zkBob smart contracts Security Audit

Summary

The most critical subjects covered in our audit are functional correctness, access control, and front-running. Security regarding functional correctness and access control is high. The two medium-severity issues uncovered, which make the system vulnerable to front-running and sandwich attacks, can potentially endanger users and third-party integrations, but do not pose an immediate risk to the zkBob system itself.

The general subjects covered are trustworthiness, documentation, specification and code complexity. The security regarding these subjects is good. The issues that were acknowledged but not fixed are of low severity and don’t render the system unsafe.

In summary, we find that the codebase provides a good level of security. The remaining issues that were acknowledged but not fixed do not immediately impair the system; however, we still suggest addressing them in the future.

It is important to note that security audits are time-boxed and cannot uncover all vulnerabilities. They complement but don’t replace other vital measures to secure a project.

About zkBob smart contracts

BOB Protocol implements an application that uses zero-knowledge proofs (zk-SNARKs) for anonymous transfers of the BOB ERC20 stablecoin token.