Audits and Bug Bounty Program
Audits and Bug Bounty Program
zkSync Era takes security seriously and as such, we have completed multiple audits in all different parts of the protocol. On top of that, there is an ongoing massive bug bounty program.
We always ensure that all code deployed to production has been thoroughly tested before release. Our auditing and review processes begin well before any code is deployed. We conduct internal audits, followed by independent external audits from reputable auditors. If applicable, we also hold a public auditing contest and top it off with another independent external audit.
Here is the list of completed audits:
- Layer 1 Smart Contracts, Internal Audit, from 2022-14-06 to 2022-08-17.
- Layer 1 Smart Contracts, OpenZeppelin, from 2022-09-05 to 2022-09-30.
- Layer 1 Diff Audit (Upgrade Audit), OpenZeppelin, from 2022-11-21 to 2022-11-25.
- Layer 1 Diff Audit (Upgrade Audit), OpenZeppelin, from 2023-02-06 to 2023-02-17 (not published yet).
- Layer 1 Public Contest, Code4rena, from 2022-10-28 to 2022-11-09.
- Layer 1 Smart Contracts, Secure3, from 2022-10-22 to 2022-11-06.
- Layer 2, Internal Audit, from 2022-08-17 to 2022-10-24.
- Layer 2 Bootloader, OpenZeppelin, from 2022-11-28 to 2022-12-23.
- Layer 2 Fee Model and Token Bridge, OpenZeppelin, from 2023-01-23 to 2023-02-17 (not published yet).
- Layer 2 System Contracts Public Contest, Code4rena, from 2023-03-10 to 2023-03-19.
- ZK Proof System, Internal Audit, from 2022-10-24 to 2022-11-18.
- ZK Proof System, Halborn, from 2023-01-09 to 2023-03-08 (not published yet).
We've also scheduled the following audits:
- Layer 1 and Layer 2 Smart Contracts, April 2023, more details to follow.
- ZK Proof System, April 2023, more details to follow.
Bug Bounty Program
zkSync Era has a very detailed Bug bounty Program on Immunefi. In the listing, you can find all the information related to assets in scope, reporting, and the payout process.
The bug bounty program for zkSync Era aims to identify and resolve security vulnerabilities in our system before they can be exploited by malicious actors. The program is open to all individuals and teams who are interested in participating and are willing to comply with the program's rules and guidelines. The scope of the program covers all aspects of our blockchain products, including smart contracts, protocols, portals, and any other components that are part of our ecosystem.
- Eligibility: The bug bounty program is open to anyone who is interested in participating and who complies with the program's rules and guidelines.
- Responsible Disclosure: All participants must agree to follow the responsible disclosure policy and report any security vulnerabilities they discover to our security team in a timely and responsible manner.
- Rewards: The bug bounty program offers rewards to participants who discover and report security vulnerabilities. The rewards are determined based on the severity of the vulnerability and are paid in USDC.
- Reporting Guidelines: Participants must follow the reporting guidelines specified by the program.
- No Public Disclosure: Participants must not publicly disclose any vulnerabilities they discover until after they have been resolved by our security team.
- No Exploitation: Attacks that the reporter has already exploited themselves, leading to damage are not eligible for a reward.
- Legal Compliance: Participants must comply with all applicable laws and regulations, including data privacy and security laws.
- Program Changes: We reserve the right to modify or terminate the program at any time and without prior notice. We also reserve the right to disqualify any participant who violates the program's rules and guidelines.
If you think you have found a critical or major bug that is not covered by our existing bug bounty, please report it to us via the Immunefi program regardless. We will seriously consider the impact of any issues and may award a bounty even for out of scope assets or impacts.