Security & Compliance

The pause function exists as an emergency security mechanism to protect users in the event of a detected exploit or exchange listing coordination. The pause key is held exclusively by the founding entity (Kenostod Blockchain LLC, Wyoming). We have committed publicly that this function will not be invoked post-ICO except in a declared security emergency. A community governance vote is required for any extended pause beyond 72 hours — this policy is enforced operationally and will be encoded into a future governance upgrade. The contract cannot pause itself autonomously; it requires an explicit transaction from the owner key.

This is a standard OpenZeppelin function present in virtually all ERC-20/BEP-20 tokens. It is NOT a vulnerability — it only poses risk if the owner deliberately or accidentally calls it. We have no intent to call renounceOwnership() and have implemented internal multi-step confirmation policies before any ownership changes. The function's existence is actually a decentralization feature: it allows the community to verify that ownership can be fully renounced if the project ever transitions to a fully decentralized DAO structure.

This function is restricted to the owner address only — no external actor can call it. The DoS risk requires the attacker to already control the owner key, at which point they would have far more direct attack vectors. Our operational practice limits batch whitelist updates to arrays of 100 addresses maximum. This finding does not affect user funds, token transfers, or platform operations.

Burn operations destroy tokens (reduce supply) — they do not allow unauthorized transfers to other addresses. Whitelist mode is designed to control token distribution during presale/ICO phases. Allowing burn operations during this period is intentional: token holders who wish to burn their allocation should not be restricted from doing so. This does not create a risk of funds being diverted and is consistent with our tokenomic design for deflationary pressure.

As noted in the audit finding, tokens always reach the intended team wallet — front-running in this context cannot redirect funds. The maximum impact is a minor gas cost increase. Team token releases are pre-announced to the community with timestamps, so there is no information asymmetry that MEV bots could exploit for material gain. This is a known characteristic of time-locked vesting on public blockchains.

This is a code efficiency observation, not a security vulnerability. The extra SLOADs result in marginally higher gas costs per transfer (estimated ~400 gas units, approximately $0.0001 at current gas prices). This will be addressed in a future contract upgrade via proxy pattern or when deploying v2 of the KENO contract, which is planned post-ICO.