Zoth logo filled

QuillAudits Elevates Protection, Strengthens Zoth's Onchain Financial Ecosystem

Through a detailed 15-day audit, QuillAudits identifies and resolves critical vulnerabilities within Zoth's smart contracts, significantly improving the security and functionality of their financial ecosystem.

Before QuillAudits

  • No checks on _withdrawPenaltyPercent, allowing penalty-free withdrawals
  • Inconsistency and confusion in rate settings and validation
  • Inadequate checks on locking periods and end date calculations
  • Rewards calculated even during inactive pool periods, risking overpayment
  • Unrestricted modification of crucial pool parameters by Pool Managers

After QuillAudits

  • Implemented checks to ensure penalties are applied, securing withdrawals
  • Clarified and corrected rate representation and validation rules
  • Enhanced validation to ensure logical consistency and secure operations
  • Adjusted to cease reward payouts when pool is inactive, ensuring fairness
  • Restricted modifications, aligning changes with transparency and control

Headquarters

India

Chain

Polygon, Ethereum

See how QuillAudits is a trusted partner in 1000+ Audit stories

Zoth is a company that connects Traditional Finance (TradFi) and Onchain Finance, enabling new opportunities for enhanced liquidity and efficient tokenization mechanisms for Real World Assets (RWAs). The company's mutualized and robust pools are designed to tokenize and create liquidity for high-quality RWAs on-chain. Zoth's first product is a Lending Protocol that provides Crypto Lenders access to Insured & secured High Yield Trade finance & private credit products from emerging markets.



Transforming Global Finance: Bridging the Gap Between Traditional Assets and Onchain Finance


Zoth bridges Traditional Finance and Onchain Finance, accelerating the movement of assets and capital between these sectors. It does so with its Institutional Grade Fixed Income Marketplace, ZOTH-FI. This platform offers investors access to high-quality fixed-income assets such as Cross Border Trade Finance, Sovereign Government Bonds, and Corporate Credit via Stablecoins. Aimed at channeling trillions into sustainable Real World Assets (RWAs), Zoth enhances liquidity and facilitates efficient tokenization through robust, mutualized pools. The company prioritizes stringent regulatory compliance, ensuring secure and equitable access to finance globally across multiple jurisdictions.






Enhancing ZothPool V3 for Robust Financial Operations

Before a detailed security audit, Zoth's development team highlighted the ZothPool V3 module as a critical area for scrutiny. This module, built on the OpenZeppelin ERC-721 token standard, extends its capabilities to manage a lending pool where users can deposit funds, earn rewards, and influence pool parameters over specified periods. Given its central role in Zoth's operations, any vulnerabilities could severely impact the ecosystem. The audit was rigorously designed to probe for potential security breaches, including attack vectors and logical flaws, underscoring the importance of safeguarding financial processes. Comprehensive findings from the audit aimed to rectify immediate issues and fortify the overall resilience and efficiency of the ZothPool V3, ensuring its alignment with the financial stakes at hand.


Zoth's Journey Through our Audit Process

  1. Information Gathering:
    1. Collected and reviewed all relevant documentation, including whitepaper, technical specifications, and design documents.
    2. Obtained a clear understanding of the taiko platform's functionality, Bridge, Vault, and intended user interactions.
    3. Discussed client concerns and specific areas of focus for the audit.

       
  2. Manual Code Review:
    1. Conducted a line-by-line review of the smart contract code, focusing on:
      1. Vulnerability identification: Searching for known vulnerabilities like reentrancy, front-running, integer overflows, and access control issues, etc.
      2. Logic flaws: Identifying inconsistencies or unintended behaviours in the code logic.
      3. Solidity best practices: Compliance with secure coding standards and adherence to established guidelines.

         
  3. Functional Testing:

    1. Developed and executed a comprehensive set of test cases covering various user interactions and edge cases.
    2. Leveraged tools like Hardhat and Ganache to deploy and test the smart contract locally.

      Highlights of Tests we carried out in Functional Testing

    To ensure all functionalities of the Zoth ecosystem are working as expected; we conducted a series of functional tests. Here are the tests that were performed:

    Ownership and Permissions:

  4. Owner Control: Verified that only the contract owner can update referral fees and add sub-collections. Tests ensured these actions fail for unauthorized addresses.

    Minting and Whitelisting:

  5. Whitelist Enforcement: Confirmed that minting requires proof during whitelist periods, reverting for unauthorized attempts.
  6. Pseudo-Random Minting: Verified that minted tokens receive pseudo-randomly assigned IDs.
  7. Whitelist Disabling: Ensured the ability to disable whitelist minting and allow minting without proof.

    Supply and Sales:

  8. Token Limits: Verified that minting reverts when exceeding available main supply or individual address limits.
  9. Selling Functionality: Confirmed the ability to sell all tokens using the designated function.

    Token Management:

  10. Minting and Assignment: Verified successful minting of tokens and their assignment to the sender's address.
  11. Token Transfers: Confirmed the ability to transfer tokens between addresses, with appropriate checks and reverts for exceeding limits.

    Advanced Features:

  12. Trusted Forwarder: Verified the ability to set a trusted forwarder address for meta-transactions.
  13. Price and Limits: Confirmed the ability to set the mint price, maximum mints per address, and whitelist minting option.
  14. Burning: Verified the ability to enable/disable the burning functionality for tokens.
  15. Royalty Information: Confirmed the ability to set royalty information for creators.
  16. Sub-Collection Management: Verified retrieval of the correct sub-collection ID for a given token ID.
  17. Blacklist Enforcement: Confirmed that transfers to/from blacklisted addresses and approvals for blacklisted addresses are reverted.
  18. Nested Collections: Verified proper handling of scenarios with or without nested collections.

    Additional Functionalities:

  19. Pool Management: Verified the ability to set project details, register owner pools, process referrals with discounts, distribute funds based on owner pools, and remove owner pools.

    4. Automated Testing:

  20. Employed static analysis tools like Slither to identify vulnerabilities through automated code scanning.
  21. Utilized symbolic execution tools like Mythril to explore various code execution paths and uncover potential attack vectors.

    5. Reporting & Remediation:

  22. Prepared a detailed report outlining all identified vulnerabilities, categorized by severity and potential impact.
  23. Provided clear recommendations for fixing each vulnerability, including code snippets and best practices.
  24. Collaborated with the Taiko team to prioritize and address the identified issues.
  25. Conducted additional verification testing after vulnerability fixes were implemented.

QuillAudits' Strategic Approach to Zoth’s Security Audits

We initiated the audit with threat modelling, prioritizing areas based on the specific risks and potential attack vectors relevant to Zoth's Smart Contracts. Adopting a security-first approach, we focused on identifying and mitigating vulnerabilities beyond mere functionality testing. We conducted a thorough vulnerability assessment by integrating white-box and black-box testing methods. Throughout the audit process, we maintained transparent and open communication with the Zoth team, ensuring that all findings were clearly understood and recommendations were actionable. Emphasizing clarity, we concisely presented vulnerability descriptions and remediation steps to facilitate effective resolution.


Comprehensive Audit Discoveries

Our focused audit identified key issues across high and medium severity categories, with additional lower severity and informational issues not detailed here. Key findings include:



  1. Emergency Withdrawal Logic Flaw: The emergencyWithdraw function lacked necessary checks for _withdrawPenaltyPercent, enabling penalty-free premature fund withdrawals. This flaw could potentially destabilize the protocol’s financial mechanisms and disincentivize long-term investment.
  2. Rate Setting Inconsistency: The changeBaseRates and setWithdrawRate functions exhibited inconsistencies in rate validation, leading to potential misconfigurations and operational confusion due to ambiguous rate representations.
  3. Locking Duration and End Date Validation Issues: New deposit entries were found to have inadequate validation for locking periods and end date calculations, risking misaligned contractual timelines and logical inconsistencies.
  4. Reward Calculations in Inactive Periods: The _calculateFormula function failed to account for inactive pool periods when calculating rewards, leading to potential unwarranted payouts that could impact the financial integrity of the pool.
  5. Unrestricted Modifications of Pool Variables: The setContractVariables function permitted modifications to critical pool parameters without adequate restrictions, posing risks of operational discrepancies and potential manipulation.

These findings underscore the need for stringent checks and improved validation mechanisms to ensure the security and stability of the platform.

Conclusion

In conclusion, the Zoth audit served as a crucial step in enhancing there Smart Contracts security and operational efficiency. The identified issues, ranging from high to low severity, were systematically addressed, reinforcing the project’s commitment to user safety and protocol stability. The audit’s success underscores the importance of continuous security practices and collaborative efforts in maintaining a secure and reliable platform for users.




Subscribe to our Newsletter

Your weekly dose of Web3 innovation and security, featuring blockchain updates, developer insights, curated knowledge, security resources, and hack alerts. Stay ahead in Web3!