Platform: Code4rena
Start Date: 20/11/2023
End Date: 18/12/2023
Period: 28 days
Status: Awarded
Pot Size: $150,000 USDC
Participants: 30
Id: 304
League: COSMOS
| Warden | Rank | Award | Total findings | High (all) | High (solo) | Med (all) | Med (solo) | | | |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| berndartmueller | 1/30 | $41,909.65 | 25 | 7 | 1 | 18 | 8 | 0 | 0 | 0 |
| ChristiansWhoHack | 2/30 | $26,632.27 | 11 | 6 | 2 | 5 | 3 | 0 | 0 | 0 |
| oakcobalt | 3/30 | $9,692.06 | 7 | 1 | 1 | 5 | 1 | - | 0 | 0 |
| ciphermarco | 4/30 | $8,786.14 | 6 | 3 | 0 | 2 | 1 | - | 0 | 0 |
| MevSec | 5/30 | $8,173.61 | 7 | 2 | 0 | 4 | 2 | - | 0 | 0 |
| dontonka | 6/30 | $6,998.08 | 8 | 2 | 0 | 5 | 1 | - | 0 | 0 |
| p0wd3r | 7/30 | $6,080.22 | 9 | 1 | 0 | 7 | 1 | - | 0 | 0 |
| zhaojie | 8/30 | $3,338.94 | 7 | 1 | 0 | 6 | 0 | 0 | 0 | 0 |
| deliriusz | 9/30 | $3,150.56 | 6 | 1 | 0 | 5 | 0 | 0 | 0 | 0 |
| QiuhaoLi | 10/30 | $2,414.89 | 3 | 1 | 0 | 1 | 0 | - | 0 | 0 |
❗️Note for C4 wardens: For this contest, analysis and gas optimizations are out of scope. ZetaChain will not be awarding prize funds for analysis or gas-specific submissions.
The 4naly3er report can be found here.
Note for C4 wardens: Anything included in the 4naly3er or in the previous audits is considered a publicly known issue and is ineligible for awards.
The ZetaChain protocol is composed of two repositories:
- node: ZetaChain source code based on Cosmos SDK
- protocol-contracts: smart contracts deployed on ZetaChain or on external chains to support interoperability

Prior to this competitive audit, 3 teams of Code4rena wardens competed to produce a set of resources to help accelerate wardens' ability to compete. Wardens unfamiliar with ZetaChain and/or Cosmos SDK are recommended to review the materials created by each team:
In each team's workspace, you'll find:
Teams ZetaLotus and 032 also produced:
The consolidated threat models, and links to additional resources, can be viewed here.
ZetaChain is based on Cosmos SDK; see here for how the framework is used.
An overview of the node architecture can be found here.
The main sections of the source code are:
- x (modules): contains the source code of the Cosmos SDK modules of the blockchain
- zetaclient: contains the code for the observer client validating cross-chain transactions on ZetaChain
- smoketests: contains utilities to run smoke tests of the protocol, and for local experimentation

The protocol contracts are separated into two sections:
- zevm: contains contracts deployed on ZetaChain
- evm: contains contracts deployed on external EVM chains to be supported by ZetaChain

node
Build zetacored (the blockchain node binary) and zetaclientd (the ZetaClient binary):
make install
Run the unit tests:
make test
Run a standalone local blockchain node:
make init
make run
Start and stop the smoke tests:
make start-smoketest
make stop-smoketest
protocol-contracts
Compile the smart contracts:
yarn
yarn compile
Run the unit tests:
yarn test
The smoke tests under contrib allow testing the different workflows of the cross-chain functionality on an end-to-end basis. They also allow experimentation with the protocol in a local environment. Running the smoke tests creates several containers, including:
- zetacore0: a ZetaChain node
- zetaclient0: an observer ZetaClient
- eth: a local Ethereum network connected to ZetaChain
- bitcoin: a local Bitcoin network connected to ZetaChain
- orchestrator: the smoke tests runner

After starting the networks with:
make start-smoketest
the user can connect to zetacore0 and directly use the node CLI through the zetacored binary with a funded account:

docker exec -it zetacore0 sh
/usr/local/bin # zetacored q bank balances zeta172uf5cwptuhllf6n4qsncd9v6xh59waxnu83kq
balances:
- amount: "4199000000000000000000000"
  denom: azeta
The user can interact with the local Ethereum node through the RPC exposed on http://0.0.0.0:8545.
The following testing account is funded:
Address: 0xE5C5367B8224807Ac2207d350E60e1b6F27a7ecC
Private key: d87baf7bf6dc560a252596678c12e41f7d1682837f05b29d411bc3f78ae2c263
Examples with the cast CLI (the second line of each pair is the output):

cast balance 0xE5C5367B8224807Ac2207d350E60e1b6F27a7ecC --rpc-url http://0.0.0.0:8545
98897999997945970464

cast send 0x9fd96203f7b22bCF72d9DCb40ff98302376cE09c --value 42 --rpc-url http://0.0.0.0:8545 --private-key "d87baf7bf6dc560a252596678c12e41f7d1682837f05b29d411bc3f78ae2c263"
The smoketest package contains an API to interact programmatically with the different networks:

type SmokeTest struct {
	zetaTxServer   ZetaTxServer
	cctxClient     crosschaintypes.QueryClient
	fungibleClient fungibletypes.QueryClient
	authClient     authtypes.QueryClient
	bankClient     banktypes.QueryClient
	observerClient observertypes.QueryClient
	goerliAuth     *bind.TransactOpts
	zevmAuth       *bind.TransactOpts
}

The user can use this API for custom testing on the networks by inserting custom tests in smoketest/main.go (and commenting out unnecessary tests); the tests run automatically upon starting the smoke tests. The existing smoke tests are a good source for learning how to implement custom tests.
Please note that ALL the files are in scope, but the files listed in the previous section are where you should actually look for bugs.
- If you have a public code repo, please share it here: https://github.com/zeta-chain/node and https://github.com/zeta-chain/protocol-contracts/tree/main/contracts
- How many contracts are in scope?: 13
- Total SLoC for these contracts?: 0
- How many external imports are there?:
- How many separate interfaces and struct definitions are there for the contracts within scope?:
- Does most of your code generally use composition or inheritance?: Inheritance
- How many external calls?: 0
- What is the overall line coverage percentage provided by your tests?:
- Is this an upgrade of an existing system?: False
- Check all that apply (e.g. timelock, NFT, AMM, ERC20, rollups, etc.): ERC-20 Token, Multi-Chain
- Is there a need to understand a separate part of the codebase / get context in order to audit this part of the protocol?: Yes
- Please describe required context: You need to understand how the protocol works to understand how the cross chain elements come into play.
- Does it use an oracle?: No
- Describe any novel or unique curve logic or mathematical models your code uses: Protocol using shared TSS key to manage assets using decentralized validators
- Is this either a fork of or an alternate implementation of another project?: True, Some concepts borrowed from ThorChain and Evmos
- Does it use a side-chain?: False
- Describe any specific areas you would like addressed: Try to break cross-chain elements, ZRC20, accounting between external chain state and ZetaChain state
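One concrete way to attack the last item, the accounting between external chain state and ZetaChain state, is to reconcile the two sides from independent sources: the balance the TSS-controlled address holds on the external chain (queried, for instance, with cast against the local eth node) against what ZetaChain itself claims, i.e. live ZRC20 supply plus withdrawals that have been burned but not yet paid out (queried through the fungible and cctx query clients of the smoke-test API). If custody does not cover the ZetaChain view, some mint or burn path is wrong. The Go program below is an added example written for this page, not ZetaChain's code, and it runs over constructed data. It assumes a simplified custody model (each observed inbound deposit mints the same amount of ZRC20; a withdrawal burns ZRC20 immediately and reduces TSS custody only once the outbound is mined); the type and field names, chain ids and tx hashes are placeholders chosen for the illustration.

```go
package main

import (
	"fmt"
	"math/big"
)

// AssetKey names an external-chain asset as mirrored by a ZRC20 on ZetaChain.
// The chain ids and symbols used below are placeholders, not ZetaChain's.
type AssetKey struct {
	ChainID int64
	Asset   string
}

// Deposit is an inbound transfer to the TSS-held address observed on an
// external chain; a correct observer mints exactly Amount of ZRC20 for it.
type Deposit struct {
	Key    AssetKey
	TxHash string
	Amount *big.Int
}

// Withdrawal is a ZRC20 burn on ZetaChain that the TSS signer must pay out.
// Mined is true once the outbound transaction is confirmed externally.
type Withdrawal struct {
	Key    AssetKey
	Amount *big.Int
	Mined  bool
}

// ZetaSide is what ZetaChain itself claims for one asset.
type ZetaSide struct {
	ZRC20Supply     *big.Int // minted minus burned
	PendingOutbound *big.Int // burned, outbound not yet mined
}

// ExpectedFromEvents replays observed events into the per-asset ZetaChain view.
// A second observation of the same inbound tx hash is ignored: processing an
// inbound twice is exactly the double-mint an observer must not perform.
func ExpectedFromEvents(deposits []Deposit, withdrawals []Withdrawal) map[AssetKey]*ZetaSide {
	out := map[AssetKey]*ZetaSide{}
	get := func(k AssetKey) *ZetaSide {
		if s, ok := out[k]; ok {
			return s
		}
		s := &ZetaSide{ZRC20Supply: new(big.Int), PendingOutbound: new(big.Int)}
		out[k] = s
		return s
	}
	seen := map[string]bool{}
	for _, d := range deposits {
		if seen[d.TxHash] {
			continue
		}
		seen[d.TxHash] = true
		s := get(d.Key)
		s.ZRC20Supply.Add(s.ZRC20Supply, d.Amount)
	}
	for _, w := range withdrawals {
		s := get(w.Key)
		s.ZRC20Supply.Sub(s.ZRC20Supply, w.Amount)
		if !w.Mined {
			s.PendingOutbound.Add(s.PendingOutbound, w.Amount)
		}
	}
	return out
}

// Backing is what the TSS address must hold for the ZetaChain view to be fully
// collateralised: live ZRC20 plus burns that have not been paid out yet.
func Backing(s *ZetaSide) *big.Int {
	return new(big.Int).Add(s.ZRC20Supply, s.PendingOutbound)
}

// Discrepancies compares independently queried external TSS balances against the
// ZetaChain view. A positive value means ZetaChain accounts for more than custody
// backs (unbacked ZRC20); a negative one means value is stranded in custody that
// nobody on ZetaChain can redeem. Assets known to only one side are reported too.
func Discrepancies(external map[AssetKey]*big.Int, zeta map[AssetKey]*ZetaSide) map[AssetKey]*big.Int {
	diff := map[AssetKey]*big.Int{}
	for k, s := range zeta {
		held := external[k]
		if held == nil {
			held = new(big.Int)
		}
		if d := new(big.Int).Sub(Backing(s), held); d.Sign() != 0 {
			diff[k] = d
		}
	}
	for k, held := range external {
		if _, ok := zeta[k]; !ok && held.Sign() != 0 {
			diff[k] = new(big.Int).Neg(held)
		}
	}
	return diff
}

func main() {
	eth := AssetKey{ChainID: 5, Asset: "ETH"}
	btc := AssetKey{ChainID: 18332, Asset: "BTC"}
	// Constructed events: the ETH deposit with hash 0xaa is observed twice.
	deposits := []Deposit{
		{Key: eth, TxHash: "0xaa", Amount: big.NewInt(100)},
		{Key: eth, TxHash: "0xaa", Amount: big.NewInt(100)},
		{Key: btc, TxHash: "0xbb", Amount: big.NewInt(60)},
	}
	withdrawals := []Withdrawal{
		{Key: eth, Amount: big.NewInt(30), Mined: true},
		{Key: eth, Amount: big.NewInt(20), Mined: false},
	}
	zeta := ExpectedFromEvents(deposits, withdrawals)
	// Constructed custody balances: ETH is consistent (100 in, 30 paid out);
	// BTC custody shows 50 against 60 of ZRC20 on ZetaChain.
	external := map[AssetKey]*big.Int{eth: big.NewInt(70), btc: big.NewInt(50)}
	for k, d := range Discrepancies(external, zeta) {
		fmt.Printf("%s on chain %d: ZetaChain view differs from custody by %s\n", k.Asset, k.ChainID, d)
	}
}
```

The ETH asset reconciles only because the replay ignores the second observation of tx 0xaa; drop that check and the view exceeds custody by 100, which is the double-mint signature. The BTC line is the kind of mismatch a warden should trace back to a specific mint or burn path rather than treat as rounding.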