Kava’s Comprehensive Audit for the Validator Vesting Module

CertiK | Mar 24, 2020


In preparation for the launch of Kava’s Decentralized Finance platform, Kava decided to use CertiK to perform a comprehensive smart contract audit based on our trust within the crypto sector. Kava selected CertiK, out of all the other leading formal verification and audit firms, to perform their audit because we at CertiK are the most diligent in the industry.

The results are in: Kava is one of the best codebases CertiK has seen from a project to date, especially in the Decentralized Finance sector.

Decentralized Finance has become the buzzword of 2020 in crypto. Due to the limitations of Bitcoin’s speed, projects have emerged to extend the capabilities of the Bitcoin blockchain, but today, the decentralized finance (DeFi) trend is about developing cross-chain solutions that move Bitcoin onto other chains for use in DeFi.

One such protocol, Wrapped Bitcoin (WBTC), has many strengths, but still requires third-party intervention and Know Your Customer checks for its users. While some may accept these tradeoffs as necessary for doing business, others will conclude that such concessions are overly centralizing and contrary to the spirit of digital currencies.

On the other hand, Ethereum is the platform leader in the DeFi sector, as the majority of the developer community is built on their ERC20 protocol. Ethereum’s flexible platform allows for a plethora of applications, ranging from payments and financial apps to others like the popular app CryptoKitties. Unfortunately, this flexibility results in serious network congestion and failures as these use cases compete for the same transaction space on the Ethereum blockchain. This poses a serious limitation, especially because growth in other major blockchains continues to progress.

Kava aims to fill the gaps where Bitcoin and Ethereum fall short and to become the de facto DeFi platform, so that all cryptocurrencies and tokens can be used natively as payment and staking collateral without the limitations of ERC20 and WBTC.

Kava is the first DeFi platform for crypto assets offering collateralized loans and stablecoins for major crypto assets.

  1. Multicollateral Debt Positions: The Kava platform accepts crypto assets as collateral like BTC, XRP, ATOM, and BNB.
  2. Self-issue loans: Users can instruct the platform to issue loans to themselves, with no counterparty KYC or credit score needed.
  3. Creates a stablecoin: The loans are issued to the user in a USD-pegged stable coin called USDX.

Built from the ground up, Kava is able to build and iterate more quickly than existing DeFi solutions by achieving reliability, interoperability, and speed. The team is able to leverage Cosmos's proven Tendermint consensus protocol and multi-asset mindset to capture users of other major crypto assets.

We were excited to work with the team to audit the implementation of their validator vesting mechanism.

The Audit Process and Review Concepts

The goal of the audit was to review Kava Labs' implementation of its business model, general design and architecture, study potential security vulnerabilities, and uncover bugs that could compromise the software in production. The comprehensive audit process included Dynamic Analysis, Static Analysis, and Manual Review techniques to ensure a complete end-to-end review.

After a thorough review process, CertiK arrived at four major concepts that drove the understanding of Kava’s business model and general structure.

  1. The validator vesting module is responsible for managing Validator Vesting accounts, an account for which the release of coins is tied to the validation of the blockchain.
  2. Validator Vesting accounts introduce conditional vesting: vesting accounts in which it’s possible for some or all of the vesting coins to fail to vest.
  3. For Validator Vesting accounts, vesting is broken down into user-specified vesting periods.
  4. For each vesting period, a signing threshold is specified which is the percentage of blocks that must be signed for the coins to successfully vest. After a period ends, coins that are successfully vested become freely spendable.
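
The per-period threshold check described in the four concepts above can be sketched in Go as follows. This is an added example, not code from Kava's module or from the audit; the `Period`, `Result`, `Evaluate` and `ErrBadPeriod` names, the sample numbers, and the choice to treat a period with no blocks as failed are all assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
)

// Period is a hypothetical model of one vesting period; the field names are
// assumptions for illustration, not Kava's types.
type Period struct {
	Amount        int64 // coins scheduled to vest in this period
	ThresholdPct  int64 // percentage of blocks that must be signed, 0-100
	Signed, Total int64 // blocks signed and blocks produced in the period
	Ended         bool
}

// Result splits the account's coins into vested, failed and still-vesting.
type Result struct{ Vested, Failed, Pending int64 }

var ErrBadPeriod = errors.New("invalid period data")

// Evaluate applies each period's signing threshold once the period has ended.
func Evaluate(periods []Period) (Result, error) {
	var r Result
	for i, p := range periods {
		if p.ThresholdPct < 0 || p.ThresholdPct > 100 || p.Signed < 0 || p.Signed > p.Total {
			return Result{}, fmt.Errorf("period %d: %w", i, ErrBadPeriod)
		}
		switch {
		case !p.Ended:
			r.Pending += p.Amount
		// Integer cross-multiplication avoids float rounding at the boundary.
		// Assumption: a period in which no blocks were produced fails closed.
		case p.Total > 0 && p.Signed*100 >= p.ThresholdPct*p.Total:
			r.Vested += p.Amount
		default:
			r.Failed += p.Amount
		}
	}
	return r, nil
}

func main() {
	r, err := Evaluate([]Period{ // constructed sample data
		{Amount: 1000, ThresholdPct: 90, Signed: 900, Total: 1000, Ended: true},
		{Amount: 1000, ThresholdPct: 90, Signed: 899, Total: 1000, Ended: true},
		{Amount: 1000, ThresholdPct: 90, Signed: 10, Total: 10},
	})
	fmt.Println(r, err)
}
```

The second sample period misses the 90% threshold by a single block, which is the boundary case where a floating-point comparison is most likely to disagree with an integer one.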

Summary

In summary, the review confirmed that the code delivers an excellent level of protocol implementation and security, with only one recommendation, neither critical nor low-medium-high risk in nature.

Similarly, the Go code was found to have very good readability, extensive test cases, and extremely good code design and ethics. The use of the testify package and the variety of test cases encapsulated every possible normal scenario, showing a high standard of code.

The CertiK team congratulates Kava for passing the rigorous verification process, and looks forward to working with them again!

About Kava:

Kava is a multi-asset DeFi platform that offers stablecoins, loans, and other financial services for users of major cryptocurrency assets including BTC, XRP, BNB and ATOM to name a few. The Kava platform has two types of tokens, the KAVA token and the USDX stablecoin where the KAVA token is the native token of the Kava blockchain integral in the security, governance, and mechanical functions of the platform. Users can collateralize their crypto assets in exchange for Kava’s stablecoin, USDX. Kava’s stablecoin provides a high interest yield earning users more than they would with a traditional cash or savings account at a bank, but unlike traditional savings accounts.

Twitter: http://twitter.com/kava_labs

Telegram: http://t.me/kavaofficial

LinkedIn: https://www.linkedin.com/company/kava-labs/

About CertiK

CertiK leads blockchain security by pioneering the use of cutting-edge Formal Verification technology on smart contracts and blockchains. Unlike traditional security audits, Formal Verification mathematically proves program correctness and hacker-resistance. CertiK was founded by Computer Science professors of Yale University and Columbia University, securing over $5B in assets, including many of the world’s top projects.

The research efforts of CertiK have received grants from IBM and the Ethereum Foundation, and notable investors include Binance Labs, Bitmain, Lightspeed Venture Partners, Matrix Partners, and NEO Global Capital, among others.

To request the audit/verification of your smart contracts, please email audit@certik.io or visit certik.io to submit the request.

Twitter: https://twitter.com/certik_io

Telegram: https://t.me/certikorg

LinkedIn: https://www.linkedin.com/company/certik