Overview
Project Summary
Project Summary: Zenith is the first perpetual future and options exchange built on the Tezos blockchain. It enables users to take long or short positions on perpetual contracts for their favorite assets, providing leverage of up to IOX in all market conditions.
Official Documentation: https://docs.payperfi.com/ (opens in a new tab)
Audit Summary
A time-boxed independent security assessment of the Zenith protocol was done by Caron Gogwim (@CGOx01) and Team DetectBox, with a focus on the security aspects of the application's implementation.
We performed the security assessment based on the agreed scope, following our approach and methodology. Based on our scope and our performed activities, our security assessment revealed 1 Medium severity and 4 Low severity security issues. Additionally, different informational and gas optimization suggestions were also made which, if resolved appropriately, may improve the quality of the Project's Smart contract. Audit Timeline: 16th June '23 - 20th June '23
Code Repository https://qithub.com/Zenith-FNO/Zenith-Smart-Contracts (opens in a new tab)
Review Commit Hash d9f97d4852ddee6fc47e4381ce1cfbdfa8c72ff4
Please note that the links provided above are not functional as they are meant to be placeholders. You should use the actual links from the respective sources for accessing the information.
Audit Methodology
During our security assessments, we uphold a rigorous approach to maintain high-quality standards. Our methodology encompasses thorough functional testing and meticulous manual code reviews. To ensure comprehensive issue coverage, we employ checklists derived from industry best practices and widely recognized concerns, specifically tailored to Tezos smart contract assessment.
Throughout the smart contract audit process, we prioritize the following aspects to uphold excellence:
-
Code Quality: We diligently evaluate the overall quality of the code, aiming to identify any potential vulnerabilities or weaknesses.
-
Best Practices: Our assessments emphasize adherence to established best practices, ensuring that the smart contract follows industry-accepted guidelines and standards.
-
Documentation and Comments: We meticulously review code documentation and comments to ensure they accurately reflect the underlying logic and expected behavior of the contract.
Auditing smart contracts involves a comprehensive analysis of the code to identify potential vulnerabilities and security risks. To achieve comprehensive coverage, we employ a series of security checklist tables, each addressing specific areas of concern. These include:
- System Platform
- Access Control
- Storage
- Gas Issues and Efficiency
- Code Issues
- Error Handling and Exception Handling
- Transaction Handling
- Entrypoint Validation
- Administration and Operator Functions
- Additional Topics and Test Cases
Vulnerability Summary
| Severity | Impact: High | Impact: Medium | Impact: Low |
|---|---|---|---|
| Likehood: High | Critical | High | Medium |
| Likehood: Medium | High | Medium | Low |
| Likehood: Low | Medium | Low | Low |
Findings Summary
| High | 0 Issue |
|---|---|
| Medium | 1 Issue |
| Low | 4 Issue |
| Informational | 3 Issue |
| Gas Optimization | 0 Issue |
Audit Scope
The code under review is composed of multiple smart contracts written in the SmartPy language and includes 1311 SLOC- source lines of code (only source-code lines).
| Sl. No. | Lines | SLOC |
|---|---|---|
| contracts/vmm.py | 717 | 638 |
| contracts/usdt.py | 23 | 18 |
| contracts/utils/helpers.py | 104 | 88 |
| contracts/utils/fa2.py | 823 | 535 |
| contracts/utils/address.py | 22 | 20 |
| contracts/utils/errors.py | 23 | 12 |
Auditors Involved :
Main Auditor -
Caron Gogwim - https://app.detectbox.io/profile/CGAuditor (opens in a new tab) Rohan Jha - https://app.detectbox.io/profile/Rohan16 (opens in a new tab)