# Security

Durianfun's smart contracts went through a comprehensive internal audit with both manual review and on-chain simulation. All findings categorized as Critical, High, or Medium were fixed before mainnet deployment.

## Audit result at a glance

| Severity        | Count |           Status          |
| --------------- | :---: | :-----------------------: |
| 🔴 Critical     |   0   |             —             |
| 🟠 High         |   0   |             —             |
| 🟡 Medium       |   5   |      ✅ **All fixed**      |
| 🔵 Low          |   2   | ℹ️ acceptable / by design |
| ⚪ Informational |   3   |          ℹ️ noted         |

## Fixed findings (Medium severity)

### M-1 — Creator DoS at graduation (fixed)

**Risk:** A token creator who deployed from a gas-heavy or misbehaving contract could block their own token's graduation by making the 10 KUB bonus transfer fail, since the failed transfer reverted the whole graduation transaction.

**Fix applied:** The creator reward transfer now uses a 30k-gas-capped `.call()`. If the creator wallet fails to accept the transfer, the reward is redirected to treasury and graduation proceeds normally. An explicit `CreatorRewardFallback` event is emitted so the redirect is visible on-chain.

### M-2 — Owner could raise bonding fee to 10% (fixed)

**Risk:** The original `MAX_FEE_PPM` allowed the factory owner to raise bonding fees to 10%, creating a rug-pull vector.

**Fix applied:** Hard-capped at **2% (`MAX_FEE_PPM = 20,000`)**. Attempting to set higher reverts at the contract level.

### M-3 — Rescue without transparency (fixed)

**Risk:** The `rescueStuckTokens` function allowed the owner to withdraw stuck tokens/KUB without emitting an on-chain event, reducing transparency.

**Fix applied:** Added `StuckTokensRescued` event logging the recipient + amounts. Added zero-address check (owner cannot accidentally rescue to the void).

### MED-1 — Treasury gas griefing (fixed)

**Risk:** If treasury is set to a gas-heavy contract, it could DoS all trades: the sender runs out of gas before the fee transfer completes, so every bonding trade reverts.

**Fix applied:** The `_sendKub` helper now uses a 50k-gas-capped `.call()` on all treasury/creator transfers. That stipend is sufficient for EOAs and standard multisigs such as Gnosis Safe, but insufficient for contracts that deliberately burn gas, which therefore fail without reverting the trade.

### MED-2 — Creator gas griefing on bonding trades (fixed)

**Risk:** Same griefing vector as MED-1 but for creator wallets — a malicious creator could DoS their own token's trading.

**Fix applied:** Same 50k gas cap covers creator fee transfers.
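As an added illustration (not the project's own code), the bounded-gas payout pattern that M-1 and MED-1/MED-2 describe, with the griefable form beside the hardened helper; the 30k/50k caps and the `CreatorRewardFallback` event name come from this page, while the contract shape and function names are assumed:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Illustrative contract, not Durianfun's source: the bounded-gas payout
// pattern described in M-1 and MED-1/MED-2. Gas figures and the event name
// are taken from the page; the rest of the layout is assumed.
contract GasCappedPayout {
    address public immutable treasury;
    uint256 public constant TREASURY_GAS_CAP = 50_000;       // MED-1 / MED-2
    uint256 public constant CREATOR_REWARD_GAS_CAP = 30_000; // M-1

    event CreatorRewardFallback(address indexed creator, uint256 amount);

    constructor(address _treasury) {
        require(_treasury != address(0), "zero treasury");
        treasury = _treasury;
    }

    receive() external payable {}

    // Griefable pattern (the "before"): forwarding all gas and requiring
    // success lets a gas-heavy or reverting recipient revert every trade
    // whose fee is routed to it.
    function _sendKubUnbounded(address to, uint256 amount) internal {
        (bool ok, ) = to.call{value: amount}("");
        require(ok, "fee transfer failed");
    }

    // Hardened helper: a fixed gas stipend is enough for an EOA or a standard
    // multisig receive(), while a gas-burner just fails without reverting
    // the caller. Returns success so the caller decides what to do.
    function _sendKub(address to, uint256 amount, uint256 gasCap) internal returns (bool ok) {
        (ok, ) = to.call{value: amount, gas: gasCap}("");
    }

    // Graduation reward: creator first; on failure redirect to treasury and
    // emit the fallback event so graduation itself can never be blocked.
    // Call this only after the caller's own state updates (checks-effects-
    // interactions), since the creator receives execution, if briefly.
    function _payCreatorReward(address creator, uint256 amount) internal {
        if (_sendKub(creator, amount, CREATOR_REWARD_GAS_CAP)) return;
        emit CreatorRewardFallback(creator, amount);
        // Treasury is trusted and gas-reasonable; a failure here is a
        // deployment misconfiguration and should surface, not be swallowed.
        require(_sendKub(treasury, amount, TREASURY_GAS_CAP), "treasury unreachable");
    }
}
```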

## Remaining Low-severity / by-design

* **Integer rounding drift** — constant product invariant can drift downward by vanishingly small amounts due to integer math. Per-trade drift ≈ 4×10⁻²⁷ — not exploitable.
* **Last-buyer graduation tax** — the buyer whose transaction triggers graduation pays for the AMM deployment gas (~2.5M extra gas). Accepted as inherent to curve→AMM patterns.
* **Stuck tokens at graduation** — price-aligned AMM seeding leaves a small % of supply in the market contract. Rescuable via owner; on-chain event logged.

## What the contracts DON'T have (by design)

* ❌ No proxy / upgrade mechanism
* ❌ No owner mint / burn / pause on individual tokens
* ❌ No blacklist / whitelist
* ❌ No trading tax (only the stated fees)
* ❌ No admin-controllable curve parameters (immutable after deploy)
* ❌ No LP withdrawal paths (AMM is sealed)

## Copyright & IP protection

Smart contract source code is published under **UNLICENSED** (proprietary license, all rights reserved). Contracts are publicly visible on Kubscan because blockchain bytecode is inherently public — this is **not** a license to copy, fork, or redeploy.

Enforcement is under applicable international copyright law and treaties (Berne Convention / WIPO / TRIPS Agreement). Licensing inquiries: <durianandfun@gmail.com>

## External audit

For external validation, the full audit report is available on request to qualified auditors / partners. Contact: <durianandfun@gmail.com>

See also: [Audit Summary](file:///4899262/resources/audit-summary.md)
