IOP | Zano

Zano is a scalable and secure coin designed for use in e-commerce. The technology behind its blockchain provides reliability, security, and flexibility, making it a strong option for P2P transactions.

For more information about Zano, please visit https://zano.org/.

Zano rewards are denominated in USD and distributed in USDC on Ethereum

Blockchain
L1
C/C++

Status: Live
Rewards Pool: $25,000
Vault TVL: To be determined
Started: 17 February 2025
Ends: 03 March 2025
Rewards Token: USDC
nSLOC: 5,000
Arbitration: No

  • PoC required
  • KYC required


Assets in Scope

This is an invite-only audit competition. Therefore, in-scope assets are not publicly available.

Impacts in Scope

Where do you suspect there may be bugs and/or what attack vectors are you most concerned about?

We are most concerned about the implementation of cryptography and the core rules (Bulletproofs, CLSAG, etc.).

Most concerning attack vectors are:

  • Emission bugs (printing coins out of thin air)
  • Consensus bugs (double-spend attack vectors, PoS grinding attacks)

What external dependencies are there?

Boost and OpenSSL

What are the most valuable educational resources already available? (i.e. documentation, explainer videos or articles, etc.)

This repository contains the papers that describe the math behind the project: https://github.com/hyle-team/docs/tree/master/zano

Severity: Critical (applies to every impact listed below)

  • Network not being able to confirm new transactions (total network shutdown)
  • Execute arbitrary system commands
  • Retrieve sensitive data/files from a running server, such as:
      ◦ /etc/shadow
      ◦ database passwords
      ◦ blockchain keys (this does not include non-sensitive environment variables, open source code, or usernames)
  • Taking down the application/website
  • Taking down the NFT URI
  • Taking and/or modifying authenticated actions (with or without blockchain state interaction) on behalf of other users without any interaction by that user, such as:
      ◦ Changing registration information
      ◦ Commenting
      ◦ Voting
      ◦ Making trades
      ◦ Withdrawals, etc.
  • Changing NFT metadata
  • Direct theft of user funds
  • Malicious interactions with an already-connected wallet, such as:
      ◦ Modifying transaction arguments or parameters
      ◦ Substituting contract addresses
      ◦ Submitting malicious transactions
  • Direct theft of user NFTs
  • Injection of malicious HTML or XSS through metadata
  • Direct loss of funds