Boost | ZeroLend

ZeroLend is a decentralized lending protocol built on zkSync Era.

ZeroLend's core product is its decentralized non-custodial liquidity market. ZeroLend is a fork of AAVE V3 with changes in the incentive mechanisms that make it similar to Radiant Capital.

For more information about ZeroLend, please visit https://zerolend.xyz

ZeroLend provides rewards in USDC, denominated in USD.

The following reward terms are a summary, for the full details read our Boost Reward Distribution Terms.

A reward pool of $200,000 USD will be distributed among participants, even if no valid bugs are found. Duplicates and private known issues are valid for a reward.

Rewards are distributed according to the impact of the vulnerability based on the Immunefi Vulnerability Severity Classification System V2.3.

Reward Payment Terms

Payouts are handled by the ZeroLend team directly and are denominated in USD. However, payments are done in USDC.

Rewards will be distributed all at once based on Immunefi’s distribution formula after the event has concluded and the final bug reports have been resolved.

ZeroLend's deployed contracts can also be found here: https://docs.zerolend.xyz/security/deployed-addresses

ZeroLend’s up to date codebase can be found here https://github.com/zerolend

The zkSync contracts are the same as the Manta contracts. Where one’s deployed contract isn’t verified, it’s content can be known by referring to the deployment on the other chain, or by checking GitHub.

Whitehat Educational Resources & Technical Info

Documentation: https://docs.zerolend.xyz/

Is this an upgrade of an existing system? If so, which? And what are the main differences?

• ZeroLend is a fork of AAVE V3 with changes in the incentive mechanisms that make it very similar to Radiant Capital. The incentive mechanism is located in the governance repo https://github.com/zerolend/governance

• ZeroLend uses the same EVM as Aave and does not use zk code in itself, but does run on a different compiler which introduces complexity and the potential for novel bugs.

Where do you suspect there may be bugs?

• The incentive contracts (https://github.com/zerolend/governance) are custom-made code so this is an area of concern.
• Misconfigurations in the lending market (parameters, oracles, etc).
• Permission issues (like EOAs having admin access) and similar access issues.

Which part(s) of the system do you want whitehats to attempt to break the most?

• Everything already live on zkSync and Manta, such as:
  • Manipulation in terms of asset price
  • Manipulation that creates bad debt
  • Creating any other asset risk in the lending market.
• Any other hack which could bring down the protocol is a major concern.

Are there any assumed invariants that you want whitehats to attempt to break?

• All positions should have a health factor > 1.

What ERC20 / ERC721 / ERC777 / ERC1155 token standards are supported? Which are not?

• Only ERC20. Nothing else.

What emergency actions may you want to use as a reason to invalidate or downgrade an otherwise valid bug report?

• Same emergency actions as Aave; we can freeze the protocol, we can freeze an asset if it becomes more risky. We likely wouldn’t want to invalidate a bug on account of these, and may not downgrade it either. This would be based on the circumstances.

What Roles are there, and what capacities do they have?

• Same as aave: https://docs.aave.com/developers/core-contracts/aclmanager
• The ⅔ multisig used is trusted.

What external dependencies are there?

• The token assets used.

What is the test suite setup information?

• Tests are in Hardhat https://github.com/zerolend/governance/tree/main/test
• To run just do “yarn test.”

Public Disclosure of Known Issues

Bug reports covering previously-discovered bugs (listed below) are not eligible for a reward within this program. This includes known issues that the project is aware of but has consciously decided not to “fix”, necessary code changes, or any implemented operational mitigating procedures that can lessen potential risk.

• There is a bug on flashloans, so as a precautionary measure they’re disabled and their bugs are considered out-of-scope: https://governance.aave.com/t/pre-cautionary-measures-on-three-aave-v3-assets/16037

Previous Audits

ZeroLend’s completed audit reports can be found at https://docs.zerolend.xyz/security/audits. Any unfixed vulnerabilities mentioned in these reports are not eligible for a reward.

Asset In Scope Policies

Asset Accuracy Assurance

Bugs found on assets incorrectly listed in-scope will be considered valid and be rewarded.

Private Known Issues Reward Policy

Private known issues, meaning known issues that were not publicly disclosed, are valid, but their rewards are downgraded one severity level.

Known Issue Assurance

ZeroLend commits to providing Known Issue Assurance to bug submissions through their program. This means that ZeroLend will either disclose known issues publicly, or at the very least, privately via a self-reported bug submission.

In a potential scenario of a mediation, this allows for a more objective and streamlined process, in order to prove that an issue is known. Otherwise, assuming the bug report is valid, it would result in the report being considered as in-scope, and due a reward.

Primacy of Impact vs Primacy of Rules

ZeroLend adheres to the Primacy of Impact for the following impacts:

• Smart Contract - Critical
• Smart Contract - High

Primacy of Impact means that the impact is prioritized rather than a specific asset. This encourages security researchers to report on all bugs with an in-scope impact, even if the affected assets are not in scope. For more information, please see Best Practices: Primacy of Impact.

When submitting a report on Immunefi’s dashboard, the security researcher should select the Primacy of Impact asset placeholder. If the team behind this project has multiple programs, those other programs are not covered under Primacy of Impact for this program. Instead, check if those other projects have a bug bounty program on Immunefi.

If the project has any testnet and/or mock files, those will not be covered under Primacy of Impact.

All other impacts are considered under the Primacy of Rules, which means that they are bound by the terms and conditions set within this program.

Proof of Concept (PoC) Requirements

A PoC, demonstrating the bug's impact, is required for this program and has to comply with the Immunefi PoC Guidelines and Rules.

Temporary Freezing of Funds

If the minimum threshold of temporary freezing for at least 1 hour is not met then the report will be downgraded to Medium severity.

Miscellaneous Policies

Responsible Publication

Whitehats may publish their bug reports after they have been fixed & paid, or closed as invalid, with the following exceptions:

• Bug reports in mediation may not be published until mediation has concluded and the bug report is resolved.

Immunefi may publish bug reports submitted to this boosted bug bounty and a leaderboard of the participants and their earnings.

Feasibility Limitations

The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.

Therefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.

Immunefi Standard Badge

By adhering to Immunefi’s best practice recommendations, ZeroLend has satisfied the requirements for the Immunefi Standard Badge.

These impacts are out of scope for this bug bounty program.

All Categories:

• Impacts requiring attacks that the reporter has already exploited themselves, leading to damage
• Impacts caused by attacks requiring access to leaked keys/credentials
• Impacts caused by attacks requiring access to privileged addresses (governance, strategist) except in such cases where the contracts are intended to have no privileged access to functions that make the attack possible
• Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code
• Mentions of secrets, access tokens, API keys, private keys, etc. in Github will be considered out of scope without proof that they are in-use in production
• Best practice recommendations
• Feature requests
• Impacts on test files and configuration files unless stated otherwise in the bug bounty program

Blockchain/DLT & Smart Contract Specific:

• Incorrect data supplied by third party oracles
• Not to exclude oracle manipulation/flash loan attacks
• Impacts requiring basic economic and governance attacks (e.g. 51% attack)
• Lack of liquidity impacts
• Impacts from Sybil attacks
• Impacts involving centralization risks

Prohibited Activities:

• Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or mainnet
• Any testing with pricing oracles or third-party smart contracts
• Attempting phishing or other social engineering attacks against our employees and/or customers
• Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)
• Any denial of service attacks that are executed against project assets
• Automated testing of services that generates significant amounts of traffic
• Public disclosure of an unpatched vulnerability in an embargoed bounty