Kimia has been designed for audit readiness from the first commit:

- Pure Rust math in dedicated crates (`perps-math`, `kimia-math`), with property-based tests and boundary cases.
- Single-responsibility programs (no “god contracts”).
- Permissionless keeper paths, no privileged trust assumption beyond oracle liveness.
## Audit status

| Scope | Auditor | Status | Report |
|---|---|---|---|
| kimia-perp | TBA | Scheduled | |
| delta-vault + math | TBA | Scheduled | |
| split-engine | TBA | Scheduled | |
| yield-amm | TBA | Scheduled | |
| intent-router | TBA | Scheduled | |
V1 is a devnet deployment. Mainnet release is gated on completion of
third-party audits and a minimum bug-bounty runtime. Until then, treat all
deployed contracts as unaudited code running on a testnet for
demonstration purposes only.
## Internal reviews

- Math crates ship with unit + property tests covering:
  - Funding rate sign and clamping across mark/oracle regimes.
  - Unrealized PnL for long/short/flip scenarios.
  - Exp/ln/pow_frac precision to 0.05% across the AMM operating range.
  - Liquidation price derivation with varied collateral and margin settings.
- Orderbook matching is stress-tested against full books (32 bids × 32 asks), self-trade-prevention scenarios, and partial fills.
- Oracle validation is audited against:
  - Wrong-owner accounts (must reject).
  - Wrong-feed accounts (must reject).
  - Stale updates (must reject).
  - Negative / zero prices (must reject).
  - Excessive confidence spreads (must reject).
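The five rejection cases above, as an added example that is not Kimia's code: a stand-alone Rust model of the oracle checks, where the `PriceUpdate` struct layout, the placeholder ids and the 60 s / 1% thresholds are assumptions for illustration.

```rust
// Added example, not Kimia's code: a stand-alone model of the five oracle rejection
// checks. Struct layout, constant values and thresholds are illustrative assumptions.
#[derive(Debug, PartialEq)]
pub enum OracleError {
    WrongOwner,
    WrongFeed,
    Stale,
    NonPositivePrice,
    ConfTooWide,
}

/// Constructed placeholder ids (32-byte pubkeys); not the real Pyth receiver id.
pub const PYTH_RECEIVER_PROGRAM_ID: [u8; 32] = [0x11; 32];
pub const EXPECTED_FEED_ID: [u8; 32] = [0x22; 32];
/// Assumed policy: updates older than 60 s or with conf above 1% of price are rejected.
pub const MAX_AGE_SECS: i64 = 60;
pub const MAX_CONF_BPS: u128 = 100;

/// Minimal model of the fields a PriceUpdateV2 account carries.
pub struct PriceUpdate {
    pub owner: [u8; 32],
    pub feed_id: [u8; 32],
    pub publish_time: i64,
    pub price: i64,
    pub conf: u64,
}

/// Applies the checks in trust order: account ownership and feed identity are
/// verified before any field of the payload is believed. Returns the price on success.
pub fn validate_price(u: &PriceUpdate, now: i64) -> Result<i64, OracleError> {
    if u.owner != PYTH_RECEIVER_PROGRAM_ID {
        return Err(OracleError::WrongOwner);
    }
    if u.feed_id != EXPECTED_FEED_ID {
        return Err(OracleError::WrongFeed);
    }
    // Age uses saturating arithmetic so an extreme timestamp cannot overflow the subtraction.
    if now.saturating_sub(u.publish_time) > MAX_AGE_SECS {
        return Err(OracleError::Stale);
    }
    if u.price <= 0 {
        return Err(OracleError::NonPositivePrice);
    }
    // conf / price > MAX_CONF_BPS / 10_000, cross-multiplied in u128 to avoid floats.
    if u128::from(u.conf) * 10_000 > (u.price as u128) * MAX_CONF_BPS {
        return Err(OracleError::ConfTooWide);
    }
    Ok(u.price)
}
```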
## Bug bounty

A public bug bounty program will open on mainnet launch. Tentative structure:

| Severity | Bounty |
|---|---|
| Critical (funds drain, state corruption) | up to $100,000 |
| High (permanent freeze, bypass) | up to $25,000 |
| Medium (DoS, minor state issues) | up to $5,000 |
| Low (best-practice violations) | up to $1,000 |
## Responsible disclosure

If you find a vulnerability:

- Do not exploit, tweet, or publicly document it.
- Email `security@kimia.live` with a reproduction.
- Expect an initial response within 24 hours.
## Security properties we check continuously

- Invariants. `total_long_base - total_short_base = protocol_net_position`; `vault.nav = token_account_balance + (perps_equity)`; `PT_supply = YT_supply = escrowed_shares`.
- Monotonicity. `cumulative_funding_rate_*` are monotonically non-decreasing per period.
- Ownership. Every PDA’s authority is either the program, the user’s authority, or a designated delegate.
- Oracle hygiene. `PriceUpdateV2` owner is always `PYTH_RECEIVER_PROGRAM_ID`.
## Past incidents

None in V1 devnet. This section will be populated transparently if any issue is found post-mainnet.