model, best practices in Go programming will also be applied. The practices include:

  1. Correct simulation implementation for fuzzy testing to avoid incorrect assumptions
  2. Secure module interdependency instantiation on a need-to-know basis

“After Kava’s internal testing, many peer reviews, and now passing both B-Harvest’s and CertiK’s thorough auditing process, we’re confident that Kava’s code is safe and works as intended.” Brian Kerr, CEO and Co-Founder of Kava.

"Kava's codebase displays a high degree of technical expertise and engineering discipline. Overall the source code is well organized, cleanly written, and accommodated by high quality design documentation and code comments. A series of assessments focused on identifying idioms and code patterns commonly associated with software vulnerabilities were carried out during the audit, and we are happy to conclude that Kava's codebase is of high security posture and exceptional quality." Jay Jie, Security Engineer

Check out the full audit report here!

About CertiK

CertiK is a technology-led blockchain security company founded by Computer Science professors from Yale University and Columbia University built to prove the security and correctness of smart contracts and blockchain protocols.

CertiK’s mission of every audit is to apply different approaches and detection methods, ranging from manual, static, and dynamic analysis, to ensure that the project is checked against known attacks and potential vulnerabilities. CertiK leverages a team of seasoned engineers and security auditors to apply testing methodologies and verifications on the project, in turn creating a more secure and robust software system.

CertiK has served more than 100 clients with high quality auditing and consulting services, ranging from stablecoins such as Binance’s BGBP and Paxos Gold to decentralized oracles such as Band Protocol and Tellor. CertiK customizes its engineering tool kits, while applying cutting-edge research on smart contracts, for each client on its project to offer a high quality delivery. As it utilizes technologies from blockchain and smart contracts, CertiK team will continue to support the project as a service provider and collaborator.

To request an audit or verification of your smart contracts, please email us at audit@certik.org or visit certik.org

Remember to follow us on the platforms below to stay up-to-date with our latest updates and announcements.

Website: https://certik.io/blog#home

Twitter: https://twitter.com/certik_io

Linkedin: https://www.linkedin.com/company/certik/