ZetaChain / zetachain-protocol


ZetaChain is an L1 EVM-compatible blockchain focused on connecting blockchains. Unlike most interoperability solutions, which connect chains end-to-end, ZetaChain acts as a hub where developers can deploy their main DApp logic (called Universal Apps). Developers can interact with Universal Apps and deposit assets on them directly from connected chains, and Universal Apps can withdraw assets to connected chains. ZetaChain relies on an observer/signer set (which we can simply call the observer set) to support messaging between blockchains. The team has recently undertaken a major effort to rewrite most smart contracts used in the protocol. The goals were:

  • Simplifying the DevEx:
    • A single contract called Gateway is deployed once on ZetaChain and once on each connected chain for user interaction.
    • A simpler interface for user interaction that uses only 3 functions for all types of interactions with the chain.
  • Facilitating the introduction of future features by making the gateway contracts upgradable.
  • Making access control between contracts more complete, documented and standardized using OpenZeppelin.
  • Better internal development practices, using Slither, fuzz testing, complete code coverage, etc.
  • Introduction of new features: doing arbitrary smart contract calls on connected chains from ZetaChain.

The scope of this audit is the security and correctness of the smart contract implementation. In this audit, we assume that the observer set correctly relays all messages between chains.

Prize distribution and scoring

  • Total Prize Pool: $120,000

  • Primary Prize Pool: $90,000

  • Bonus in Zeta Tokens: $20,000

  • Only High and Medium findings would be accepted for Primary Prize Pool.

  • $10,000 of the prize pot is reserved for Low Severity findings. These reports are judged based on quality and reviewers are then ranked from 1st to 5th for the purpose of prize allocation.

    • 1st: $5k
    • 2nd: $2.5k
    • 3rd: $1.25k
    • 4th: $625
    • 5th: $625
  • This additional bonus of $20,000 in Zeta tokens would be distributed among the top 5 from the leaderboard as follows:

    • $10k
    • $5k
    • $2.5k
    • $1.25k
    • $1.25k
  • Scoring described in the competition scoring page.

  • Findings Severities described in detail on our docs page.

Documentation

Scope

Contracts

protocol-contracts/v2                          Lines of Code
v2/contracts/evm/ERC20Custody.sol              113
v2/contracts/evm/GatewayEVM.sol                240
v2/contracts/evm/ZetaConnectorBase.sol         54
v2/contracts/evm/ZetaConnectorNative.sol       65
v2/contracts/evm/ZetaConnectorNonNative.sol    74
v2/contracts/zevm/GatewayZEVM.sol              252
v2/contracts/zevm/ZRC20.sol                    184
v2/contracts/Revert.sol                        16

protocol-contracts-solana                      Lines of Code
protocol-contracts-solana/src/lib.rs           312

Code Overview

Build Instructions

  • The project is generated with Foundry, so all forge CLI commands for building, testing, etc. work as expected. There are also scripts in package.json wrapping these commands, most notably the test script.

  • The repository contains examples of unit tests and scripts written using Foundry, which demonstrate tests and interactions between contracts and can be extended to test findings and more scenarios. Furthermore, to see a PoC of using the contracts in a bigger context, a simple example can be found here.

Out of scope

Contact Us

For any issues or concerns regarding this competition, please reach out to the Cantina core team through the Cantina Discord.

Summary

Status

Completed

Total reward:

$120,000

Findings submitted:

1058

Start date:

19 Aug 2024 8:00pm (local time)

End date:

4 Sep 2024 8:00pm (local time)