{"id":531,"date":"2023-08-04T13:12:00","date_gmt":"2023-08-04T11:12:00","guid":{"rendered":"https:\/\/ackeeblockchain.com\/blog\/?p=531"},"modified":"2024-05-16T12:16:33","modified_gmt":"2024-05-16T10:16:33","slug":"playground-labs-kapital-dao-audit-summary","status":"publish","type":"post","link":"https:\/\/ackee.xyz\/blog\/playground-labs-kapital-dao-audit-summary\/","title":{"rendered":"Playground labs: Kapital DAO audit summary"},"content":{"rendered":"<p><a href=\"https:\/\/www.kapital.gg\/\" target=\"_blank\" rel=\"noopener\"><span style=\"font-weight: 400;\">Kapital DAO<\/span><\/a><span style=\"font-weight: 400;\"> builds SaaS tools used by the world\u2019s largest guilds and games to onboard players and improve asset management, all powered by the KAP token. <\/span><\/p>\n<p><span style=\"font-weight: 400;\">Playground Labs engaged <\/span><span style=\"font-weight: 400;\">Ackee Blockchain <\/span><span style=\"font-weight: 400;\">to conduct a security review of Kapital DAO with a total time donation of <\/span><b>10 engineering days<\/b><span style=\"font-weight: 400;\">. The review took place between<\/span><b> September 14, 2022<\/b><span style=\"font-weight: 400;\">, and <\/span><b>December 2, 2022<\/b><span style=\"font-weight: 400;\">.\u00a0<\/span><\/p>\n<h4><b>METHODOLOGY<\/b><\/h4>\n<p><span style=\"font-weight: 400;\">We began our review using static analysis tools, namely <\/span><span style=\"font-weight: 400;\">Slither<\/span><span style=\"font-weight: 400;\">, <\/span><span style=\"font-weight: 400;\">Woke <\/span><span style=\"font-weight: 400;\">and the <\/span><span style=\"font-weight: 400;\">solc <\/span><span style=\"font-weight: 400;\">compiler. We then took a deep dive into the logic of the contracts, deployed them using Brownie and tested them. 
During the review, we paid particular attention to:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">ensuring the interactions with the oracle are correct<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">checking voting weight calculation<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">analysis of locking mechanisms<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">analysis of the upgrade process<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">simulation of the upgrade process<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">detecting possible reentrancies in the code<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">ensuring access controls are not too relaxed or too strict<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">looking for common issues such as data validation.\u00a0<\/span><\/li>\n<\/ul>\n<h4><b>SCOPE <\/b><\/h4>\n<p><span style=\"font-weight: 400;\">The scope was full-repository and the security review was focused on the GovernanceV2 deployment\/upgrade process and the reintroduction of staked UniswapV2 KAP\/ETH liquidity provider token voting.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">The commit for the given scope was: <\/span><span style=\"font-weight: 400;\">a8fe3c9<\/span><span style=\"font-weight: 400;\">. 
<\/span><\/p>\n<h4><b>FINDINGS<\/b><\/h4>\n<p><span style=\"font-weight: 400;\">Here we present our <\/span><span style=\"font-weight: 400;\">findings<\/span><span style=\"font-weight: 400;\">.<\/span><\/p>\n<h5><b>Critical severity\u00a0<\/b><\/h5>\n<p><span style=\"font-weight: 400;\">No critical severity issues were found.\u00a0<\/span><\/p>\n<h5><b>High severity\u00a0<\/b><\/h5>\n<p><span style=\"font-weight: 400;\">No high severity issues were found.\u00a0<\/span><\/p>\n<h5><b>Medium severity<\/b><\/h5>\n<p><b>M1:<\/b><span style=\"font-weight: 400;\"> The VESTING_CREATOR role can vote multiple times<\/span><\/p>\n<p><b>M2: <\/b><span style=\"font-weight: 400;\">Governance can lock funds forever<\/span><\/p>\n<p><b>M3: <\/b><span style=\"font-weight: 400;\">Dynamic changes of the lock period\u00a0<\/span><\/p>\n<h5><b>Low severity<\/b><\/h5>\n<p><b>L1: <\/b><span style=\"font-weight: 400;\">Lack of project identifier for address validation\u00a0<\/span><\/p>\n<h5><b>Warning severity <\/b><\/h5>\n<p><b>W1:<\/b><span style=\"font-weight: 400;\"> Pitfalls of upgradeability\u00a0<\/span><\/p>\n<p><b>W2: <\/b><span style=\"font-weight: 400;\">Execute could not be triggered if a lot of KAP tokens are burned\u00a0<\/span><\/p>\n<h5><b>Informational severity <\/b><\/h5>\n<p><b>I1: <\/b><span style=\"font-weight: 400;\">Boost can only be turned off\u00a0<\/span><\/p>\n<p><b>I2:<\/b><span style=\"font-weight: 400;\"> Missing code comments <\/span><\/p>\n<p><b>I3:<\/b><span style=\"font-weight: 400;\"> Ambiguous error messages <\/span><\/p>\n<h4><b>CONCLUSION<\/b><\/h4>\n<p><span style=\"font-weight: 400;\">Our review resulted in 9 findings, ranging from <\/span><i><span style=\"font-weight: 400;\">Info<\/span><\/i><span style=\"font-weight: 400;\"> to <\/span><i><span style=\"font-weight: 400;\">Medium<\/span><\/i><span style=\"font-weight: 400;\"> severity. 
The more severe issues are connected to the <\/span><span style=\"font-weight: 400;\">Trust model<\/span><span style=\"font-weight: 400;\">.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">We <\/span><span style=\"font-weight: 400;\">recommend Playground Labs to:\u00a0<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">address all reported issues.\u00a0<\/span><\/li>\n<\/ul>\n<p><b>Ackee Blockchain\u2019s full <\/b><b><i>Playground Labs<\/i><\/b><b> audit report with a more detailed description of all findings and recommendations can be found <\/b><a href=\"https:\/\/github.com\/kapital-dao\/kapital-dao\/blob\/main\/audits\/ackee_audit_2022_12.pdf\" target=\"_blank\" rel=\"noopener\"><b>here<\/b><\/a><b>.<\/b><\/p>\n<p><span style=\"font-weight: 400;\">We were delighted to audit<\/span><b> Playground Labs<\/b><span style=\"font-weight: 400;\"> and look forward to working with them again.<\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Kapital DAO builds SaaS tools used by the world\u2019s largest guilds and games to onboard players and improve asset management, all powered by the KAP token. Playground Labs engaged Ackee Blockchain to conduct a security review of Kapital DAO with a total time donation of 10 engineering days. 
The review took place between September 14, 2022, and December 2, 2022.\u00a0 METHODOLOGY We&hellip;<\/p>\n","protected":false},"author":15,"featured_media":532,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[20,10,80],"tags":[21,24,117,68],"class_list":["post-531","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-audits","category-ethereum","category-solidity","tag-audit","tag-ethereum","tag-kapital-dao","tag-solidity"],"aioseo_notices":[],"featured_image_src":"https:\/\/ackee.xyz\/blog\/wp-content\/uploads\/2023\/08\/DAO-1-600x400.png","featured_image_src_square":"https:\/\/ackee.xyz\/blog\/wp-content\/uploads\/2023\/08\/DAO-1-600x600.png","author_info":{"display_name":"Aleksandra Yudina","author_link":"https:\/\/ackee.xyz\/blog\/author\/aleksandra-yudina\/"},"_links":{"self":[{"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/posts\/531","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/users\/15"}],"replies":[{"embeddable":true,"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/comments?post=531"}],"version-history":[{"count":0,"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/posts\/531\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/media\/532"}],"wp:attachment":[{"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/media?parent=531"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/categories?post=531"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/tags?post=531"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}