KAGURA 神楽

KAGURA is a continuous-time DeFi primitive on Solana. It comprises two on-chain Anchor programs: a tick-attestation registry and a USDC funding vault that compounds yield every block instead of every hour.

contact: hello@kagura.network
v0.1.0 · pre-deployment

audit status

kagura is in pre-deployment. neither program has been formally audited yet. this page is the honest state of security review.

what has been reviewed

  • internal review by the author against the anchor 0.31.1 best-practices guide.
  • 10/10 e2e tests pass: config init, register, invalid tick interval rejection, vault init, treasury top-up, deposit, multi-tick funding accrual, withdraw with yield, pause guard, funding rate ceiling.
  • 7/7 math unit tests cover accrual at varied principal/dt/rate combinations + share math edge cases.
  • overflow checks: all u128 intermediates, all u64 final results checked.
  • pda authority separation: principal_authority and treasury_authority are distinct pdas.
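
The overflow-check bullet above, sketched as an added example (not KAGURA's program code): the linear accrual formula, the parts-per-billion rate scale, the ceiling value and all names are assumptions made for illustration.

```rust
// Added illustration; names, scale and ceiling are assumptions, not KAGURA's code.
use std::convert::TryFrom;

const RATE_SCALE: u128 = 1_000_000_000; // assumed: rate in parts-per-billion per second
const MAX_RATE_PPB: u64 = 1_000; // assumed funding rate ceiling

#[derive(Debug, PartialEq)]
pub enum AccrualError {
    RateAboveCeiling,
    Overflow,
}

/// principal + principal * rate * dt / scale, with every step checked.
pub fn accrue(principal: u64, rate_ppb: u64, dt_secs: u64) -> Result<u64, AccrualError> {
    if rate_ppb > MAX_RATE_PPB {
        return Err(AccrualError::RateAboveCeiling);
    }
    // Two u64 factors always fit in u128; the third can overflow it, so check.
    let interest = (principal as u128)
        .checked_mul(rate_ppb as u128)
        .and_then(|v| v.checked_mul(dt_secs as u128))
        .ok_or(AccrualError::Overflow)?
        / RATE_SCALE;
    let total = (principal as u128)
        .checked_add(interest)
        .ok_or(AccrualError::Overflow)?;
    // Narrowing back to u64 is the "final result" check: fail, never truncate.
    u64::try_from(total).map_err(|_| AccrualError::Overflow)
}

/// Same formula in wrapping u64 arithmetic, kept only as the contrast case.
pub fn accrue_wrapping(principal: u64, rate_ppb: u64, dt_secs: u64) -> u64 {
    let interest = principal.wrapping_mul(rate_ppb).wrapping_mul(dt_secs) / RATE_SCALE as u64;
    principal.wrapping_add(interest)
}

fn main() {
    // Constructed inputs: 1,000 USDC (6 decimals), max rate, one hour.
    println!("{:?}", accrue(1_000_000_000, 1_000, 3_600));
    // 20M USDC over 1e6 seconds: the u64 product wraps, the u128 path does not.
    println!("{:?}", accrue(20_000_000_000_000, 1_000, 1_000_000));
    println!("{}", accrue_wrapping(20_000_000_000_000, 1_000, 1_000_000));
    // Result exceeds u64: the checked path returns an error instead of truncating.
    println!("{:?}", accrue(u64::MAX, 1_000, 1_000_000));
}
```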

what has not been reviewed

  • no third-party audit (ottersec, sec3, neodyme, halborn).
  • no formal verification.
  • no fuzzing campaign.
  • no economic modeling of the synthetic treasury under adversarial deposits.
  • no security bug bounty program.

disclosure timeline

Audit selection and engagement happen after the initial public release. Order:

  1. devnet deploy + 30-day public devnet bake.
  2. internal threat-model write-up (see threat model).
  3. audit engagement (firm tbd, est. 6-10 weeks).
  4. audit report published in the github repo + linked here.
  5. any findings are resolved + a re-review note is published.
  6. mainnet program ids published in /.well-known/kagura.json.

bug reporting

For any vulnerability or unexpected behavior, file an issue on github with the label security, or email security@kagura.network (placeholder). do not disclose publicly until 90 days have passed or the issue is fixed, whichever is sooner.