
🛡 Securing Kinto

Kinto is the safety-first L2 rollup designed to accelerate the transition to an on-chain financial system. It features user-owned KYC, AML, and native account abstraction to solve the biggest blockers to mainstream adoption: security and user experience.

TLDR: We released three security audits, our security methodology, and the process to report vulnerabilities.

🥇 Safety-First

I experienced how interconnected the industry is during my time at Babylon Finance. I learned first-hand to appreciate the importance of second-order effects after seeing how a hack in DeFi can trigger a chain reaction that affects many ecosystem protocols. In our case, the hack in the Rari protocol eventually led us to close the project.

After suffering that traumatic loss, it was clear that users will not be able to receive any of the value created by blockchain technology if they are subject to hacks, scams, or rugs.

To that end, we have designed Kinto from the ground up to be a safe ecosystem for financial applications. Safety and security are the founding principles behind Kinto.

Some of our security features include:

  • Sybil resistance through user-owned KYC.

  • Continuous AML monitoring.

  • Insurance provisioning.

  • Rolling External Security Audits.

  • Unit and Integration Tests.

  • On-chain monitoring through Hypernative & Defender.

The system was architected to be secure-by-design. Security is an ongoing process; you are never "done". It is not a feature nor an add-on, and it is not something you can patch later.

Due to recent security hacks in DeFi, teams are now aware of how critical it is to have cybersecurity skills within the core team. In Kinto, this isn't an afterthought. The founding team members have many years of experience in blockchain development and security at companies like OpenZeppelin and Google.

💻 Kinto Security Process

A DeFi protocol needs external security audits to verify the architecture and security of the system. Kinto is already working with leading security firms including Certora, Mixbytes and Pessimistic.

Today, we are pleased to announce the publication of our Security process on GitHub.

We aim to give our users and partners more visibility, transparency, and trust before our phase IV launch on March 13th.

It is an important milestone for Kinto, as it proves our dedication to securing the protocol before our public launch. Transparency and trust are a must-have in DeFi; users and partners should check and verify the security process of a given protocol before using it.

Due to our security-by-design process, we continuously work to minimize the attack surface at both the infrastructure and smart contract levels. Because of this approach, you'll see infrastructure audits published alongside smart contract audits.

🗒 Three Security audits (so far…)

We have already performed three security audits. For more information, please check the audit section.

We believe frequent audits are important, as protocols must change and evolve to find product-market fit. Auditors usually review a specific commit of the codebase, so the code they audited can quickly become outdated as development continues.

In Kinto, we have been doing audits since development started, working alongside the auditors to ensure every issue found was fixed.


Kinto hired several external auditors to increase coverage, get different opinions, and have multiple sets of eyes checking every line of code. At the same time, creating a long-term partnership with an audit firm is crucial so that the firm develops a deep understanding of the protocol. Our suggestion is to have a mix of both.

Last but not least, internal security audits are usually not reported. We believe that this is an oversight. In our opinion, they are critical, especially given the fast pace of change. External audits by definition have limited scope, whether because of budget, time, or resources. It is not common to see protocol internal security audits or even infrastructure security audits.

Infrastructure audits have been demonstrated to be very important given **recent attacks like BadgerDAO's of $120M.** In this attack, the cloud provider was used to inject a malicious script into the dapp. That's why we plan to include additional penetration testing and infrastructure audits.

āš”ļø How to report vulnerabilities

Although 100% security does not exist, we believe optimal security can only be achieved by working with the best security researchers. In Kinto, we are committed to working with researchers who submit security vulnerability notifications to us. We commit to resolving those issues on an appropriate timeline and to performing a coordinated release, giving credit to the reporter if desired.

If you are one of them, please submit findings by using the following instructions and PGP key:

[Image: vulnerability reporting instructions and PGP key]

We follow the same de facto responsible disclosure standard used by many other DeFi protocols. Follow the guidelines for initial contact and for giving details.

In the coming weeks/months, we also plan to launch a **bug bounty program** through Immunefi and others.

🌊 Engen is here…

Engen marks the beginning of Kinto. We want to accelerate the transition to an on-chain financial system.

https://engen.kinto.xyz

A system that can match the guarantees of traditional finance, increase availability 24/7, enhance security, and decrease the friction and costs associated with traditional asset issuance.

If you share our vision for a secure, open, decentralized financial system, help us realize it.

Join us!

🌐 Website | 📚 Docs | Twitter | Discord