Audit Remediation SOW
Applying the Hacken Dual Defence findings against the KiiChain main branch — reviewed, prioritized, and delivered PR-by-PR.
Prepared by Utkarsh Varma, Webisoft Technologie Inc. — for Jhelison Uchoa, KiiChain.
The Opportunity
KiiChain has completed a Hacken Dual Defence audit — ten findings, stack-ranked by priority, ready to be applied against the KiiChain main branch. Five are HIGH severity, including a chain-halt panic and a native-supply inflation bug — so the clock matters.
You asked for a quote. Based on the Hacken Dual Defence findings and the priority ordering you provided, we are proposing a fixed price of $15,000 to remediate them end-to-end — no time-and-materials meter, no budget-envelope guessing. One number, the work scoped to fit it.
The engagement is delivered PR-by-PR against your main branch, every fix shipped with tests and an audit-trail entry, with Webisoft handling the re-audit liaison with Hacken. Billed 50% on kickoff and 50% on re-audit sign-off, so our incentive is closing findings — not logging hours.
Audit Findings
The Hacken Dual Defence report enumerates ten findings against the KiiChain main branch. The eight in initial scope were part of the first quote; two HIGH findings — KCNL1DDA-152 and -153 — were added afterwards and are folded into this engagement. Each finding maps to specific Cosmos-SDK / EVM module code.
Total findings: 10 · High: 5 · Medium: 2 · Low: 3
| Finding ID | Severity | Finding |
|---|---|---|
| Initial scope · 8 findings | | |
| KCNL1DDA-1 | HIGH | EVM gas-refund math lets users consume block gas with zero net fee |
| KCNL1DDA-74 | HIGH | Small CosmWasm tokenfactory metadata rewrites force massive native store-write gas overruns and block-level DoS |
| KCNL1DDA-104 | HIGH | Feegrant denomination bypass via post-allowance fee conversion |
| KCNL1DDA-19 | MEDIUM | MsgVoteWeighted and nested Authz bypass governance vote-stake requirement |
| KCNL1DDA-89 | MEDIUM | CosmWasm→EVM query path enables repeatable undercharged internal EVM execution |
| KCNL1DDA-78 | LOW | Authz-wrapped expedited governance proposals bypass the antehandler whitelist |
| KCNL1DDA-32 | LOW | Any unprivileged wasm contract drives ~853× SDK-gas undercharge |
| KCNL1DDA-15 | LOW | TWAP overflow panic in CalculateTwaps causes permanent chain halt via validator-submitted extreme exchange rate |
| Added after initial quote · 2 findings | | |
| KCNL1DDA-152 | HIGH | Distribution precompile 32-byte withdraw address inflates native supply |
| KCNL1DDA-153 | HIGH | ICA authz MsgExec bypasses host allowlist and EVM ante for MsgEthereumTx |
Fixes are sequenced by severity, HIGH first — the five HIGH findings (chain-halt, supply inflation, fee-bypass, and DoS vectors) clear before MEDIUM and LOW. Each lands as its own PR with a confirm → fix → test cycle against KiiChain main.
What You'll Have When We're Done
Six concrete deliverables — the audit findings are closed, the trail is documented, and your main branch is in a re-audit-ready state.
Audit findings review
Every Hacken Dual Defence finding read in full, categorized by severity, effort estimate, and code-level dependency.
Prioritized fix sequencing
Implementation order that respects finding interdependencies, KiiChain's product roadmap, and audit re-verification windows.
PR-by-PR remediation
Each fix is a discrete pull request against KiiChain main — independently reviewable, testable, and mergeable. No giant change-everything branches.
Test coverage on every fix
Unit and integration tests added alongside each remediation — every closed finding ships with a regression guard.
Re-audit coordination
Webisoft liaises with Hacken / Dual Defence for re-verification of every closed finding. You don't manage the back-and-forth.
Audit-trail documentation
Markdown record per finding: finding ID → branch → commit → tests → reviewer → re-audit status. Auditor-friendly, board-friendly.
Investment Structure
One number, fixed up front. $15,000 flat covers the full audit remediation — review, PR-by-PR fixes, tests, audit-trail documentation, and Hacken re-audit coordination. No time-and-materials meter, no change orders for findings already in the report.
Audit remediation & re-audit
Flat fee · all findings · all-in
Everything included
- Full review and priority sequencing of every Hacken Dual Defence finding
- PR-by-PR implementation against KiiChain main
- Unit + integration tests for each remediated finding
- Code review with KiiChain engineering on every PR
- Re-audit coordination with Hacken once findings are closed
- Audit-trail documentation: finding ID → branch → tests → re-audit status
- Production deployment support if requested
Payment schedule
$7,500 on kickoff · $7,500 on Hacken re-audit sign-off
Why fixed-price works here: the findings are already enumerated in the Hacken report, so the scope is knowable up front. You carry no overrun risk — if a fix takes longer than estimated, that's on us, not your budget. Anything genuinely outside the report (newly discovered issues, net-new features) is quoted separately before any work begins.
Delivery Approach
Four phases inside one fixed-price engagement, scoped to roughly four weeks end-to-end. Review locks the sequence in week one, HIGH-severity fixes land first, and the Hacken re-audit is the final gate that triggers the closing payment.
Audit review & sequencing
Read every Hacken Dual Defence finding, map each to specific files in the KiiChain repo, and lock the fix sequence respecting interdependencies. Flag anything that needs a KiiChain product decision before code starts.
Remediation implementation
PRs flow through KiiChain main on the agreed sequence. Weekly check-ins, daily Slack visibility, every fix accompanied by tests and audit-trail entries.
Re-audit & verification
Webisoft coordinates with Hacken for re-verification of every closed finding. Final sign-off package handed back to KiiChain — the milestone that triggers the closing payment.
Optional security retainer
Periodic security reviews, future audit-cycle support, and standing capacity for newly discovered findings — available on retainer beyond this fixed-price engagement.
Why Webisoft
Six concrete reasons KiiChain and Webisoft fit for an audit-remediation engagement — not generic credentials.
Cosmos-SDK experience
Shipped Cosmos-SDK chains end-to-end. Comfortable across the SDK module tree, Tendermint, CometBFT, and IBC.
Familiar with Hacken's reports
We have read Hacken Dual Defence reports before. No ramp-up time deciphering format, severity conventions, or finding language.
Senior engineers on security work
Direct senior-engineer ownership end-to-end. No juniors writing the patches for critical findings. No hand-offs after sale.
PR-by-PR transparency
Every fix traceable: finding ID → branch → tests → review → merge. Your team sees every change before it lands on main.
Confidential from day one
NDA and air-gapped review environment. Audit reports and fix branches stay private — no public-repo leakage of unfixed vulnerabilities.
Mergeable, not monolithic
Small, independently reviewable PRs against KiiChain main. You can merge them on your own cadence — no all-or-nothing branches.
Next Steps
Book a call to align
We've reviewed the report — let's walk the findings, sequence, and timeline together. Book directly at utkarsh.webisoft.com.
Sign the fixed-price letter of engagement
$15,000 flat, billed 50% on kickoff and 50% on Hacken re-audit sign-off.
Kickoff begins immediately
Finding review and fix sequencing start day one. Daily Slack visibility, weekly check-ins.
Remediation flows PR-by-PR
Fixes land on KiiChain main on the agreed sequence — each with tests and an audit-trail entry, reviewed with your engineering team.
Happy to jump on a call to walk the findings together if that's faster.
Direct contact: utkarsh@webisoft.com · book a call at utkarsh.webisoft.com
Webisoft · Montreal, QC · webisoft.com
Confidential — Prepared exclusively for KiiChain