Zero Name Se Security Smart Contract Audit

Summary

This report outlines the audit of the Zero Name Service (ZNS) protocol by Quantstamp. Zero Name Service offers a decentralized naming system on the Ethereum mainnet that grants human-readable names to entities. ZNS allows users to link their blockchain wallets, smart contracts, or on-chain data to their chosen name. The ZNS protocol allows users to register domains using either staking tokens or direct payment, as determined by the domain owner. The domain's pricing is set by a pricer contract designated by the domain owner. Furthermore, the domain owner can also specify an address resolver to correctly map the subdomain to its associated address. The audit identified a total of 18 findings. The audit highlighted issues such as domain impersonation because of inadequate label validation (ZNS-1) and domain spoofing due to the absence of on-chain label normalization (ZNS-2). Furthermore, the protocol risks fund insolvency due to potential token incompatibility (ZNS-3), and flaws in pricing calculations could lead to unexpected domain costs for users (ZNS-4). We found the test coverage to be extensive and high quality, but we recommend adding a test case for each high and medium issue identified in this report to verify the fixes. Additionally, we advise the client to update all documentation to align with the latest ZNS implementation and to address or consider all the findings provided in this report. **Fix Review**: The client addressed all issues from ZNS-1 to ZNS-18, implementing necessary fixes or providing detailed explanations for acknowledgments. For domain impersonation and spoofing issues (ZNS-1 and ZNS-2), strict label validation was added, limiting characters to a-z, 0-9, and hyphens. The protocol risk of fund insolvency due to potential token incompatibility (ZNS-3) was acknowledged, with explanations and updated user documentation highlighting the associated risks. Additionally, the flaws in pricing calculations (ZNS-4) were corrected. The client also provided test cases for each fix to ensure the effectiveness of the fixes.

Project

ZNS Token Upgrade

Ethereum

No active critical issues

Last audited on 2024/07/02

Auditor

144 audits on Trustblock

Multi-Tags

Issues (18)

	Low	Medium	High	Critical	Total
Not fixed	5	3	-	-	8
Fixed	6	3	1	-	10
Total	11	6	1	0	18

Contracts (129)

#	Github Repository	Commit Hash	File	Url
41	zer0-os/zNS	46f632e6e4e5e3e74bf3552079d873f7b9866ec0	docs/contracts/registrar/ZNSSubRegistrar.md	Check on Github
42	zer0-os/zNS	46f632e6e4e5e3e74bf3552079d873f7b9866ec0	tenderly.yaml	Check on Github
43	zer0-os/zNS	46f632e6e4e5e3e74bf3552079d873f7b9866ec0	test/gas/gas-costs.json	Check on Github
44	zer0-os/zNS	46f632e6e4e5e3e74bf3552079d873f7b9866ec0	contracts/treasury/IZNSTreasury.sol	Check on Github
45	zer0-os/zNS	46f632e6e4e5e3e74bf3552079d873f7b9866ec0	contracts/token/mocks/IZeroTokenMock.sol	Check on Github
46	zer0-os/zNS	46f632e6e4e5e3e74bf3552079d873f7b9866ec0	docs/flows.md	Check on Github
47	zer0-os/zNS	46f632e6e4e5e3e74bf3552079d873f7b9866ec0	.releaserc	Check on Github
48	zer0-os/zNS	46f632e6e4e5e3e74bf3552079d873f7b9866ec0	.eslintrc	Check on Github
49	zer0-os/zNS	46f632e6e4e5e3e74bf3552079d873f7b9866ec0	test/helpers/constants.ts	Check on Github
50	zer0-os/zNS	46f632e6e4e5e3e74bf3552079d873f7b9866ec0	docs/contracts/distribution/ZNSTreasury.md	Check on Github

...

Zero Name Service (ZNS)

Summary

Issues (18)

Domain Pricer Contract Can Charge More than Expected when Purchasing Domain not_fixed/medium

Precision Loss Can Result in Lower than Expected Purchase Pricenot_fixed/medium

Risk of Insolvency Due to Inaccurate Accounting with Deflationary or Rebasing Tokensnot_fixed/medium

Deviation From Traditional Domain and Subdomain Representationnot_fixed/low

Missing Input Validationnot_fixed/low

Contracts (129)