Audit

Kvants Security & Audits

This page explains what we audit, how we audit it, and how you can verify the deployed code. It will be updated as new reports are published and issues are retired.


At a Glance

  • Scope: Kvants on-chain vaults on Drift, Hyperliquid vault adapters, points and vesting modules, buyback and treasury programs, oracle adapters, and the off-chain keeper network that relays signed instructions.

  • Objective: reduce smart-contract, market, and operational risk through independent review, economic stress testing, and live monitoring.

  • Status: Phase-by-phase audits prior to TGE and on an ongoing basis after launch. Public PDFs and issue trackers will be linked here when released.


What Gets Audited

  1. Drift Vault Programs (Solana)

    • Vault accounting and share math

    • Delta-hedge logic and rebalancing thresholds

    • Withdrawal cooldown and pro-rata exits

    • Fee accrual and performance-fee gating

    • Pause, circuit breaker, and kill-switch paths

  2. Hyperliquid Vault Adapters

    • Position sizing and risk limits

    • Oracle usage and price sanity checks

    • Failure handling during venue downtime

  3. Points, Airdrop, and Vesting

    • Time-weighted accrual math

    • Epoch multipliers and finalization

    • Linear vesting and claim windows

  4. Buyback and Treasury Programs (Solana)

    • Routing, slippage caps, and recipient logic

    • Accounting for burns or streams to stakers

  5. Keepers and Signing Layer

    • Message format and replay protection

    • Rate limits and permission scopes

    • Alerting and failover
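The message-format, replay-protection and permission-scope items under "Keepers and Signing Layer", as an added example that is not Kvants code: a verifier that accepts a keeper instruction only after checking its signature, the signing key's scope, a bounded validity window, and a strictly increasing per-key nonce. The message fields, the key identifiers, the 300-second maximum validity and the use of HMAC-SHA256 in place of the production signature scheme are all assumptions of this example.

```python
"""Keeper instruction verifier: signature, scope, freshness and replay checks."""
import hashlib
import hmac
import json

MAX_VALIDITY_S = 300   # assumption: an instruction may not stay valid longer than 5 minutes


class KeeperVerifier:
    """Accepts a signed keeper instruction only if every check passes.

    HMAC-SHA256 over a canonical JSON encoding stands in for the production
    signature scheme (an assumption of this example); the checks around it are
    what the example is about.
    """

    def __init__(self, keys: dict, max_skew_s: int = 30):
        self.keys = keys                # key_id -> {"secret": bytes, "scopes": set}
        self.max_skew_s = max_skew_s    # tolerated clock drift between keeper and verifier
        self.last_nonce = {}            # key_id -> highest nonce accepted so far

    @staticmethod
    def canonical(msg: dict) -> bytes:
        # Deterministic encoding so signer and verifier hash identical bytes.
        return json.dumps(msg, sort_keys=True, separators=(",", ":")).encode()

    @classmethod
    def sign(cls, secret: bytes, msg: dict) -> str:
        return hmac.new(secret, cls.canonical(msg), hashlib.sha256).hexdigest()

    def verify(self, msg: dict, sig: str, now: int) -> tuple:
        key = self.keys.get(msg.get("key_id"))
        if key is None:
            return False, "unknown key"
        # 1. Authenticity first: no field is trusted until the signature checks out.
        if not hmac.compare_digest(self.sign(key["secret"], msg), sig):
            return False, "bad signature"
        # 2. Permission scope: a rebalance key cannot pause, and vice versa.
        if msg["action"] not in key["scopes"]:
            return False, "action outside key scope"
        # 3. Freshness: bounded validity window, not expired, not from the future.
        if msg["expires_at"] - msg["issued_at"] > MAX_VALIDITY_S:
            return False, "validity window too long"
        if now > msg["expires_at"]:
            return False, "expired"
        if msg["issued_at"] > now + self.max_skew_s:
            return False, "issued in the future"
        # 4. Replay: nonces must strictly increase per key; record only on success.
        if msg["nonce"] <= self.last_nonce.get(msg["key_id"], 0):
            return False, "replayed or out-of-order nonce"
        self.last_nonce[msg["key_id"]] = msg["nonce"]
        return True, "ok"


# Constructed demo keys (not real credentials): one key per role, so that an ops
# key can rebalance but cannot pause, and a risk key can pause but not rebalance.
KEYS = {
    "ops-1": {"secret": b"constructed-ops-secret", "scopes": {"rebalance"}},
    "risk-1": {"secret": b"constructed-risk-secret", "scopes": {"pause"}},
}


def demo() -> list:
    """Run the verifier over a fresh message, a replay, a tampered copy, a scope
    violation and an expired message; returns the verdicts in that order."""
    v = KeeperVerifier(KEYS)
    t0 = 1_700_000_000
    msg = {"key_id": "ops-1", "action": "rebalance", "vault": "VAULT_ID_PLACEHOLDER",
           "nonce": 1, "issued_at": t0, "expires_at": t0 + 60}
    ops_secret = KEYS["ops-1"]["secret"]
    sig = KeeperVerifier.sign(ops_secret, msg)
    out = [v.verify(msg, sig, now=t0 + 10)]                                  # accepted
    out.append(v.verify(msg, sig, now=t0 + 20))                              # same nonce: replay
    out.append(v.verify(dict(msg, nonce=2, action="pause"), sig, now=t0 + 20))  # tampered body
    scoped = dict(msg, nonce=2, action="pause")
    out.append(v.verify(scoped, KeeperVerifier.sign(ops_secret, scoped), now=t0 + 20))  # out of scope
    late = dict(msg, nonce=3)
    out.append(v.verify(late, KeeperVerifier.sign(ops_secret, late), now=t0 + 100))     # expired
    return out


if __name__ == "__main__":
    for accepted, reason in demo():
        print(accepted, reason)
```

The order of checks matters: the signature is verified before any field is read for policy, the nonce is recorded only once every other check has passed, and the expiry window is bounded so that a captured instruction cannot be held back and relayed much later.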


Methodology

  • Static and manual review: line-by-line checks for access control, overflow, and state-machine errors.

  • Property testing and fuzzing: randomized inputs across boundary conditions for accounting and rebalancing logic.

  • Economic simulation: funding flips, volatile spreads, oracle lag, and extreme drawdowns to test circuit breakers.

  • Dependency review: authority checks for oracles, token programs, and any third-party libraries.

  • Deployment review: verify program IDs, initialization parameters, and admin keys.

Audits reduce risk but do not eliminate it. All critical paths also include runtime guards: delta bands, VaR ceilings, liquidity checks, and pausable execution.
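An added example, not code from Kvants or its auditors, tying together the "Property testing and fuzzing" bullet above and the "Vault accounting and share math" item in the audit scope: a randomized property test run against a minimal share-based vault model. The Vault class, its floor-rounding rules and the random workload are assumptions of this example; the invariants it checks are that rounding never moves value from the vault to the actor, that the share supply always equals the sum of holdings, and that a deposit too small to mint a share is rejected rather than silently absorbed.

```python
"""Property test of share-based vault accounting under a randomized workload."""
import random
from dataclasses import dataclass


@dataclass
class Vault:
    """Minimal vault model: shares are a pro-rata claim on total_assets.

    Amounts are integers in base units, as in an on-chain program. Every
    conversion rounds down, so neither a depositor nor a redeemer can extract
    more value than they are entitled to. (Assumption of this example.)
    """
    total_assets: int = 0
    total_shares: int = 0

    def shares_for_deposit(self, amount: int) -> int:
        if self.total_shares == 0:
            return amount                       # first deposit: one share per unit
        if self.total_assets == 0:
            raise ValueError("vault has shares but no assets; deposits paused")
        return amount * self.total_shares // self.total_assets

    def deposit(self, amount: int) -> int:
        if amount <= 0:
            raise ValueError("deposit must be positive")
        shares = self.shares_for_deposit(amount)
        if shares == 0:
            # Boundary case: after a large balance jump a tiny deposit would mint
            # nothing and silently donate the assets to existing holders. Reject it.
            raise ValueError("deposit too small to mint a share")
        self.total_assets += amount
        self.total_shares += shares
        return shares

    def assets_for_shares(self, shares: int) -> int:
        return shares * self.total_assets // self.total_shares

    def redeem(self, shares: int) -> int:
        if not 0 < shares <= self.total_shares:
            raise ValueError("invalid share amount")
        amount = self.assets_for_shares(shares)
        self.total_shares -= shares
        self.total_assets -= amount
        return amount


def price_never_drops(before: tuple, after: tuple) -> bool:
    """Share price (assets/shares) must not fall across a deposit or redemption.
    Compared by cross-multiplication to stay in integers."""
    a0, s0 = before
    a1, s1 = after
    if s0 == 0 or s1 == 0:
        return True
    return a1 * s0 >= a0 * s1


def run_property_test(seed: int, rounds: int) -> dict:
    """Drive the vault with random deposits, redemptions and mark-to-market moves,
    checking the invariants after every step. Raises AssertionError on the first
    violation and returns workload counters otherwise."""
    rng = random.Random(seed)
    vault = Vault()
    holdings = {}          # user -> shares held, to cross-check the share supply
    stats = {"rounds": rounds, "deposits": 0, "redeems": 0, "rejected": 0, "moves": 0}
    for _ in range(rounds):
        user = rng.randrange(8)
        before = (vault.total_assets, vault.total_shares)
        roll = rng.random()
        if roll < 0.45:
            amount = rng.choice([1, 2, 7, 10**3, 10**6, 10**9])   # boundary-heavy sizes
            try:
                shares = vault.deposit(amount)
            except ValueError:
                stats["rejected"] += 1
                continue
            holdings[user] = holdings.get(user, 0) + shares
            stats["deposits"] += 1
            # Round trip: redeeming the shares just minted returns at most `amount`.
            assert vault.assets_for_shares(shares) <= amount
        elif roll < 0.80 and holdings.get(user, 0) > 0:
            shares = rng.randint(1, holdings[user])
            vault.redeem(shares)
            holdings[user] -= shares
            stats["redeems"] += 1
        else:
            # Mark-to-market move of -20%..+20% (hedge drift, funding, fees). The
            # price may legitimately change here, so only the supply check applies.
            delta = int(vault.total_assets * rng.randint(-20, 20) / 100)
            vault.total_assets = max(vault.total_assets + delta, 1 if vault.total_assets else 0)
            stats["moves"] += 1
            before = None
        after = (vault.total_assets, vault.total_shares)
        if before is not None:
            assert price_never_drops(before, after), (before, after)
        assert vault.total_assets >= 0 and vault.total_shares >= 0
        assert sum(holdings.values()) == vault.total_shares
    return stats


if __name__ == "__main__":
    print(run_property_test(seed=1, rounds=5000))
```

The workload deliberately mixes one-unit deposits with billion-unit ones and injects balance jumps between them, because that is where floor rounding and zero-share mints bite; a failing seed is reproducible, which is what makes this style of test useful as a regression check after a fix.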


Upgrade and Admin Controls

  • Time-locked upgrades: all upgradeable programs are gated by a timelock with on-chain announcements before activation.

  • Multisig control: admin actions require a multisig with separate keys for deploy, ops, and risk.

  • Emergency pause: restricted to a dedicated role and used only to protect user funds during anomalies.

  • No custody of user wallets: DeFi vaults hold only deposited assets; CeFi signals use trade-only API keys without withdrawal rights.


How You Can Verify

Solana (Drift vaults)

  1. Check the program ID and deployment slot on a public explorer.

  2. Compare the program ID against the value displayed in the Kvants app and docs.

  3. Inspect on-chain state: vault share mint, fee vault, and configuration accounts.

  4. Review emitted events for deposits, redemptions, hedges, and fee updates.
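The Solana steps above, as an added example that is not Kvants code: it decodes the two accounts behind an upgradeable program (the program account and the ProgramData account it points at), extracts the deployment slot and upgrade authority, hashes the deployed ELF, and compares all of them with values you have taken from the app, the docs and the published build hash. The account layout is that of the BPF upgradeable loader; the sample bytes, the `expected` dictionary and the RPC endpoint are constructed placeholders.

```python
"""Decode the on-chain state of a Solana upgradeable program and hash its ELF."""
import base64
import hashlib
import json
import struct
import urllib.request

# BPF upgradeable loader state, bincode-serialized:
#   Program account:     u32 tag (2) || 32-byte ProgramData address
#   ProgramData account: u32 tag (3) || u64 deployment slot || Option<Pubkey> upgrade
#                        authority (1 tag byte + 32 bytes) || ELF bytes
PROGRAM_TAG, PROGRAMDATA_TAG = 2, 3
PROGRAM_SIZE = 4 + 32                        # 36
PROGRAMDATA_METADATA_SIZE = 4 + 8 + 1 + 32   # 45; the ELF always starts here

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def b58encode(raw: bytes) -> str:
    """Base58 as used for Solana addresses (each leading zero byte becomes '1')."""
    n = int.from_bytes(raw, "big")
    digits = ""
    while n:
        n, r = divmod(n, 58)
        digits = B58_ALPHABET[r] + digits
    return "1" * (len(raw) - len(raw.lstrip(b"\0"))) + digits


def parse_program_account(data: bytes) -> str:
    """Return the ProgramData address that the program account points at."""
    if len(data) < PROGRAM_SIZE or struct.unpack_from("<I", data, 0)[0] != PROGRAM_TAG:
        raise ValueError("not an upgradeable Program account")
    return b58encode(data[4:PROGRAM_SIZE])


def parse_programdata_account(data: bytes) -> dict:
    """Return deployment slot, upgrade authority (None if immutable) and ELF bytes."""
    if len(data) < PROGRAMDATA_METADATA_SIZE:
        raise ValueError("ProgramData account too short")
    tag, slot, has_authority = struct.unpack_from("<IQB", data, 0)
    if tag != PROGRAMDATA_TAG:
        raise ValueError("not a ProgramData account")
    authority = b58encode(data[13:45]) if has_authority == 1 else None
    return {"slot": slot, "upgrade_authority": authority,
            "elf": data[PROGRAMDATA_METADATA_SIZE:]}


def build_hash(elf: bytes) -> str:
    """SHA-256 of the ELF with trailing zero padding stripped, so the on-chain
    bytes and a locally built .so artifact hash to the same value."""
    return hashlib.sha256(elf.rstrip(b"\0")).hexdigest()


def verify_deployment(program_data: bytes, programdata_data: bytes, expected: dict) -> list:
    """Compare decoded on-chain state with the values published for the release.
    `expected` carries 'programdata', 'slot', 'upgrade_authority' and 'build_hash'.
    Returns a list of mismatches; an empty list means everything checked out."""
    findings = []
    if parse_program_account(program_data) != expected["programdata"]:
        findings.append("programdata address mismatch")
    info = parse_programdata_account(programdata_data)
    if info["slot"] != expected["slot"]:
        findings.append(f"deployment slot {info['slot']} != {expected['slot']}")
    if info["upgrade_authority"] != expected["upgrade_authority"]:
        findings.append("upgrade authority is not the published timelock/multisig")
    if build_hash(info["elf"]) != expected["build_hash"]:
        findings.append("on-chain ELF hash does not match published build hash")
    return findings


def fetch_account_data(rpc_url: str, pubkey: str) -> bytes:
    """Raw account bytes via JSON-RPC getAccountInfo (needs network; not used offline)."""
    req = {"jsonrpc": "2.0", "id": 1, "method": "getAccountInfo",
           "params": [pubkey, {"encoding": "base64"}]}
    http = urllib.request.Request(rpc_url, data=json.dumps(req).encode(),
                                  headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(http) as resp:
        value = json.load(resp)["result"]["value"]
    if value is None:
        raise ValueError(f"account {pubkey} not found")
    return base64.b64decode(value["data"][0])


# Constructed sample accounts (not real on-chain data) so the code runs offline.
SAMPLE_AUTHORITY = bytes([0x11]) * 32
SAMPLE_PROGRAMDATA_KEY = bytes([0x22]) * 32
SAMPLE_ELF = b"\x7fELF" + b"constructed program body"
SAMPLE_PROGRAM_ACCOUNT = struct.pack("<I", PROGRAM_TAG) + SAMPLE_PROGRAMDATA_KEY
SAMPLE_PROGRAMDATA_ACCOUNT = (struct.pack("<IQB", PROGRAMDATA_TAG, 250_000_000, 1)
                              + SAMPLE_AUTHORITY + SAMPLE_ELF + b"\0" * 64)
SAMPLE_EXPECTED = {"programdata": b58encode(SAMPLE_PROGRAMDATA_KEY), "slot": 250_000_000,
                   "upgrade_authority": b58encode(SAMPLE_AUTHORITY),
                   "build_hash": build_hash(SAMPLE_ELF)}

if __name__ == "__main__":
    print(verify_deployment(SAMPLE_PROGRAM_ACCOUNT, SAMPLE_PROGRAMDATA_ACCOUNT, SAMPLE_EXPECTED))
```

Against a live deployment, fetch the program account with fetch_account_data, feed it to parse_program_account to learn the ProgramData address, fetch that account too, and pass both to verify_deployment. The same data is available from the solana CLI: `solana program show <PROGRAM_ID>` prints the ProgramData address, upgrade authority and last deployed slot, and `solana program dump <PROGRAM_ID> out.so` writes the ELF for hashing. The upgrade-authority comparison is the one that ties this page's timelock and multisig claims to what is actually on chain.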

Hyperliquid

  1. Verify the vault adapter contract address from the app and docs.

  2. Confirm parameters: collateral asset, max leverage, delta bands, and oracle.

  3. Monitor the position feed and funding records exposed in the strategy dashboard.

We will add direct links to each verified deployment as they go live.


Bug Bounty and Responsible Disclosure

We operate a public vulnerability disclosure program. If you believe you have found a security issue:

  1. Email info@kvants.ai with a technical description, steps to reproduce, and impact.

  2. Do not publish details until we confirm a fix or mitigation.

  3. We will acknowledge receipt within two business days and keep you informed on remediation status.

  4. Bounty scope and rewards will be published with the formal program announcement; critical issues receive the highest priority.


Known Risks and Mitigations

  • Oracle divergence: dual-source pricing with deviation checks and automatic size reductions when feeds disagree.

  • Liquidity gaps: minimum order book depth checks and slippage caps on each leg.

  • Funding regime flips: rate monitors that flatten exposure if net carry turns negative after fees.

  • Program upgrade risk: timelock plus public notice before changes take effect.

  • Keeper failure: redundant keepers in multiple regions and a manual override path.
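The first three mitigations above, as an added example that is not Kvants code: a pre-trade guard that measures the deviation between two price feeds, scales order size down as they diverge and halts at a limit, checks that enough order book depth sits inside the per-leg slippage cap, and signals a flatten when funding net of fees turns negative. All thresholds, the linear size-reduction rule, and the sample quotes and book are assumptions constructed for the example.

```python
"""Pre-trade risk guards: oracle agreement, book depth and carry checks."""
from dataclasses import dataclass


@dataclass
class Quote:
    price: float   # price reported by one feed
    ts: int        # unix time the quote was published


@dataclass
class GuardConfig:
    max_oracle_dev_bps: float = 50.0   # halt at this divergence; scale size down above half of it
    max_oracle_age_s: int = 10         # older quotes count as stale
    max_slippage_bps: float = 20.0     # per-leg slippage cap
    min_depth: float = 5.0             # base units that must sit inside the slippage band
    min_net_carry_bps: float = 0.0     # annualised funding minus fees must stay above this


def oracle_deviation_bps(primary: Quote, secondary: Quote) -> float:
    return abs(primary.price - secondary.price) / secondary.price * 10_000


def size_multiplier(dev_bps: float, cfg: GuardConfig) -> float:
    """1.0 up to half the divergence limit, then linearly down to 0.0 at the limit."""
    half = cfg.max_oracle_dev_bps / 2
    if dev_bps <= half:
        return 1.0
    if dev_bps >= cfg.max_oracle_dev_bps:
        return 0.0
    return 1.0 - (dev_bps - half) / half


def depth_within_band(levels: list, side: str, ref_price: float, max_slippage_bps: float) -> float:
    """Size available before the fill price moves adversely by more than
    max_slippage_bps from ref_price. levels: [(price, size), ...], best price first."""
    total = 0.0
    for px, sz in levels:
        adverse = px - ref_price if side == "buy" else ref_price - px
        if max(adverse, 0.0) / ref_price * 10_000 > max_slippage_bps:
            break
        total += sz
    return total


def pre_trade_check(order_size: float, side: str, levels: list, primary: Quote,
                    secondary: Quote, funding_apr_bps: float, fee_apr_bps: float,
                    now: int, cfg: GuardConfig = None) -> dict:
    """Decide how much of `order_size` may trade, and whether to flatten instead."""
    cfg = cfg or GuardConfig()
    reasons = []
    if now - primary.ts > cfg.max_oracle_age_s or now - secondary.ts > cfg.max_oracle_age_s:
        reasons.append("oracle_stale")
    dev = oracle_deviation_bps(primary, secondary)
    mult = size_multiplier(dev, cfg)
    if mult == 0.0:
        reasons.append("oracle_divergence")
    ref = (primary.price + secondary.price) / 2
    depth = depth_within_band(levels, side, ref, cfg.max_slippage_bps)
    if depth < cfg.min_depth:
        reasons.append("insufficient_depth")
    if funding_apr_bps - fee_apr_bps < cfg.min_net_carry_bps:
        reasons.append("negative_carry")
    allowed = 0.0 if reasons else min(order_size * mult, depth)
    if "negative_carry" in reasons:
        action = "flatten"       # carry is gone: reduce exposure rather than add to it
    elif allowed == 0.0:
        action = "hold"
    else:
        action = "trade"
    return {"allowed_size": allowed, "deviation_bps": dev, "depth": depth,
            "reasons": reasons, "action": action}


# Constructed sample book (asks, best price first) for the demo; not market data.
SAMPLE_ASKS = [(100.05, 2.0), (100.10, 3.0), (100.20, 4.0), (100.50, 10.0)]

if __name__ == "__main__":
    print(pre_trade_check(12.0, "buy", SAMPLE_ASKS, Quote(100.00, 1000),
                          Quote(100.10, 1000), 800, 200, 1005))
```

With the sample book and feeds ten basis points apart, a 12-unit buy is cut to the 9 units that sit inside the 20 bps band; at 35 bps of divergence the size scales down to roughly 60% before the depth cap applies; at 60 bps the guard holds; and a negative net carry turns the decision into a flatten regardless of the other checks.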


Release Timeline and Artifacts

We publish for each audit cycle:

  • Commit or build hash

  • Full PDF report from the auditor

  • Issue log with severity labels and remediation notes

  • Post-audit diff and retest results

Links to reports and hashes will appear here as each component completes review.


Contact

  • Security: info@kvants.ai

  • Status updates: the #security-updates channel in our community and the audits section of docs.kvants.ai

Kvants is committed to continuous security review, transparent reporting, and conservative risk controls so allocators can verify what runs in production and how it is protected.
