7. Security and Audits

Security is a first-class priority for KTON. The smart-contract suite underwent a comprehensive, independent security review by TonBit in April 2025. This chapter summarises the scope, methodology and findings of that audit.

7.1 Audit Overview

| Item | Detail |
|---|---|
| Auditor | TonBit (contact: @tonbit, [email protected]) |
| Timeline | Thu 3 Apr 2025 – Wed 16 Apr 2025 |
| Platform | The Open Network (TON) |
| Languages | FunC |
| Commits Reviewed | b0352cd, 10786c7, b0a69b5 |
| Techniques | Architecture review, unit testing, manual code inspection |

7.2 Scope of Review

TonBit analysed the core liquid staking contracts, controller logic, governance, pool storage, payout NFT modules and supporting libraries. A total of 25 source files (see Appendix A) were examined, with their SHA-1 hashes recorded to guarantee provenance.

7.3 Issue Statistics

| Severity | Count | Status |
|---|---|---|
| Critical | 0 | |
| Major | 0 | |
| Medium | 2 | Fixed |
| Minor | 0 | |
| Informational | 1 | Fixed |
| Total | 3 | All Fixed |

No critical or major vulnerabilities were discovered. All identified issues were remediated by the KTON team before main-net deployment.

7.4 Key Findings & Resolutions

CON-1 Missing Fee Check in Balance Validation (Medium)

  • Location: contracts/controller.func (lines 479-506)

  • Risk: Potential under-funding of storage balance due to unaccounted gas/forwarding fees.

  • Fix: Added explicit checks to include gas and forwarding fees in balance validation logic.

POO-1 Incorrect Rounding Direction (Medium)

  • Location: contracts/pool.func (lines 410-416)

  • Risk: Slight over-estimation of loanable funds in edge cases.

  • Fix: Implemented conservative rounding that always favours protocol safety.

CON-2 Incorrect Comment (Informational)

  • Location: contracts/controller.func (lines 153-157)

  • Issue: Mismatched comment describing loan principal vs. profit share.

  • Fix: Updated comment to accurately reflect logic.

7.5 Auditor Checklist

TonBit's review covered (but was not limited to) the following vectors:

  • Transaction-ordering & timestamp dependencies

  • Integer overflow / underflow and rounding errors

  • Denial-of-service & logical oversights

  • Access control & role separation

  • Centralisation risks

  • Compliance of business logic with specification

  • Gas efficiency

  • Protection against arbitrary token minting

7.6 Methodology

TonBit employed a blended approach of manual line-by-line review, unit testing and static analysis. Where necessary, code was deployed to TON test-net to emulate real transaction flows. All communications and fixes were tracked collaboratively with the KTON engineering team.

7.7 Conclusion

The TonBit audit concluded that the KTON V2 contract suite is sound and production-ready. With all medium and informational findings resolved, the protocol meets a high security standard appropriate for an institutional-grade liquid staking service.

7.8 Open-Source Transparency

KTON's entire smart-contract stack is 100 % open source under the MIT licence. Anyone can inspect, verify, and contribute to the codebase on GitHub, enabling continuous "crowd-audit" from the wider TON developer community.

7.9 Defence-in-Depth Improvements in V2

| Area | V1 Limitation | V2 Enhancement |
|---|---|---|
| Super-admin Control | Single superuser could unilaterally upgrade contracts. | Multi-sig governance — any upgrade now requires at least two independent approvals (Sudoer + Guardian). |
| System Stability | Any critical bug forced a full protocol halt. | Modular hot-patching allows targeted fixes without stopping deposits/withdrawals. |
| Validator Oversight | Manual monitoring by node operators. | Real-time validator monitoring dashboard built by TONX for automated alerting and slashing risk mitigation. |

These upgrades were additionally cross-audited by two internal security teams ("Team A" & "Team B") to maximise coverage and minimise blind spots.


Last updated: May 2025


Appendix A – Files in Scope (SHA-1)

For transparency, the table below lists the file identifiers (as referenced by TonBit) and their corresponding SHA-1 hashes at the time of review.

| ID | File | SHA-1 Hash |
|---|---|---|
| CCO | elector/config-code.fc | 86b5937b60b948d8aae93095bfba876136759c83 |
| ECO | elector/elector-code.fc | 2b05a7eedcd1d37452028076d7035a2463aacb6d |
| NCU | contracts/network_config_utils.func | 5bbd9279574035906099792bb1a2f6003cfb963a |
| PMH | contracts/pool_mint_helpers.func | 5b4e94143afcbc54348506bdf048ab34ce2fcde8 |
| VER | contracts/versioning.func | b53c2212dda2dfe490acfad0b1c95e38558a325d |
| ASS | contracts/asserts.func | 183d8096a46b11532a49ba388be17ea146c05ddd |
| NCO | contracts/payout_nft/nft-collection.func | e90656be3eb26afdba3799d555a3ee4f4f892a37 |
| TYP | contracts/payout_nft/types.func | b842d47f8664697a9259645bbb50eb91ee0d3d98 |
| MUT | contracts/payout_nft/metadata_utils.func | 63a7a89fd8d860d2fee1b6d277d01555f5ffac78 |
| PAR | contracts/payout_nft/params.func | 0f9f4a2a31d1398374b6a8a2cb841dec265ba7ec |
| OCO | contracts/payout_nft/op-codes.func | 764c3348a51196578cf99c172e39005d47b09d14 |
| MES | contracts/payout_nft/messages.func | a0c095360e5c2ad16b6e5fd2184f9595b68d4ab1 |
| ERR | contracts/payout_nft/errors.func | 3a2a8b71e2b134ca355b393be7e585316cce82fa |
| NIT | contracts/payout_nft/nft-item.func | c9b8fc9c714c8bafca6f5d8adf355c03fa5cff49 |
| TYP1 | contracts/types.func | dd0249b9dcaaab159abea843497d1e6dd9407885 |
| MUT1 | contracts/metadata_utils.func | 9fb25672739d7e2cf6da2cbd578d364a6606da42 |
| PST | contracts/pool_storage.func | 880c2ac81679de5863b9f2bd3c25acff288b03c9 |
| OCO1 | contracts/op-codes.func | f4632bead38e628905c4e82cf9155071bed2ae7d |
| LIB | contracts/librarian.func | 04017e4d2000102de80ad00a866ce6580b40bf34 |
| DPA | contracts/dao_params.func | a38462fc812128e50bf3c786cbd24b6636eb0bd6 |
| MES1 | contracts/messages.func | afc63199ac393dd01be37c9f8c499a3e4ab72de2 |
| ACA | contracts/address_calculations.func | acac2cc54b0f3288d60ad8a794930b17fa9ff1e1 |
| RHE | contracts/roles_helper.func | 6279b3fd604b02a654438e62f68ee2b531032471 |
| ERR1 | contracts/errors.func | 226cdad500ae1abf38f9681160d78a4ebecba294 |
| SRE | contracts/sudoer_requests.func | 3930b608d675da7a7fa087e8c5f1617d82891a55 |
| POO | contracts/pool.func | 9d62e7e11ec3b9fbd8f593190b0bc23d72553b0c |
| CON | contracts/controller.func | 0d332172d816a549ffc2cac800e17f143121acef |

Note: This appendix reproduces TonBit's identifiers for reference; readers need not reproduce the full table in downstream integrations.
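
Section 7.2 and this appendix record one SHA-1 per file; the following is an added example (not KTON's or TonBit's tooling) of checking a local checkout against such a manifest. The page does not state whether the recorded values are plain SHA-1 digests of the file bytes or Git blob IDs, so the sketch tries both; the function names, the script name and the "ID, File, hash" row layout are assumptions.

```python
import hashlib
import re
import sys
from pathlib import Path

HEX40 = re.compile(r"[0-9a-f]{40}")

def plain_sha1(data: bytes) -> str:
    """SHA-1 over the raw file bytes."""
    return hashlib.sha1(data).hexdigest()

def git_blob_sha1(data: bytes) -> str:
    """Git object ID of a blob: SHA-1 over 'blob <len>\\0' + content."""
    return hashlib.sha1(b"blob %d\x00" % len(data) + data).hexdigest()

def parse_manifest(text: str) -> dict:
    """Map file path -> expected hash from 'ID | File | SHA-1' style rows."""
    entries = {}
    for line in text.splitlines():
        tokens = line.replace("|", " ").split()
        # A data row ends in a 40-hex digest; headers and separators do not.
        if len(tokens) >= 2 and HEX40.fullmatch(tokens[-1].lower()):
            entries[tokens[-2]] = tokens[-1].lower()
    return entries

def verify(root, manifest: dict) -> dict:
    """Return path -> 'sha1' | 'git-blob' | 'MISMATCH' | 'MISSING'."""
    root = Path(root).resolve()
    results = {}
    for rel, expected in manifest.items():
        path = (root / rel).resolve()
        # Refuse manifest paths that escape the checkout (e.g. '../x').
        if root not in path.parents or not path.is_file():
            results[rel] = "MISSING"
            continue
        data = path.read_bytes()
        if plain_sha1(data) == expected:
            results[rel] = "sha1"
        elif git_blob_sha1(data) == expected:
            results[rel] = "git-blob"
        else:
            results[rel] = "MISMATCH"
    return results

if __name__ == "__main__":
    # Usage (assumed names): python verify_manifest.py <checkout> <manifest.txt>
    report = verify(sys.argv[1], parse_manifest(Path(sys.argv[2]).read_text()))
    for rel, status in report.items():
        print(f"{status:9} {rel}")
    sys.exit(1 if any(s in ("MISMATCH", "MISSING") for s in report.values()) else 0)
```

A checkout with converted line endings (CRLF) hashes differently from the audited bytes, so run the check against files fetched at the reviewed commits.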
