-
Notifications
You must be signed in to change notification settings - Fork 43
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
feat: adds community docs back and best practices (#58)
# What 💻 * Adds community docs back and best practices * removes outdates oracle # Why ✋ * Important info to keep * does not exist anymore # Evidence 📷 Include screenshots, screen recordings, or `console` output here demonstrating that your changes work as intended <!-- All sections below are optional. You can uncomment any section applicable to your Pull Request. --> <!-- # Notes 📝 * Any notes/thoughts that the reviewers should know prior to reviewing the code? -->
- Loading branch information
1 parent
3192f8c
commit 57399f1
Showing
8 changed files
with
674 additions
and
8 deletions.
There are no files selected for viewing
121 changes: 121 additions & 0 deletions
121
content/00.build/65.developer-reference/25..best-practices.md
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,121 @@ | ||
| --- | ||
| title: Security and best practices | ||
| description: | ||
| --- | ||
|
|
||
| Before diving into development on ZKsync Era, it's crucial to consider the following recommendations. These best | ||
| practices will help you optimize your code, ensure security, and align with the unique characteristics of ZKsync Era. | ||
|
|
||
| ## Use `call` over `.send` or `.transfer` | ||
|
|
||
| Avoid using `payable(addr).send(x)`/`payable(addr).transfer(x)` because the 2300 gas stipend may not be enough | ||
| for such calls, especially if it involves state changes that require a large amount of L2 gas for data. Instead, we recommend using `call`. | ||
|
|
||
| Instead of: | ||
|
|
||
| ```solidity | ||
| payable(addr).send(x) // or | ||
| payable(addr).transfer(x) | ||
| ``` | ||
|
|
||
| Use: | ||
|
|
||
| ```solidity | ||
| (bool s, ) = addr.call{value: x}(""); | ||
| require(s); | ||
| ``` | ||
|
|
||
| This converts the `send`/`transfer` functionality to `call` and [avoids potential security risks outlined here.](https://consensys.net/diligence/blog/2019/09/stop-using-soliditys-transfer-now/). | ||
|
|
||
| While `.call` offers more flexibility compared to `.send` or `.transfer`, developers should be aware that `.call` | ||
| does not provide the same level of reentrancy protection as `.transfer`/`.send`. It's crucial to adhere to best | ||
| practices like the checks-effects-interactions pattern and/or use reentrancy guard protection to secure your | ||
| contracts against reentrancy attacks. It can help ensure the robustness and security of your smart contracts on the ZKSync VM, even under unexpected conditions. | ||
|
|
||
| ## Use the proxy pattern at the early stage of the protocol | ||
|
|
||
| ZKsync Era is based on the zk-friendly VM. Thus, we offer | ||
| [a dedicated compiler](/zk-stack/components/compiler/toolchain/overview) | ||
| responsible for transforming conventional Solidity and Vyper code into zkEVM bytecode. | ||
|
|
||
| While we have extensive test coverage to ensure EVM compatibility, issues may still appear. | ||
| We will implement the patches for these in a timely manner. | ||
|
|
||
| To integrate a compiler bug fix, you need to recompile and upgrade your smart contract. We recommend using the | ||
| Proxy pattern for a few months after your first deployment on ZKsync Era, even if you plan to migrate to an immutable | ||
| contract in the future. | ||
|
|
||
| ## Do not rely on EVM gas logic | ||
|
|
||
| ZKsync Era has a distinctive gas logic compared to Ethereum. There are two main drivers: | ||
|
|
||
| - We have a state-diff-based data availability, which means that the price for the execution depends on the L1 gas price. | ||
| - ZKsync VM has a different set of computational trade-offs compared to the standard computational model. In | ||
| practice, this means that the price for opcodes is different to Ethereum. Also, zkEVM contains a different set of | ||
| opcodes under the hood and so the “gas” metric of the same set of operations may be different on ZKsync Era and on Ethereum. | ||
|
|
||
| ::callout{icon="i-heroicons-exclamation-triangle" color="amber"} | ||
| Our fee model is being constantly improved and so it is highly recommended **NOT** to hardcode any constants since the fee | ||
| model changes in the future might be breaking for this constant. | ||
| :: | ||
|
|
||
| ## `gasPerPubdataByte` should be taken into account in development | ||
|
|
||
| Due to the state diff-based fee model of ZKsync Era, every transaction includes a constant called `gasPerPubdataByte`. | ||
|
|
||
| Presently, the operator has control over this value. However, in EIP712 transactions, users also sign an upper bound | ||
| on this value, but the operator is free to choose any value up to that upper bound. Note, that even if the value | ||
| is chosen by the protocol, it still fluctuates based on the L1 gas price. Therefore, relying solely on gas is inadequate. | ||
|
|
||
| A notable example is a Gnosis Safe’s `execTransaction` method: | ||
|
|
||
| ```solidity | ||
| // We require some gas to emit the events (at least 2500) after the execution and some to perform code until the execution (500) | ||
| // We also include the 1/64 in the check that is not send along with a call to counteract potential shortcomings because of EIP-150 | ||
| require(gasleft() >= ((safeTxGas * 64) / 63).max(safeTxGas + 2500) + 500, "GS010"); | ||
| // Use scope here to limit variable lifetime and prevent `stack too deep` errors | ||
| { | ||
| uint256 gasUsed = gasleft(); | ||
| // If the gasPrice is 0 we assume that nearly all available gas can be used (it is always more than safeTxGas) | ||
| // We only subtract 2500 (compared to the 3000 before) to ensure that the amount passed is still higher than safeTxGas | ||
| success = execute(to, value, data, operation, gasPrice == 0 ? (gasleft() - 2500) : safeTxGas); | ||
| gasUsed = gasUsed.sub(gasleft()); | ||
| // ... | ||
| } | ||
| ``` | ||
|
|
||
| While the contract does enforce the correct `gasleft()`, it does not enforce the correct `gasPerPubdata`, since there | ||
| was no such parameter on Ethereum. This means that a malicious user could call this wallet when the `gasPerPubdata` is | ||
| high and make the transaction fail, hence making it spend artificially more gas than required. | ||
|
|
||
| This is the case for all relayer-like logic ported directly from Ethereum and so if you see your code relying on logic | ||
| like “the user should provide at X gas”, then the `gasPerPubdata` should be also taken into account on ZKsync Era. | ||
|
|
||
| For now, ZKsync Era operators use honest values for ETH L1 price and `gasPerPubdata`, so it should not be an issue if | ||
| enough margin is added to the estimated gas. In order to prepare for the future decentralization of ZKsync Era, | ||
| it is imperative that you update your contract. | ||
|
|
||
| ## Use native account abstraction over `ecrecover` for validation | ||
|
|
||
| Use ZKsync Era's native account abstraction support for signature validation instead of this function. | ||
|
|
||
| We recommend not relying on the fact that an account has an ECDSA private key, since the account may be governed by | ||
| multisig and use another signature scheme. | ||
|
|
||
| Read more about [ZKsync Era Account Abstraction support](/build/developer-reference/account-abstraction/introduction). | ||
|
|
||
| ## Use local testing environment | ||
|
|
||
| For optimal development and testing of your contracts, it is highly recommended to perform local testing before deploying | ||
| them to the mainnet. Local testing allows you to test your contracts in a controlled environment, providing benefits such as | ||
| reduced network latency and cost. | ||
|
|
||
| We provide [two different testing environments](/build/test-and-debug) designed for local testing purposes. | ||
| These tools allow you to simulate the ZKsync network locally, enabling you to validate your contracts effectively. | ||
|
|
||
| By incorporating local testing into your development workflow, you can effectively verify the behavior and functionality of | ||
| your contracts in a controlled environment, ensuring a smooth deployment process to the mainnet. | ||
|
|
||
| For detailed instructions on configuring the local testing environment and performing tests using Mocha and Chai, | ||
| refer to the dedicated [Testing](/build/test-and-debug) page. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,80 @@ | ||
| --- | ||
| title: Audits and Bug Bounty Program | ||
| description: | ||
| --- | ||
|
|
||
| ZKsync Era takes security seriously and as such, we have completed multiple audits in all critical parts of the | ||
| protocol. On top of that, there is an ongoing massive bug bounty program. | ||
|
|
||
| ## Audits | ||
|
|
||
| We always ensure that all code deployed to production has been thoroughly tested before release. Our auditing and | ||
| review processes begin well before any code is deployed. We conduct internal audits, followed by independent | ||
| external audits from reputable auditors. If applicable, we also hold a public auditing contest and top it off with another independent external audit. | ||
|
|
||
| Here is the list of **completed audits**: | ||
|
|
||
| - Layer 1 Smart Contracts, Internal Audit, from 2022-06-14 to 2022-08-17. | ||
| - [Layer 1 Smart Contracts](https://blog.openzeppelin.com/zksync-layer-1-audit/), OpenZeppelin, from 2022-09-05 to 2022-09-30. | ||
| - [Layer 1 Diff Audit (Upgrade Audit)](https://blog.openzeppelin.com/zksync-layer-1-diff-audit/), OpenZeppelin, from 2022-11-21 to 2022-11-25. | ||
| - [Layer 1 Diff Audit (Upgrade Audit)](https://blog.openzeppelin.com/zksync-l1-diff-audit-february-2023/), OpenZeppelin, from 2023-02-06 to 2023-02-17. | ||
| - [Layer 1 Public Contest](https://code4rena.com/reports/2022-10-zksync/), Code4rena, from 2022-10-28 to 2022-11-09. | ||
| - [Layer 1 Smart Contracts](https://github.com/Secure3Audit/Secure3Academy/blob/main/audit_reports/zkSync/zkSync_L1_final_Secure3_Audit_Report.pdf), | ||
| Secure3, from 2022-10-22 to 2022-11-06. | ||
| - [WETH Bridge Audit](https://blog.openzeppelin.com/zksync-weth-bridge-audit), OpenZeppelin, from 2023-03-27 to 2023-03-31. | ||
| - [Bridge and .transfer & .send](https://blog.openzeppelin.com/zksync-bridge-and-.transfer-.send-diff-audit), OpenZeppelin, from 2023-04-24 to 2023-05-01. | ||
| - [GnosisSafeZk Assessment](https://blog.openzeppelin.com/zksync-gnosissafezk-assessment-1), OpenZeppelin, from 2023-05-22 to 2023-05-26. | ||
| - [Upgrade System](https://blog.openzeppelin.com/zksync-upgrade-system-audit), OpenZeppelin, from 2023-06-26 to 2023-06-30. | ||
| - [Layer 1 Messenger Upgrade](https://blog.openzeppelin.com/zksync-l1messenger-upgrade-audit), OpenZeppelin, from 2023-08-30 to 2023-09-14. | ||
| - [Diff and Governance Audit](https://blog.openzeppelin.com/december-diff-and-governance-audit), OpenZeppelin, from 2023-12-04 to 2023-12-22. | ||
| - Layer 2, Internal Audit, from 2022-08-17 to 2022-10-24. | ||
| - [Layer 2 Bootloader](https://blog.openzeppelin.com/zksync-bootloader-audit-report/), OpenZeppelin, from 2022-11-28 to 2022-12-23. | ||
| - [Layer 2 Fee Model and Token Bridge](https://blog.openzeppelin.com/zksync-fee-model-and-token-bridge-audit/), OpenZeppelin, from 2023-01-23 to 2023-02-17. | ||
| - [Layer 2 System Contracts Public Contest](https://code4rena.com/contests/2023-03-zksync-era-system-contracts-contest), | ||
| Code4rena, from 2023-03-10 to 2023-03-19. | ||
| - [Layer 2 Block Refactor](https://blog.openzeppelin.com/zksync-l2-block-refactor-audit), OpenZeppelin, from 2023-07-25 to 2023-07-31. | ||
| - [Keccak256 Upgrade](https://blog.openzeppelin.com/zksync-keccak256-upgrade-audit), OpenZeppelin, from 2023-10-23 to 2023-10-27. | ||
| - [Layer 1 & 2 Diff Audit](https://blog.openzeppelin.com/november-diff-audit), OpenZeppelin, from 2023-11-27 to 2023-12-05. | ||
| - [Short-Term Fee Model Changes](https://blog.openzeppelin.com/short-term-fee-model-changes-audit), OpenZeppelin, from 2023-12-06 to 2023-12-13. | ||
| - ZK Proof System, Internal Audit, from 2022-10-24 to 2022-11-18. | ||
| - [ZK Proof System](https://github.com/HalbornSecurity/PublicReports/blob/master/ZK%20Audits/MatterLabs_zkSync_Era_Circuits_Zero_Knowledge_Security_Audit_Report_Halborn_Final..pdf), | ||
| Halborn, from 2023-01-09 to 2023-03-08. | ||
| - [Smart Contract Security Assessment](https://github.com/HalbornSecurity/PublicReports/blob/master/Solidity%20Smart%20Contract%20Audits/MatterLabs_Verifier_Smart_Contract_Security_Assessment_Report_Halborn_Final.pdf), | ||
| Halborn, from July 12th, 2023 - July 20th, 2023. | ||
| - [SNARK Wrapper](https://github.com/spearbit/portfolio/blob/master/pdfs/Matter-labs-snark-wrapper-Spearbit-Security-Review.pdf), Spearbit, November 2023 | ||
| - [EIP-4844 Support](https://blog.openzeppelin.com/eip-4844-support-audit), OpenZeppelin, February 2024 | ||
|
|
||
| ## Bug Bounty Program | ||
|
|
||
| ZKsync Era has a very detailed **[Bug bounty Program on Immunefi](https://immunefi.com/bounty/zksyncera/)**. In the listing, you can | ||
| find all the information related to assets in scope, reporting, and the payout process. | ||
|
|
||
| ### Scope | ||
|
|
||
| The bug bounty program for ZKsync Era aims to identify and resolve | ||
| security vulnerabilities in our system before they can be exploited by | ||
| malicious actors. The program is open to all individuals and teams who | ||
| are interested in participating and are willing to comply with the | ||
| program's rules and guidelines. The scope of the program covers all aspects of our blockchain products, including smart contracts, | ||
| protocols, portals, and any other components that are part of our ecosystem. | ||
|
|
||
| ### Requirements | ||
|
|
||
| 1. Eligibility: The bug bounty program is open to anyone who is interested in participating and who complies with the program's rules and guidelines. | ||
| 2. Responsible Disclosure: All participants must agree to follow the responsible disclosure policy and report any security vulnerabilities | ||
| they discover to our security team in a timely and responsible manner. | ||
| 3. Rewards: The bug bounty program offers rewards to participants who discover and report security vulnerabilities. The rewards are | ||
| determined based on the severity of the vulnerability and are paid in USDC. | ||
| 4. Reporting Guidelines: Participants must follow the reporting guidelines specified by the program. | ||
| 5. No Public Disclosure: Participants must not publicly disclose any vulnerabilities they discover until after they have been resolved by | ||
| our security team. | ||
| 6. No Exploitation: Attacks that the reporter has already exploited themselves, leading to damage are not eligible for a reward. | ||
| 7. Legal Compliance: Participants must comply with all applicable laws and regulations, including data privacy and security laws. | ||
| 8. Program Changes: We reserve the right to modify or terminate the program at any time and without prior notice. We also reserve the | ||
| right to disqualify any participant who violates the program's rules and guidelines. | ||
|
|
||
| ### Unscoped Bug | ||
|
|
||
| If you think you have found a critical or major bug that is not covered by our existing bug bounty, please report it to us | ||
| [via the Immunefi program](https://immunefi.com/bounty/zksyncera/) regardless. We will seriously consider the impact of any issues and | ||
| may award a bounty even for out of scope assets or impacts. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,57 @@ | ||
| --- | ||
| title: Community Channels | ||
| description: | ||
| --- | ||
|
|
||
| Engage with our vibrant community and stay updated on the latest news, insights, and discussions through our diverse channels. Here's a quick overview: | ||
|
|
||
| ## **1. Developer Discussions** | ||
|
|
||
| A dedicated space in GitHub for developers to discuss, collaborate, and brainstorm on technical topics. | ||
|
|
||
| [Engage in GitHub Discussions](https://github.com/zkSync-Community-Hub/zksync-developers/discussions) | ||
|
|
||
| --- | ||
|
|
||
| ## **2. Discord** | ||
|
|
||
| Join real-time conversations, ask questions, and connect with both the team and fellow community members. | ||
|
|
||
| [Join our Discord server](https://join.zksync.dev/) | ||
|
|
||
| --- | ||
|
|
||
| ## **3. Twitter/X** | ||
|
|
||
| Follow us for quick updates, announcements, and trends related to our platform, updates for developers, and the broader industry. | ||
|
|
||
| [Follow us on Twitter](https://twitter.com/zksync) | ||
|
|
||
| [Follow our developer-focused Twitter](https://twitter.com/zkSyncDevs) | ||
|
|
||
| --- | ||
|
|
||
| ## **4. Blog** | ||
|
|
||
| Delve deep into comprehensive articles, tutorials, and insights penned by our team. | ||
|
|
||
| [Read our Blog](https://zksync.mirror.xyz/) | ||
|
|
||
| --- | ||
|
|
||
| ## **5. GitHub Issues** | ||
|
|
||
| The most effective way to seek technical support is by raising an issue on GitHub. Ensure you provide a comprehensive description, | ||
| relevant details, and steps to reproduce for prompt assistance. | ||
|
|
||
| - **ZKsync Era Issues**: Address all queries and concerns related to ZKsync Era here. [Report ZKsync Era Issue](https://github.com/matter-labs/zksync-era/issues) | ||
| - **era-test-node Issues**: If you're facing challenges with the era-test-node, this is the place to raise them. [Report era-test-node Issue](https://github.com/matter-labs/era-test-node/issues) | ||
| - **SDKs Issues**: For any issues related to our Software Development Kits, kindly head over to this section. [Report SDKs Issue](https://github.com/zksync-sdk) | ||
|
|
||
| --- | ||
|
|
||
| ## **6. Telegram** | ||
|
|
||
| Get instant updates and participate in mobile-friendly discussions on our official Telegram channel. | ||
|
|
||
| [Join us on Telegram](https://t.me/zksync) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,99 @@ | ||
| --- | ||
| title: Contribution Track | ||
| description: | ||
| --- | ||
|
|
||
| Welcome to the ZKsync Contributors Track! The purpose of this track is to accelerate your journey into the thriving ZKsync development | ||
| landscape. As a fully open-source project, we | ||
| believe in community-driven development, and that means anyone from anywhere can contribute to shaping the future of ZKsync. | ||
|
|
||
| This track aims to guide you in discovering various aspects of our project, inspire you to | ||
| contribute in the ways that interest you most, and provide a pathway to connect with the ZKsync community. | ||
|
|
||
| ## Open-Source Repositories | ||
|
|
||
| Here's a list of our key open-source repositories that you can contribute to: | ||
|
|
||
| ### ZKsync Era | ||
|
|
||
| - [**ZKsync Era**](https://github.com/matter-labs/zksync-era): Node implementation for ZKsync Era. | ||
|
|
||
| ### Smart Contracts | ||
|
|
||
| - [**era-contracts**](https://github.com/matter-labs/era-contracts): Submodule containing the smart contracts for ZKsync Era. | ||
|
|
||
| ### Circuit Implementation | ||
|
|
||
| - [**era-sync_vm**](https://github.com/matter-labs/era-sync_vm): Houses the circuit implementation of zkVM specifically for ZKsync Era. | ||
|
|
||
| ### Testing and Debugging | ||
|
|
||
| - [**era-test-node**](https://github.com/matter-labs/era-test-node): An in-memory node designed for integration testing and debugging. | ||
|
|
||
| ### Development Tools | ||
|
|
||
| - [**zksync-cli**](https://github.com/matter-labs/zksync-cli): CLI tool that aims to simplify the development process on ZKsync. | ||
| - [**hardhat-zksync**](https://github.com/matter-labs/hardhat-zksync): Hardhat plugins tailored for the ZKsync Network. | ||
|
|
||
| ### Documentation | ||
|
|
||
| - [**zksync-web-era-docs**](https://github.com/matter-labs/zksync-web-era-docs): The go-to source for official ZKsync documentation. | ||
|
|
||
| ### SDK and Explorers | ||
|
|
||
| - [**block-explorer**](https://github.com/matter-labs/block-explorer): The official block explorer for navigating the ZKsync network. | ||
| - [**zksync-sdk**](https://github.com/zksync-sdk): Software Development Kit for ease of integration with the ZKsync network. | ||
|
|
||
| Feel free to explore these repositories, and don't hesitate to contribute! | ||
|
|
||
| ## Why the Contributors Track? | ||
|
|
||
| ### Purpose | ||
|
|
||
| - Facilitate easy entry for external contributors into zkSync's development ecosystem. | ||
| - Offer a structured approach to involvement, reducing the initial overwhelm of diving into a new project. | ||
| - Build a strong, diverse, and global community of developers who are excited about zkSync. | ||
|
|
||
| ### Who is it for? | ||
|
|
||
| - Developers interested in blockchain and layer 2 solutions. | ||
| - Open-source enthusiasts looking to contribute to a growing project. | ||
| - Those interested in contract development, dApp development, ZKsync Era, and more. | ||
|
|
||
| ## The Track | ||
|
|
||
| ### Getting Started | ||
|
|
||
| #### 1. Introduce Yourself on [ZKsync Discord](https://discord.com/invite/QKSsp7tC2x) | ||
|
|
||
| - Join our Discord channel and say 'hi' in the `#introductions` thread. Share what interests you and what you're hoping to learn or contribute. | ||
|
|
||
| #### 2. Follow [ZKsync Developers](https://twitter.com/zkSyncDevs) on X (formerly Twitter) | ||
|
|
||
| - Keep up to date with the latest news, updates, and releases by following us on X. | ||
|
|
||
| #### 3. Dive into our Official Documentation | ||
|
|
||
| - Immerse yourself in our comprehensive official documentation to acquire essential knowledge on ZKsync. If | ||
| you discover a typo, syntax error, or see room for improvement, submit a Pull Request to contribute to its enhancement. | ||
|
|
||
| ### Dive Into Development | ||
|
|
||
| #### 4. Deploy Your First Contract Using [ZKsync-CLI](https://github.com/matter-labs/zksync-cli) | ||
|
|
||
| - Familiarize yourself with the zkSync-CLI tool and deploy your first contract on the ZKsync Era testnet. | ||
|
|
||
| #### 5. Tackle a 'Good First Issue' | ||
|
|
||
| - Start contributing immediately by taking on a "Good First Issue" from any of our GitHub repositories. This is | ||
| a great way to get hands-on experience and a feel for the project. | ||
|
|
||
| ### Community Engagement | ||
|
|
||
| #### 6. Participate in [ZKsync Developer Discussions](https://github.com/zkSync-Community-Hub/zkync-developers/discussions) | ||
|
|
||
| - Join the discourse on GitHub discussions or other community forums to provide answers, ask questions, or share insights. | ||
|
|
||
| #### 7. Submit a [Community Tutorial](https://github.com/zkSync-Community-Hub/tutorials) or Guide | ||
|
|
||
| - Help others by sharing your knowledge. Write a tutorial or guide, then submit it to our community contributions repository or community forums. |
Oops, something went wrong.