Zano Trade is a non-custodial web UI where you post or accept swap proposals for ZANO and confidential assets.
For more information about Zano, please visit https://zano.org/ and Zano Trade https://trade.zano.org/dex
Program status: Live. Triaged by Immunefi. Step-by-step PoC required.
Build Commands, Test Commands, and How to Run Them
- A Postgres database is required.
- .env file example:
  PGUSER="postgres"
  PGPASSWORD="root"
  PGHOST="127.0.0.1"
  PGDATABASE="zano_trade"
  PGPORT="5432"
  JWT_SECRET="any_string"
  OWNER_ALIAS="leave empty, this functionality it out of testing scope"
- Run commands: npm i, npm run build, npm start
- The app will be accessible at http://localhost:3000/
Previous Audits
- Zano Trade has no audit report as of 18 June 2025.
Where might Security Researchers confuse out-of-scope code to be in-scope?
- In the frontend, in-scope code is everything under /dex and all its subpages (/dex/). In the backend, all routes that can be called from /dex/ pages are in scope. All routes in the listed backend files are also in scope, as some of them can be called via the API rather than directly from the frontend.
Is this an upgrade of an existing system? If so, which? And what are the main differences?
- No. It's a new web app in beta.
Where do you suspect there may be bugs and/or what attack vectors are you most concerned about?
- Most important potential vulnerabilities:
- Need to ensure database security as users' trade history is sensitive data. Make sure we don't expose it.
- Need to ensure a user can't be tricked into signing an unexpected ionic swap transaction (with a different amount or assets from what is in their order).
What ERC20 / ERC721 / ERC777 / ERC1155 token standards are supported?
- Not applicable, as it's based on confidential assets: https://docs.zano.org/docs/build/confidential-assets/overview
What external dependencies are there?
- It's a standard Next.js app, so most of its external dependencies could be considered.
What are the most valuable educational resources already available? (i.e. documentation, explainer videos or articles, etc.)
- Main URL: https://trade.zano.org
- Swap process explained: https://docs.zano.org/docs/build/confidential-assets/ionic-swaps
- How the web UI works: https://docs.zano.org/docs/use/zano-trade
- API documentation: https://docs.zano.org/docs/build/zano-trade-api/overview
Scope
Backend routes:
- https://github.com/PRavaga/zano-p2p/blob/master/api/routes/auth.router.ts
- https://github.com/PRavaga/zano-p2p/blob/master/api/routes/dex.router.ts
- https://github.com/PRavaga/zano-p2p/blob/master/api/routes/orders.router.ts
- https://github.com/PRavaga/zano-p2p/blob/master/api/routes/transactions.router.ts
- https://github.com/PRavaga/zano-p2p/blob/master/api/routes/user.router.ts
Frontend pages:
- https://github.com/PRavaga/zano-p2p/tree/master/src/pages/dex (https://trade.zano.org/dex)
- https://github.com/PRavaga/zano-p2p/tree/master/src/pages/dex/trading (https://trade.zano.org/dex/trading/<PAIR_ID>)
- https://github.com/PRavaga/zano-p2p/tree/master/src/pages/dex/orders (https://trade.zano.org/dex/orders)
Subdomain takeover with already-connected wallet interaction
Direct theft of user funds
Malicious interactions with an already-connected wallet, such as:
- Modifying transaction arguments or parameters
- Substituting contract addresses
- Submitting malicious transactions
Injection of malicious HTML or XSS through metadata
Execute arbitrary system commands
Retrieve sensitive data/files from a running server, such as:
- /etc/shadow
- database passwords
- blockchain keys (this does not include non-sensitive environment variables, open source code, or usernames)
Taking down the application/website
Taking and/or modifying authenticated actions (with or without blockchain state interaction) on behalf of other users without any interaction by that user, such as:
- Changing registration information
- Commenting
- Voting
- Making trades
- Withdrawals, etc.
Injecting/modifying the static content on the target application without JavaScript (persistent), such as:
- HTML injection without JavaScript
- Replacing existing text with arbitrary text
- Arbitrary file uploads, etc.
Changing sensitive details of other users (including modifying browser local storage) without already-connected wallet interaction and with up to one click of user interaction, such as:
- Password of the victim etc.
Improperly disclosing confidential user information, such as:
- Email address
- Phone number
- Physical address, etc.
Subdomain takeover without already-connected wallet interaction
Out of scope
Web & App specific
- Theoretical impacts without any proof or demonstration
- Impacts involving attacks requiring physical access to the victim device
- Impacts involving attacks requiring access to the local network of the victim
- Reflected plain text injection (e.g. url parameters, path, etc.)
- This does not exclude reflected HTML injection with or without JavaScript
- This does not exclude persistent plain text injection
- Any impacts involving self-XSS
- Captcha bypass using OCR without impact demonstration
- CSRF with no state modifying security impact (e.g. logout CSRF)
- Impacts related to missing HTTP Security Headers (such as X-FRAME-OPTIONS) or cookie security flags (such as “httponly”) without demonstration of impact
- Server-side non-confidential information disclosure, such as IPs, server names, and most stack traces
- Impacts causing only the enumeration or confirmation of the existence of users or tenants
- Impacts caused by vulnerabilities requiring un-prompted, in-app user actions that are not part of the normal app workflows
- Lack of SSL/TLS best practices
- Impacts that only require DDoS
- UX and UI impacts that do not materially disrupt use of the platform
- Impacts primarily caused by browser/plugin defects
- Leakage of non sensitive API keys (e.g. Etherscan, Infura, Alchemy, etc.)
- Any vulnerability exploit requiring browser bugs for exploitation (e.g. CSP bypass)
- SPF/DMARC misconfigured records
- Missing HTTP Headers without demonstrated impact
- Automated scanner reports without demonstrated impact
- UI/UX best practice recommendations
- Non-future-proof NFT rendering
All categories
- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage
- Impacts caused by attacks requiring access to leaked keys/credentials
- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed
- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code
- Mentions of secrets, access tokens, API keys, private keys, etc. in Github will be considered out of scope without proof that they are in-use in production
- Best practice recommendations
- Feature requests
- Impacts on test files and configuration files unless stated otherwise in the bug bounty program
- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers