Prepared by:
HALBORN
Last Updated 09/12/2025
Date of Engagement: August 14th, 2025 - August 20th, 2025
100% of all REPORTED Findings have been addressed
All findings
17
Critical
2
High
7
Medium
7
Low
1
Informational
0
ZKCross engaged Halborn to conduct a security assessment for the off-chain side of components of their cross-chain bridge. Halborn was provided access to the testing environment for testing and performed whitebox testing to identify and validate potential security vulnerabilities. The engagement was designed to identify vulnerabilities, validate security controls, and ensure the robustness of the bridge against both traditional application threats and bridge-specific business logic risks. Testing was performed using both blackbox and greybox methodologies to balance coverage and depth, and all findings were documented and reported at the conclusion of the engagement.
The team at Halborn was provided a timeline for the engagement and assigned a full-time security engineer to verify the security of the assets in scope. The security engineer is a penetration testing expert with advanced knowledge in web, mobile, blockchain, recon, discovery & infrastructure penetration testing. The engineer conducted in-depth testing of transaction flows, API endpoints, and supporting infrastructure.
The assessment identified multiple vulnerabilities affecting transaction handling, withdrawal rights assignment, nonce-based authentication, event processing, token resolution, API design, and dependency management. Business-logic flaws such as duplicate processing of bridge transactions and missing verification before fund release were noted as particularly impactful. Additional weaknesses included unauthenticated initialization endpoints, lack of rate limits, cacheable HTTPS responses, and persistence of token prices without safeguards. Observations also highlighted risks from outdated dependencies and exposed secrets in code history.
The findings underscore the importance of remediating key logic and API weaknesses to improve resilience while maintaining the strong baseline already present in secure operational practices.
The client addressed all identified issues, where one issue was partially resolved and will be completely addressed in future releases of the application.
The following repository was part of the scope:
Repository: https://github.com/zkCross-Network/zkcross_release_handler
Commit: 750bd14d295d23e2be655be070e8d0a8ade8216f
Branch: audit-approach-2
Halborn followed whitebox methodology as per the scope and performed a combination of manual and automated security testing with both to balance efficiency, timeliness, practicality, and accuracy regarding the scope of the pentest. While manual testing is recommended to uncover flaws in logic, process, and implementation; automated testing techniques assist enhance coverage of the infrastructure and can quickly identify flaws in it.
The assessment methodology covered a range of phases and employed various tools, including but not limited to the following:
- Mapping bridge workflows (lock → index → execute → release)
- Validating chain and token configuration
- Testing concurrency and race conditions in worker scheduling
- Verifying RPC reliability and alt-RPC fallback logic
- Assessing price feed caching and persistence
- Reviewing funder detection and withdrawal authorization flows
- Evaluating session, nonce, and authentication mechanisms in API endpoints
- Testing role assignment and liquidity wallet access controls
- Fuzzing endpoints for injection or misuse
- Dependency analysis for outdated or vulnerable third-party libraries
- Analysis for hardcoded credentials or API keys
Critical
2
High
7
Medium
7
Low
1
Informational
0
| Security analysis | Risk level | Remediation Date |
|---|---|---|
| Race condition allows duplicate bridge transactions for same lockId | Critical | Solved - 09/12/2025 |
| First depositor can gain withdraw rights | Critical | Solved - 09/11/2025 |
| Missing re-verification before fund release | High | Solved - 09/11/2025 |
| Nonce auth message is weak and volatile | High | Solved - 09/11/2025 |
| Bridge Initialization Endpoint Accessible Without Authentication | High | Solved - 09/11/2025 |
| Concurrency may cause resource exhaustion & duplicate worker processing | High | Solved - 09/11/2025 |
| Alt-RPC verification fails open when secondary is unset | High | Solved - 09/11/2025 |
| Price worker persists values without safeguards | High | Solved - 09/12/2025 |
| API Endpoints Served Over Insecure HTTP | High | Solved - 09/11/2025 |
| Event processing at head block may skip events on reorgs | Medium | Solved - 09/11/2025 |
| Outdated third party dependencies introduce risk | Medium | Partially Solved - 09/11/2025 |
| Token resolution inconsistencies can cause wrong contract selection | Medium | Solved - 09/11/2025 |
| Hardcoded Secret Git History | Medium | Solved - 09/11/2025 |
| Lack of Rate Limits in API | Medium | Solved - 09/11/2025 |
| Block sync pointer may update incorrectly could lead to race conditions | Medium | Solved - 09/11/2025 |
| Risk Of Supply Chain Attack Due To Unpinned Dependencies | Medium | Solved - 09/11/2025 |
| Cacheable Https API Responses | Low | Solved - 09/11/2025 |
//Critical
//Critical
//High
//High
//High
//High
//High
//High
//High
//Medium
//Medium
//Medium
//Medium
//Medium
//Medium
//Medium
//Low
Halborn strongly recommends conducting a follow-up assessment of the project either within six months or immediately following any material changes to the codebase, whichever comes first. This approach is crucial for maintaining the project’s integrity and addressing potential vulnerabilities introduced by code modifications.
// Download the full report
ZKCross - Penetration Test
* Use Google Chrome for best results
** Check "Background Graphics" in the print settings if needed
