Blockchain security review

Atato has been contracted by Kulap.io for a smart contract security review. Kulap.io is developing a decentralized digital assets exchange and has applied for a digital asset Broker license under the definitions of The Kingdom of Thailand’s Royal Decree on Digital Assets Business. As part of the broker license attribution by the Securities and Exchange Commission of Thailand, a security assessment of some of the Ethereum smart contracts should be conducted. Kulap.io has contracted atato to conduct the initial security review.

To check the full report please see here:

Review Methodology

Overview

The security review conducted does not replace a full security audit of the overall Kulap.io technology infrastructure. Its scope is limited to the KULAPDex.sol smart contract, and only to some aspects of that contract. Security best practices strongly recommend that Kulap.io conduct a full security audit of the on-chain and off-chain components of their infrastructure, and of the interaction between the two.

Scope

The security review covers the following components of the Kulap.io platform:

– Kulap.io smart contracts, in particular:
  – KULAPDex.sol
  – Commit deab1f6
  – Reference file: https://github.com/kulapio/dex-smart-contract/blob/deab1f6c0d3b66056fb562a57bc031f38356b67d/contracts/KULAPDex.sol

– Imported associated smart contracts, in particular OpenZeppelin smart contracts:
  – openzeppelin-solidity/contracts/utils/ReentrancyGuard.sol
  – openzeppelin-solidity/contracts/math/SafeMath.sol
  – openzeppelin-solidity/contracts/ownership/Ownable.sol
  – Commit 58a3368
  – Reference tree: https://github.com/OpenZeppelin/openzeppelin-contracts/tree/v2.5.0

– Kulap.io helpers and interfaces, in particular:
  – ./helper/ERC20Interface.sol
  – ./interfaces/IKULAPTradingProxy.sol
  – ./interfaces/IKULAPDex.sol
  – Commit deab1f6
  – Reference tree: https://github.com/kulapio/dex-smart-contract/tree/deab1f6c0d3b66056fb562a57bc031f38356b67d/contracts

– Compilation and testing environment, in particular:
  – .mocharc.json
  – .waffle.json
  – package.json
  – Commit deab1f6
  – Reference tree: https://github.com/kulapio/dex-smart-contract/tree/deab1f6c0d3b66056fb562a57bc031f38356b67d/contracts

The security review covers the following:

– Solidity best practices, including:
  – Documentation
  – Linting
  – Compiler warnings
  – Unused code sections
  – TODO comments
  – Test instructions
  – Tests execution
  – Testing dependencies

– Automated analysis, including:
  – Assertions and property checking
  – Byte-code safety
  – Authorization controls
  – Control flow
  – ERC standards compliance
  – Solidity coding best practices

Tools

The following tools and material were used in conducting the review:

– Smart Contract Weakness Classification and Test Cases
– ConsenSys Smart Contract Best Practices
– MythX Professional Edition Subscription
– MythX Python CLI