Security

Security is foundational to CK Finance. Every design decision prioritizes user fund safety.

Core Principles

Principle	Implementation
Non-Custodial	CK App never holds private keys or user funds. All transactions are signed locally in your wallet.
No Backend	Swap and bridge operations are executed client-side via LI.FI SDK. No CK server touches your funds.
Open Source	All CK App code is publicly available for review.
Battle-Tested Dependencies	Built on OpenZeppelin contracts, LI.FI protocol, and wagmi — all widely audited.

Smart Contract Security

CK Token (ERC-20)

Property	Detail
Base	OpenZeppelin v5 ERC20 + ERC20Burnable + ERC20Permit
Supply	Fixed 21,000,000 — no mint function exists
Admin	Owner can only transfer initial allocation, no privileged mint/pause
Permit	EIP-2612 for gasless approvals

CK Presale

Property	Detail
Base	OpenZeppelin v5 ReentrancyGuard + Pausable + SafeERC20
Reentrancy	All buy/claim functions protected by ReentrancyGuard
Pause	Owner can pause in emergencies, cannot access user funds
Token Safety	Uses SafeERC20 for all token transfers
Claim	Tokens locked until owner enables claim (TGE)

Underlying Protocols

CK App routes all swaps and bridges through established protocols via LI.FI:

Protocol	Auditors
LI.FI Diamond	Multiple audits, active bug bounty
Uniswap	Trail of Bits, ABDK Consulting
Aave	Certora, SigmaPrime, Trail of Bits
Curve	Trail of Bits
Stargate	Quantstamp, Zellic
Lido	Multiple independent audits

Architecture Security

Frontend

No private key storage — Keys never leave your wallet
No server communication for transactions — Direct blockchain interaction
Content Security Policy — XSS protection headers
Subresource Integrity — Verifying loaded scripts
HTTPS only — All communication encrypted via TLS

Infrastructure

Vercel deployment — DDoS protection, edge caching, automatic HTTPS
No database — No user data to breach
Environment variables — Secrets never exposed to client
Dependency scanning — Regular npm audit for vulnerable packages

Audit Status

Component	Status	Details
CK Token Contract	Internal review complete	OpenZeppelin standard, minimal custom code
CK Presale Contract	Internal review complete	Tested with Foundry (15/15 tests passing)
Frontend	Continuous	Automated dependency scanning
Formal Audit	Planned	Before mainnet presale launch

We recommend an independent formal audit before any mainnet deployment involving user funds. CK Finance is committed to completing this before the presale goes live on mainnet.

Bug Bounty Program

CK Finance maintains a responsible disclosure program:

Severity	Reward	Examples
Critical	Up to $10,000	Fund theft, unauthorized minting, contract takeover
High	Up to $5,000	Token approval exploits, presale logic bypass
Medium	Up to $2,000	Frontend manipulation, incorrect pricing display
Low	Up to $500	UI bugs, non-critical information disclosure

Rules

Report vulnerabilities privately before public disclosure
Do not exploit vulnerabilities on mainnet
Provide clear reproduction steps
Allow reasonable time for remediation
Contact: security@ck.finance

Best Practices for Users

Wallet Safety

Use a hardware wallet (Ledger, Trezor) for large holdings
Never share your recovery phrase or private keys with anyone
Create a separate wallet for testing/small transactions

Transaction Safety

Always verify you're on ck.app (check the URL)
Review transaction details in your wallet before confirming
Start with small amounts when using a new feature
Check gas estimates — unusually high gas may indicate a problem

Phishing Prevention

CK Finance will never DM you asking for funds or keys
Official domains: ck.app, ck.finance, docs.ck.app
Verify smart contract addresses on the official documentation
Be cautious of fake tokens with similar names

General

Keep your browser and wallet extensions updated
Use a dedicated browser profile for DeFi
Enable 2FA on accounts linked to your crypto activities

Security

On this page