Audit Comp | ZeroLend
ZeroLend is a decentralized lending protocol built on zkSync Era. ZeroLend's core product is its decentralized non-custodial liquidity market. ZeroLend is a fork of AAVE V3 with changes in the incentive mechanisms that make it similar to Radiant Capital.
Status
ZeroLend's deployed contracts can also be found here: https://docs.zerolend.xyz/security/deployed-addresses
ZeroLend’s up to date codebase can be found here https://github.com/zerolend
The zkSync contracts are the same as the Manta contracts. Where one’s deployed contract isn’t verified, it’s content can be known by referring to the deployment on the other chain, or by checking GitHub.
Whitehat Educational Resources & Technical Info
Documentation: https://docs.zerolend.xyz/
Is this an upgrade of an existing system? If so, which? And what are the main differences?
-
ZeroLend is a fork of AAVE V3 with changes in the incentive mechanisms that make it very similar to Radiant Capital. The incentive mechanism is located in the governance repo https://github.com/zerolend/governance
-
ZeroLend uses the same EVM as Aave and does not use zk code in itself, but does run on a different compiler which introduces complexity and the potential for novel bugs.
Where do you suspect there may be bugs?
- The incentive contracts (https://github.com/zerolend/governance) are custom-made code so this is an area of concern.
- Misconfigurations in the lending market (parameters, oracles, etc).
- Permission issues (like EOAs having admin access) and similar access issues.
Which part(s) of the system do you want whitehats to attempt to break the most?
- Everything already live on zkSync and Manta, such as:
- Manipulation in terms of asset price
- Manipulation that creates bad debt
- Creating any other asset risk in the lending market.
- Any other hack which could bring down the protocol is a major concern.
Are there any assumed invariants that you want whitehats to attempt to break?
- All positions should have a health factor > 1.
What ERC20 / ERC721 / ERC777 / ERC1155 token standards are supported? Which are not?
- Only ERC20. Nothing else.
What emergency actions may you want to use as a reason to invalidate or downgrade an otherwise valid bug report?
- Same emergency actions as Aave; we can freeze the protocol, we can freeze an asset if it becomes more risky. We likely wouldn’t want to invalidate a bug on account of these, and may not downgrade it either. This would be based on the circumstances.
What Roles are there, and what capacities do they have?
- Same as aave: https://docs.aave.com/developers/core-contracts/aclmanager
- The ⅔ multisig used is trusted.
What external dependencies are there?
- The token assets used.
What is the test suite setup information?
- Tests are in Hardhat https://github.com/zerolend/governance/tree/main/test
- To run just do “yarn test.”
Public Disclosure of Known Issues
Bug reports covering previously-discovered bugs (listed below) are not eligible for a reward within this program. This includes known issues that the project is aware of but has consciously decided not to “fix”, necessary code changes, or any implemented operational mitigating procedures that can lessen potential risk.
- There is a bug on flashloans, so as a precautionary measure they’re disabled and their bugs are considered out-of-scope: https://governance.aave.com/t/pre-cautionary-measures-on-three-aave-v3-assets/16037
Previous Audits
ZeroLend’s completed audit reports can be found at https://docs.zerolend.xyz/security/audits. Any unfixed vulnerabilities mentioned in these reports are not eligible for a reward.
Asset In Scope Policies
Asset Accuracy Assurance
Bugs found on assets incorrectly listed in-scope will be considered valid and be rewarded.
Private Known Issues Reward Policy
Private known issues, meaning known issues that were not publicly disclosed, are valid, but their rewards are downgraded one severity level.
Known Issue Assurance
ZeroLend commits to providing Known Issue Assurance to bug submissions through their program. This means that ZeroLend will either disclose known issues publicly, or at the very least, privately via a self-reported bug submission.
In a potential scenario of a mediation, this allows for a more objective and streamlined process, in order to prove that an issue is known. Otherwise, assuming the bug report is valid, it would result in the report being considered as in-scope, and due a reward.
Primacy of Impact vs Primacy of Rules
ZeroLend adheres to the Primacy of Impact for the following impacts:
- Smart Contract - Critical
- Smart Contract - High
Primacy of Impact means that the impact is prioritized rather than a specific asset. This encourages security researchers to report on all bugs with an in-scope impact, even if the affected assets are not in scope. For more information, please see Best Practices: Primacy of Impact.
When submitting a report on Immunefi’s dashboard, the security researcher should select the Primacy of Impact asset placeholder. If the team behind this project has multiple programs, those other programs are not covered under Primacy of Impact for this program. Instead, check if those other projects have a bug bounty program on Immunefi.
If the project has any testnet and/or mock files, those will not be covered under Primacy of Impact.
All other impacts are considered under the Primacy of Rules, which means that they are bound by the terms and conditions set within this program.