Amulet – Secure Code Review from Kudelski


Amulet Protocol is due to launch on the mainnet very shortly and we’re delighted to provide the report from Kudelski Security publicly.

This report is part of our ongoing relationship with Kudelski; more information can be found here: https://amulet.org/blog/amulet-protocol-and-kudelski-security-announce-new-strategic-relationship-to-tighten-security-within-web3/

Following our successful AmuNation app campaign and TestNet, this is the next stage of our progress before our protocol is fully live. Amulet is a DeFi cover protocol built on Rust-based ecosystems, starting with Solana. We will provide simple, reliable cover options for everyone in web3, so it was imperative that we make sure our solution is market ready.

This report from Kudelski, the first of several audits, is ready and allows us to feel confident that our code and security are where they should be for launch.


Overview:

Kudelski Security performed a secure code assessment on the Amulet Protocol smart contract system.

The assessment was conducted remotely by the Kudelski Security Team. The source code review took place from 7/14 – 8/11, and focused on the following objectives:

  • To provide the customer with an assessment of their overall security posture and any risks discovered within the environment during the engagement.
  • To provide a professional opinion on the code maturity, adequacy, and efficiency of the security measures in place.
  • To identify potential issues and include improvement recommendations based on the results of our review and tests.

Key Findings:

The issues found in the code were LOW or INFORMATIONAL findings. This shows that the overall risk profile of the application at the time of this assessment is low. The following are the major themes and issues identified during the testing period. These, along with the other items in the findings section, should be prioritized for remediation to reduce the risk they pose.

Safe math was used often, but should be used more consistently throughout the code to prevent potential vulnerabilities from being introduced in future updates.

Insurance policy coverage duration, claim expiration dates and claim payout dates may be affected by a lack of precision when dev Epochs are used in place of UNIX time.
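To illustrate the two findings above (consistent safe math, and the precision lost when policy timing is measured in epochs rather than UNIX time), here is an added Rust example; it is not Amulet's code and does not come from the Kudelski report. It computes policy expiry and premium with Rust's checked_* operations so that an overflow becomes an error instead of a silent wrap, and compares an exact UNIX-seconds expiry with one rounded to whole epochs. The EPOCH_SECS constant, the timestamps and the function names are constructed for the example and are not Solana's real epoch schedule or the protocol's own API.

```rust
// Added example (not Amulet's code): checked arithmetic for policy timing and premiums.
// Assumed units: UNIX seconds for timestamps. EPOCH_SECS is a constructed constant
// standing in for a chain epoch; real epochs are variable-length and far coarser
// than one second, which is exactly why epoch-based timing loses precision.

#[derive(Debug, PartialEq)]
pub enum PolicyError {
    Overflow,
    ZeroDuration,
}

/// Seconds per "epoch" in this toy model (constructed: two days).
pub const EPOCH_SECS: i64 = 172_800;

/// Policy expiry in UNIX seconds. checked_add turns an overflowing duration
/// into an error instead of wrapping to a time in the past.
pub fn expiry_unix(start: i64, duration_secs: i64) -> Result<i64, PolicyError> {
    if duration_secs <= 0 {
        return Err(PolicyError::ZeroDuration);
    }
    start.checked_add(duration_secs).ok_or(PolicyError::Overflow)
}

/// The same expiry measured in whole epochs. Integer division truncates both
/// the start and the duration to epoch boundaries, so the result can drift by
/// up to two epochs from the exact UNIX value.
pub fn expiry_by_epoch(start: i64, duration_secs: i64) -> Result<i64, PolicyError> {
    if duration_secs <= 0 {
        return Err(PolicyError::ZeroDuration);
    }
    let epochs = duration_secs / EPOCH_SECS; // remainder is dropped
    let start_epoch = start / EPOCH_SECS;
    let end_epoch = start_epoch.checked_add(epochs).ok_or(PolicyError::Overflow)?;
    end_epoch.checked_mul(EPOCH_SECS).ok_or(PolicyError::Overflow)
}

/// Premium in the cover token's base units: cover_amount * rate_bps / 10_000.
/// checked_mul guards the multiply; release builds would otherwise wrap silently.
pub fn premium(cover_amount: u64, rate_bps: u64) -> Result<u64, PolicyError> {
    cover_amount
        .checked_mul(rate_bps)
        .and_then(|v| v.checked_div(10_000))
        .ok_or(PolicyError::Overflow)
}

/// Seconds of cover the epoch-based expiry loses (positive) or gains
/// (negative) relative to the exact UNIX computation for the same inputs.
pub fn precision_gap_secs(start: i64, duration_secs: i64) -> Result<i64, PolicyError> {
    let exact = expiry_unix(start, duration_secs)?;
    let coarse = expiry_by_epoch(start, duration_secs)?;
    Ok(exact - coarse)
}

fn main() {
    let start = 1_660_000_000; // constructed UNIX timestamp
    let thirty_one_days = 31 * 86_400;
    println!("exact expiry:  {:?}", expiry_unix(start, thirty_one_days));
    println!("epoch expiry:  {:?}", expiry_by_epoch(start, thirty_one_days));
    println!("gap (seconds): {:?}", precision_gap_secs(start, thirty_one_days));
    println!("overflow:      {:?}", expiry_unix(i64::MAX, 1));
    println!("premium:       {:?}", premium(1_000_000, 250));
    println!("premium ovf:   {:?}", premium(u64::MAX, 2));
}
```

With a 31-day policy the epoch-based expiry lands almost two days short of the exact one, which for a claim window means a claim that is valid by the calendar can already be expired on-chain; the checked arithmetic, meanwhile, fails closed on inputs that would overflow instead of producing a nonsensical date or premium.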

Single administrator accounts have significant capabilities. These functions should be limited by requiring multiple signers to prevent collusion. We have been informed that this is currently occurring off-chain, but it should occur on-chain in the future for transparency.

During the test, the following positive observations were noted regarding the scope of the engagement:

The code is well organized.

Client contacts were very amenable to conducting joint secure code reviews with the Kudelski Security smart contract auditing team.

Anchor framework usage is very consistent and follows the recommended syntax.

Critical issues in architecture or code logic were discussed immediately via teleconference.
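The administrator finding in the Key Findings above recommends gating privileged functions behind multiple signers on-chain. The following Rust example, added here and not taken from Amulet's code or the Kudelski report, shows the shape of such an M-of-N gate: a fixed member set, a threshold, and an authorization check that rejects unknown signers and does not let one key be counted twice. Signer identities are plain strings standing in for public keys, and the member names, threshold and set_paused operation are all constructed for the example.

```rust
// Added example (not Amulet's code): an M-of-N administrator gate of the kind
// the audit recommends moving on-chain. Signers are strings standing in for
// public keys; the member set and threshold are constructed for the example.
use std::collections::HashSet;

#[derive(Debug, PartialEq)]
pub enum AuthError {
    InvalidThreshold,
    Unauthorized,
    DuplicateSigner,
    Threshold { have: usize, need: usize },
}

pub struct AdminSet {
    members: HashSet<String>,
    threshold: usize,
}

impl AdminSet {
    /// The threshold must be at least 1 and no larger than the member count;
    /// otherwise the gate is either always open or impossible to satisfy.
    pub fn new(members: &[&str], threshold: usize) -> Result<Self, AuthError> {
        let members: HashSet<String> = members.iter().map(|m| m.to_string()).collect();
        if threshold == 0 || threshold > members.len() {
            return Err(AuthError::InvalidThreshold);
        }
        Ok(AdminSet { members, threshold })
    }

    /// Approve a privileged action only when at least `threshold` distinct
    /// members signed it. An unknown signer fails the call outright rather
    /// than being ignored, and a key listed twice is counted once.
    pub fn authorize(&self, signers: &[&str]) -> Result<(), AuthError> {
        let mut seen: HashSet<&str> = HashSet::new();
        for s in signers {
            if !self.members.contains(*s) {
                return Err(AuthError::Unauthorized);
            }
            if !seen.insert(*s) {
                return Err(AuthError::DuplicateSigner);
            }
        }
        if seen.len() < self.threshold {
            return Err(AuthError::Threshold { have: seen.len(), need: self.threshold });
        }
        Ok(())
    }
}

/// A privileged operation (pausing payouts, say) wrapped by the gate.
/// Returns the new paused state only if the signer set was sufficient.
pub fn set_paused(admins: &AdminSet, signers: &[&str], paused: bool) -> Result<bool, AuthError> {
    admins.authorize(signers)?;
    Ok(paused)
}

fn main() {
    let admins = AdminSet::new(&["admin_a", "admin_b", "admin_c"], 2).unwrap();
    println!("two admins:      {:?}", set_paused(&admins, &["admin_a", "admin_b"], true));
    println!("one admin:       {:?}", set_paused(&admins, &["admin_a"], true));
    println!("same key twice:  {:?}", set_paused(&admins, &["admin_a", "admin_a"], true));
    println!("unknown signer:  {:?}", set_paused(&admins, &["admin_a", "outsider"], true));
}
```

Rejecting an unknown signer instead of skipping it, and treating a duplicated key as an error rather than a second vote, are the two checks that most often go missing when an off-chain approval process is first moved into a program; both are cheap to enforce and make the gate's behaviour auditable from the transaction alone.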


Full Report

To delve deeper into the technical aspects and further findings, we have made the report public for anyone to download.

Access the report here: https://files.amulet.org/public/AmuletGlobalMTRLabs.pdf

If you have any questions, feel free to contact us on Discord: discord.gg/amuletprotocol
