
# Audits and Security

SZNS largely relies on battle-tested smart contracts that have been audited by PeckShield.

## Security Process

We take digital assets seriously at SZNS. If you find flaws in our smart contract architecture or serious bugs in our application, please don't hesitate to reach out to our email **<security@szns.io>**.

For bugs that put assets at risk, we will consider bug bounties of up to 10% of the value at risk! Thanks for being part of the ecosystem.

## Updates

Any security-related reports will be included here.

#### Bounty Board

On August 4th, 2022, [Patrick Drotleff](https://ventral.digital/about), an IT consultant, discovered a vulnerability in the Bounty Board contract ([0x879d25dB71DD9ff94452C510C13347fb49175D9D](https://etherscan.io/address/0x879d25dB71DD9ff94452C510C13347fb49175D9D)). The function `batchFillOrder()` did not check that the caller owned the NFTs they were tributing to fill an order (giving NFTs in exchange for collection tokens): it passed `erc721.ownerOf(id)` as the `from` address of the transfer, so an attacker could tribute the NFTs of any user who had approved the contract on that NFT collection and receive the collection tokens themselves. The issue was easily fixed by replacing `erc721.ownerOf(id)` with `msg.sender`.

```solidity
function batchFillOrder(
    Order calldata order,
    ERC721Grouping[] calldata erc721Groupings
) internal {
    ...
            if (!order.validator.meetsCriteria(address(erc721), id)) {
                revert InvalidNftError(address(erc721), id);
            }
            // Forward NFT to beneficiary
            // NOTE: reentrancy should be safe here, since we're decrementing
            //   the number of fills based on its later value.
            erc721.safeTransferFrom(
                erc721.ownerOf(id), // vulnerable: the token's owner, not the caller
                order.nftBeneficiary,
                id
            );
        }
    }
    // Should throw if underflow
    remainingFills[orderHash] -= tributeCounter;
    // Payout to order filler
    order.erc20.mint(msg.sender, order.tokensPerTribute * tributeCounter);
}
```
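As an added illustration (not SZNS code), the two transfer patterns side by side in a minimal contract: the vulnerable form pulls the token from whoever `ownerOf(id)` returns, while the fixed form passes `msg.sender`, which the ERC-721 token contract requires to be the current owner. The `IERC721Minimal` interface, the `TributeExample` contract and its `credits` mapping (a stand-in for minting collection tokens) are assumptions made for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal ERC-721 surface needed here (assumed interface, not the SZNS code).
interface IERC721Minimal {
    function ownerOf(uint256 tokenId) external view returns (address);
    function safeTransferFrom(address from, address to, uint256 tokenId) external;
}

contract TributeExample {
    address public immutable nftBeneficiary;    // where tributed NFTs are sent (constructed)
    mapping(address => uint256) public credits; // stand-in for minted collection tokens

    constructor(address beneficiary) {
        nftBeneficiary = beneficiary;
    }

    // VULNERABLE pattern: `from` is whoever currently owns the token. The ERC-721
    // contract only checks that *this contract* is approved for the token (e.g. via
    // setApprovalForAll), not that the caller of fillVulnerable() is the owner, so any
    // caller can pull in NFTs of users who granted this contract approval and be credited.
    function fillVulnerable(IERC721Minimal erc721, uint256 id) external {
        erc721.safeTransferFrom(erc721.ownerOf(id), nftBeneficiary, id);
        credits[msg.sender] += 1; // caller is paid for someone else's NFT
    }

    // FIXED pattern: use msg.sender as `from`. ERC-721 requires `from` to be the current
    // owner, so the transfer reverts unless the caller actually owns `id`. The explicit
    // require() duplicates the token contract's check but gives a clear error message.
    function fillFixed(IERC721Minimal erc721, uint256 id) external {
        require(erc721.ownerOf(id) == msg.sender, "caller does not own NFT");
        erc721.safeTransferFrom(msg.sender, nftBeneficiary, id);
        credits[msg.sender] += 1;
    }
}
```

Users who had called `setApprovalForAll` on the vulnerable contract were exposed regardless of whether they ever filled an order, which is why revoking stale approvals is part of the remediation.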

To disable approvals to this contract, go to <https://revoke.cash/>, connect your wallet, and revoke any allowances for the contract 0x879d25dB71DD9ff94452C510C13347fb49175D9D.

Since we were contacted by Patrick, we have reached out to individuals with ENS names who were at risk. No individuals were exploited by this vulnerability. Patrick was awarded 1 ETH as a reward.
