Audits & Security
Audit Program
Kaskad's smart contracts have been independently audited prior to mainnet launch.
Sherlock
Kaskad partnered with Sherlock for its primary security audit. Sherlock's model provides:
- Contest-based audits — multiple independent security researchers review the codebase simultaneously
- Audit coverage — financial backing for any missed vulnerabilities found post-audit
- Continuous review — ongoing security monitoring as the protocol evolves
Sherlock Audit — Completed
Auditors: hildingr, TessKimy
Audit period: February 16 – March 9, 2026
Final report date: April 30, 2026
Repository: Kaskad-Lending/kaskad-squashed
Final commit: 28307ddb107874a1309d50897b975cde2c3ee41c
Findings Summary
| Severity | Found | Unresolved |
|---|---|---|
| High | 9 | 0 |
| Medium | 8 | 0 |
| Low / Informational | 4 | 0 |
All High and Medium issues were resolved or acknowledged before the final commit. Zero issues remain unaddressed.
Audit Scope
The following contracts were audited:
| Contract | Description |
|---|---|
KaskadRewardsController.sol | Reward distribution and index management |
KaskadActivityTracker.sol | Epoch-based supply/borrow uptime tracking |
EmissionManager.sol | Epoch emission scheduling and distribution |
KaskadGovernor.sol | Bounded governance and voting logic |
KaskadStrategy.sol | Voting weight calculation |
KSKDEmissionVault.sol | Emission vault and pull mechanics |
KSKD.sol | Protocol token |
StKSKDVault.sol | Staking vault and entry time logic |
GrowthPool.sol | Growth pool mechanics |
BasketRevenueSplitter.sol | Revenue distribution |
DaoRevenueSplitter.sol | DAO revenue routing |
Basket4626.sol | ERC-4626 basket utility |
DecisionParams.sol | Governance parameter bounds |
SupplyAdjustment.sol | Supply adjustment logic |
CommunityRoundVesting.sol | Community vesting contracts |
TeamVesting.sol | Team vesting contracts |
EpochConfig.sol | Epoch configuration |
| + 3 interfaces | IEmissionManager, IKaskadActivityTracker, IKaskadStrategy |
Bug Bounty Program
A formal bug bounty program will be launched alongside mainnet deployment, covering:
- Smart contract vulnerabilities (critical, high, medium, low)
- Oracle manipulation vectors
- Cross-chain message integrity issues
- Governance attack surfaces
Details and reward tiers will be published before mainnet launch.
Security Practices
- Multi-sig governance — all protocol upgrades require multi-signature approval
- Timelock delays — parameter changes are subject to time delays for community review
- Circuit breakers — automated halting mechanisms for anomalous market conditions
- Formal verification — planned for critical contract paths (liquidation, oracle)