Back to Archive
BA-2023-001

Zebra Dex

Independent Security Assessment

Network
Scroll (zk-EVM)
Date
October 20, 2023
Commit
0f4d...9
Result
Secure

01
Executive Summary

Security evaluation of the Zebra DEX, a concentrated liquidity and composable AMM built on the Scroll L2. The audit focused on the core factory-pair architecture and the innovative dynamic fee system.
Findings Classification
Critical0
High0
Medium0
Low1
Informational1

02
Disclaimer

Note that as of the date of publishing, the contents of this report reflect the current understanding of known security patterns and state of the art regarding system security. You agree that your access and/or use, including but not limited to any associated services, products, protocols, platforms, content, and materials, will be at your sole risk.

The review does not extend to the compiler layer, or any other areas beyond the programming language, or other programming aspects that could present security risks. If the audited source files are smart contract files, risks or issues introduced by using data feeds from offchain sources are not extended by this review either.

Given the size of the project, the findings detailed here are not to be considered exhaustive, and further testing and audit is recommended after the issues covered are fixed.

To the fullest extent permitted by law, we disclaim all warranties, expressed or implied, in connection with this report, its content, and the related services and products and your use thereof, including, without limitation, the implied warranties of merchantability, fitness for a particular purpose, and non-infringement.

We do not warrant, endorse, guarantee, or assume responsibility for any product or service advertised or offered by a third party through the product, any open source or third-party software, code, libraries, materials, or information linked to, called by, referenced by or accessible through the report, its content, and the related services and products, any hyperlinked websites, any websites or mobile applications appearing on any advertising, and we will not be a party to or in any way be responsible for monitoring any transaction between you and any third-party providers of products or services.

FOR AVOIDANCE OF DOUBT, THE REPORT, ITS CONTENT, ACCESS, AND/OR USAGE THEREOF, INCLUDING ANY ASSOCIATED SERVICES OR MATERIALS, SHALL NOT BE CONSIDERED OR RELIED UPON AS ANY FORM OF FINANCIAL, INVESTMENT, TAX, LEGAL, REGULATORY, OR OTHER ADVICE.

03
Audit Methodology

The above files' code was studied in detail in order to acquire a clear impression of how its specifications were implemented. The codebase was then subject to deep analysis and scrutiny, resulting in a series of observations. The problems and their potential solutions are discussed in this document and, whenever possible, we identify common sources for such problems and comment on them as well.

1. Code Review

Project Diagnosis

Understanding the size, scope and functionality of your project’s source code based on the specifications, sources, and instructions provided.

Manual Code Review

Reading your source code line-by-line to identify potential vulnerabilities.

Specification Comparison

Determining whether your project’s code successfully and efficiently accomplishes or executes its functions according to the specifications.

2. Testing and Automated Analysis

Test Coverage Analysis

Determining whether the test cases cover your code and how much of your code is exercised.

Symbolic Execution

Analyzing a program to determine the specific input that causes different parts of a program to execute its functions.

3. Best Practices Review

Reviewing the source code to improve maintainability, security, and control based on the latest established industry and academic practices, recommendations, and research.

04
Coverage of Issues

Access Control
Admin Rights
Arithmetic Precision
Code Improvement
Contract Upgrade/Migration
Delete Trap
Design Vulnerability
DoS Attack
EOA Call Trap
Fake Deposit
Function Visibility
Gas Consumption
Implementation Vulnerability
Inappropriate Callback Function
Injection Attack
Integer Overflow/Underflow
IsContract Trap
Miner's Advantage
Misc
Price Manipulation
Proxy selector clashing
Pseudo Random Number
Re-entrancy Attack
Replay Attack
Rollback Attack
Shadow Variable
Slot Conflict
Token Issuance
Tx.origin Authentication
Uninitialized Storage Pointer

05
Finding Detailed Analysis

BA-ZEBRA-01
Low

Lack of Max Value for Protocol Fees

Fixed
Description

The 'setFeeToRate' function in ZebraFactory.sol lacks an upper bound constraint, allowing for theoretically infinite fee rates.

Recommendation

Implement a hard cap (e.g., 50%) to prevent arithmetic disruption and build user trust.

Technical Exploit Scenario

A compromised administrator sets the protocol fee rate to 100%. Every single swap interaction in the associated ZebraPair contracts then triggers 'mintFee', where the resulting arithmetic for the protocol's share overflows or consumes all expected output. This results in a persistent Denial of Service (DoS) for all pool users, effectively locking their funds within the pool until the rate is reset.

BA-ZEBRA-02
Informational

Ambiguous Decimal Parameter Naming

Fixed
Description

Use of 'baseDecimal' in price calculations representing 10^18 instead of the exponent 18.

Recommendation

Rename parameters to 'unitMultiplier' to avoid integration confusion with external protocols.

Technical Exploit Scenario

An external yield aggregator or lending protocol integrates Zebra as a price oracle. The developers misinterpret 'baseDecimal' as the exponent (18). Consequently, the price data is processed incorrectly by a factor of 1e18, leading to mass liquidations or catastrophic protocol insolvency for any users relying on the misinterpreted Zebra price feed.

Standard of Integrity

BACKCODE ANALYTICS

Formal verification & cryptographic audit lab. We provide the mathematical certainty required for the decentralized future.

BACKCODE.ORGVERIFIED REPORT