This article is a case study of how zkSync partnered with Cantina, a transparent, efficient, and industry-leading security marketplace for protocols incubated by Spearbit, to conduct a security review of zkSync's Lido bridge.
zkSync
zkSync uses cutting-edge zero-knowledge (ZK) technology to scale Ethereum and bring crypto to the mainstream, reaching millions of developers and billions of people in need of a technological solution for achieving progress and prosperity. Deeply rooted in its mission to advance personal freedom for all, the zkSync blockchain network makes digital self-ownership universally available. It is trustless, secure, reliable, censorship-resistant, privacy-preserving, and hyper scalable. To learn more about zkSync, visit www.zksync.io.
Spearbit
Spearbit is a distributed, industry-leading blockchain security services firm that pairs protocols with top security researchers who have deep subject-matter expertise in Web3 security, to identify vulnerabilities in an ever-evolving landscape. Spearbit serves as a node in the ever-expanding Cantina network.
Cantina
Cantina is an efficient security marketplace incubated by Spearbit that provides protocols with access to leading security service providers, high-signal crowdsourced security reviews called competitions, and dynamic price transparency across Web3 security's top talent pool.
zkSync embodies Cantina's ethos of scaling the Web3 ecosystem while preserving core security principles. As a security-forward protocol that proactively strengthens its security posture without cutting corners, zkSync is the ideal client for a bespoke security review tailored to its unique needs and delivered by the best security talent Web3 has to offer.
The review phase began on August 2, 2023, concluded on August 18, 2023, and was followed by a two-week fix period. The security review was conducted by the following team of three security researchers:
Noah Marconi - Lead Security Researcher (LSR)
cccz - Security Researcher (SR)
Sujith Somraaj - Associate Security Researcher (ASR)
During this period, the team identified a total of 15 issues in the following risk categories:
Critical Risk: 0
High Risk: 0
Medium Risk: 0
Low Risk: 5
Gas Optimizations: 5
Informational: 5
The security researchers praised zkSync for its documentation, promptness of communication, and the support provided by the zkSync team during the review process. Noah, an LSR at Spearbit and now Head of Security Reviews at Cantina, said the following regarding the in-scope codebase:
The quality of the codebase along with the provisioning within it of proper specifications, comments, test cases, and clear structure enabled the security researchers to allocate their time effectively and maximize their time-to-value during the security review. We highly encourage protocol teams to follow zkSync’s example before providing the codebase for review to their security researchers and ensure that code quality and clarity are up to par.
Another key aspect the security review team highlighted was the depth of knowledge and responsiveness of the zkSync team demonstrated during the review process. One of the security researchers, cccz, encapsulated this best in his words below:
The experience of the zkSync team along with their commitment to providing swift communication, feedback, and insights into the codebase when inquired by the security review team was instrumental in the success of the review. We highly recommend protocols follow suit and take after this example put forth by the zkSync team.
Lastly, we'd like to highlight the robust documentation provided by the zkSync team for the in-scope code. All three participating security researchers unanimously praised the level of documentation provided by the zkSync team. Proper documentation and information on the architecture of the protocol and the in-scope codebase are crucial to the success of a security review.
Cantina's approach to the zkSync security review was marked by meticulous attention to detail and a deep understanding of the nuances that are intricately unique to blockchain security. Cantina's audit significantly contributed to enhancing the robustness of zkSync. Their methodical and thorough analysis, coupled with a comprehensive evaluation strategy, allowed for a holistic assessment of our system's security posture.
We were particularly impressed by the proactive communication and collaborative spirit shown by Cantina's team. Their ability to articulate complex security concepts in an accessible and actionable manner facilitated a seamless and productive dialogue between our teams. This not only expedited the review process but also provided us with valuable insights into potential areas for improvement.
The depth of experience and specialized knowledge that Cantina brought to the table was evident in their handling of the audit. Their team's proficiency in identifying and addressing potential vulnerabilities, and their suggestions for strategic improvements, underscored their status as leaders in the field of blockchain security.
Lastly, Cantina excelled at expert selection for the audit. Novel, cutting-edge systems such as zkSync have many components and parts for which security needs to be audited and assessed. Assigning the right experts with the right skills is critical to ensure the quality of the audit.
The responsiveness, knowledge, and documentation of the zkSync team were key factors in enabling the security review team to tackle the complexity of the codebase with the comprehensive coverage it requires. The zkSync team also demonstrated consistent alignment with Cantina in their objectives and expectations for the security review. zkSync's cooperative approach ensured that the evaluation was conducted according to shared standards and goals, resulting in a productive and insightful review process.
Cantina is your one-stop shop for comprehensive end-to-end security. Looking to secure your protocol today? Let's talk: we'll get you a full quote, tailored to your project's needs, within 24 hours.
Request a Quote