# Audit & security

Kumbaya runs on contracts that have been audited by independent third parties. This page is the short version of who audited what, and what you do — and don't — control as a user.

## Two protocol layers, both audited

Kumbaya has two protocol layers on top of each other: a DEX that's a fork of Uniswap V3, and the Kumbaya launchpad (whose smart contracts are prefixed `Fire*` — a campfire metaphor that fits the "Kumbaya" name). Each layer has its own audit history.

### 🔥 Kumbaya launchpad — BlockSec

Every launchpad contract — `FireLaunch`, `FireToken`, `FireGraduator`, `FireRegistry`, `FireStream`, `FuelVault` — was reviewed by [BlockSec](https://blocksec.com/), a well-known smart-contract security firm. The audit covered the full launch → graduation → fee-streaming flow, the on-token vesting, and the tip-credit ledger.

**No critical or high findings remain open.**

The full signed report is published in the integrator-kit: [`blocksec_Kumbaya-xyz_Fire_v1.0-signed.pdf`](https://github.com/Kumbaya-xyz/integrator-kit/blob/main/audits/blocksec_Kumbaya-xyz_Fire_v1.0-signed.pdf).

### 💱 DEX — inherits Uniswap V3's audits

Kumbaya's DEX is a fork of Uniswap V3, which has been live since May 2021 and is one of the most battle-tested AMMs in DeFi. The Kumbaya fork is bytecode-equivalent to the upstream Uniswap V3 code (verified by an automated check in our [`integrator-kit`](https://github.com/Kumbaya-xyz/integrator-kit)) — so it inherits every audit Uniswap V3 has had.
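One way to check a bytecode-equivalence claim like the one above, as an added example (not the integrator-kit's own check, whose method this page does not describe): compare runtime bytecode after removing the CBOR metadata trailer that the Solidity compiler appends, because that trailer varies with build inputs even when the executable code is identical. The function names and all byte strings are constructed for illustration.

```python
# Added example. All byte strings are constructed samples, not real contract code.

def split_metadata(code: bytes):
    """Split runtime bytecode into (executable part, solc metadata trailer)."""
    if len(code) < 2:
        return code, b""
    n = int.from_bytes(code[-2:], "big")      # last 2 bytes: length of the CBOR blob
    if n == 0 or n + 2 > len(code):
        return code, b""
    trailer = code[-(n + 2):]
    if not 0xA1 <= trailer[0] <= 0xB7:        # blob must start with a small CBOR map
        return code, b""
    return code[:-(n + 2)], trailer


def first_difference(a: bytes, b: bytes):
    """Offset of the first differing executable byte, or None if equal."""
    xa, xb = split_metadata(a)[0], split_metadata(b)[0]
    for i, (p, q) in enumerate(zip(xa, xb)):
        if p != q:
            return i
    return None if len(xa) == len(xb) else min(len(xa), len(xb))


def equivalent(a: bytes, b: bytes) -> bool:
    return first_difference(a, b) is None


def sample_trailer(fill: int) -> bytes:
    """Constructed trailer: {"ipfs": 34-byte multihash, "solc": 3-byte version}."""
    cbor = (bytes.fromhex("a264") + b"ipfs" + bytes.fromhex("58221220")
            + bytes([fill]) * 32 + bytes.fromhex("64") + b"solc"
            + bytes.fromhex("43000706"))
    return cbor + len(cbor).to_bytes(2, "big")


CORE = bytes.fromhex("6080604052348015600f57600080fd5b50")
PATCHED = CORE[:5] + b"\x35" + CORE[6:]       # one executable byte changed

UPSTREAM = CORE + sample_trailer(0x11)
FORK_SAME = CORE + sample_trailer(0x22)       # same code, different build metadata
FORK_PATCHED = PATCHED + sample_trailer(0x22)

if __name__ == "__main__":
    print(equivalent(UPSTREAM, FORK_SAME))            # metadata-only difference
    print(first_difference(UPSTREAM, FORK_PATCHED))   # offset of the changed byte
```

Contracts that use Solidity `immutable` variables embed constructor-supplied values in their runtime code, so deployed instances created with different constructor arguments differ at those offsets even when built from identical source.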

The two formal V3 audits are public and live in Uniswap's v3-core repo:

* **Trail of Bits** — [v3-core/audits/tob/audit.pdf](https://github.com/Uniswap/v3-core/blob/main/audits/tob/audit.pdf)
* **ABDK Consulting** — [v3-core/audits/abdk/audit.pdf](https://github.com/Uniswap/v3-core/blob/main/audits/abdk/audit.pdf)
* Index: [Uniswap/v3-core/audits](https://github.com/Uniswap/v3-core/tree/main/audits)

Kumbaya's only protocol-level change to V3 is a wider protocol-fee range *at the contract level* (max 50% vs. upstream's 25%) — though in production Kumbaya runs within Uniswap's standard range (see [**Fees**](/liquidity/fees.md)). Pools, positions, the swap engine, and tick math are otherwise unchanged.

## What this means for you

* **Your funds aren't held by Kumbaya.** When you swap, your tokens move directly between you and the pool contract. When you provide liquidity, your position is an NFT in your wallet. When you launch a token, the launchpad doesn't custody it.
* **Kumbaya can't freeze, seize, or redirect your assets.** No admin function exists for that on the protocol contracts.
* **Kumbaya can't reverse trades or refund mistakes.** Transactions are final once confirmed on-chain.
* **Launchpad tokens are safe at the contract level.** Every token launched through the launchpad is a `FireToken` deployed by the audited `FireLaunch` contract — the same bytecode every time. There's no admin who can mint more, blacklist holders, freeze transfers, or take fees. Audit coverage extends to every launch.

## What's not audited

* **Third-party tokens** deployed outside the launchpad (i.e. tokens you import manually by contract address — not launched via `kumbaya.xyz/launchpad/create`). Anyone can deploy an arbitrary ERC-20 with admin powers, transfer hooks, or hidden taxes. The audit doesn't extend to those. The Kumbaya UI flags these with an **Unknown** badge — see [**Swapping tokens → Unknown tokens carry real risk**](/trading/swap.md#-unknown-tokens-carry-real-risk).
* **Off-chain services** (the website, the search service, the indexer). These can have bugs that affect what you see, but they can't move funds — only your wallet can, and only with your signature.

## If you find a security issue

Email **<support@kumbaya.xyz>** with details. Please don't disclose publicly until we've had a chance to fix it.

## Where to next

* [**FAQ**](/help/faq.md)
* [**Connect your wallet**](/getting-started/connect-your-wallet.md) — the non-custodial onboarding flow
* [**Unknown tokens**](/trading/swap.md#-unknown-tokens-carry-real-risk) — the one place where you take on more risk than the protocol-level audits cover

