How QuillAudits Covers All the Gaps in your zkSync contracts?

Updated at: April 8, 2025 | 7 minutes read

Author: QuillAudits Team

zkSync is a layer 2 scaling solution for Ethereum that aims to improve the network's scalability and reduce transaction costs. It is based on zk-rollups, a technology that bundles many transactions into a single batch and posts a compact proof of that batch to Ethereum, reducing the amount of data that needs to be processed on the Ethereum blockchain.

zkSync uses zero-knowledge proofs to enable fast and cheap transactions while inheriting the security and decentralization of the Ethereum network. Zero-knowledge proofs allow the validity of a batch of transactions to be verified without revealing any information about the transactions themselves, which the team presents as a privacy and security benefit for users.

It supports Ethereum-style smart contracts, which are executed off-chain to reduce gas costs and improve efficiency. Smart contracts on zkSync are written in Solidity, the same programming language used for Ethereum smart contracts.

Why Do We Need zkSync Smart Contract Auditing?

zkSync is built on the Ethereum blockchain, and its smart contracts are written in Solidity, the primary programming language for writing smart contracts on the Ethereum network.

In addition to Solidity, zkSync relies on other technologies, such as zk-rollups and zero-knowledge proofs, to achieve transaction scalability and privacy. These technologies work alongside Solidity smart contracts to enable fast and efficient transactions on the Ethereum network.

Over the past three years, the Web3 ecosystem has experienced significant financial losses due to security breaches, underscoring the critical need for robust smart contract security audits.
 

2022: Escalating Threats

In 2022, the Web3 space witnessed approximately $3.7 billion in losses across various security incidents. This surge in attacks highlighted vulnerabilities in decentralized finance (DeFi) platforms and cross-chain bridges, emphasizing the necessity for comprehensive security measures.
 

2023: A Decline with Persistent Risks

The following year saw a decline in total losses to about $1.84 billion from 751 incidents, representing a 51% decrease compared to 2022. Despite this reduction, the average loss per incident remained substantial at $2.45 million. Notably, private key compromises accounted for nearly half of the financial losses, totaling $880.9 million in just 47 incidents. This period underscored that while overall losses decreased, significant risks persisted, particularly concerning private key security.
 

2024: Resurgence of Attacks

In 2024, the trend reversed with losses escalating to approximately $2.36 billion across 760 on-chain security incidents, marking a 31.6% increase in value stolen compared to 2023. Phishing attacks emerged as the most costly vector, responsible for $1.05 billion in losses over 296 incidents, accounting for nearly half of the total value stolen. Additionally, private key compromises resulted in $855.4 million in losses across 65 incidents. Ethereum remained the most targeted blockchain, experiencing 403 incidents that led to $748.7 million in losses.
 

The Imperative for Smart Contract Security Audits

These statistics from 2022 to 2024 highlight the evolving and persistent threats within the Web3 ecosystem. The substantial financial losses, particularly from phishing and private key compromises, demonstrate that malicious actors continually adapt their strategies to exploit vulnerabilities. Implementing rigorous smart contract security audits is essential to identify and mitigate these vulnerabilities proactively. Regular audits not only enhance the resilience of smart contracts against known attack vectors but also bolster investor confidence, contributing to the sustainable growth of decentralized technologies.
 

[Figures: Annual Financial Losses; Security Incidents; Financial Pie Chart]

Our audit service covers a wide range of security aspects including, but not limited to:

  • Security Flaws and Vulnerabilities
  • Code Quality and Readability
  • Gas Optimization
  • Correct Usage of zkEVM
  • Compliance with the Latest Standards
     

Methodology

Our auditing methodology is based on the best practices and guidelines of the industry. It involves a multi-layered approach which includes:

  • Reviewing the smart contract codebase.
  • Analyzing the architecture and design of the smart contract.
  • Testing the smart contract with various scenarios and use cases.
  • Conducting a formal verification of the smart contract using a sound and complete set of tools and techniques.

Audit Process

Things We Cover in the Audit Process:

  • Business Logic Review
  • Functionality Checks
  • Access Control & Authorization
  • Escrow Manipulation
  • Token Supply Manipulation
  • User Balances Manipulation
  • Data Consistency Manipulation
  • Kill-Switch Mechanism
  • Operation Trails & Event Generation

We ensure your smart contract goes through all the stages, from manual code review to automated testing, before generating the Initial Audit Report. Once your team updates the code, we thoroughly scrutinise the smart contract to provide you with the Final Audit Report. Let's dive deep into it and explore more.

[Figure: Multi-layer audit process]

Step 1 - Specification Gathering / Prepare For a Security Audit

This is the most crucial stage, because detail is key to a successful smart contract security audit. Here is how you can prepare for it:

Code quality

  • Remove dead code and stale comments.
  • Use a consistent coding style.
  • Follow the Solidity style guide (or the Rust style guide for Solana projects).

Use comments to document complex parts of the code and ensure these are consistent with the code.

Test the code

  • Make sure the contracts can be compiled and fully tested. 
  • Perform high coverage and high-quality unit tests.

This will maximize focus on the difficult parts of the code. Auditing should not discover that some functions are uncallable or do not perform their expected function under entirely straightforward inputs. Optimal auditing should focus on unexpected, corner-case, and adversarial behaviour.

Code freeze

  • Freeze the code and specify the commit hash, or deploy the code on a testnet and share the explorer link.

After freezing the code, we will gather the specifications from you to know the intended behaviour of the smart contract through the 'Smart Contract Specification' document.

How can you help?
Please ask your developers to fill out the specification document. It helps us understand and verify the business logic and confirm everything thoroughly.
 

Step 2 - Manual Review

Here we look for undefined or unexpected behaviour and common security vulnerabilities. The goal is to get as many skilled eyes on the contract code as possible. Aims of the manual review:

  • Focus on issues regarding security, attacks, mathematical errors, logical issues, etc.
  • Check the code for any vulnerabilities that can be exploited.
  • Verify that every detail in the specification is implemented in the smart contract.
  • Verify that the contract does not have any behaviour that is not stated in the specifications.
  • Verify that the contract does not violate the intended behaviour of specifications.
     

Step 3 - Functional Testing

  • The smart contract is manually deployed in a sandbox environment such as a testnet or mainnet fork, Hardhat, Ganache, etc.
  • Smart contract functions are tested with multiple parameters and under various conditions to ensure that all paths through each function operate as intended.
  • In this phase, the intended behaviour of the smart contract is verified.
  • In this phase, we also ensure that smart contract functions are not consuming unnecessary gas.
  • Gas limits of functions are verified in this stage.
     

Step 4 - Testing over Latest Attack Vectors

The team researches newly discovered attacks (such as market manipulation, LP pricing, front-running vectors, and more) and tries to replicate them against the project to ensure it is safe from those attacks:

  • Solidity attack vectors
  • NFT attack vectors
  • DeFi attack vectors
  • DAO attack vectors
  • Blockchain attack vectors
  • Web2 attack vectors
  • If the current implementation is vulnerable to those newly discovered attacks, we recommend the project team switch to a safer implementation.
     

Step 5 - Testing with Automated Tools

Testing with automated tools is important to catch the bugs that humans miss. Depending on the requirement and auditor preference, some of the tools we use are:

  • Mythril / MythX
  • Solgraph
  • Solidity Coverage
  • Slither
  • Solidity Visual Developer
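Automated tools such as Slither produce many findings at mixed severity and confidence, so the useful step in an audit pipeline is turning their raw report into a gate: fail the run on high-impact, credible findings and keep the informational ones for the report. The script below is an added example (not QuillAudits' tooling) that reads the JSON Slither writes with `slither . --json report.json`, summarises findings by impact, and returns a non-zero exit status when any finding meets configurable impact and confidence thresholds. The embedded sample report is constructed for illustration; the contract name, file path and line numbers in it are not from any real project.

```python
"""Severity gate over a Slither JSON report (added example, not QuillAudits' code).

Assumes the report was produced with ``slither . --json report.json``; the
SAMPLE_REPORT below is a constructed stand-in with Slither's real layout
(top-level success/error/results, findings under results.detectors).
"""
import json
import sys
from collections import Counter

# Slither's own impact and confidence labels, most severe first.
IMPACT_ORDER = ["High", "Medium", "Low", "Informational", "Optimization"]
CONFIDENCE_ORDER = ["High", "Medium", "Low"]

# Constructed sample: names, paths and lines are illustrative only.
SAMPLE_REPORT = json.dumps({
    "success": True,
    "error": None,
    "results": {"detectors": [
        {"check": "reentrancy-eth", "impact": "High", "confidence": "Medium",
         "description": "Reentrancy in Vault.withdraw(uint256): external call before state update",
         "elements": [{"type": "function", "name": "withdraw",
                       "source_mapping": {"filename_relative": "contracts/Vault.sol",
                                          "lines": [42, 43, 44]}}]},
        {"check": "timestamp", "impact": "Low", "confidence": "Medium",
         "description": "Vault.lock() uses block.timestamp for comparisons",
         "elements": [{"type": "function", "name": "lock",
                       "source_mapping": {"filename_relative": "contracts/Vault.sol",
                                          "lines": [60]}}]},
        {"check": "naming-convention", "impact": "Informational", "confidence": "High",
         "description": "Parameter _Amount is not in mixedCase", "elements": []},
        {"check": "unchecked-transfer", "impact": "High", "confidence": "Low",
         "description": "Return value of token.transfer ignored", "elements": []},
    ]},
})


def _rank(value, order):
    # Lower rank = more severe; unknown labels sort last so they never block.
    return order.index(value) if value in order else len(order)


def load_findings(report_text):
    """Parse Slither --json output; raise if the run itself failed."""
    report = json.loads(report_text)
    if not report.get("success", False):
        raise RuntimeError(f"slither run failed: {report.get('error')}")
    return report.get("results", {}).get("detectors", [])


def location(finding):
    """Best-effort 'file:first-last' taken from the first element with a source mapping."""
    for element in finding.get("elements", []):
        mapping = element.get("source_mapping") or {}
        lines = mapping.get("lines") or []
        if mapping.get("filename_relative") and lines:
            return f"{mapping['filename_relative']}:{min(lines)}-{max(lines)}"
    return "<unknown>"


def triage(findings, min_impact="Medium", min_confidence="Medium"):
    """Return findings at or above both thresholds, most severe first."""
    blocking = [
        f for f in findings
        if _rank(f.get("impact"), IMPACT_ORDER) <= _rank(min_impact, IMPACT_ORDER)
        and _rank(f.get("confidence"), CONFIDENCE_ORDER) <= _rank(min_confidence, CONFIDENCE_ORDER)
    ]
    blocking.sort(key=lambda f: (_rank(f.get("impact"), IMPACT_ORDER),
                                 _rank(f.get("confidence"), CONFIDENCE_ORDER)))
    return blocking


def summarize(findings):
    """Count findings per impact label for the report header."""
    return Counter(f.get("impact", "Unknown") for f in findings)


def format_finding(finding):
    return (f"[{finding.get('impact')}/{finding.get('confidence')}] "
            f"{finding.get('check')} {location(finding)}: "
            f"{finding.get('description', '').strip()}")


def main(argv):
    # Usage: python slither_gate.py report.json ; with no argument the sample is used.
    text = open(argv[1], encoding="utf-8").read() if len(argv) > 1 else SAMPLE_REPORT
    findings = load_findings(text)
    print("findings by impact:", dict(summarize(findings)))
    blocking = triage(findings)
    for finding in blocking:
        print(format_finding(finding))
    return 1 if blocking else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The default thresholds (Medium impact, Medium confidence) deliberately drop the High/Low `unchecked-transfer` entry: low-confidence detectors are where Slither's false positives concentrate, and a gate that blocks on them trains developers to ignore it. Those entries are still counted in the summary so the auditor can review them by hand, which is the division of labour between Step 5 and the manual review in Step 2.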
     

Step 6 - Initial Audit Report

In the end, we provide you with a comprehensive report, which we call the Initial Audit Report (IAR):

  • A comprehensive audit report.
  • Details of the audit and solutions to the vulnerabilities (if we found any) in your contracts.
  • We expect you to resolve the identified bugs and make suitable changes to the code, or we can connect you with development partners for the issues.

How can you help? Prepare an 'Updation Summary' or 'Comment Report' carrying details of the changes you have made after receiving the IAR; this helps us identify the changes and test them rigorously.

Note - Please acknowledge that we start the Audit Process once the Audit Scope is frozen (commit hash or explorer link). If you make any changes to the code in between the process, we can check the updated code only after delivering the Initial Audit Report. We cannot abort the process in between and start working on the updated code.
 

Step 7 - Final Audit Report

After initial audit fixes, the process is repeated, and the final audit report is delivered. There is a possibility that even after the fixes you've made, some issues are still not resolved, and/or those changes have led to a few more issues.

So, after receiving the Final Audit report, you have to take a call (based on the severity table containing the unresolved issues) on whether to alter the code again or to move forward as it is.
 

Step 8 - Quill Vigilant Squad*

Following the completion of the second audit review, the fixed codebase, along with the comprehensive audit report, is formally handed over to our dedicated Vigilant Squad. This team is made up of experienced security researchers who specialise in identifying and analyzing vulnerabilities in complex systems. The Vigilant Squad undertakes a meticulous and in-depth review of both the codebase and the accompanying report, dedicating their full time and resources to proactively search for any potential security issue, however subtle. If the Vigilant Squad discovers a vulnerability, security flaw, or other issue, we are notified immediately so that swift action can be taken to mitigate any potential risk.

How can you help? If you receive any new issues from us at this stage, prepare an 'Updation Summary' or 'Comment Report' with details of the changes; this helps us identify the differences and test them rigorously.
 

Step 9 - Delivery

After getting the green light from the previous step, we send the report to our designers to generate a PDF version of the Audit Report, displaying all the necessary details of the auditing process.

Then, the report is uploaded to our official GitHub Repository, after which we share the link to the Audit Report and Certificate of Compliance from QuillAudits.

Step 10 - Post-Audit

After the Final Audit Report, we take your project in front of the masses through:

Social Media Announcements

  • As per your requests, we will make an audit announcement from our social media handles to mark the completion of the Audit.

LinkedIn - X (Twitter) - Telegram - Reddit - Medium

Magpie Audit

The completion of this step totally depends on the calendar availability of our marketing team. Therefore, this step might take some time to complete.

  • Access to QuillAudits Ecosystem (Exchanges, IDO, KYC, Incubators, VC Partners)

AMA Sessions

  • Expert auditors will explain the nuances of the audit report.
  • Q&A and direct interaction with your audience to build trust in your project.

Niche Targeted PR Services

  • Articles & guest posts in renowned publications.
  • Cross-platform promotions to give more exposure to the project.

Organize Product Launches, Community Meetups, etc.

  • QuillAudits team will help you in your product launch in India.
  • Set up community meetups, product workshops and web3 events for you.
  • QuillAudits expert team and partners will handle everything from content creation to marketing and event location to event coordination.

What Can the Project Team Expect From Us?

  • Delivery of initial report within the agreed timeline (considering a margin of ±2 days due to unforeseen circumstances).
  • Reviewing the final version of the code before concluding the audit.
  • Following the complete audit process, i.e., Manual Review, Functional Testing, Automated Testing, and Reporting bug findings.
  • Publishing audit reports and making post-audit announcements based on agreed-upon terms.

What Do We Expect From the Project Team?

  • A working test suite (all tests written are executable) covering at least 90% of the project code and edge-case scenarios.
  • Structured code following reasonable naming conventions and consistent coding style.
  • Well-documented contracts/functions and updated whitepaper.
  • Fixing issues from the initial bug-finding report and providing detailed comments, stating what fixes have been implemented to the concerned issues.
  • Reviewing the final report so that QuillAudits can conclude the audit.

About us

QuillAudits is a leading blockchain security firm with 7 years of experience, securing $30B in TVL with a multi-layered audit framework across 1400+ projects in DeFi, GameFi, NFT, Gaming, and all blockchain layers.

Our senior auditors conduct line-by-line code reviews, combining manual & AI-driven audits for smart contracts on 20+ chains including Ethereum, BSC, Arbitrum, Algorand, Tron, Polygon, Polkadot, Fantom, NEAR, & Solana. We also offer token risk assessments & real-time monitoring tools to fortify Web3 security. 

Beyond audits, we’ve hosted 50+ global events and 300+ workshops to educate and support the Web3 community.
