- Total Prize Pool: $150,000 USDC
- HM awards: $121,400 USDC
- QA awards: $3,100 USDC
- Judge awards: $15,000 USDC
- Lookout awards: $10,000 USDC
- Scout awards: $500 USDC
- Join C4 Discord to register
- Submit findings using the C4 form
- Read our guidelines for more details
- Starts November 20, 2023 20:00 UTC
- Ends December 18, 2023 20:00 UTC
❗️Note for C4 wardens: For this contest, analysis and gas optimizations are out of scope. ZetaChain will not be awarding prize funds for analysis or gas-specific submissions.
The 4naly3er report can be found here.
Note for C4 wardens: Anything included in the 4naly3er or in the previous audits is considered a publicly known issue and is ineligible for awards.
ZetaChain protocol is composed of two repositories:
node: ZetaChain source code based on Cosmos-SDKprotocol-contracts: Smart contracts deployed on ZetaChain or external chains to support interoperability
Prior to this competitive audit, 3 teams of Code4rena wardens competed to produce a set of resources to help accelerate wardens’ ability to compete. Wardens unfamiliar with ZetaChain and/or Cosmos SDK are recommended to review the materials created by each team:
In each team's workspace, you'll find:
- Project 101/FAQ (“5 minutes to coding”)
- Testing 101/FAQ (“5 minutes to testing” plus best resources)
- A collection/documentation of classes of vulnerabilities
Teams ZetaLotus and 032 also produced:
- Threat models
- architecture diagrams
- functional call flows
The consolidated threat models, and links to additional resoures, can be viewed here.
ZetaChain is based on Cosmos-SDK - see here our usage of the framework
Overview of the architecture of the node can be found here
The main sections of the source code are:
x (modules): contains the source code of the Cosmos-SDK modules of the blockchainzetaclient: contains the code for the observer client validating cross-chain transactions on ZetaChainsmoketests: contains utilities to run smoke tests of the protocol, and local experimentation
The protocol contracts are separated into two sections:
zevm: contains contracts deployed on ZetaChainevm: contains contracts deployed on external EVM chains to be supported by ZetaChain
- Go 1.20 (ZetaChain can only be built with this version of Go specifically)
- Docker (for smoke tests)
- Yarn
Build the zetacored (blockchain node binary), and zetacliend (ZetaClient binary)
make install
Run the unit tests
make test
Run a standalone local blockchain node
make init
make run
Run the smoke tests
make start-smoketest
make stop-smoketest
Compile the smart contracts
yarn
yarn compile
Run the unit tests
yarn test
The smoke tests under contrib allow testing of the different workflow of cross-chain functionalities on an E2E basis.
It also allows to experimentation of the protocol in a local environment. Running the smoke tests create several containers including:
zetacore0: a ZetaChain nodezetaclient0: a observer ZetaClienteth: a local Ethereum network connected to ZetaChainbitcoin: a local Bitcoin network connected to ZetaChainorchestrator: smoke tests runnner
After starting the networks with:
make start-smoketest
The user can connect to the zetacore0 and directly use the node CLI with the zetacored binary with a funded account:
docker exec -it zetacore0 sh
/usr/local/bin # zetacored q bank balances zeta172uf5cwptuhllf6n4qsncd9v6xh59waxnu83kq
balances:
- amount: "4199000000000000000000000"
denom: azeta
The user can interact with the local Ethereum node with the exposed RPC on http://0.0.0.0:8545.
The following testing account is funded:
Address: 0xE5C5367B8224807Ac2207d350E60e1b6F27a7ecC
Private key: d87baf7bf6dc560a252596678c12e41f7d1682837f05b29d411bc3f78ae2c263
Examples with the cast CLI:
cast balance 0xE5C5367B8224807Ac2207d350E60e1b6F27a7ecC --rpc-url http://0.0.0.0:8545
98897999997945970464
cast send 0x9fd96203f7b22bCF72d9DCb40ff98302376cE09c --value 42 --rpc-url http://0.0.0.0:8545 --private-key "d87baf7bf6dc560a252596678c12e41f7d1682837f05b29d411bc3f78ae2c263"
The smoketest package contains an API to interact programmatically with the different network:
type SmokeTest struct {
zetaTxServer ZetaTxServer
cctxClient crosschaintypes.QueryClient
fungibleClient fungibletypes.QueryClient
authClient authtypes.QueryClient
bankClient banktypes.QueryClient
observerClient observertypes.QueryClient
goerliAuth *bind.TransactOpts
zevmAuth *bind.TransactOpts
}The user can use this API for custom testing on the networks and insert custom tests in smoketest/main.go (and commenting out unnecessary tests), the tests will automatically run upon starting the smoke tests. Current existing smoke tests are a good source to learn how to implement custom tests.
- Some of the areas of concern for the protocol security can be found here.
- Threat models from the ZetaChain Alpha competition can be viewed here.
- Previous audits: https://drive.google.com/drive/folders/10PFcoASYKhllalv5n1AW4mYD12urPgWJ
- Documentation: https://www.zetachain.com/docs/
- Website: https://www.zetachain.com/
- Twitter: https://twitter.com/zetablockchain
- Discord: https://discord.gg/zetachain
Please note that ALL the files are in scope, but the files listed in the previous section are where you should actually looks for bugs.
- If you have a public code repo, please share it here: https://github.com/zeta-chain/node and https://github.com/zeta-chain/protocol-contracts/tree/main/contracts
- How many contracts are in scope?: 13
- Total SLoC for these contracts?: 0
- How many external imports are there?:
- How many separate interfaces and struct definitions are there for the contracts within scope?:
- Does most of your code generally use composition or inheritance?: Inheritance
- How many external calls?: 0
- What is the overall line coverage percentage provided by your tests?:
- Is this an upgrade of an existing system?: False
- Check all that apply (e.g. timelock, NFT, AMM, ERC20, rollups, etc.): ERC-20 Token, Multi-Chain
- Is there a need to understand a separate part of the codebase / get context in order to audit this part of the protocol?: Yes
- Please describe required context: You need to understand how the protocol works to understand how the cross chain elements come into play.
- Does it use an oracle?: No
- Describe any novel or unique curve logic or mathematical models your code uses: Protocol using shared TSS key to manage assets using decentralized validators
- Is this either a fork of or an alternate implementation of another project?: True, Some concepts borrowed from ThorChain and Evmos
- Does it use a side-chain?: False
- Describe any specific areas you would like addressed: Try to break cross-chain elements, ZRC20, accounting between external chain state and Zetachain state