OVERVIEW
Audit Summary
A time-boxed independent security assessment of the Kunji Finance Contract was performed by Samrat Gupta (@Sm4rty-), Rohan Jha (@rohan16_) and Team DetectBox, with a focus on the security aspects of the application's implementation.
We performed the security assessment based on the agreed scope, following our approach and methodology. Based on that scope and the activities performed, the assessment revealed 6 Medium severity, 8 Low severity, 8 Informational and 4 Gas Optimisation security issues.
Audit Timeline: 30 July 2023 - 11 August 2023
Code Repository: https://github.com/Kunji-Finance/KF-Contract
Review commit hash: 29e4fb07cb3a4e0eba477b8a7504846c2a600adf
Audit Methodology
During our security assessments, we uphold a rigorous approach to maintain high-quality standards. Our methodology encompasses thorough functional testing and meticulous manual code reviews. To ensure comprehensive issue coverage, we employ checklists derived from industry best practices and widely recognized concerns, specifically tailored to Solidity smart contract assessment. Throughout the smart contract audit process, we prioritize the following aspects to uphold excellence:
- Code Quality: We diligently evaluate the overall quality of the code, aiming to identify any potential vulnerabilities or weaknesses.
- Best Practices: Our assessments emphasize adherence to established best practices, ensuring that the smart contract follows industry-accepted guidelines and standards.
- Documentation and Comments: We meticulously review code documentation and comments to ensure they accurately reflect the underlying logic and expected behaviour of the contract.
Auditing smart contracts involves a comprehensive analysis of the code to identify potential vulnerabilities and security risks. To achieve comprehensive coverage, we employ a series of security checklist tables, each addressing specific areas of concern. These include:
- System / Platform
- Access Control
- Storage
- Gas Issues and Efficiency
- Code Issues
- Error Handling and Exception Handling
- Transaction Handling
- Entrypoint Validation
- Administration and Operator Functions
- Additional Topics and Test Cases
Vulnerability Summary
Severity classification
Severity | Impact: High | Impact: Medium | Impact: Low
---|---|---|---
Likelihood: High | Critical | High | Medium
Likelihood: Medium | High | Medium | Low
Likelihood: Low | Medium | Low | Low
Findings Summary
Severity | Number of Issues Found
---|---
High | 0 issues
Medium | 6 issues
Low | 8 issues
Informational | 8 issues
Gas Optimization | 4 issues
Audit Scope
The code under review is composed of multiple smart contracts written in Solidity and comprises 3580 nSLOC (normalized source lines of code, counting only source-code lines).
File | nLines | nSLOC | Complex. Score
---|---|---|---
contracts/UsersVault.sol | 709 | 557 | 256
contracts/ContractsFactory.sol | 305 | 223 | 247
contracts/adapters/Lens.sol | 890 | 490 | 298
contracts/adapters/gmx/GMXAdapter.sol | 6 | 668 | 268
contracts/adapters/gmx/interfaces/IGmxPositionManager.sol | 20 | 3 | 9
contracts/adapters/gmx/interfaces/IGmxAdapter.sol | 6 | 15 | 21
contracts/adapters/gmx/interfaces/IGmxReader.sol | 40 | 3 | 9
contracts/adapters/gmx/interfaces/IGmxRouter.sol | 6 | 33 | 38
contracts/adapters/gmx/interfaces/IVaultPriceFeed.sol | 32 | 3 | 33
contracts/adapters/gmx/interfaces/IGmxOrderBook.sol | 6 | 27 | 49
contracts/adapters/gmx/interfaces/IGmxVault.sol | 149 | 3 | 21
contracts/Observers/GMXObserver.sol | 112 | 129 | 87
contracts/adapters/uniswap/libraries/BytesLib.sol | 287 | 65 | 141
contracts/adapters/uniswap/UniswapV3Adapter.sol | 51 | 234 | 101
contracts/adapters/uniswap/interfaces/IQuoterV2.sol | 35 | 45 | 9
contracts/adapters/uniswap/interfaces/IUniswapV3Router.sol | 131 | 49 | 23
contracts/adapters/uniswap/interfaces/IUniswapV3Factory.sol | 9 | 27 | 13
contracts/adapters/uniswap/interfaces/INonfungiblePositionManager.sol | 23 | 119 | 28
contracts/adapters/uniswap/interfaces/IUniswapV3Adapter.sol | 7 | 3 | 9
contracts/adapters/uniswap/interfaces/IUniswapV3Pool.sol | 11 | 6 | 37
contracts/TraderWallet.sol | 507 | 374 | 252
contracts/DynamicValuation.sol | 193 | 148 | 94
contracts/BaseVault.sol | 180 | 133 | 80
contracts/interfaces/IBaseVault.sol | 6 | 3 | 15
contracts/interfaces/IDynamicValuation.sol | 29 | 19 | 21
contracts/interfaces/ITraderWallet.sol | 9 | 5 | 63
contracts/interfaces/IObserver.sol | 6 | 3 | 5
contracts/interfaces/IAdaptersRegistry.sol | 6 | 3 | 5
contracts/interfaces/IAdapter.sol | 54 | 7 | 3
contracts/interfaces/IContractsFactory.sol | 21 | 49 | 77
contracts/interfaces/ILens.sol | 37 | 17 | 3
contracts/interfaces/Errors.sol | 19 | 33 | 1
contracts/interfaces/UsersVault.sol | 14 | 13 | 39
contracts/interfaces/IPlatformAdapter.sol | 4632 | 9 | 5
contracts/interfaces/Events.sol | 3580 | 62 | 2361
Totals | 62 | 3580 | 2361
Auditors Involved:
Main Auditor - Samrat Gupta - https://app.detectbox.io/profile/sm4rty
Detect Warden - Rohan Jha - https://app.detectbox.io/profile/Rohan16