ZKSwap (ZKSync Era) Bug Bounty

ZKBase
Jun 16, 2023

🎉ZKSwap is the first Layer 2 AMM DEX powered by ZK-Rollups, launched in February 2021. It allows users to list any ERC20 token pair, exchange tokens, and offers four fee token options, a 100% buyback and burn program for ZKS, and unique liquidity mining activities. In 2021, ZKSwap achieved tens of billions of dollars in trading volume, with a peak TVL of $2.50 billion. Today, ZKSwap is expanding to ZKSync Era and joining ZKSync’s mission to accelerate the mass adoption of crypto for personal sovereignty.

🔑At ZKSwap, the security of user funds is of utmost importance. We strive to provide the most secure platform, as we are committed to the long-term success of this ecosystem. We’ve just finished a security audit with Secure3, an intelligent audit contest platform that has been recognised by industry leaders, including zkSync, Manta Network, IoTeX, ParaSpace, MirrorWorld, etc. As ZKSwap is currently in testnet, identifying and resolving vulnerabilities in this phase will ensure the highest security standard for the mainnet. As such, we are excited to launch the ZKSwap (ZKSync Era) Bug Bounty Program to reward responsible bug disclosure. By adding another layer of security checks, we want our users to feel safe and comfortable when interacting with our platform.

The Program covers vulnerabilities and bugs in the ZKSwap (ZKSync Era) contracts and DApp:

Contract:

ZksFactory: 0xDC7beAC4448756812F4EB8c31614f5d4A5F3c641

ZksRouter: 0x71228a3Ea6B7BBd50bb8721A0Fa4eD17eaa299fe

APP:

https://goerli.zksync.zks.app/

The following are not within the scope of the Program:

We warmly welcome you to help secure the ZKSwap platform by participating in the ZKSwap (ZKSync) Bug Bounty Program. By making a meaningful contribution to the platform’s overall security, you can expect broad recognition and rewards for your impact.

🎁Reward

Reward: up to 1,000,000 ZKS

Rewards will be given based on the severity as well as the likelihood of the bug being triggered or exploited, to be determined at the discretion of the ZKSpace team.

Report

Any vulnerability or bug discovered must be reported only to the following email: dev@l2lab.org. After submission, please await review by our team. We will notify you of our assessment as soon as we can.

The vulnerability must not be disclosed publicly or to any other person, entity or email address before the ZKSpace team has been notified, has fixed the issue, and has granted permission for public disclosure. In addition, disclosure to us must be made within 24 hours following discovery of the vulnerability.

Please provide as much information about the vulnerability as possible, including:

  • The conditions on which reproducing the bug is contingent.
  • The steps needed to reproduce the bug or, preferably, a proof of concept.
  • The potential implications of the vulnerability being abused.

Eligibility

To be eligible for a reward under this Program, you must:

  • Discover a previously unreported, non-public vulnerability that is not already known to the team and is within the scope of this Program. Vulnerabilities must be distinct from the issues covered in the audit reports.
  • Be the first to disclose the unique vulnerability to dev@l2lab.org, in compliance with the disclosure requirements above. If similar vulnerabilities are reported within the same 24-hour period, rewards will be split at the discretion of the ZKSpace team.
  • Provide sufficient information to enable our engineers to reproduce and fix the vulnerability. Answer our additional questions about reported bugs within a reasonable amount of time.
  • Not engage in any unlawful conduct when disclosing the bug, including through threats, demands, or any other coercive tactics.
  • Not exploit the vulnerability in any way, including through making it public or by obtaining a profit (other than a reward under this Program).
  • Not publicize the vulnerability in any way, other than through private reporting to us.
  • Make a good faith effort to avoid privacy violations, destruction of data, interruption or degradation of the assets in scope.
  • Submit only one vulnerability per submission, unless several vulnerabilities must be chained to demonstrate the impact of any of them.
  • Not submit a vulnerability caused by an underlying issue that is the same as an issue on which a reward has been paid under this Program.
  • Not be one of our current or former employees, vendors, or contractors or an employee of any of those vendors or contractors.
  • Be at least 18 years of age or, if younger, submit your vulnerability with the consent of your parent or guardian.
  • Comply with all the eligibility requirements of the Program.

Other Terms

By submitting your report, you grant ZKSpace any and all rights, including intellectual property rights, needed to validate, mitigate, and disclose the vulnerability. All reward decisions, including eligibility for and amounts of the rewards and the manner in which such rewards will be paid, are made at our sole discretion.

The terms and conditions of this Program may be altered at any time.

Thank you for your support!

ZKSpace team

2023-6-16

About ZKSpace

The ZKSpace (formerly ZKSwap) platform consists of three main parts: ZKSwap, the first Layer 2 AMM DEX utilizing ZK-Rollups technology, payment service ZKSquare supporting fast and cheap Batch Transfer, and an NFT minting center and marketplace ZKSea. ZKSpace has been running since February 2021 with hundreds of function iterations, and no security incidents have ever occurred. With innovative NFT L1-L2 transfer, unlimited token listing, cheap and smooth deposit & withdrawal, and a Layer 2 domain name system ZNS, ZKSpace aims to implement EVM-compatible ZK-Rollups and bring the community more Layer 2-based products.


ZKBase (https://zks.org) is an all-in-one layer2 platform, featuring ZKSwap-DEX, ZKSea-NFT, ZKSquare-payment and ZNS-DID.