Audits
Kleidi has undergone rigorous security testing including external audits and formal verification.
Code4rena Audit (October 2024)
The Kleidi protocol was audited by Code4rena from October 15-25, 2024.
Results
- High-severity issues: 0
- Medium-severity issues: 3
- Low/Non-critical issues: 11
- Lines of code audited: 1,393
- Auditors: 27 wardens
Key Findings
The audit found no critical or high-severity vulnerabilities, demonstrating the robustness of the system design.
Medium-Risk Finding - Gas Griefing: The primary concern identified was the potential for attackers to create numerous proposals with different salts if private keys are compromised, forcing victims to spend gas canceling them.
Recommended Mitigation: Implement epochs where advancing to a new epoch upon pause would automatically invalidate previous transactions without requiring individual cancellations.
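A minimal sketch of the epoch idea from the recommended mitigation, added here as an illustration and not taken from Kleidi's code: every name (`EpochTimelock`, `schedule`, `isLive`, and so on) is hypothetical, and access control and execution are omitted.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Illustrative sketch only: all names are hypothetical, not Kleidi's contracts.
/// Access control (who may schedule or pause) and execution are omitted.
contract EpochTimelock {
    uint256 public epoch;              // advanced on every pause
    uint256 public immutable minDelay; // seconds between schedule and readiness

    struct Proposal {
        uint64 readyAt; // earliest execution time; 0 means never scheduled
        uint64 epoch;   // epoch in which the proposal was scheduled
    }
    mapping(bytes32 => Proposal) public proposals;

    constructor(uint256 delay) { minDelay = delay; }

    /// The salt is part of the id, so one call can be scheduled under many ids.
    function hashOperation(address target, uint256 value, bytes calldata data, bytes32 salt)
        public pure returns (bytes32)
    {
        return keccak256(abi.encode(target, value, data, salt));
    }

    function schedule(address target, uint256 value, bytes calldata data, bytes32 salt)
        external returns (bytes32 id)
    {
        id = hashOperation(target, value, data, salt);
        require(!isLive(id), "already scheduled");
        proposals[id] = Proposal(uint64(block.timestamp + minDelay), uint64(epoch));
    }

    /// A single storage write invalidates every pending proposal, however many
    /// salts were used, so nothing has to be cancelled one by one.
    function pause() external {
        epoch += 1;
    }

    /// A proposal counts only if it was scheduled in the current epoch.
    function isLive(bytes32 id) public view returns (bool) {
        Proposal memory p = proposals[id];
        return p.readyAt != 0 && p.epoch == epoch;
    }

    function isReady(bytes32 id) external view returns (bool) {
        return isLive(id) && block.timestamp >= proposals[id].readyAt;
    }
}
```

The cost of clearing the queue is constant regardless of how many proposals were created, and a stale proposal can be scheduled again in the new epoch because `isLive` returns false for it.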
Download Audit Report
Download Kleidi Audit Report (PDF)
Internal Audit Log
Throughout development, the Solidity Labs team conducted continuous internal security reviews.
Key Discoveries
08/26/24: While writing Certora specifications for the pause functionality, discovered that the pause duration could be extended after a pause, which re-paused an already unpaused contract. Fixed in commit f3752cb.
09/17/24: Identified that updateDelay should not extend or delay execution time of live proposals. Confirmed updatePauseDuration cannot re-pause the contract.
09/18/24: Fixed issues in the RecoverySpell contract where a single signer would be added twice, and added a check to prevent zero-address owners.
09/22/24: Fixed signature malleability vulnerability in RecoverySpell by using OpenZeppelin's ecrecover library.
09/23/24: Fixed calldata check logic to prevent duplicate AND checks and overlapping index ranges.
09/24/24: Fixed issue where empty checks could be added, making them impossible to fulfill.
View complete audit log in GitHub →
Formal Verification
Kleidi contracts have been formally verified using Certora, a leading formal verification tool.
Verified Properties
- Timelock delay invariants
- Pause functionality correctness
- Access control restrictions
- Proposal lifecycle management
The formal verification process mathematically proves that the contracts behave according to specification across all possible inputs.
Security Practices
Open Source
All Kleidi contracts are fully open source and available for review:
Continuous Monitoring
The team actively monitors for:
- New security research
- Discovered vulnerabilities in dependencies
- Community-reported issues
Responsible Disclosure
If you discover a security issue, please report it responsibly:
- Do not open a public GitHub issue
- Email the team at [email protected]
- Include details and steps to reproduce
Battle-Tested Components
Kleidi builds on proven, audited infrastructure:
- Gnosis Safe: Secured hundreds of billions of dollars
- OpenZeppelin Contracts: Industry-standard secure implementations
- Established Patterns: Timelock, access control, pausability
Security Best Practices
While Kleidi has been thoroughly audited, users should:
- Understand the system before deploying with significant funds
- Test deployment on testnets first
- Configure appropriate timelock delays for your threat model
- Maintain operational security for all keys
- Monitor your wallet for unexpected activity
Audits reduce risk but do not eliminate it. You are ultimately responsible for the security of your funds.