Horizen Migration - Code Review - The Horizen Foundation

Prepared by:

HALBORN

Last Updated 06/20/2025

Date of Engagement: June 11th, 2025 - June 13th, 2025

Summary

100% of all REPORTED Findings have been addressed

All findings

Critical

High

Medium

Low

Informational

1. Introduction
2. Summary
3. Test approach and methodology
4. Risk methodology
5. Scope
6. Assessment summary & findings overview
7. Findings & Tech Details

7.1 Eon dump allows silent address re-use
7.2 No two-step ownership transfer
7.3 Locked unclaimed stake in vaults
7.4 Unnecessary satoshi-level rounding
7.5 Unsorted eon_vault_results array used
7.6 Signature zero r and s not explicitly rejected
7.7 Signature v-byte range not asserted

1. Introduction

The Horizen Foundation engaged Halborn to conduct a security assessment on their smart contracts on June 11th, 2025 to June 13th, 2025. The security assessment was scoped to the smart contracts and scripts provided to the Halborn team.

The Horizen Foundation prepared a migration from all funds of the ZEND and EON blockchains to an ERC20 smart contract on the BASE blockchain and the reviewed scope provided balances dump scripts as well as the BASE smart contracts used to load and claim the migrated balances.

2. SUMMARY

The team at Halborn was provided 3 days for the engagement and assigned a security engineer to evaluate the security of the smart contract. The security engineer is a blockchain and smart-contract security expert with advanced penetration testing, smart-contract hacking, and deep knowledge of multiple blockchain protocols.

The purpose of the assessment is to:

Ensure that smart contract and scripts functions operate as intended.
Identify potential security issues with the smart contracts or scripts.

In summary, Halborn identified some minor improvements to reduce the likelihood and impact of risks, which have been completely addressed by the Horizen Foundation team. The main ones were the following:

Implement two step ownership transfer process.
Catch signature bad formats before reverting with a generic error.

3. TEST APPROACH AND METHODOLOGY

Halborn performed a combination of manual review of the code and automated security testing to balance efficiency, timeliness, practicality, and accuracy in regard to the scope of the smart contract assessment. While manual testing is recommended to uncover flaws in logic, process, and implementation; automated testing techniques help enhance coverage of smart contracts and can quickly identify items that do not follow security best practices. The following phases and associated tools were used throughout the term of the assessment:

Research into the architecture, purpose, and use of the platform.
Smart contract manual code review and walkthrough to identify any logic issue.
Thorough assessment of safety and usage of critical Move variables and functions in scope that could lead to arithmetic related vulnerabilities.
Manual testing by custom scripts.

4. RISK METHODOLOGY

Every vulnerability and issue observed by Halborn is ranked based on two sets of Metrics and a Severity Coefficient. This system is inspired by the industry standard Common Vulnerability Scoring System.

The two Metric sets are: Exploitability and Impact. Exploitability captures the ease and technical means by which vulnerabilities can be exploited and Impact describes the consequences of a successful exploit.

The Severity Coefficients is designed to further refine the accuracy of the ranking with two factors: Reversibility and Scope. These capture the impact of the vulnerability on the environment as well as the number of users and smart contracts affected.

The final score is a value between 0-10 rounded up to 1 decimal place and 10 corresponding to the highest security risk. This provides an objective and accurate rating of the severity of security vulnerabilities in smart contracts.

The system is designed to assist in identifying and prioritizing vulnerabilities based on their level of risk to address the most critical issues in a timely manner.

4.1 EXPLOITABILITY

Attack Origin (AO):

Captures whether the attack requires compromising a specific account.

Attack Cost (AC):

Captures the cost of exploiting the vulnerability incurred by the attacker relative to sending a single transaction on the relevant blockchain. Includes but is not limited to financial and computational cost.

Attack Complexity (AX):

Describes the conditions beyond the attacker’s control that must exist in order to exploit the vulnerability. Includes but is not limited to macro situation, available third-party liquidity and regulatory challenges.

Metrics:

EXPLOITABILITY METRIC ( $m_e$ )	METRIC VALUE	NUMERICAL VALUE
Attack Origin (AO)	Arbitrary (AO:A) Specific (AO:S)	1 0.2
Attack Cost (AC)	Low (AC:L) Medium (AC:M) High (AC:H)	1 0.67 0.33
Attack Complexity (AX)	Low (AX:L) Medium (AX:M) High (AX:H)	1 0.67 0.33

Exploitability

E

is calculated using the following formula:

$E = \prod m_e$

4.2 IMPACT

Confidentiality (C):

Measures the impact to the confidentiality of the information resources managed by the contract due to a successfully exploited vulnerability. Confidentiality refers to limiting access to authorized users only.

Integrity (I):

Measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of data stored and/or processed on-chain. Integrity impact directly affecting Deposit or Yield records is excluded.

Availability (A):

Measures the impact to the availability of the impacted component resulting from a successfully exploited vulnerability. This metric refers to smart contract features and functionality, not state. Availability impact directly affecting Deposit or Yield is excluded.

Deposit (D):

Measures the impact to the deposits made to the contract by either users or owners.

Yield (Y):

Measures the impact to the yield generated by the contract for either users or owners.

Metrics:

IMPACT METRIC ( $m_I$ )	METRIC VALUE	NUMERICAL VALUE
Confidentiality (C)	None (I:N) Low (I:L) Medium (I:M) High (I:H) Critical (I:C)	0 0.25 0.5 0.75 1
Integrity (I)	None (I:N) Low (I:L) Medium (I:M) High (I:H) Critical (I:C)	0 0.25 0.5 0.75 1
Availability (A)	None (A:N) Low (A:L) Medium (A:M) High (A:H) Critical (A:C)	0 0.25 0.5 0.75 1
Deposit (D)	None (D:N) Low (D:L) Medium (D:M) High (D:H) Critical (D:C)	0 0.25 0.5 0.75 1
Yield (Y)	None (Y:N) Low (Y:L) Medium (Y:M) High (Y:H) Critical (Y:C)	0 0.25 0.5 0.75 1

Impact

I

is calculated using the following formula:

$I = max(m_I) + \frac{\sum{m_I} - max(m_I)}{4}$

4.3 SEVERITY COEFFICIENT

Reversibility (R):

Describes the share of the exploited vulnerability effects that can be reversed. For upgradeable contracts, assume the contract private key is available.

Scope (S):

Captures whether a vulnerability in one vulnerable contract impacts resources in other contracts.

Metrics:

SEVERITY COEFFICIENT ( $C$ )	COEFFICIENT VALUE	NUMERICAL VALUE
Reversibility ( $r$ )	None (R:N) Partial (R:P) Full (R:F)	1 0.5 0.25
Scope ( $s$ )	Changed (S:C) Unchanged (S:U)	1.25 1

Severity Coefficient

C

is obtained by the following product:

$C = rs$

The Vulnerability Severity Score

S

is obtained by:

$S = min(10, EIC * 10)$

The score is rounded up to 1 decimal places.

Severity	Score Value Range
Critical	9 - 10
High	7 - 8.9
Medium	4.5 - 6.9
Low	2 - 4.4
Informational	0 - 1.9

5. SCOPE

Files and Repository

(a) Repository: horizen-migration

(b) Assessed Commit ID: https://github.com/HorizenOfficial/horizen-migration/tree/1.3.0-RC1

dump-scripts/python/horizen_dump_scripts/setup_eon2_json.py
dump-scripts/python/horizen_dump_scripts/zend_to_horizen.py
erc20-migration/contracts/EONBackupVault.sol

↓ Expand ↓

Out-of-Scope: Economic attacks and external dependencies.

Files and Repository

(a) Repository: horizen-migration-check

(b) Assessed Commit ID: https://github.com/HorizenOfficial/horizen-migration-check/tree/1.3.0

check.js

Out-of-Scope: Economic attacks and external dependencies.

Remediation Commit ID:

b5d2a80

Out-of-Scope: New features/implementations after the remediation commit IDs.

6. Assessment Summary & Findings Overview

Critical

High

Medium

Low

Informational

Security analysis	Risk level	Remediation Date
EON Dump Allows Silent Address Re-use	Informational	Acknowledged - 06/12/2025
No Two-Step Ownership Transfer	Informational	Acknowledged - 06/13/2025
Locked Unclaimed Stake In Vaults	Informational	Acknowledged - 06/13/2025
Unnecessary Satoshi-Level Rounding	Informational	Acknowledged - 06/13/2025
Unsorted eon_vault_results Array Used	Informational	Acknowledged - 06/13/2025
Signature Zero r And s Not Explicitly Rejected	Informational	Solved - 06/13/2025
Signature v-Byte Range Not Asserted	Informational	Solved - 06/13/2025

7. Findings & Tech Details

7.1 EON Dump Allows Silent Address Re-use

Informational

Description

The balances[…] mapping within EONBackupVault.batchInsert() is overwritten if the same address appears in multiple batches. The overall hash calculation will still succeed if the off-chain tool includes the final cumulative value; therefore, this issue may go unnoticed.

In the EONBackupVault contract, funds to distribute are loaded into the contract through the batchInsert method. There is an assumption that the input list of (address, value) does not have duplicate addresses, but if that assumption was broken, the contract would overwrite the balance of that address silently:

function batchInsert(bytes32 expectedCumulativeHash, AddressValue[] memory addressValues) public onlyOwner {
    if (cumulativeHashCheckpoint == bytes32(0)) revert CumulativeHashCheckpointNotSet();  
    if(_cumulativeHash == cumulativeHashCheckpoint) revert CumulativeHashCheckpointReached();
    uint256 i;
    bytes32 auxHash = _cumulativeHash;
    while (i != addressValues.length) {
        balances[addressValues[i].addr] = addressValues[i].value;
        addressList.push(addressValues[i].addr);
        auxHash = keccak256(abi.encode(auxHash, addressValues[i].addr, addressValues[i].value));
        unchecked { ++i; }
    }
    _cumulativeHash = auxHash;
    if (expectedCumulativeHash != _cumulativeHash) revert CumulativeHashNotValid();   
}

BVSS

AO:A/AC:L/AX:M/R:N/S:U/C:N/A:N/I:N/D:L/Y:N (1.7)

Recommendation

Implement a temporary in-memory mapping within batchInsert to track and reject duplicate addresses by reverting on detection, thereby preventing silent balance overwrites.

Remediation Comment

ACKNOWLEDGED: The Horizen Foundation team acknowledged this finding, mentioning that the list is aggregated and does not contain duplicates.

7.2 No Two-Step Ownership Transfer

Informational

Description

All contracts that inherit from OpenZeppelin Ownable (EONBackupVault.sol, ZendBackupVault.sol, LinearTokenVesting.sol, ZenMigrationFactory.sol) employ the single-step transferOwnership(newOwner) pattern: the current owner designates the new owner, and the transfer is finalized within the same transaction.

A typographical or copy-paste error could irreversibly relinquish administrative control, rendering this pattern unsafe. It could be improved by implementing a two-step process to enhance security.

BVSS

AO:S/AC:L/AX:M/R:N/S:U/C:N/A:H/I:N/D:N/Y:N (1.0)

Recommendation

Use OpenZeppelin’s Ownable2Step contract instead of Ownable, replacing direct transferOwnership calls with a two-step handover process: first, call transferOwnership(newOwner), then require newOwner to invoke acceptOwnership() to complete the ownership transfer.

Remediation Comment

ACKNOWLEDGED: The Horizen Foundation team acknowledged this finding.

7.3 Locked Unclaimed Stake In Vaults

Informational

Description

The Zend backup vault currently lacks a recovery mechanism to forward unclaimed tokens to the DAO or the foundation after the designated grace period.

Such unclaimed funds may result from lost wallets or errors during multisig creation, leading to tokens remaining permanently locked in the vault contract. Consequently, these tokens are effectively removed from the total supply of ZEN tokens.

BVSS

AO:A/AC:L/AX:M/R:N/S:U/C:N/A:N/I:N/D:N/Y:N (0.0)

Recommendation

Implement a recoverUnclaimed() function within the vault contract. This function should verify the block timestamp against the grace period and, once expired, transfer any remaining ZEN tokens to the DAO multisig.

Remediation Comment

ACKNOWLEDGED: The Horizen Foundation team acknowledged this finding, mentioning that residual balances in the vaults that are never claimed should remain locked forever, slightly reducing effective supply.

7.4 Unnecessary Satoshi-Level Rounding

Informational

Description

In the zend_to_horizen.py dump script the conversion function calls round(), but the call is redundant, multiplying by 10**10 already produces an integer for any satoshi amount:

SATOSHI_TO_WEI_MULTIPLIER = 10 ** 10

def satoshi_2_wei(value_in_satoshi):
	return int(round(SATOSHI_TO_WEI_MULTIPLIER * value_in_satoshi))

The extra rounding has no effect on the result and can be removed without altering precision or behaviour.

BVSS

AO:A/AC:L/AX:L/R:N/S:U/C:N/A:N/I:N/D:N/Y:N (0.0)

Recommendation

Eliminate the redundant round() call in satoshi_2_wei and refactor it to return SATOSHI_TO_WEI_MULTIPLIER * value_in_satoshi directly (or wrap this multiplication in int() if necessary) to preserve precision without unnecessary rounding.

Remediation Comment

ACKNOWLEDGED: The Horizen Foundation team acknowledged this finding.

7.5 Unsorted eon_vault_results Array Used

Informational

Description

In the zend_to_horizen.py dump script, the eon_vault_results variable, which tracks the balances in ZEND mapped to EON addresses, is sorted into the sorted_eon_vault_accounts variable. However, only the eon_vault_results is ultimately used to generate the intermediary artifact, which is then utilized by the setup_eon2_json.py script to produce the final address-to-value list.

if eon_vault_result_file_name is not None:
	sorted_eon_vault_accounts = collections.OrderedDict(sorted(eon_vault_results.items()))

	with open(eon_vault_result_file_name, "w") as jsonFile:
		json.dump(eon_vault_results, jsonFile, indent=4)

BVSS

AO:A/AC:L/AX:L/R:N/S:U/C:N/A:N/I:N/D:N/Y:N (0.0)

Recommendation

Update the json.dump call in zend_to_horizen.py to write sorted_eon_vault_accounts instead of eon_vault_results, ensuring the output artifact maintains the intended sorted order.

Remediation Comment

ACKNOWLEDGED: The Horizen Foundation team acknowledged this issue, mentioning that the intermediary artifact did not have to be sorted to be ingested properly by the setup_eon2_json.py script.

7.6 Signature Zero r And s Not Explicitly Rejected

Informational

Description

The VerificationLibrary.sol::parseZendSignature function accepts zero values for the signature's s and r parameters. Signatures with these components cause ecrecover to return address(0), which could pose a security concern if the resulting address is not properly validated. The verifyZendSignatureBool function reverts if the recovered address is zero; however, capturing the specific reason for such a zero address could provide clearer diagnostic information rather than a generic revert message.

function parseZendSignature(bytes memory hexSignature) internal pure returns (Signature memory){
    if(hexSignature.length != 65) revert SignatureMustBe65Bytes();
    bytes32 r;
    bytes32 s;
    uint8 v = uint8(hexSignature[0]);
    assembly {       
        r := mload(add(hexSignature, 33)) // bytes 1-32; the first byte is the recovery identifier
        s := mload(add(hexSignature, 65)) // bytes 33-65
    }
    // Rejects the “high-s” malleability twin (s′ = n − s) that signs the same message, to prevent S-malleability issues
    if (uint256(s) > 0x7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF5D576E7357A4501DDFE92F46681B20A0)
        revert InvalidSignature(); // @audit should also revert if r or s are 0
    return Signature({r: r, s: s, v: v});
}

function verifyZendSignatureBool(bytes32 messageHash, Signature memory signature, bytes32 pubKeyX, bytes32 pubKeyY) internal pure returns(bool) {
    uint8 v_ethereumFormat;
    if (signature.v == 31 || signature.v == 32){
        // Zend signature from compressed pubkey has +4 in the first byte, but Ethereum expects this to be removed
        v_ethereumFormat = signature.v - 4;
    } else { // @audit consider explicitly checking that v is 27 or 28
        v_ethereumFormat = signature.v;
    }
    address msgSigner = ecrecover(messageHash, v_ethereumFormat, signature.r, signature.s);
    if (msgSigner == address(0)) revert InvalidSignature();

    // Generate an Ethereum address from the public key components
    bytes32 hash = keccak256(abi.encodePacked(pubKeyX, pubKeyY));
    address ethAddress = address(uint160(uint256(hash)));

    return msgSigner == ethAddress; 
}

BVSS

AO:A/AC:L/AX:L/R:N/S:U/C:N/A:N/I:N/D:N/Y:N (0.0)

Recommendation

Implement explicit non-zero checks in parseZendSignature by adding if (r == 0 || s == 0) revert InvalidSignature();. Additionally, enforce that signature.v == 27 || signature.v == 28 within verifyZendSignatureBool before calling ecrecover to prevent zero-address recoveries and enhance error diagnostics.

Remediation Comment

SOLVED: The Horizen Foundation team solved the issue in the specified commit, adding an assertion on the zero r and s values.

Remediation Hash

https://github.com/HorizenOfficial/horizen-migration/commit/b5d2a80a5f4652dd77e58cd3687ffd79831bc32c

7.7 Signature v-Byte Range Not Asserted

Informational

Description

The VerificationLibrary.sol::verifyZendSignatureBool function supports two valid encodings for the recovery byte v:

Uncompressed format: v ∈ {27, 28}
These values are directly accepted by the ecrecover precompile.
Compressed format: v ∈ {31, 32}
Horizen encodes compressed public-key signatures by adding 4 to the standard value.
The library subtracts 4 before invoking ecrecover.

function verifyZendSignatureBool(bytes32 messageHash, Signature memory signature, bytes32 pubKeyX, bytes32 pubKeyY) internal pure returns(bool) {
    uint8 v_ethereumFormat;
    if (signature.v == 31 || signature.v == 32){
        // Zend signature from compressed pubkey has +4 in the first byte, but Ethereum does not expect this
        v_ethereumFormat = signature.v - 4;
    }else{
        v_ethereumFormat = signature.v;
    }
    // ...
}

If signature.v does not fall within either {27, 28, 31, 32}, the function forwards the call to ecrecover. In this case, ecrecover will return address(0), resulting in a revert in the outer logic. However, this occurs only after incurring the cost of the precompile and without a clear error indication.

BVSS

AO:A/AC:L/AX:L/R:N/S:U/C:N/A:N/I:N/D:N/Y:N (0.0)

Recommendation

At the beginning of verifyZendSignatureBool, enforce that signature.v is one of the following values: 27, 28, 31, or 32 (e.g., require(v == 27 || v == 28 || v == 31 || v == 32, "Invalid v");). This ensures early reversion and prevents unsupported values from being passed to ecrecover.

Remediation Comment

SVOLED: The Horizen Foundation team solved the issue in the specified commit, adding an assertion on the allowed v range.

Remediation Hash

https://github.com/HorizenOfficial/horizen-migration/commit/b5d2a80a5f4652dd77e58cd3687ffd79831bc32c

Halborn strongly recommends conducting a follow-up assessment of the project either within six months or immediately following any material changes to the codebase, whichever comes first. This approach is crucial for maintaining the project’s integrity and addressing potential vulnerabilities introduced by code modifications.

1. Introduction
2. Summary
3. Test approach and methodology
4. Risk methodology
5. Scope
6. Assessment summary & findings overview
7. Findings & Tech Details

7.1 Eon dump allows silent address re-use
7.2 No two-step ownership transfer
7.3 Locked unclaimed stake in vaults
7.4 Unnecessary satoshi-level rounding
7.5 Unsorted eon_vault_results array used
7.6 Signature zero r and s not explicitly rejected
7.7 Signature v-byte range not asserted

// Download the full report

Horizen Migration - Code Review

* Use Google Chrome for best results

** Check "Background Graphics" in the print settings if needed