
Audit and Security Posture

Last updated: May 8, 2026

Every audit, security sprint, and on-chain verification action that has happened on Kerne to date, with hard finding counts and links to the supporting source documents. Where work is incomplete or gaps remain, those are listed here too. For the per-finding live status (open / partial / closed / mitigated) of every named item in the 2026-05-11 and 2026-05-08 audits, see the Findings Tracker. For the live continuous-verification surface (wired thresholds vs. on-chain values, refreshed every 60 seconds), see /risk.

Source verifications: 10 of 12 (on BaseScan and Sourcify)

Latest audit: 201 findings (2026-05-08 adversarial, full triage published)

External audit: TVL-gated (scoped for the deployed core before TVL scales past Genesis)

Bug bounty: Active (see bug bounty program)

Timeline

The full chronological record. Most recent first.

Date / Action / Status

2026-05-08: Internal adversarial audit (10-auditor parallel red team)

Every .sol in src/ (80 contracts) under a 20-30 vector adversarial checklist per cluster: reentrancy, oracle manipulation, share inflation, flash-loan price manipulation, MEV, replay, ERC-4626 invariants, access control, cross-chain bridge attacks, role boundary violations. Identified the root cause of the live degraded WETH vault and catalogued cross-cutting attack patterns (recoverTokens / emergencyWithdraw single-key drains, init front-run on factory clones, spot-DEX or stale Chainlink as oracle, ERC-4626 inflation defense gaps, cross-chain message replay, permissionless deposit/donation as DoS, pause as griefing primitive, single-key admin / threshold = 1).

201 findings: 36 Critical / 51 High / 51 Medium / 37 Low / 26 Info. Full report at docs/security/ADVERSARIAL_AUDIT_2026-05-08.md. KerneStaking lock-bypass (§1.18) patched in source same-day with 7 regression tests; remainder on remediation queue per the audit's §3 triage order.

2026-04-26: KerneToken deployed-source disclosure

Public disclosure that the deployed KERNE contract is the Jan 7 source (100M initial mint, multisig-gated MINTER_ROLE), not the 1B fixed-supply Feb 28 rewrite. Marketing copy reconciled, public commitment on minter discipline published.

Status: Published

2026-04-25: KerneToken source verification

On-chain bytecode reproduced from Jan 7 source, verified on BaseScan, Sourcify, Blockscout.

Status: Complete

2026-04-21: Verification gaps evidence document

Per-contract deploy timestamps, first-diff character positions, resolution paths for the 6 unverified contracts.

Status: Published

2026-04-18: Frontend security audit

kerne.fi and app.kerne.fi: CSP, secret leakage, open-redirect, address registry consistency, geo-block, sanitizer review.

Status: 17 PASS / 5 WARN / 0 FAIL

2026-04-17 to 2026-04-18: Orphan role revocation

All 6 operational roles (PAUSER x2, MANAGER, EXECUTOR, SENTINEL, STRATEGIST) revoked from the legacy EIP-7702-trapped deployer EOA.

Status: Complete on-chain (Safe nonces 6 to 11)

2026-04-17: Security sprint (homoglyph & supply-chain class)

13 commits, full Solidity + Python + deployment surface review. Eliminated address-literal drift, unchecked send paths and over-permissive approvals, and added contract-level hardening (skUSD inflation guard, LayerZero refund, IntentExecutor post-condition).

Status: Complete

2026-04-09: Internal security assessment (Slither + Foundry)

All 12 deployed contracts plus 57+ Kerne-authored sources. Slither v0.11.3 + Foundry tests + role-access review.

Status: Complete (see findings below)

2026-04-06: On-chain admin audit

DEFAULT_ADMIN_ROLE migration verification across 9 AccessControl contracts plus KerneTreasury.owner() and kUSD v2.

Status: Complete (Safe holds admin on all)

Adversarial Audit, May 8, 2026

An internal red team ran a 10-auditor parallel adversarial review of every Solidity file in src/, applying a 20 to 30 vector adversarial checklist per cluster (reentrancy, oracle manipulation, share inflation, flash-loan price manipulation, MEV, replay, ERC-4626 invariants, access control, cross-chain bridge attacks, role boundary violations). The full report is preserved at docs/security/ADVERSARIAL_AUDIT_2026-05-08.md in the public repository.

Result: 201 findings across 80 contracts. 36 Critical, 51 High, 51 Medium, 37 Low, 26 Info. The audit identified the root cause of the live degraded WETH vault (KerneVault bucket-transition asymmetry: sweepToExchange and three sibling functions decrement _trackedOnChainAssets but do not atomically increment offChainAssets, collapsing totalAssets() between strategist updates and triggering the ERC-4626 1-wei-inflation case on the next deposit). It also catalogued cross-chain bridge triple-mint primitives, OFT V1/V2 single-key mint backdoors, withdrawal-queue stale-asset payment, KerneYieldStripper PT/YT pool insolvency, KerneVerificationNode threshold defaults to 1, KernePrime accounting-only ledger, KernePriceOracle slot0 fallback, six contracts with single-key recoverTokens or emergencyWithdraw drains, init front-run on factory clones, attacker-supplied calldata patterns on aggregator harvest paths, DarkPool RFQ permitting self-swap, ZINRouter pocketing surplus over minAmountOut, InsuranceFund socializeLoss with no cap or cooldown, Airdrop emergencyWithdraw draining locked balances, esKERNE vesting math broken on second emission, and the RWA adapter convertToShares round-trip ignoring receipt.

Remediation cadence. The audit's §1.18 KerneStaking lock-bypass was patched in source the same day. Seven regression tests in test/unit/KerneStaking.t.sol demonstrate the exploit is now blocked (forge test reports 25 of 25 staking tests passing, including test_stake_cannotShortenExistingLock_attackBlocked). The remaining findings are queued per the audit's §3 triage order: Phase 1 live-exploitability items first (vault bucket atomicity, KernePrime ledger wiring, IntentExecutor V1 SOLVER_ROLE, OFT mint backdoor, oracle slot0 fallback), then Phase 2 launch-blocking (bridge replay, verification node threshold, yield system insolvency, attestation forgery, adapter clone init, RWA depeg surface), then Phase 3 capital-protective hardening, then Phase 4 code hygiene.

We commit to disclosing the open finding count on this page weekly until it converges to zero, and to engaging a professional external auditing firm before any TVL scaling beyond the Genesis Window phase.

Internal Security Assessment, April 9, 2026

Slither v0.11.3 (Trail of Bits) was run against the entire codebase, producing 692 total findings across all severity levels. Foundry test suite reports 949 of 951 tests passing. Of the 7 high-severity findings, 5 affect contracts that are not deployed on mainnet (KerneDarkPool, KerneMigrationRouter, KerneZINPool) and are flagged for pre-deployment review only. The two high-severity findings on deployed contracts (KerneVault, KerneFlashArbBot) are protected by role-based access control and were assessed as low actual risk after review.

No critical vulnerabilities were identified in deployed production contracts. This represents automated tooling output and internal analysis. It does not constitute a professional third-party security audit, and we are committed to engaging a professional auditing firm before scaling TVL beyond the genesis phase.

Security Sprint, April 17, 2026

Triggered by an internal incident in which 787 USDC was sent to a homoglyph vanity address (the visually similar but distinct address that had been hardcoded as the Hyperliquid bridge in the bot). The sprint produced 13 commits and eradicated five classes of bug across the bot, the Solidity surface, and the deployment scripts.

  • Address-literal drift. The HL bridge fix, plus wstETH and cbETH homoglyphs in solver Python, plus a dead-EOA Aerodrome router constant, plus a wrong Uniswap router constant.
  • Unchecked send paths. Receipt-status guards added on six call sites that had been logging success on tx hash return without verifying on-chain success.
  • Server-supplied safeTxHash trust. Client-side recompute before Trezor signing; the RFQ server zero-byte signature fallback returns HTTP 503 instead of a fake signature.
  • Over-permissive approvals. capital_router infinite approvals replaced with exact-amount approvals to an allowlisted Li.Fi Diamond; Hyperliquid withdrawals gated by an env-driven destination allowlist.
  • Contract-level hardening. skUSD ERC-4626 inflation-attack mitigation via _decimalsOffset = 6, LayerZeroRelay refund routed to msg.sender for AA/EIP-7702 safety, IntentExecutor V1 and V2 typed revert if post-swap balance is insufficient.
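The two ERC-4626 accounting points on this page, the KerneVault bucket-transition asymmetry from the May 8 audit and the skUSD _decimalsOffset = 6 guard from the sprint list above, can be reproduced with a small share-accounting model. The code below is an added example written for this page, not Kerne's contract code: the Vault class, the sweep_* function names and all amounts are constructed, and the conversion formulas are the OpenZeppelin ERC4626 ones (assets * (supply + 10^offset) / (totalAssets + 1) and its inverse). It shows that a sweep which decrements the on-chain bucket without atomically incrementing the off-chain bucket collapses totalAssets() and lets the next depositor mint almost the whole supply, that a decimals offset does not help with that bug (only the atomic transition does), and what the offset does do against first-deposit rounding loss.

```python
"""ERC-4626 accounting model for a vault whose assets live in two buckets: an
on-chain balance the contract tracks itself and an off-chain (exchange) balance
the strategist reports. Constructed example; formulas follow OpenZeppelin ERC4626:
    shares = assets * (supply + 10**offset) // (totalAssets + 1)
    assets = shares * (totalAssets + 1) // (supply + 10**offset)
"""

ONE = 10**18  # 1 ETH in wei


class Vault:
    def __init__(self, decimals_offset=0):
        self.offset = decimals_offset
        self.supply = 0            # total shares
        self.tracked_on_chain = 0  # assets the contract itself accounts for
        self.off_chain = 0         # assets reported by the strategist

    def total_assets(self):
        return self.tracked_on_chain + self.off_chain

    def convert_to_shares(self, assets):
        return assets * (self.supply + 10**self.offset) // (self.total_assets() + 1)

    def convert_to_assets(self, shares):
        return shares * (self.total_assets() + 1) // (self.supply + 10**self.offset)

    def deposit(self, assets):
        shares = self.convert_to_shares(assets)
        self.tracked_on_chain += assets
        self.supply += shares
        return shares

    def sweep_to_exchange_buggy(self, amount):
        # Funds leave the on-chain bucket now; off_chain only catches up at the
        # strategist's next update, so totalAssets() is wrong in between.
        self.tracked_on_chain -= amount

    def sweep_to_exchange_atomic(self, amount):
        # Bucket transition as a single step: totalAssets() is invariant across it.
        before = self.total_assets()
        self.tracked_on_chain -= amount
        self.off_chain += amount
        assert self.total_assets() == before, "bucket transition must preserve totalAssets()"


def share_of_vault_after_sweep(atomic, decimals_offset=0):
    """100 ETH is deposited, all of it is swept to the exchange, then 1 ETH is
    deposited. Returns the fraction of total supply the 1 ETH depositor holds
    afterwards; the fair value is 1/101."""
    v = Vault(decimals_offset)
    v.deposit(100 * ONE)
    sweep = v.sweep_to_exchange_atomic if atomic else v.sweep_to_exchange_buggy
    sweep(100 * ONE)
    minted = v.deposit(ONE)
    return minted / v.supply


def redeemable_fraction_after_donation(decimals_offset):
    """Rounding-loss scenario used to size _decimalsOffset: a 1-wei first
    deposit, then 1 ETH transferred directly to the vault (assets rise, no
    shares minted), then a 1 ETH deposit. Returns what the 1 ETH depositor can
    redeem, as a fraction of 1 ETH."""
    v = Vault(decimals_offset)
    v.deposit(1)
    v.tracked_on_chain += ONE  # direct transfer, bypasses deposit()
    minted = v.deposit(ONE)
    return v.convert_to_assets(minted) / ONE


if __name__ == "__main__":
    print("fair share after atomic sweep :", share_of_vault_after_sweep(atomic=True))
    print("share after buggy sweep       :", share_of_vault_after_sweep(atomic=False))
    print("buggy sweep with offset 6     :", share_of_vault_after_sweep(atomic=False, decimals_offset=6))
    print("redeemable, offset 0          :", redeemable_fraction_after_donation(0))
    print("redeemable, offset 6          :", redeemable_fraction_after_donation(6))
```

The useful regression test is the assert inside sweep_to_exchange_atomic: any function that moves assets between buckets must leave totalAssets() unchanged, which is the property a Foundry invariant test for the real vault would check across sweepToExchange and its sibling functions.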

The 787 USDC is unrecovered and treated as paid tuition. Every other instance of the same bug class was eliminated in the same sprint, plus a pre-commit secret scanner (gitleaks with two Kerne-specific rules) was added to prevent regression.

Frontend Security Audit, April 18, 2026

White-box static analysis plus live HTTP probe of both kerne.fi and app.kerne.fi. Verdict: 17 PASS, 5 WARN, 0 FAIL.

All 17 PASS items: no .env or .git/config exposed in production, HSTS plus subdomains delivered, X-Frame-Options DENY, X-Content-Type-Options nosniff, tight Permissions-Policy, strict Referrer-Policy, full CSP, no eval or innerHTML in the terminal app, only one dangerouslySetInnerHTML site-wide (sanitized, fed by static data), no open-redirect pattern, no client-side secret env exposure, contract addresses match the canonical registry exactly, OFAC sanctions coverage complete, geo-block enforced server-side, JSON.parse of untrusted data try-catch guarded, localStorage holds no sensitive data.

The 5 WARN items are documented accepted trade-offs: Next.js App Router CSP requires unsafe-inline and unsafe-eval for hydration, the marketing sanitizer is regex-based but only fed static repo data, /api/apy and /api/apy/history use Access-Control-Allow-Origin star for cross-site read, /api/stats falls back to public Base RPC if the env var is unset, and Ukraine is blocked at the country level as a Crimea proxy because Vercel does not expose region-level headers.
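The header portion of the audit above (HSTS, X-Frame-Options, nosniff, Referrer-Policy, Permissions-Policy, CSP, CORS) reduces to a small PASS / WARN / FAIL classifier. The following is an added example, not the audit's own tooling and not kerne.fi's actual headers: the response headers in SAMPLE_HEADERS are constructed to resemble the trade-offs described (a strict header set with a CSP that must carry unsafe-inline and unsafe-eval), and the classification rules are the ones a reviewer would apply when reading such headers.

```python
"""PASS / WARN / FAIL classification of security response headers.
Constructed example; header values below are not kerne.fi's real ones."""


def parse_csp(value):
    """Split a Content-Security-Policy string into {directive: [sources]}."""
    out = {}
    for directive in value.split(";"):
        parts = directive.split()
        if parts:
            out[parts[0].lower()] = parts[1:]
    return out


def classify_headers(headers):
    """Return {check_name: (verdict, detail)}. Header names are matched
    case-insensitively. WARN marks a documented trade-off, FAIL a missing or
    weak control."""
    h = {k.lower(): v for k, v in headers.items()}
    results = {}

    hsts = h.get("strict-transport-security", "")
    if not hsts:
        results["hsts"] = ("FAIL", "missing")
    elif "includesubdomains" not in hsts.lower():
        results["hsts"] = ("WARN", "present without includeSubDomains")
    else:
        results["hsts"] = ("PASS", hsts)

    xfo = h.get("x-frame-options", "").upper()
    results["x-frame-options"] = ("PASS", xfo) if xfo in ("DENY", "SAMEORIGIN") else ("FAIL", xfo or "missing")

    nosniff = h.get("x-content-type-options", "").lower()
    results["nosniff"] = ("PASS", nosniff) if nosniff == "nosniff" else ("FAIL", nosniff or "missing")

    for name in ("referrer-policy", "permissions-policy"):
        results[name] = ("PASS", h[name]) if name in h else ("FAIL", "missing")

    csp = h.get("content-security-policy", "")
    if not csp:
        results["csp"] = ("FAIL", "missing")
    else:
        directives = parse_csp(csp)
        # script-src falls back to default-src when absent, as browsers do
        script = directives.get("script-src", directives.get("default-src", []))
        risky = [s for s in ("'unsafe-inline'", "'unsafe-eval'") if s in script]
        if risky:
            results["csp"] = ("WARN", "script-src allows " + ", ".join(risky))
        else:
            results["csp"] = ("PASS", "script-src " + " ".join(script))

    acao = h.get("access-control-allow-origin")
    if acao == "*":
        results["cors"] = ("WARN", "Access-Control-Allow-Origin: * (acceptable only for public read-only data)")
    else:
        results["cors"] = ("PASS", acao or "not set")
    return results


def verdict_counts(results):
    counts = {"PASS": 0, "WARN": 0, "FAIL": 0}
    for verdict, _ in results.values():
        counts[verdict] += 1
    return counts


# Constructed sample: a strict header set whose CSP needs inline/eval for hydration.
SAMPLE_HEADERS = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; "
                               "object-src 'none'; frame-ancestors 'none'",
}

if __name__ == "__main__":
    results = classify_headers(SAMPLE_HEADERS)
    for name, (verdict, detail) in results.items():
        print(f"{verdict:4} {name}: {detail}")
    print(verdict_counts(results))
```

Run against the constructed headers, the CSP line is the only WARN, matching the shape of the accepted trade-off the audit records; a missing header lands as FAIL rather than WARN because absence is not a documented decision.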

Orphan Role Revocation, April 17 to 18, 2026

The original deployer EOA at 0x57D400cED462a01Ed51a5De038F204Df49690A99 was delegated to a drainer contract under EIP-7702 and could no longer sign transactions, but it still held six operational roles across four contracts. All six were revoked through the 2-of-3 Safe at Safe nonces 6 through 11.

  • KerneVault PAUSER_ROLE (nonce 6)
  • KerneToken PAUSER_ROLE (nonce 7)
  • KerneInsuranceFund MANAGER_ROLE (nonce 8)
  • KerneFlashArbBot EXECUTOR_ROLE (nonce 9)
  • KerneFlashArbBot SENTINEL_ROLE (nonce 10)
  • KerneVault STRATEGIST_ROLE (nonce 11; flagged post-sprint and revoked April 18)

Verified on chain at block 44,883,093. The drainer EOA now holds zero AccessControl roles across every Kerne contract.

Source Verification Status

10 of 12 deployed Kerne contracts have their source verified on both BaseScan and Sourcify. The remaining 2 are tracked with documented reasons and resolution paths.

KERNE token, deployed-source disclosure

Verifying the KerneToken contract surfaced a meaningful gap between the deployed source and the previously published documentation. The deployed contract is the January 7 version with a 100,000,000 initial mint and a multisig-gated MINTER_ROLE, not the February 28 rewrite that claimed a 1,000,000,000 cryptographically-fixed supply. We published the gap, the reconciled facts, and a public commitment on minter discipline rather than letting it be discovered without context. Read the full KERNE token disclosure.

Contract / BaseScan / Sourcify / Note

KerneVault
0x8005bc7A86AD904C20fd62788ABED7546c1cF2AC
BaseScan: Verified. Sourcify: Verified.

kUSD v2
0x5C2EfdF0D8D286959b42308966bc2B97f5680AA3
BaseScan: Verified. Sourcify: Verified.

KUSDPSM
0xFf3025ec18e301855aB0f36Ec6ECa115a29A5Fbc
BaseScan: Verified. Sourcify: Verified.

KerneToken
0xfEA3D217F5f2304C8551dc9F5B5169F2c2d87340
BaseScan: Verified. Sourcify: Verified.
Note: Jan 7 source, partial-match metadata; 100M initial supply on chain. See KERNE token disclosure linked above.

KerneYieldOracle
0x8DE2d5ac5aBc7331a6E1d450a5c021db18599CdB
BaseScan: Verified. Sourcify: Verified.

KerneYieldDistributor
0x096e38a04B632D28E017f86836225E0956CaD878
BaseScan: Verified. Sourcify: Verified.

esKERNE
0x29c1d396A35aB75a8Bb8dC3949f98edFa5f25b34
BaseScan: Verified. Sourcify: Verified.

KerneReferral
0x1A04AF62baFc84b08b19d2aF7285eD5f8dAe4D9f
BaseScan: Verified. Sourcify: Verified.

KerneStaking
0x032Af1631671126A689614c0c957De774b45D582
BaseScan: Pending. Sourcify: Pending.
Note: Pre-2026-01-07 git-history reset; reproduction blocked. Documented in evidence doc.

KerneInsuranceFund
0xE8799FCF327C6D2f78103a3c9308C93592A30403
BaseScan: Verified. Sourcify: Verified.
Note: Redeployed 2026-05-16. Sourcify perfect match; BaseScan auto-syncs. Legacy 0x3C93E2…08B9 retired (held 0 WETH). Safe Multisig is sole admin; intentionally NO AUTHORIZED_ROLE on any vault.

KerneFlashArbBot
0x57e73919Efc8a70B40a0bFc562C4DC9e58c4D76F
BaseScan: Pending. Sourcify: Pending.
Note: Source drift; queued for redeploy via RedeployArbSuite.

KerneTreasury
0x7c07517ABcc4BD674CC74B76D2Ab0d95A41560d5
BaseScan: Verified. Sourcify: Verified.
Note: Redeployed 2026-05-16. Sourcify perfect match; BaseScan auto-syncs. Legacy 0x0067F4…2106 retired (held 0 of every token). Safe Multisig is owner; WETH+USDC approved for buyback.

External Audit Posture

External audit engagement is scoped and TVL-gated: it begins for the deployed core (KerneVault, kUSD v2, KUSDPSM, esKERNE, KerneYieldDistributor, KerneYieldOracle) before the protocol scales TVL beyond the Genesis-phase fee tier. The internal adversarial audit above (201 findings disclosed, full triage published) is the current authoritative finding set, and the operating commitment is to disclose the open finding count weekly until it converges to zero.

Target firms include those active in the delta-neutral category (Spearbit, Trail of Bits, Sherlock contests, Code4rena audits). Engagement status will be updated on this page when a contract is signed.

In the interim, the bug bounty program is the primary external verification channel.

Past Incidents

2026-04-17

787 USDC sent to a homoglyph vanity address

During an early Hyperliquid bridge funding action, the bot sent 787.334576 USDC on Arbitrum to a vanity address whose first ten hex characters matched the canonical Hyperliquid bridge but whose remaining characters did not. The funds are sitting in an attacker-controlled EOA and are treated as unrecoverable. No user funds were involved; no kUSD was minted; no Safe action was required to remediate.

The same day, the entire Solidity, Python, and deployment surface was audited for the same bug class. Five classes of issue were eliminated across thirteen commits, plus a pre-commit secret scanner and address-class regression tests were added. The full sprint writeup is summarized above.
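Two of the bug classes the incident exposed, an address literal that matched the canonical one only by prefix and a send path that treated a returned transaction hash as success, come down to two guards on a bot's send path. The code below is an added example written for this page, not Kerne's bot or solver code: the allowlist entry, the look-alike address used in the test, and the FakeNode stand-in for a JSON-RPC node are constructed placeholders, and the receipt shape (status, blockNumber) is the one eth_getTransactionReceipt returns. The destination check accepts only a full-length, case-insensitive match against a named registry entry; the receipt check accepts only status == 1.

```python
"""Send-path guards: allowlisted destination by full equality, and confirmation
by receipt status rather than by transaction hash. Constructed example."""
import re

HEX_ADDRESS = re.compile(r"^0x[0-9a-fA-F]{40}$")

# Env-driven in a real bot (parsed from an environment variable); the value here
# is a placeholder, not Kerne's or any bridge's real address.
DESTINATION_ALLOWLIST = {
    "bridge": "0xAbCdEf0123456789aBcDeF0123456789AbCdEf01",
}


def shared_prefix_len(a, b):
    """Number of leading characters two addresses have in common (case-insensitive)."""
    n = 0
    for x, y in zip(a.lower(), b.lower()):
        if x != y:
            break
        n += 1
    return n


def check_destination(name, candidate):
    """Return (True, canonical_address) or (False, reason). Only an exact
    40-hex-digit match against the named entry passes; how many leading
    characters agree is reported but never counts as a match."""
    canonical = DESTINATION_ALLOWLIST.get(name)
    if canonical is None:
        return False, f"no allowlisted destination named {name!r}"
    if not HEX_ADDRESS.match(candidate):
        return False, f"{candidate!r} is not a 20-byte hex address"
    if candidate.lower() != canonical.lower():
        return False, (f"{candidate} is not the registered {name} "
                       f"(shares {shared_prefix_len(candidate, canonical)} leading chars; equality is required)")
    return True, canonical


def check_receipt(tx_hash, receipt):
    """Return (ok, detail) for a receipt as returned by eth_getTransactionReceipt.
    A hash alone proves only that the node accepted the transaction."""
    if receipt is None:
        return False, f"{tx_hash}: no receipt (dropped or not yet mined)"
    if receipt.get("status") != 1:
        return False, f"{tx_hash}: mined in block {receipt.get('blockNumber')} but reverted (status={receipt.get('status')})"
    return True, f"{tx_hash}: confirmed in block {receipt.get('blockNumber')}"


def send_and_confirm(send_tx, get_receipt, name, to, value):
    """Guarded path: refuse unregistered destinations, then accept only a
    status-1 receipt. send_tx / get_receipt are injected so the logic can be
    exercised against a fake node. Returns (ok, detail)."""
    ok, detail = check_destination(name, to)
    if not ok:
        return False, detail
    tx_hash = send_tx({"to": detail, "value": value})  # detail is the canonical address here
    return check_receipt(tx_hash, get_receipt(tx_hash))


class FakeNode:
    """Constructed stand-in for a JSON-RPC node: every tx gets a hash; the
    receipt status (1, 0, or None for no receipt) is scripted."""
    def __init__(self, status):
        self.status = status
        self.sent = []

    def send_tx(self, tx):
        self.sent.append(tx)
        return "0x" + f"{len(self.sent):064x}"

    def get_receipt(self, tx_hash):
        return None if self.status is None else {"status": self.status, "blockNumber": 100}


if __name__ == "__main__":
    canon = DESTINATION_ALLOWLIST["bridge"]
    lookalike = canon[:10] + "0" * 32  # same first ten characters, different address
    print(check_destination("bridge", lookalike))
    node = FakeNode(status=0)
    print(send_and_confirm(node.send_tx, node.get_receipt, "bridge", canon, 787))
```

The receipt guard is what turns "logged success on tx hash return" into "logged success on a mined, non-reverted transaction"; pairing it with a timeout on the receipt wait (not modelled here) covers the dropped-transaction case the None branch represents.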

Report a vulnerability via the Bug Bounty Program. See the live risk surface on the Transparency page and the canonical exit-trigger rules in the emergency runbook.

Track audit progress

Get audit findings as they close

Subscribers receive a single email each time an audit finding moves from open to closed, with the commit hash that did it. Plus milestone updates: external audit engagement, TVL gates, incident post-mortems. No volume.
