◼️ Security & Auditing Guidelines

Building on ZONA means having access to powerful tools, from fast EVM execution to modular SDK-level control. However, with great power comes great responsibility: security must be a top priority in every deployment.

This section outlines best practices, audit preparation tips, and key threat vectors to watch out for when developing on ZONA Protocol.


✅ General Best Practices

1. Use Battle-Tested Libraries

  • Prefer audited libraries like OpenZeppelin for ERC standards, access control, math, and token logic.

  • For SDK modules, reuse ZONA/ZONA standard patterns where possible.

2. Follow the Principle of Least Privilege

  • Restrict access to sensitive functions using onlyOwner, onlyRole, or validator checks.

  • Avoid unnecessary public or external modifiers on internal logic.

3. Limit delegatecall and call Usage

  • Avoid low-level calls unless absolutely required; they are common vectors for reentrancy and external dependency exploits.

4. Ensure Upgrade Safety

  • If using proxies or upgradable contracts, implement transparent proxy patterns.

  • Lock admin functions or upgradeability once live on mainnet.


🔍 Smart Contract Audit Checklist

Before deploying to ZONA Testnet or Mainnet, ensure the following:


🔐 Common Vulnerabilities to Avoid

Issue                 | Risk Example                                | Prevention
Reentrancy            | Token drains via recursive fallback         | Use nonReentrant modifier
Access Control Flaws  | Unrestricted admin/mint/transfer functions  | Use Ownable / AccessControl
Integer Overflows     | Incorrect token math                        | Use Solidity ^0.8.x versions
Gas Griefing          | Unbounded loops in user-facing calls        | Limit iteration or cache state
Timestamp Dependency  | Time manipulation via block.timestamp       | Use block height instead where possible


🛡️ SDK Module Security (Advanced)

If building native modules using ZONA SDK:

  • Validate all message inputs in MsgServer

  • Always define ValidateBasic() for message types

  • Use parameter stores (ParamStore) for upgradable config

  • Protect cross-module communication (e.g., between bank, staking, evm)

  • Implement tests for every transaction and handler path


  • Static Analysis: Slither, MythX, Securify

  • Test Coverage: Hardhat Coverage Plugin

  • Formal Verification: Certora (for large-scale protocols)

  • Audit Partners: Contact certified firms for full ZONA/EVM support audits


📝 Audit Readiness

When preparing for a third-party audit:

  • Freeze all core logic before the audit begins

  • Provide complete test coverage and deployment scripts

  • Include full documentation and assumptions for your system

  • Disclose prior vulnerabilities or known limitations


🚨 Security is not a one-time effort; it’s a continuous process. Audit early. Test often. Launch safely.
