__Code Freeze Assurance__

Code of the assets in scope is frozen while the program is live.

Duplicate submissions of bugs are valid. Duplicate submissions of Insights are invalid.

The project commits to keeping private all info related to bug findings until this program is over. This means the project will not leak info about any bug findings or planned bug fixes, including bug findings found independently by the project or from concurrent private audits.

__Insight Reporting__

Insight reports may be reported to this program and do not require a PoC. Insights are rewarded according to [Immunefi’s Standardized Competition Reward Terms](https://immunefisupport.zendesk.com/hc/en-us/articles/31657285001873-Standardized-Competition-Reward-Terms).

__Asset Accuracy Assurance__

Bugs found on assets incorrectly listed in-scope are valid.

__Private Known Issues Reward Policy__

Private known issues, meaning known issues that were not publicly disclosed, are valid for a reward.

__Eligibility Criteria__

Security researchers who wish to participate must adhere to the rules of engagement set forth in this program and cannot be:
- On OFACs SDN list 
- Official contributor, both past or present
- Employees and/or individuals closely associated with the project 
- Security auditors that directly or indirectly participated in the audit review

__Dispute Resolution__

If there is any dispute over bug reports between projects and security researchers, Immunefi has final say on validity and severity based on the terms of this program.

__Responsible Publication Policy__

Immunefi will publish bug reports, earnings, and a leaderboard for this Invite Only Program. Security Researchers may publish their bug reports as well, but only after Immunefi has published the valid bug reports as part of the competition results.

Zano Trade is a non-custodial web UI where you post or accept swap proposals for ZANO and confidential assets.

For more information about Zano, please visit https://zano.org/ and Zano Trade https://trade.zano.org/dex

Subdomain takeover with already-connected wallet interaction

Direct theft of user funds

Malicious interactions with an already-connected wallet, such as:
- Modifying transaction arguments or parameters
- Substituting contract addresses
- Submitting malicious transactions

Injection of malicious HTML or XSS through metadata

Injecting/modifying the static content on the target application without JavaScript (persistent), such as:
- HTML injection without JavaScript
- Replacing existing text with arbitrary text
- Arbitrary file uploads, etc.

Changing sensitive details of other users (including modifying browser local storage) without already-connected wallet interaction and with up to one click of user interaction, such as:
- Email
- Password of the victim etc.

Improperly disclosing confidential user information, such as:
- Email address
- Phone number
- Physical address, etc.

Subdomain takeover without already-connected wallet interaction

Changing non-sensitive details of other users (including modifying browser local storage) without already-connected wallet interaction and with up to one click of user interaction, such as:
- Changing the first/last name of user
- Enabling/disabling notifications

Injecting/modifying the static content on the target application without JavaScript (reflected), such as:
- Reflected HTML Injection
- Loading external site data

Redirecting users to malicious websites (open redirect)

Changing details of other users (including modifying browser local storage) without already-connected wallet interaction and with significant user interaction, such as:
- Iframing leading to modifying the backend/browser state (must demonstrate impact with PoC)

Taking over broken or expired outgoing links, such as:
- Social media handles, etc.

Temporarily disabling user to access target site, such as:
- Locking up the victim from login
- Cookie bombing, etc.

Execute arbitrary system commands

Retrieve sensitive data/files from a running server, such as:
- /etc/shadow
- database passwords
- blockchain keys (this does not include non-sensitive environment variables, open source code, or usernames)

Taking down the application/website

Taking and/modifying authenticated actions (with or without blockchain state interaction) on behalf of other users without any interaction by that user, such as:
- Changing registration information
- Commenting
- Voting
- Making trades
- Withdrawals, etc.

__Build Commands, Test Commands, and How to Run Them__

1. Postgres database is required

2. .env file example
PGUSER="postgres"
PGPASSWORD="root"
PGHOST="127.0.0.1"
PGDATABASE="zano_trade"
PGPORT="5432"
JWT_SECRET="any_string"
OWNER_ALIAS="leave empty, this functionality it out of testing scope"

3. Run commands
npm i
npm run build
npm start

4. app will be accessible here: http://localhost:3000/


__Previous Audits__

- Zano Trade has no audit report as of 18 June 2025.


__Where might Security Researchers confuse out-of-scope code to be in-scope?__

- In-scope code is everything under /dex and all subpages (/dex/) in frontend. In the backend in-scope are all routes that can be called from /dex/ pages. All routes in provided backend files are also in-scope, as some of them can be called using API, not directly from frontend.


__Is this an upgrade of an existing system? If so, which? And what are the main differences?__

- No. It's a new web app in beta. 

__Where do you suspect there may be bugs and/or what attack vectors are you most concerned about?__

- Most important potential vulnerabilities:
1. Need to ensure database security as users' trade history is sensitive data. Make sure we don't expose it.
2. Need to ensure user can't be tricked to sign unexpected ionic swap transaction (with different amount or assets from what is in their order)


__What ERC20 / ERC721 / ERC777 / ERC1155 token standards are supported?__

- Not Applicable, As it's based off confidential assets https://docs.zano.org/docs/build/confidential-assets/overview


__What external dependencies are there?__

- It's a standard next js app, so most external dependencies could be considered. 


__What are the most valuable educational resources already available? (Ie. Documentation, Explainer videos or articles, etc)__

- Main url: https://trade.zano.org
 
- Swap process explained: https://docs.zano.org/docs/build/confidential-assets/ionic-swaps
 
- How does web ui work: https://docs.zano.org/docs/use/zano-trade
 
- Api documentation: https://docs.zano.org/docs/build/zano-trade-api/overview
 
**Scope**

Backend routes:
- https://github.com/PRavaga/zano-p2p/blob/master/api/routes/auth.router.ts
- https://github.com/PRavaga/zano-p2p/blob/master/api/routes/dex.router.ts
- https://github.com/PRavaga/zano-p2p/blob/master/api/routes/orders.router.ts
- https://github.com/PRavaga/zano-p2p/blob/master/api/routes/transactions.router.ts
- https://github.com/PRavaga/zano-p2p/blob/master/api/routes/user.router.ts
 
Frontend pages:
- https://github.com/PRavaga/zano-p2p/tree/master/src/pages/dex (https://trade.zano.org/dex)
- https://github.com/PRavaga/zano-p2p/tree/master/src/pages/dex/trading (https://trade.zano.org/dex/trading/<PAIR_ID>)
- https://github.com/PRavaga/zano-p2p/tree/master/src/pages/dex/orders  (https://trade.zano.org/dex/orders)

Swap process

Web UI

Api Documentation

__Rewards Terms__

Rewards are distributed among SRs according to [Immunefi’s Standardized Competition Reward Terms](https://immunefisupport.zendesk.com/hc/en-us/articles/31657285001873-Standardized-Competition-Reward-Terms).

Rewards are denominated in USD and distributed in USDC on Ethereum.

The reward pool is **$14,000 USD** if any bug is found.

If not a single bug is found (Insights do not count as bugs) the reward pool is $1,260 USD

On top of this, each participating SR will receive a guaranteed reward of $2,000 USD.

**Proof of Concept (PoC) Requirements**

For this program, runnable PoC code is not required. Whitehats are instead required to write a step-by-step explanation of the PoC and impact.

__Insight Rewards Payment Terms__

Insight Rewards: Portion of the Rewards Pool

*The "Insight" severity was introduced on Boost (Audit Competitions) & Attackathon programs to recognize contributions that extend beyond identifying immediate vulnerabilities. Currently, it's not an option to select the Insight severity when submitting a report. However, our team or program will designate it accordingly if applicable. "Insights" underscores our commitment to valuing all types of contributions that contribute to a more secure environment and will always be rewarded. [View more information about Insights](https://immunefisupport.zendesk.com/hc/en-us/articles/13333032674961-Severity-Classification-System?utm_source=immunefi)

Duplicates of Insight reports are not eligible for a reward.

IOP | Zano Trade

Live

Live

Documentation

Title	Description	Link
Swap process	Explainer
Web UI	How does web UI work
Api Documentation	Documentation