defirisk.co
rubric v1.7.0

Kamino Lend

Sector lending
TVL
Reviewed May 12, 2026
Factors 184
Categories 13
Risk score 21.6
Deployments Solana · —

01 Risk profile at a glance

1 red · 2 yellow · 9 green
02 Categories & evidence

184 factors · 13 categories
Code & audits · Green · 14 · 25 of 25
RD-F-001 yellow Audit scope mismatch Latest deployed version v1.19.0 (commit 95d694b, April 23 2026) not covered by any publicly accessible audit; most recent audits cover v1.16.0/v1.17.0 (OtterSec) and v1.17.0 (Certora Feb 2025), leaving two incremental versions unaudited.
RD-F-003 yellow Resolved-without-proof findings Certora identified precision loss bug; confirmed fixed via Mul-Div pattern. OtterSec initial audit had 13 findings; individual resolution verification requires PDF parsing not completed.
RD-F-009 yellow Formal verification coverage Certora Prover applied across 7 version-specific engagements (v1.13.0–v1.17.0) focusing on solvency invariants; OSEC also performed formal verification. Coverage % of all declared critical invariants not publicly quantified.
RD-F-016 yellow Divide-before-multiply pattern Certora audit identified a precision loss bug in exchange rate calculations (divide-before-multiply rounding); confirmed patched via Mul-Div pattern. v1.18.0 and v1.19.0 not re-audited for arithmetic paths.
RD-F-024 yellow Code complexity vs audit coverage Code complexity not precisely measured (Rust LOC metrics require tool run); audit coverage density (5 firms, 7+ versions, FV + fuzz) is strong but exact LOC-per-audit-day cannot be computed from public sources.
RD-F-183 yellow Bug bounty scope gap on highest-TVL contracts Immunefi program has 17 assets in scope; program description covers lending but specific klend program address (KLend2g3cP87fffoy8q1mQqGKjrxjC8boSyAYavgmjD) inclusion not independently verified from scope tab.
RD-F-010 gray Static-analyzer high-severity count EVM static analysis tools (Slither, Mythril, Semgrep) not applicable to Rust/Anchor. Solana-equivalent tools (Sec3 X-Ray, Ackee fuzz) were applied but specific finding counts not publicly extractable without PDF parsing.
RD-F-011 n/a SELFDESTRUCT reachable from non-admin path SELFDESTRUCT opcode does not exist in Solana BPF instruction set. Factor is not applicable to non-EVM Rust/Anchor programs.
RD-F-012 n/a delegatecall with user-controlled target EVM delegatecall opcode does not exist in Solana BPF. Anchor uses CPIs with explicit program IDs. Factor N/A.
RD-F-013 n/a Arbitrary call with user-controlled target EVM arbitrary .call(target, data) pattern does not exist in Solana BPF. Anchor CPIs use explicit account constraints. Factor N/A.
RD-F-014 n/a Reentrancy guard on external-calling functions EVM reentrancy via callback does not apply to Solana. Solana runtime prevents recursive CPIs into the same program within a single instruction. Factor N/A for Solana substrate.
RD-F-015 n/a ERC-777/1155/721 hook without reentrancy guard ERC-777/ERC-1155/ERC-721 callback standards are EVM-specific. Solana uses SPL Token (no callback hooks). Factor N/A.
RD-F-019 n/a ecrecover zero-address return unchecked EVM ecrecover is not used in Solana programs. Ed25519 signature verification uses Solana native instructions. Factor N/A.
RD-F-020 n/a EIP-712 domain separator missing chainId EIP-712 is an EVM-specific standard. Solana does not use EIP-712 domain separators or chainId. Factor N/A.
RD-F-021 n/a UUPS _authorizeUpgrade correctly permissioned UUPS is an EVM proxy pattern. Solana uses BPF Loader upgrade authority. Factor N/A.
RD-F-022 n/a Public initialize() without initializer modifier OpenZeppelin initializer modifier is EVM-specific. Anchor programs use account discriminators for init safety. Factor N/A for Solana/Rust substrate.
RD-F-023 n/a Constructor calls _disableInitializers() OZ _disableInitializers() is an EVM proxy anti-reinit pattern. N/A for Solana/Anchor.
RD-F-002 green Audit recency OtterSec v1.16.0/v1.17.0 audit appears to be from March 2026; Certora report dated February 24 2025; both within 365-day recency threshold for the most recent audit covering any deployed klend version.
RD-F-004 green Audit count At least 7 distinct audit entities confirmed for klend: OtterSec, Offside Labs, Certora, Sec3, Ackee Blockchain (fuzz), OSEC (formal verification), RX, Min Value — well above the ≥2 firm green threshold.
RD-F-005 green Audit firm tier OtterSec (Tier-1 Solana) and Certora (Tier-1 FV specialist) both audited klend. Offside Labs and Sec3 are established Tier-2 Solana security firms.
RD-F-006 green Audit-to-deploy gap Per-version audit model — each version has corresponding audit(s) named by version number; audit-to-deploy gap appears within days/weeks per version, well within the 60-day green threshold.
RD-F-007 green Bug bounty presence & max payout Active Immunefi bug bounty program confirmed, max payout $1,500,000 (Critical smart contract), live since October 6 2025.
RD-F-008 green Ignored bounty disclosure No prior exploits at Kamino Lend; no evidence of ignored disclosures. Certora precision loss bug was found through formal audit engagement and patched before any exploitation.
RD-F-017 green Mixed-decimals math without explicit scaling Certora formally verified exchange rate arithmetic through v1.17.0; the precision loss (decimal math) bug was caught and fixed. No public evidence of decimal math issues in v1.18.0/v1.19.0.
RD-F-018 green Signed/unsigned arithmetic confusion No signed/unsigned arithmetic issues disclosed across all audits. Rust type system enforces type safety; strum dependency uses checked_arithmetics branch providing additional protection.
Governance & admin · Red · 51 · 24 of 24
RD-F-028 red Low-threshold multisig vs TVL Exponential.fi (April 2026 archived snapshot) attested: 'Multisig consists of less than 4 signers'. At $1.5B TVL, peer norm is >=5-of-8. <4 signers is critically low threshold relative to TVL. Exact threshold unknown but worst case 2-of-3 or even 1-of-1. NOTE: source page was repurposed in May 2026 to a generic 'YO' risk-engine page; original attestation preserved in Wayback Machine snapshot. Kamino's own docs and governance forum do not publicly disclose admin multisig configuration as of v1.1 closeout.
RD-F-032 red Timelock duration on upgrades No on-chain timelock for BPF program upgrades. Squads multisig executes upgrades immediately upon threshold signers signing. Effective delay = 0 hours.
RD-F-033 red Timelock on sensitive actions All sensitive actions (upgrade, emergency mode toggle, borrow limit changes, oracle config, parameter updates) callable by lending_market_owner or upgrade authority with no timelock. 0 of applicable sensitive action types are timelocked.
RD-F-038 red Proposal execution delay < 24h No governance proposal mechanism. Squads multisig transactions execute immediately upon threshold signatures. Effective proposal-to-execution delay = 0. No delay enforced between decision and execution.
RD-F-040 red Emergency-veto multisig present No veto/cancel mechanism for upgrades. Upgrades execute immediately upon Squads threshold signing. No separate emergency-veto multisig exists to cancel malicious proposals.
RD-F-025 yellow Admin key custody type Upgrade authority is a Squads multisig (A9rQoX1sictAQkyXxaZA8nz674xutHwoqpK2mwLyexCZ). Classified as multisig without timelock. No timelock layer confirmed. Lending market owner is a separate role, address unconfirmed.
RD-F-027 yellow Single admin EOA Upgrade authority is a Squads multisig, not a bare EOA. However signer count is confirmed <4 per Exponential.fi. Not a single EOA but effective centralization risk is high.
RD-F-034 yellow Guardian/pause-keeper distinct from upgrader Documentation describes an emergency_council role separate from lending_market_owner for enabling emergency mode. Whether these are distinct addresses is unconfirmed. Partial separation exists in design.
RD-F-035 yellow Role separation: upgrade ≠ fee ≠ oracle Upgrade authority (Squads multisig) is distinct from lending_market_owner. But oracle config and fee config appear controlled by same lending_market_owner. Two of three roles separated, not all three.
RD-F-041 yellow Rescue/emergencyWithdraw without timelock No EVM-style rescue function. lending_market_owner can immediately toggle emergency mode, modify borrow limits, and change liquidation params without timelock. Not a single-tx fund drain, but powerful emergency config control without delay.
RD-F-026 gray Upgrade multisig signer configuration (M/N) At minimum: (1) upgrade authority = Squads multisig A9rQoX1sictAQkyXxaZA8nz674xutHwoqpK2mwLyexCZ; (2) lending_market_owner (unconfirmed address); (3) emergency_council (unconfirmed address). Full enumeration requires Solana RPC access not available.
RD-F-029 gray Multisig signers co-hosted Signer identities for the Squads multisig are not publicly disclosed. Cannot determine infrastructure independence.
RD-F-030 gray Hot-wallet signer flag Signer addresses for the Squads multisig are not publicly known. Cannot assess hot-wallet behavior.
RD-F-031 gray Signer rotation recency No public record of signer-set changes on the Kamino Squads multisig. Squads emits on-chain events but these are not indexed in available public sources.
RD-F-036 n/a Flash-loanable voting weight No on-chain governance contract for program upgrades. Upgrade authority is Squads multisig, not token-weighted governor. Flash-loan voting attacks require governor contract — inapplicable.
RD-F-037 n/a Quorum achievable via single-entity flash loan No on-chain governor contract. Quorum concept inapplicable to Squads multisig upgrade path.
RD-F-039 n/a delegatecall/call in proposal execution without allowlist No on-chain governance executor contract. delegatecall is an EVM primitive; not applicable to Solana Rust/Anchor program.
RD-F-042 n/a Admin has mint() with unlimited max Kamino Lend lending program does not have a mint function. KMNO governance token is a separate program. No admin-callable unlimited mint in klend scope.
RD-F-044 gray Admin wallet interacts with flagged addresses Squads multisig signer addresses not publicly known. Solscan access blocked (403). Cannot assess flagged-address interactions.
RD-F-045 n/a Constructor args match governance proposal Solana programs do not have EVM-style constructor args. Anchor program initialization is handled via account init constraints. No governance proposal for constructor args applicable.
RD-F-047 gray Governance token concentration (Gini) KMNO token exists on Solana. Gini coefficient not computed (requires Solana on-chain holder analysis). No Snapshot space found. Token distribution data not retrieved.
RD-F-043 green Admin = deployer EOA after 7 days Protocol live since Nov 2023 (~17 months). Squads multisig confirmed as upgrade authority. Deployer EOA is not the current upgrade authority. squads-kamino-cli npm package confirms operational Squads usage.
RD-F-046 green Contract unverified on Etherscan/Sourcify Source code publicly available at github.com/Kamino-Finance/klend (Rust/Anchor). IDL published. Solana does not have Etherscan/Sourcify but the code is open-source and verifiable.
RD-F-167 green Deprecated contract paused but pause reversible by live admin No deprecated Kamino Lend contracts identified that still hold value and are paused by a live admin. has_legacy_v1 flag relates to separate vault product (slug: kamino), not klend lending program.
Oracle & external dependencies · Yellow · 23 · 17 of 17
RD-F-049 yellow Oracle role per asset Pyth primary for major tokens; Switchboard secondary; Chainlink for RWA/xStocks via ChainlinkNAV/X; DEX pool types for kToken collateral. Exact per-reserve assignment not enumerable without on-chain account reads.
RD-F-051 yellow Fallback behavior on oracle failure Fallback available via Scope MostRecentOf composite (selects freshest non-stale source from configured set). Per-asset fallback depends on admin reserve configuration. Single-source Scope feeds have no automatic fallback; freeze_price is manual admin tool.
RD-F-052 yellow Breakage analysis per dependency Scope failure halts all klend price operations. Pyth stale on single-feed reserve halts that reserve. MostRecentOf reserves fall back if secondary within staleness. kToken DEX pool oracle manipulation possible for thin pools.
RD-F-054 yellow TWAP window duration TWAP variants available: 1h (60 min), 8h (480 min), 24h (1440 min), 7d — all above the 30-min exploit threshold. EWMA pricing also referenced. Per-reserve TWAP configuration not individually confirmed.
RD-F-055 yellow Oracle pool depth (USD) Pyth/Chainlink sources: provider-level aggregation across multiple publishers/nodes — not single-pool depth. DEX pool oracle types for kToken: pool depth varies by asset. Major Orca/Raydium SOL/USDC pools: deep. Thin kToken collateral pools: unknown.
RD-F-056 yellow Single-pool oracle (no medianization) MostRecentOf composite uses multiple sources — not single-venue. Single Pyth or Chainlink feed reserves use a single source (though Pyth itself aggregates internally). DEX pool types are single-venue by nature.
RD-F-057 yellow Circuit breaker on price deviation Circuit breaker at Scope level: MostRecentOf enforces max_divergence_bps (source divergence triggers error not price acceptance). Price-band protection for stable assets referenced. Specific bps thresholds not confirmed. freeze_price is manual admin tool, not automatic.
RD-F-058 yellow Max-deviation threshold (bps) MostRecentOf max_divergence_bps confirmed to exist and be validated (1–10,000 bps range enforced in code). Specific configured values per reserve not confirmed without on-chain account reads.
RD-F-062 yellow External keeper/relayer not redundant Pyth uses decentralized publisher set (not single keeper). Switchboard On Demand is pull model. Chainlink Data Streams pull model. Kamino maintains own Switchboard feeds as supplementary. No confirmed single-keeper dependency. Relayer redundancy for Chainlink pull not fully confirmed.
RD-F-180 yellow Immutable oracle address [★ CRITICAL — F180] Oracle address stored in mutable Reserve data account (not BPF binary immutable). Admin can update via lending_market_owner authority using update-reserve-config. Direct Rust struct verification not achieved (GitHub 404). Score yellow pending source confirmation.
RD-F-181 yellow Permissionless-pool lending oracle Kamino Lend V2 allows permissionless creation of lending markets with custom oracle parameters. Scope pre-validation provides some protection. Rhea Finance-class risk (thin permissionless pool oracle) exists but partially mitigated by Scope's validation layer and isolation market design.
RD-F-060 gray Chainlink aggregator min/max bound misconfig N/A — EVM Chainlink aggregator min/max bound pattern does not apply to Solana. Kamino uses Chainlink Data Streams (pull model) via Scope, not EVM AggregatorV3 contracts with minAnswer/maxAnswer circuit breakers.
RD-F-048 green Oracle providers used Three providers: Pyth Network (primary), Switchboard On Demand (secondary), Chainlink Data Streams (integrated April 2025). All mediated via Scope oracle aggregator program (Kamino-Finance/scope).
RD-F-050 green Dependency graph (protocols depended upon) Dependencies: Scope oracle program (Kamino-controlled), Pyth Network, Switchboard, Chainlink Data Streams, Solana SPL Token Program (native), Solana System Program (native). No external AMM/vault dependencies in klend core.
RD-F-053 green Oracle source = spot DEX pool (no TWAP) [★ CRITICAL — NOT TRIGGERED] No raw spot DEX pool primary oracle for core lending assets. Scope aggregates Pyth/Switchboard/Chainlink. DEX pool oracle types (OrcaWhirlpool etc.) used for kToken collateral with TWAP/CappedMostRecentOf mitigants available.
RD-F-059 green Oracle staleness check present Staleness checks confirmed: Pyth adapter enforces 10-minute max staleness; ChainlinkNAV rejects reports older than 1 week (per Certora recommendation); MostRecentOf enforces sources_max_age_s for all configured sources.
RD-F-061 green LP token balanceOf used for pricing kToken pricing derived from on-chain AMM pool state (pool reserves/liquidity math) via Scope DEX oracle types — NOT from balanceOf of LP tokens. Not donation-manipulable via direct transfer.
Economic risk · Yellow · 26 · 13 of 13
RD-F-064 yellow TVL concentration (top-10 wallet share) No on-chain top-10 depositor scan performed (Solana non-EVM). Gov reports flagged single whale $120M SOL deposit and USDC supply concentration risk. Top-10 share unknown.
RD-F-065 yellow Liquidity depth per major asset No 2%/5% slippage depth data retrieved for collateral basket. SOL is deep-liquidity; LSTs and JLP are shallower. Liquidation stress tests show system functioned in -21% SOL drawdown.
RD-F-066 yellow Utilization rate (lending protocols) Overall utilization 65.36% (data cache). SOL market 80–83% (gov reports). High SOL utilization creates liquidation capital scarcity risk in a rapid drawdown. Stablecoin markets ~58%.
RD-F-068 yellow Collateralization under stress No formal curator simulation. Gov stress tests: -10% shock = $0 bad debt, -30% shock = $23–50M bad debt (~2–5% of debt). Real -21% SOL drawdown survived. Estimated net collateralization well above 110% normally.
RD-F-071 yellow Seed-deposit requirement for new market listing Deployment docs require admin-level reserve initialization before borrow-enable. No specific minimum seed deposit amount documented publicly. V2 permissionless market creation reduces barriers. Details not confirmed.
RD-F-072 yellow Market-listing governance threshold V1: admin/governance-gated listing. V2 (2025): permissionless isolated market creation by curators. Any curator can launch with custom parameters — lower threshold than high-approval governance. Borrow caps and curator accountability as controls.
RD-F-073 yellow Oracle-manipulation-proof borrow cap Borrow caps exist per asset (E-mode docs confirm PYUSD cap at $0 for non-SOL/wBTC collateral). Advanced Oracle Risk Engine (EWMA, multi-source) adds manipulation resistance. Specific cap vs. pool-depth calculations not publicly enumerated.
RD-F-069 n/a Algorithmic / under-collateralized stablecoin Kamino Lend is a peer-to-pool lending protocol, not an algorithmic or under-collateralized stablecoin. All collateral is exogenous. Factor does not apply.
RD-F-070 gray Empty cToken-style market (zero supply/borrow) Not a Compound V2 fork. Per taxonomy PD-024, F070 is N/A for non-Compound-fork protocols. klend is original Rust/Anchor on Solana. All active markets have substantial supply. Precision-loss bug (cToken exchange rate) fixed pre-exploitation by Certora (March 2025).
RD-F-074 n/a ERC-4626 virtual-share offset (OZ ≥4.9) Kamino Lend is a Solana native Rust/Anchor program, not an EVM ERC-4626 vault. OpenZeppelin virtual-share offset pattern does not apply to Solana architecture.
RD-F-075 n/a First-depositor / share-inflation guard ERC-4626 / Compound V2 seed-deposit criterion does not apply to Solana native protocol. Certora formally verified solvency invariants post precision-loss fix (March 2025). All active markets have substantial existing supply.
RD-F-063 green TVL (current + 30d trend) TVL $981M (DeFiLlama 2026-04-27); data cache $1.51B same date. 30d change -16.53%. 12-month peak $1.9B. Downtrend since Sep 2025 but well above $100M floor.
RD-F-067 green Historical bad-debt events Zero bad debt since inception across $10B+ in loans. Multiple stress tests (Apr 2025 -21% SOL, Feb 2026 crash) produced zero realized bad debt. DeFiLlama hacks and Rekt DB both empty.
Operational history · Green · 15 · 15 of 15
RD-F-089 red Insurance coverage active No active coverage found on Nexus Mutual, Sherlock, or Unslashed for Kamino Lend. TVL ~$1B–$1.5B. Red per methodology (no active coverage).
RD-F-084 yellow TVL stability (CoV over 90d) 30-day TVL change = -16.53% per data cache. Full 90-day CoV not computed (requires daily time-series pull). Scored yellow conservatively given magnitude of decline.
RD-F-081 gray Post-exploit response score No prior exploits. N/A per methodology: gray = no prior incidents.
RD-F-082 gray Post-mortem published within 30 days No prior exploits. Gray per methodology (N/A when no incidents). Near-miss Certora disclosure was timely but not scoreable here.
RD-F-083 gray Auditor re-engaged after last exploit No prior exploits. Gray per methodology (N/A = no prior incidents to trigger re-audit requirement).
RD-F-085 gray Incident response time (minutes) No prior incidents. Gray per methodology (N/A when no incidents).
RD-F-086 gray Pause activations (trailing 12 months) Solana BPF program — EVM-standard Paused/Unpaused event enumeration not applicable. Emergency pause capability exists per docs but activation history requires Solana-native RPC query. Gray.
RD-F-087 gray Pause > 7 consecutive days Same Solana tooling gap as F086. Cannot enumerate pause duration events without Solana-native RPC. Gray.
RD-F-076 green Protocol age (days) Kamino Lend launched 2023-11-10 (DeFiLlama listedAt = 1699615528). As of 2026-04-27 that is ~504 days live. Meets >=365 day threshold for green.
RD-F-077 green Prior exploit count 0 confirmed exploits against Kamino Lend. Searched hacksdatabase (23 batches), DeFiLlama hacks API (0 results), Rekt leaderboard (Kamino absent), web search 2023-2026.
RD-F-078 green Chronic-exploit flag (≥3 incidents) 0 incidents confirmed. Chronic-exploit threshold (>=3) not reached. Green.
RD-F-079 green Same-root-cause repeat exploit 0 incidents. No same-root-cause repeat possible with zero incidents.
RD-F-080 green Days since last exploit No incidents on record. Methodology: green = >365 days or no incidents. No incidents = green.
RD-F-088 green Re-deployed to new addresses in last year No redeployment to new addresses in last 12 months. klend program upgrades are in-place via BPF loader at stable address KLend2g3cP87fffoy8q1mQqGKjrxjC8boSyAYavgmjD. 41 releases confirm versioned upgrades without address migration.
RD-F-166 green Deprecated contracts still holding value No deprecated Kamino Lend contracts found. has_legacy_v1 cache flag references separate kamino vault product, not a deprecated lending program. klend is active at stable address.
Real-time signals · Green · 4 · 22 of 22
RD-F-098 yellow TVL anomaly — % drop in <1h Signal not firing today but TVL trajectory is declining (-16.5% 30d). Headroom to Tier-A threshold (<70% of 30d baseline in 1h) is reduced. Feb 5-6 2026 event (SOL -18%) produced 55,649 liquidations and $19.36M seized but no bad debt — system handled market stress cleanly.
RD-F-182 yellow Security-Council threshold reduction (RT) Signal not firing today but posture is elevated: Squads multisig threshold is 'less than 4 signers' per Exponential.fi — already below peer-norm. Drift Protocol April 2026 ($285M DPRK exploit) was preceded by exactly this signal class (3/5->2/5 threshold reduction + timelock removal 6 days before exploit). Kamino uses identical Squads multisig architecture. Curator must verify current threshold via on-chain read.
RD-F-090 gray Mixer withdrawal → protocol interaction No confirmed mixer-funded wallet interaction with klend identified from public sources. Requires Chainalysis/TRM Solana cluster feed. Public-proxy OSINT finds no flagged interaction.
RD-F-093 gray Abnormal gas-price willingness from attacker wallet Not applicable in EVM form on Solana. Compute unit priority fee monitoring is the Solana equivalent. Signal not configured for Solana substrate.
RD-F-096 gray New ERC-20 approval to unverified contract from whale Not applicable in EVM ERC-20 form on Solana. SPL Token delegate authority is the Solana equivalent. Signal not configured for Solana substrate.
RD-F-103 n/a Bridge signer-set change proposed/executed Not applicable. Kamino Lend is Solana-only with no bridge surface, no LayerZero OFT, no cross-chain messaging.
RD-F-106 n/a Cross-chain bridge unverified mint pattern Not applicable. No bridge surface. Solana-only protocol.
RD-F-107 gray Admin EOA signing from new geography/device Gray — off-chain signing telemetry requires team opt-in. Admin is Squads multisig not single EOA. Signal practically always gray for team-opt-in dependent monitoring.
RD-F-110 gray Unusual pending/executed proposal ratio Gray — no EVM on-chain governor contract. Kamino governance runs via KMNO signaling + Squads multisig. Ratio anomaly not computable without Squads API integration.
RD-F-091 green Partial-drain test transactions Signal not firing. No partial-drain test transaction pattern detected. Protocol has zero prior exploits so no baseline drain pattern exists to anchor a template.
RD-F-092 green Unusual mempool pattern from deployer wallet Signal not firing. Deployer wallet unknown; upgrade authority is Squads multisig. Last upgrade v1.19.0 on 2026-04-23 corresponds to documented release. No unusual mempool pattern.
RD-F-094 green New contract with similar bytecode to exploit template Signal not firing. No newly deployed Solana program with bytecode similarity to a known Kamino-class exploit template identified. Zero prior exploits means no protocol-specific exploit template exists.
RD-F-095 green Known-exploit function-selector replay Signal not firing. No known Kamino-class exploit replay template exists. Solana uses Anchor instruction discriminators (8-byte) not 4-byte EVM selectors. Zero prior exploits.
RD-F-097 green Sybil surge of identical-pattern transactions Signal not firing. No sybil surge of identical-pattern transactions targeting klend identified in available data.
RD-F-099 green Oracle price deviation >X% from secondary Signal not firing. Kamino uses Pyth + Switchboard + Chainlink Data Streams with EWMA cross-validation. No primary-secondary price divergence reported.
RD-F-100 green Flash loan >$10M targeting protocol tokens Signal not firing. Solana lacks EVM-style flash loans. Kamino Multiply uses leverage loops not flash loans. Flash-loan-based oracle manipulation is structurally less accessible on Solana.
RD-F-101 green Large governance proposal queued Signal not firing. Kamino Forum (gov.kamino.finance) is active. No flagged-pattern proposals queued. Governance is KMNO signaling + Squads operational execution; no EVM GovernorAlpha/Bravo contract exists.
RD-F-102 green Admin/upgrade transaction in mempool Signal not firing. Last upgrade v1.19.0 on 2026-04-23 matches documented release. Upgrade authority is Squads multisig. No unannounced admin/upgrade transaction detected.
RD-F-104 green Stablecoin depeg >2% on shared-LP venue Signal not firing. No stablecoin depeg >2% detected as of 2026-04-27. Kamino accepts USDC/USDT as collateral. SOL/JLP correlation is greater systemic risk than stablecoin depeg.
RD-F-105 green DNS/CDN/frontend hash drift Signal not firing. No unannounced DNS change or frontend hash drift detected for kamino.com. Curator must establish baseline JS bundle hash before production alerting.
RD-F-108 green GitHub force-push to sensitive branch Signal not firing. GitHub repo shows 0 security advisories. Last commit 2026-04-23 corresponds to v1.19.0 documented release. No unauthorized push detected.
RD-F-109 green Social-media impersonation scam spike Signal not firing. No coordinated scam impersonation campaign detected targeting Kamino on social media. Normal background noise level.
Dev identity & insider risk · Green · 7 · 16 of 16
RD-F-116 yellow Contributor tenure at admin-permissioned PR GitHub org has no public members. Cannot confirm PR author tenure for most recent admin-permissioned change. 41 releases over 17 months suggests established team cadence (likely ≥180 days tenure for core committers), but this cannot be verified without GitHub API access to PR authors. Scored yellow per scoring discipline (default yellow on insufficient evidence).
RD-F-119 yellow Commit timezone consistent with stated geography Team publicly based in Israel (Asaf Meir, Tel Aviv-Yafo per LinkedIn) and UK (Marius Ciubotariu, London per LinkedIn). No anomalous timezone pattern flagged. Commit-hour histogram not programmatically generated (no Bash/API tool available). Scored yellow (cautious) per scoring discipline — stated geographies are Western-friendly and consistent, reducing DPRK TZ anomaly risk.
RD-F-123 yellow Sudden admin-rescue/ACL change without discussion v1.13.1 (Feb 9, 2024) introduced Emergency council ACL role and removed 'update entire reserve config' handler — material ACL changes. Covered by 3 audit firms (OtterSec, Certora, Offside). No pre-change governance forum discussion found (gov.kamino.finance appears to post-date this release). Emergency council membership remains undisclosed. v1.18.0 (Apr 2024) adds 'reserve emergency mode' — also audited. No silent unannounced admin rescue events found in last 180 days. Scored yellow: change disclosed and audited, but pre-change forum discussion absent and council composition opaque.
RD-F-117 n/a ENS/NameStone identity bound to deployer ENS/NameStone is Ethereum-specific. Kamino Lend is Solana-only. No EVM deployments exist. Factor is structurally inapplicable for Solana-native protocols.
RD-F-111 green Team doxx status 4+ core team members are real-name doxxed: Marius Ciubotariu (LinkedIn, podcast, Bloomberg prior employer), Asaf Meir (LinkedIn, Twitter @asafmeir, ConsenSys/Orbs prior), Tal Zelig (Bancor/Orbs), Roy Keyes (Hubble Protocol/Orbs). Meets ≥2 real-name with verifiable prior professional history threshold.
RD-F-112 green Team public accountability surface ≥3 verifiable public trails per core team member. Marius Ciubotariu: LinkedIn (employment history), Blockworks podcast (Dec 2023), Breakpoint 2021 video, Bloomberg LP prior employer, GitHub @y2kappa. Asaf Meir: LinkedIn, Twitter @asafmeir, ConsenSys/Orbs prior, The Org profile. Others: named across multiple independent news articles with named prior employers.
RD-F-113 green Team other-protocol involvement history All confirmed team members have clean prior protocol history. Hubble Protocol (Marius, Roy) — live Solana DeFi, not rugged. Orbs (Asaf, Tal, Roy) — live infrastructure protocol. Bancor (Tal) — established DEX. ConsenSys (Asaf) — major Ethereum developer org. No rug-pull or exit-scam history found for any team member across multiple independent sources.
RD-F-114 green Deployer address prior on-chain history Solana-native program; no EVM deployer EOA wallet. Upgrade authority is Squads multisig (A9rQoX1sictAQkyXxaZA8nz674xutHwoqpK2mwLyexCZ). 41 releases over 17 months indicating normal dev cadence. No rug-deployer cluster label found. Institutional investor backing (Multicoin, Jump Capital) corroborates clean provenance.
RD-F-115 green Prior rug/exit-scam affiliation No rug or exit-scam affiliation found for any team member. All prior protocols (Hubble, Orbs, Bancor, ConsenSys) are verifiable non-rugged protocols. Rug-deployer database check: no Kamino team member appears. Rekt.news incidents: zero for Kamino Finance. Data cache rekt.incidents: empty array.
RD-F-118 green Handle reuse across failed/rugged projects No handle reuse across failed/rugged projects detected. @y2kappa (Marius Ciubotariu) has consistent Kamino/Hubble identity. @asafmeir (Asaf Meir) has consistent ConsenSys/Orbs/Kamino identity. OSINT search yields no prior-rug associations for known team handles.
RD-F-120 green Video-off/voice-consistency flag Marius Ciubotariu and Mark Hull appeared on-camera in the Blockworks Lightspeed podcast (Dec 2023) and SolanaCompass video. Asaf Meir has a photo-backed LinkedIn profile. Multiple on-camera public appearances confirmed for ≥2 core founders. No video-declined or voice-consistency concern flagged.
RD-F-121 green Contributor OSINT depth score Marius Ciubotariu: OSINT depth score 5 (LinkedIn full history, Bloomberg prior, podcast/conference, GitHub @y2kappa). Asaf Meir: score 4 (LinkedIn, Twitter, ConsenSys/Orbs, The Org). Tal Zelig, Roy Keyes: score 3 each (named, prior employers stated, multiple news corroboration). Average ~3.75, meets green threshold (≥4 average across lead founders).
RD-F-122 green Contributor paid to DPRK-cluster wallet No contributor wallet payment traced to DPRK/Lazarus cluster found. Multisig treasury (Squads) controls outflows. No Chainalysis or TRM public report links Kamino Finance contributor payments to DPRK cluster. April 2026 DPRK attack was on Drift Protocol, not Kamino; hacksdatabase entry cites Kamino positively. OFAC SDN: no Kamino match.
RD-F-124 green Deployer wallet mixer-funded within 30 days Solana-native program: no EVM-style deployer EOA wallet. Program upgrade authority is Squads multisig (A9rQoX1sictAQkyXxaZA8nz674xutHwoqpK2mwLyexCZ). No Tornado Cash or Railgun interaction attributable. Institutional investor funding trail is clean (Multicoin-led $5M round + Jump Capital + others). No mixer-equivalent interaction found on Solana for the upgrade authority.
RD-F-125 green Deployer linked within 3 hops to DPRK/Lazarus No DPRK/Lazarus linkage found for Kamino Finance. Web search for Kamino + DPRK/Lazarus: zero results. April 2026 Solana DPRK attack (UNC4736/TraderTraitor) targeted Drift Protocol specifically — hacksdatabase entry cites Kamino as a positive security comparator. No Chainalysis, TRM, US Treasury, or OFAC SDN attribution to Kamino. ESCALATION NOT REQUIRED.
RD-F-184 green Real-capital social-engineering persona No curator-flagged social-engineering persona with ≥$1M real-capital deposits found for Kamino Finance. Protocol is cited as a positive comparator in the Drift DPRK attack (attackers targeted Drift, not Kamino). No OSINT flag of suspicious external contributor with large deposits. Institutional investor base and established doxxed team reduce implantation plausibility.
Fork / dependency lineage Green 8 10 of 10
RD-F-133 yellow Dependency manifest uses unpinned versions Anchor/SPL/core libs pinned exactly or via patch-range (~); three custom git dependencies (scope, sbod-itf, strum fork) have no semver pinning — only branch/git references.
RD-F-127 n/a Upstream patch not merged No upstream fork identified. Factor does not apply — there is no upstream codebase whose patches could be missed.
RD-F-128 n/a Upstream vulnerability disclosure (last 90d) No upstream fork. No upstream vulnerability disclosures applicable. Factor N/A.
RD-F-129 n/a Code divergence from upstream (%) No upstream to compute divergence from. Factor N/A for original protocol.
RD-F-130 n/a Fork depth (generations from original audit) Not a fork. Fork depth = 0 generations removed from any derived upstream. The protocol is an original codebase.
RD-F-131 n/a Fork retains upstream audit coverage Not a fork. Klend has independent audit coverage as an original protocol. No upstream audit to inherit from.
RD-F-132 n/a Fork has different economic parameters than upstream Not a fork. No upstream audited-default parameters to compare against. Factor N/A.
RD-F-126 green Is-a-fork-of Not a fork. Original Rust/Anchor implementation. OtterSec noted functional similarity to Solend/SPL Lending but no code fork. Repo is entirely Rust, not derived from any EVM Solidity codebase.
RD-F-134 green Dependency had malicious-release incident (last 90d) No known malicious-release advisory affecting Anchor 0.29.0, SPL token 3.5.0, or Solana core ~1.17.18 in the trailing 90 days. Git dependencies are Kamino-controlled, not public registry packages.
RD-F-135 green Shared-library version with known-vuln status No known high/critical CVEs or GHSA advisories for Anchor 0.29.0, SPL token 3.5.0, Solana ~1.17.18, pyth-solana-receiver-sdk 0.3.1, or fixed 1.23.1.
Post-deploy hygiene & change mgmt Green 19 13 of 13
RD-F-137 yellow Upgrade frequency (per 90 days) 5 upgrades in trailing 90 days: v1.15.0 (Mar 13), v1.16.0 (Mar 23), v1.17.0 (Mar 31), v1.18.0 (Apr 13), v1.19.0 (Apr 23, 2026). Yellow threshold is 3-5 upgrades in 90d.
RD-F-138 yellow Hot-patch deploys without timelock (last 30 days) v1.18.0 (Apr 13) and v1.19.0 (Apr 23) occurred in last 30 days, both without timelock (none exists). Neither described as emergency hot-patch; both claim audit coverage. No timelock path exists for any upgrade.
RD-F-139 yellow Post-audit code changes without re-audit Audit PDFs confirmed through v1.17.0 (OtterSec + Certora). v1.18.0 and v1.19.0 release notes assert 'Audited by OtterSec, Certora' but no corresponding PDFs visible in audits repo commits as of 2026-04-27. Cannot confirm or deny coverage.
RD-F-145 yellow Deployed bytecode reproducibility Source code public at github.com/Kamino-Finance/klend. Anchor/Rust build framework documented. No curator attestation of successful bytecode reproduction from declared toolchain.
RD-F-136 gray Deployed bytecode matches signed release tag GitHub releases exist (v1.19.0 latest). Solana programs do not have Etherscan-verifiable bytecode. GPG-signed tags not confirmed. Cannot verify bytecode-to-tag match without Solana program dump + local build.
RD-F-142 n/a Storage-layout collision risk across upgrades Solana programs do not use EVM storage layout / OZ upgrades plugin. Anchor programs use typed account structs. Upgrades replace entire program binary. No EVM-style storage collision risk.
RD-F-143 n/a Reinitializable implementation (no _disableInitializers) EVM-only concern. Kamino Lend is a Rust/Anchor Solana program with no proxy/implementation pattern. _disableInitializers() is an OpenZeppelin EVM pattern. N/A.
RD-F-144 n/a CREATE2 factory permits same-address redeploy EVM-only. Solana programs are not deployed via CREATE2. No same-address redeploy vulnerability applicable.
RD-F-168 n/a Stale-approval exposure on deprecated router Solana does not use ERC-20 allowance pattern. No deprecated router contracts identified for klend. SPL Token delegateAmount model differs from ERC-20 allowance. Factor inapplicable.
RD-F-185 n/a Bridge rate-limiter / chain-pause as positive mitigant Kamino Lend has no bridge component. coverage_flags.layerzero_bridge = false. N/A.
RD-F-140 green Fix-merged-but-not-deployed gap No known security fix with a merged PR not reflected in current deployed version. No CVE/advisory with pending undeployed fix identified.
RD-F-141 green Test-mode parameters in deploy No test-mode parameters identified. Deployment docs warn against test-mode in production. Admin is Squads multisig, not deployer EOA.
RD-F-146 green New contract deploys in last 30 days Solana programs upgrade in-place (same program address). v1.18.0 and v1.19.0 are in-place upgrades of KLend2g3cP87fffoy8q1mQqGKjrxjC8boSyAYavgmjD. No new contract deployments to new addresses identified.
Cross-chain & bridge Gray 0 12 of 12
RD-F-147 n/a Protocol has bridge surface Not applicable — Kamino Lend is deployed on Solana. No Ethereum-compatible bridge surface. No bridge validator set, no cross-chain message passing infrastructure. All Cat 10 factors are N/A.
RD-F-148 n/a Bridge validator count (M) Not applicable — Kamino Lend is deployed on Solana. No Ethereum-compatible bridge surface. No bridge validator set, no cross-chain message passing infrastructure. All Cat 10 factors are N/A.
RD-F-149 n/a Bridge validator threshold (k-of-M) Not applicable — Kamino Lend is deployed on Solana. No Ethereum-compatible bridge surface. No bridge validator set, no cross-chain message passing infrastructure. All Cat 10 factors are N/A.
RD-F-150 n/a Bridge validator co-hosting Not applicable — Kamino Lend is deployed on Solana. No Ethereum-compatible bridge surface. No bridge validator set, no cross-chain message passing infrastructure. All Cat 10 factors are N/A.
RD-F-151 n/a Bridge ecrecover checks result ≠ address(0) Not applicable — Kamino Lend is deployed on Solana. No Ethereum-compatible bridge surface. No bridge validator set, no cross-chain message passing infrastructure. All Cat 10 factors are N/A.
RD-F-152 n/a Bridge binds message to srcChainId Not applicable — Kamino Lend is deployed on Solana. No Ethereum-compatible bridge surface. No bridge validator set, no cross-chain message passing infrastructure. All Cat 10 factors are N/A.
RD-F-153 n/a Bridge tracks nonce-consumed mapping Not applicable — Kamino Lend is deployed on Solana. No Ethereum-compatible bridge surface. No bridge validator set, no cross-chain message passing infrastructure. All Cat 10 factors are N/A.
RD-F-154 n/a Default bytes32(0) acceptable as valid root Not applicable — Kamino Lend is deployed on Solana. No Ethereum-compatible bridge surface. No bridge validator set, no cross-chain message passing infrastructure. All Cat 10 factors are N/A.
RD-F-155 n/a Bridge validator-set rotation recency Not applicable — Kamino Lend is deployed on Solana. No Ethereum-compatible bridge surface. No bridge validator set, no cross-chain message passing infrastructure. All Cat 10 factors are N/A.
RD-F-156 n/a Bridge uses same key custody for >30% validators Not applicable — Kamino Lend is deployed on Solana. No Ethereum-compatible bridge surface. No bridge validator set, no cross-chain message passing infrastructure. All Cat 10 factors are N/A.
RD-F-157 n/a Bridge TVL per validator ratio Not applicable — Kamino Lend is deployed on Solana. No Ethereum-compatible bridge surface. No bridge validator set, no cross-chain message passing infrastructure. All Cat 10 factors are N/A.
RD-F-179 n/a LayerZero OFT DVN config (count, threshold, diversity) Not applicable — Kamino Lend is deployed on Solana. No Ethereum-compatible bridge surface. No bridge validator set, no cross-chain message passing infrastructure. All Cat 10 factors are N/A.
Threat intelligence & recon Green 10 8 of 8
RD-F-158 yellow Known-threat-actor cluster has touched protocol No confirmed Lazarus/attacker-cluster wallet interaction with klend identified from public sources. Elevated ambient threat: Drift ($285M) and KelpDAO ($292M) both DPRK-attributed in April 2026. Kamino is highest-TVL Solana lending protocol — a logical high-value target.
RD-F-163 yellow Avg attacker reconnaissance time for peer-class protocols Peer-class evidence: Drift Protocol 6-month DPRK social engineering before April 2026 exploit; USPD pattern averages ~78 days. Kamino as largest Solana lending protocol is a plausible high-value DPRK target. No Kamino-specific reconnaissance evidence identified.
RD-F-159 gray Attacker wallet pre-strike probe (low-gas failing txs) Gray — no Solana validator log access or CTI-feed transaction pattern monitoring available. Public proxy: no reports of unusual failing tx pattern on klend in OSINT.
RD-F-160 green GitHub malicious-dependency incident touching protocol deps Signal not firing. GitHub shows 0 security advisories for klend. No GitHub security advisory flagging a malicious release in Kamino's Rust/Anchor dependency tree identified.
RD-F-161 green Protocol-impersonator domain registered (typosquat) Signal not firing. No typosquat of kamino.com or kamino.finance detected via public OSINT. No recently registered impersonator domain identified.
RD-F-162 green Known-exploit-template selector deployed by any address Signal not firing. No known-exploit-template selector/discriminator deployed against Kamino. Zero prior exploits means no protocol-specific template exists.
RD-F-164 green Leaked credential on paste/sentry site Signal not firing. No public paste-site or Sentry/credential dump referencing kamino.finance infra identified. GitHub repo shows 0 security advisories. Immunefi bounty active.
RD-F-165 green Protocol social channel has scam-coordinator flag Signal not firing. No Kamino Discord/Telegram admin flagged on public scam-coordinator watchlist. Twitter @kamino_finance active with no flagged admin.
Tooling / compiler / AI Green 0 5 of 5
RD-F-171 n/a Bytecode similarity to audited upstream with behavior deviation No audited upstream to compare against (original protocol). AI-copy-from-upstream bytecode deviation pattern does not apply. Factor N/A.
RD-F-170 green Solc version used (known-bug versions flagged) No Solidity compiler used (Rust/Anchor codebase). Rust stable toolchain with Anchor 0.29.0 has no known critical bugs. Data cache confirms solidity_version = null.
RD-F-172 green Repo shows AI-tool co-authorship in critical files Commit history shows no AI co-authorship markers. Two multi-author commits use human-human author pairs. No Copilot, ChatGPT, or equivalent AI-tool co-authored-by trailers found.
RD-F-173 green Team self-disclosure of AI-generated Solidity No public disclosure by Kamino Finance team of AI-generated code in production security-critical paths. Security docs, deployment docs, and GitHub make no mention of AI code generation.
RD-F-174 green Dependency tree uses EOL Solidity version No Solidity in the dependency tree. Rust/Anchor with Anchor 0.29.0 and Solana ~1.17.18 are supported, non-EOL versions. No EOL compiler or language version in use.
Response & disclosure hygiene Green 8 4 of 4
RD-F-176 yellow Disclosure SLA public No Kamino-specific acknowledgment-time SLA (e.g., 72h ack) found in Immunefi program or Kamino docs. Immunefi platform defaults apply but are not Kamino-specific commitments. Yellow.
RD-F-175 green Disclosure channel exists Immunefi program live since October 6, 2025 with KLend in scope. security@kamino.finance confirmed. Active monitored channel.
RD-F-177 green Prior known-ignored disclosure No prior incidents; no evidence of ignored disclosure. Certora precision-loss finding was actioned before any exploitation. Green.
RD-F-178 green CVE/GHSA advisory issued against protocol No CVE or GHSA advisory found against Kamino Lend or the klend GitHub repository. All known findings disclosed via coordinated audit report, not formal CVE process.
rubric_version v1.7.0 graded_at 2026-05-12 04:38:07 factors 184 protocol kamino-lend