KyberSwap Elastic is an automated market maker (AMM) implementation that allows liquidity providers to concentrate liquidity in a certain price range.
The most critical audit subjects are functional correctness, external dependency integration, and protection against adversarial agents. We found some deviations from functional correctness, which were reported. Regarding external dependency integration, we found a minor mismatch with the standard. Lastly, bugs that limited the AntiSniping (aka JIT liquidity provision) protection were reported.
The general audit subjects covered include trustworthiness, documentation, and gas efficiency. Regarding trustworthiness, while pools are not upgradable, certain system parameters, such as whitelisted position managers, can be set only by the privileged ConfigMaster role holder. We found certain parts of the documentation that could be improved so that other projects can better integrate with the Kyber Network protocol. Lastly, minor possible improvements to gas efficiency were reported.
In summary, we find that the codebase at the last version commit in Scope provides a high level of security. It is important to note that security audits are time-boxed and cannot uncover all vulnerabilities. Since the protocol logic is quite sophisticated, techniques such as property-based testing and formal verification can bring valuable additional assurance. They complement but don’t replace other vital measures to secure a project.