🛡 Securing Kinto

Kinto is the safety-first L2 rollup designed to accelerate the transition to an on-chain financial system. It features user-owned KYC, AML, and native account abstraction to solve the biggest blockers to mainstream adoption: security and user experience.

TLDR: We released three security audits, our security methodology, and the process to report vulnerabilities.

🥇 Safety-First

I experienced how interconnected the industry is during my time at Babylon Finance. I learned first-hand to appreciate the importance of second-order effects after seeing how a hack in DeFi can trigger a chain reaction that affects many ecosystem protocols. In our case, the hack of the Rari protocol eventually led us to close the project.

After suffering that traumatic loss, it was clear that users will not be able to receive any of the value created by blockchain technology if they are subject to hacks, scams, or rugs.

To that end, we have designed Kinto from the ground up to be a safe ecosystem for financial applications. Safety and security are the founding principles behind Kinto.

Some of our security features include:

  • Sybil resistance through user-owned KYC.

  • Continuous AML monitoring.

  • Insurance provisioning.

  • Rolling external security audits.

  • Unit and integration tests.

  • On-chain monitoring through Hypernative & Defender.

The system was architected to be secure by design. Security is an ongoing process; you are never "done". It is not a feature or an add-on, and it is not something you can patch in later.

Recent hacks in DeFi have made teams aware of how critical it is to have cybersecurity skills within the core team. At Kinto, this isn't an afterthought: the founding team members have many years of experience in blockchain development and security at companies like OpenZeppelin and Google.

💻 Kinto Security Process

A DeFi protocol needs external security audits to verify the architecture and security of the system. Kinto is already working with leading security firms including Certora, Mixbytes and Pessimistic.

Today, we are pleased to announce the publication of our Security process on GitHub.

We aim to give our users and partners more visibility, transparency, and trust before our phase IV launch on March 13th.

It is an important milestone for Kinto as it proves our dedication to securing the protocol before our public launch to our users. Transparency and trust are a must-have in DeFi; users and partners should check and verify the security process of a given protocol before using it.

Because of our security-by-design process, we work continuously to minimize the attack surface at both the infrastructure and smart contract levels. That is why you will see infrastructure audits published alongside smart contract audits.

🗒 Three Security audits (so far…)

We have already performed three security audits. For more information, please check the audit section.

We believe frequent audits are important, as protocols must change and evolve to find product-market fit. Auditors audit a specific commit of the codebase, so the code that was audited can quickly diverge from what is actually deployed.
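Because an audit report only covers the commit it names, a practitioner wants a repeatable way to tell how far the current tree has drifted from what was audited. The script below is an added example, not Kinto's tooling: it records a manifest of SHA-256 hashes for the in-scope files at audit time and later reports which files changed, disappeared or were added. The file names and contents in `demo()` are constructed for illustration; in a git repository, `git diff --stat <audited-commit> -- src/` gives the same picture.

```python
"""Audit-scope drift check (added example, not Kinto's code).

Records a manifest of in-scope files at audit time and reports drift
against the current working tree.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large artifacts don't load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path, patterns) -> dict:
    """Map each in-scope file (relative POSIX path) to its SHA-256 digest.

    `patterns` are glob patterns relative to `root`, e.g. ["src/**/*.sol"],
    mirroring the "scope" section of an audit report.
    """
    manifest = {}
    for pattern in patterns:
        for p in sorted(root.glob(pattern)):
            if p.is_file():
                manifest[p.relative_to(root).as_posix()] = sha256_file(p)
    return manifest


def audit_drift(root: Path, patterns, audited_manifest: dict) -> dict:
    """Compare the current tree against the manifest recorded at audit time."""
    current = build_manifest(root, patterns)
    changed = sorted(f for f in audited_manifest
                     if f in current and current[f] != audited_manifest[f])
    removed = sorted(f for f in audited_manifest if f not in current)
    added = sorted(f for f in current if f not in audited_manifest)
    return {
        "changed": changed,   # audited file whose bytes differ now
        "removed": removed,   # audited file no longer present
        "added": added,       # in-scope file the auditors never saw
        "clean": not (changed or removed or added),
    }


def demo() -> dict:
    """Constructed scenario: two audited contracts, then post-audit edits."""
    root = Path(tempfile.mkdtemp())
    src = root / "src"
    src.mkdir()
    (src / "Wallet.sol").write_text("contract Wallet { }")      # constructed
    (src / "Factory.sol").write_text("contract Factory { }")    # constructed

    scope = ["src/**/*.sol"]
    audited = build_manifest(root, scope)
    # The manifest would be committed next to the audit report, e.g.:
    (root / "audit-manifest.json").write_text(json.dumps(audited, indent=2))

    # Changes that land after the auditors signed off on the commit.
    (src / "Wallet.sol").write_text("contract Wallet { uint256 x; }")
    (src / "Bridge.sol").write_text("contract Bridge { }")

    stored = json.loads((root / "audit-manifest.json").read_text())
    return audit_drift(root, scope, stored)


if __name__ == "__main__":
    report = demo()
    for key in ("changed", "removed", "added"):
        for f in report[key]:
            print(f"{key:8s} {f}")
    print("clean" if report["clean"] else "DRIFT: current tree is not the audited code")
```

Commit the manifest (or simply the audited commit hash) next to the published report so users can run the same check; a non-empty `changed` or `added` list means the deployed code is not the code the auditors reviewed.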

At Kinto, we have been commissioning audits since development started, working alongside the auditors to ensure every issue found was fixed.

Kinto hired multiple external auditors to increase coverage, get different opinions, and have several sets of eyes on every line of code. At the same time, a long-term partnership with one audit firm is crucial so that they develop a deep understanding of the protocol. Our suggestion is to have a mix of both.

Last but not least, internal security audits are usually not reported. We believe this is an oversight. In our opinion they are critical, especially given the fast pace of change. External audits by definition have limited scope, whether because of budget, time, or resources. It is not common to see protocol internal security audits, or even infrastructure security audits, published at all.

Infrastructure audits have been shown to be very important by recent attacks like BadgerDAO's ($120M). In that attack the dapp's cloud provider was abused to inject a malicious script into the front end; the smart contracts themselves were never exploited, users simply signed transactions crafted by the tampered interface. That is why we plan to include additional penetration testing and infrastructure audits.

⚔️ How to report vulnerabilities

Although 100% security does not exist, we believe optimal security can only be achieved by working with the best security researchers. In Kinto, we are committed to working with researchers who submit security vulnerability notifications to us. We commit to resolving those issues on an appropriate timeline and to perform a coordinated release, giving credit to the reporter if desired.

If you are a researcher, please submit findings using the following instructions and PGP key:

We follow the same de facto responsible disclosure standard used by many other DeFi protocols. Please follow its guidelines for initial contact and for giving details.

In the coming weeks/months, we also plan to launch a **bug bounty program** through Immunefi and others.

🌊 Engen is here…

Engen marks the beginning of Kinto. We want to accelerate the transition to an on-chain financial system.

https://engen.kinto.xyz

A system that matches the guarantees of traditional finance, is available 24/7, enhances security, and reduces the friction and costs associated with traditional asset issuance.

If you share our vision for a secure, open, decentralized financial system, help us realize it.

Join us!

🌐 Website | 📚Docs | Twitter | Discord
