EVM Stellar zkCrossDex - ZKCross

1. Introduction

The security assessment was commissioned by ZKCross, a cross-chain interoperability protocol focused on DeFi infrastructure, to assess the security and robustness of the Solidity-based EVM Swapper smart contract. The assessment was performed by Halborn’s experienced security team, focusing on the code released at commit 0264b30. The review covered all functionality in Swapper.sol between August 21st, 2025, and August 22nd, 2025. The primary objective of this engagement’s core purpose was to identify vulnerabilities, ensure protocol reliability and strengthen overall security.

2. Assessment Summary

The team at Halborn assigned a full-time security engineer to verify the security of the smart contracts. The security engineer is a blockchain and smart-contract security expert with advanced penetration testing, smart-contract hacking, and deep knowledge of multiple blockchain protocols.

The purpose of this assessment is to:

• Ensure that smart contract functions operate as intended

• Identify potential security issues with the smart contract

In summary, Halborn identified some improvements to reduce the likelihood and impact of risks, which were properly addressed by the ZKCross team. The main recommendations were the following:

• Reinstate the check to ensure that the caller of the swap function is the one whose funds are being used.

• Use call() pattern with success check instead of transfer() when transferring funds.

• Add slippage control to the swap function.

• Measure the token balance before and after transfer, then approve the allowanceHolder for the actual amount received instead of the nominal amount.

3. Test Approach and Methodology

A layered and exhaustive approach was adopted. Initial research mapped contract design objectives and expected operating scenarios. Manual code reviews targeted privilege boundaries, fund flows, and feature completeness, with particular scrutiny of administrative and edge-case logic. Automated static analysis and dynamic on-chain test suites were executed to cover functional correctness, failure conditions, and integration with external token contracts.

The methodology balanced deep manual analysis with rigorous automated tools. Multiple stages were conducted: reconnaissance, manual threat modeling, static analysis, custom test building, and scenario-driven on-chain transaction simulations. This combination ensured broad and deep coverage, surfacing both logical flaws and implementation oversights across all critical paths.