Prepared by:
HALBORN
Last Updated 09/12/2025
Date of Engagement: August 14th, 2025 - August 20th, 2025
100% of all REPORTED Findings have been addressed
| Severity | Findings |
|---|---|
| Critical | 2 |
| High | 7 |
| Medium | 7 |
| Low | 1 |
| Informational | 0 |
| All findings | 17 |
ZKCross engaged Halborn to conduct a security assessment of the off-chain components of their cross-chain bridge. Halborn was provided access to the testing environment and performed whitebox testing to identify and validate potential security vulnerabilities. The engagement was designed to identify vulnerabilities, validate security controls, and ensure the robustness of the bridge against both traditional application threats and bridge-specific business logic risks. Testing was performed using both blackbox and greybox methodologies to balance coverage and depth, and all findings were documented and reported at the conclusion of the engagement.
The team at Halborn was provided a timeline for the engagement and assigned a full-time security engineer to verify the security of the assets in scope. The security engineer is a penetration testing expert with advanced knowledge in web, mobile, blockchain, recon, discovery & infrastructure penetration testing. The engineer conducted in-depth testing of transaction flows, API endpoints, and supporting infrastructure.
The assessment identified multiple vulnerabilities affecting transaction handling, withdrawal rights assignment, nonce-based authentication, event processing, token resolution, API design, and dependency management. Business-logic flaws such as duplicate processing of bridge transactions and missing verification before fund release were noted as particularly impactful. Additional weaknesses included unauthenticated initialization endpoints, lack of rate limits, cacheable HTTPS responses, and persistence of token prices without safeguards. Observations also highlighted risks from outdated dependencies and exposed secrets in code history.
The findings underscore the importance of remediating key logic and API weaknesses to improve resilience while maintaining the strong baseline already present in secure operational practices.
The client addressed all identified issues; one issue was partially resolved and will be completely addressed in future releases of the application.
The following repository was part of the scope:
Repository: https://github.com/zkCross-Network/zkcross_release_handler
Commit: 750bd14d295d23e2be655be070e8d0a8ade8216f
Branch: audit-approach-2
Halborn followed a whitebox methodology as per the scope and performed a combination of manual and automated security testing to balance efficiency, timeliness, practicality, and accuracy regarding the scope of the pentest. While manual testing is recommended to uncover flaws in logic, process, and implementation, automated testing techniques help enhance coverage of the infrastructure and can quickly identify flaws in it.
The assessment methodology covered a range of phases and employed various tools, including but not limited to the following:
- Mapping bridge workflows (lock → index → execute → release)
- Validating chain and token configuration
- Testing concurrency and race conditions in worker scheduling
- Verifying RPC reliability and alt-RPC fallback logic
- Assessing price feed caching and persistence
- Reviewing funder detection and withdrawal authorization flows
- Evaluating session, nonce, and authentication mechanisms in API endpoints
- Testing role assignment and liquidity wallet access controls
- Fuzzing endpoints for injection or misuse
- Dependency analysis for outdated or vulnerable third-party libraries
- Analysis for hardcoded credentials or API keys
| Security analysis | Risk level | Remediation Date | 
|---|---|---|
| Race condition allows duplicate bridge transactions for same lockId | Critical | Solved - 09/12/2025 | 
| First depositor can gain withdraw rights | Critical | Solved - 09/11/2025 | 
| Missing re-verification before fund release | High | Solved - 09/11/2025 | 
| Nonce auth message is weak and volatile | High | Solved - 09/11/2025 | 
| Bridge Initialization Endpoint Accessible Without Authentication | High | Solved - 09/11/2025 | 
| Concurrency may cause resource exhaustion & duplicate worker processing | High | Solved - 09/11/2025 | 
| Alt-RPC verification fails open when secondary is unset | High | Solved - 09/11/2025 | 
| Price worker persists values without safeguards | High | Solved - 09/12/2025 | 
| API Endpoints Served Over Insecure HTTP | High | Solved - 09/11/2025 | 
| Event processing at head block may skip events on reorgs | Medium | Solved - 09/11/2025 | 
| Outdated third party dependencies introduce risk | Medium | Partially Solved - 09/11/2025 | 
| Token resolution inconsistencies can cause wrong contract selection | Medium | Solved - 09/11/2025 | 
| Hardcoded Secret Git History | Medium | Solved - 09/11/2025 | 
| Lack of Rate Limits in API | Medium | Solved - 09/11/2025 | 
| Block sync pointer may update incorrectly could lead to race conditions | Medium | Solved - 09/11/2025 | 
| Risk Of Supply Chain Attack Due To Unpinned Dependencies | Medium | Solved - 09/11/2025 | 
| Cacheable Https API Responses | Low | Solved - 09/11/2025 | 
Halborn strongly recommends conducting a follow-up assessment of the project either within six months or immediately following any material changes to the codebase, whichever comes first. This approach is crucial for maintaining the project’s integrity and addressing potential vulnerabilities introduced by code modifications.