<div align="center">
<center>
<img src="https://avatars.githubusercontent.com/u/167952721" height="350" alt="@offbeatsecurity" style="margin-bottom: 20px;">
<h1>ZKTokenV3 Review</h1>
<h3>July 11, 2025</h3>
<p>Prepared for ZkSync</p>
<p>Conducted by:</p>
<p>Richie Humphrey (devtooligan)</p>
</center>
</div>

## About the **ZkSync ZKTokenV3 Review**

ZKTokenV3 is an upgraded governance token contract that introduces token burning functionality. The contract extends the existing ZkTokenV2 implementation with two new burning mechanisms: a public `burn` function that allows users to destroy their own tokens, and a role-gated `burnFrom` function that enables authorized addresses to burn tokens from specified accounts. This upgrade is a minimal extension of previously audited code and OpenZeppelin base contracts.

## About **Offbeat Security**

Offbeat Security is a boutique security company providing unique security solutions for complex and novel crypto projects. Our mission is to elevate the blockchain security landscape through invention and collaboration.

## Summary & Scope

The [l2-contracts/src](https://github.com/ScopeLift/zk-governance/tree/5c18bd1c7d18f17390bc6e2fc6e5d2167a326b30/l2-contracts/src) folder was reviewed at commit [5c18bd1](https://github.com/ScopeLift/zk-governance/tree/5c18bd1c7d18f17390bc6e2fc6e5d2167a326b30).

The following **1 file** was in scope:

- l2-contracts/src/ZkTokenV3.sol (19 SLOC)

## Summary of Findings

The contract implements a straightforward upgrade to the existing ZkTokenV2, adding burning capabilities. The total new code under review was 19 SLOC. No security vulnerabilities were identified during the review.

| Identifier | Title                  | Severity | Fixed |
| ---------- | ---------------------- | -------- | ----- |
| -          | No findings identified | -        | -     |

## Centralization

Users should be aware that addresses holding the `BURNER_ROLE` can burn tokens from any account using the `burnFrom` function. This is a significant privilege that should be carefully managed and, ideally, controlled by a multisig or governance mechanism.

## Additional Note: Public Burn Function

The contract includes a publicly accessible `burn` function that allows any token holder to permanently destroy their own tokens. While this is not a standard ERC20 feature, the project team has provided the following reasons for implementing it:

- Enabling token holders to burn compromised tokens in the event of a security incident
- Correcting over-minted tokens if minting caps are exceeded
- Forward compatibility with future protocol fee mechanisms that may require burning

Users should be aware that calling this function will permanently and irrevocably destroy their tokens.

## Detailed Findings

No security vulnerabilities were identified in the ZKTokenV3 contract during this review.
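The two burn paths described in the Centralization and Public Burn Function notes above, as an added illustration that is not the audited ZkTokenV3 source: a sketch contract built on OpenZeppelin's upgradeable ERC20 and AccessControl (the contract name, `initialize` signature and `burnFrom(address,uint256)` signature are assumptions), followed by a Foundry test that checks the privilege boundary, i.e. that self-burn needs no role while `burnFrom` reverts until `BURNER_ROLE` is granted.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Illustrative sketch plus a Foundry check, not the audited ZkTokenV3 source.
import {ERC20Upgradeable} from "@openzeppelin/contracts-upgradeable/token/ERC20/ERC20Upgradeable.sol";
import {AccessControlUpgradeable} from "@openzeppelin/contracts-upgradeable/access/AccessControlUpgradeable.sol";
import {Test} from "forge-std/Test.sol";

contract BurnableTokenSketch is ERC20Upgradeable, AccessControlUpgradeable {
    bytes32 public constant BURNER_ROLE = keccak256("BURNER_ROLE");
    function initialize(address admin, address holder, uint256 supply) external initializer {
        __ERC20_init("Sketch", "SKT");
        __AccessControl_init();
        _grantRole(DEFAULT_ADMIN_ROLE, admin);
        _mint(holder, supply);
    }

    /// Public self-burn: any holder may permanently destroy their own tokens.
    function burn(uint256 amount) external {
        _burn(msg.sender, amount);
    }

    /// Role-gated burn: only BURNER_ROLE may destroy tokens held by any account.
    function burnFrom(address account, uint256 amount) external onlyRole(BURNER_ROLE) {
        _burn(account, amount);
    }
}

contract BurnAccessTest is Test {
    address holder = makeAddr("holder");
    address burner = makeAddr("burner");

    function test_burnPaths() public {
        BurnableTokenSketch token = new BurnableTokenSketch();
        token.initialize(address(this), holder, 1_000e18); // this test contract is admin

        vm.prank(holder);
        token.burn(100e18);                        // self-burn needs no role
        assertEq(token.totalSupply(), 900e18);

        vm.prank(burner);
        vm.expectRevert();                         // no BURNER_ROLE yet: AccessControl reverts
        token.burnFrom(holder, 1e18);

        token.grantRole(token.BURNER_ROLE(), burner);
        vm.prank(burner);
        token.burnFrom(holder, 1e18);              // privileged burn from another account
        assertEq(token.balanceOf(holder), 899e18);
    }
}
```

Run with `forge test` in a project that has forge-std and openzeppelin-contracts-upgradeable installed; the second half of the test is the check to keep in a suite whenever the set of `BURNER_ROLE` holders or the role admin changes.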