Status DataClose notification
Bug bounty program
Triaged by HackenProof

Zynk Protocol: Program info

Zynk Protocol

Company: Zynk
150 reputation points required KYC required POC required $5 submission fee
Live
Program is active now
Program infoHackers (1)Reports

Zynk is a just-in-time liquidity and settlement infrastructure layer for cross-border payment companies. Payment companies often need to pre-fund transactions to provide fast settlements — this ties up capital, slows growth, and makes treasury operations unnecessarily complex. Zynk removes that bottleneck by providing liquidity on a transaction-by-transaction basis, allowing companies to settle faster without locking up idle capital.

In scope
TargetTypeSeverity
https://github.com/Zynklabs/zynk-protocol-solana-programs.public/tree/cc81cc7a61fd72b46ac3b4bcbb708a2d72d116f3/programs/zynk-core
copy
Copy
success Copied

The Zynk Core Solana Program is the primary on-chain component responsible for liquidity deployment, settlement, and governance within the Zynk Protocol.

The program manages:

  • Beneficiary and assets whitelisting
  • Liquidity deployment to beneficiaries
  • Partner settlement flows
  • Order lifecycle tracking
  • Governance and administrative actions
  • Protocol safety mechanisms

All operational logic is enforced through deterministic account constraints, cryptographic signature verification, and strict role-based authorization.

Smart Contract
Critical
https://github.com/Zynklabs/zynk-protocol-solana-programs.public/tree/ebdbf9872794efc7318351b9e531c180678af6e9/programs/zynk-orbit
copy
Copy
success Copied

Zynk Orbit is a lightweight Solana program responsible for managing liquidity provider (LP) fund flows within the Zynk Protocol. Its primary function is to securely move liquidity into and out of the Zynk ecosystem, bridging LP wallets and the Zynk Operational Vault (ZOV) in a controlled and auditable manner. Zynk Orbit is intentionally minimal in scope. It does not enforce in-program governance or partner logic. Instead, it serves as a dedicated liquidity rail, enforcing strict constraints and relying on backend orchestration for business logic.

The yield computation logic resides off-chain (out-of-scope) and hence, there's no on-chain counterpart to it.

Smart Contract
Critical
Target
https://github.com/Zynklabs/zynk-protocol-solana-programs.public/tree/cc81cc7a61fd72b46ac3b4bcbb708a2d72d116f3/programs/zynk-core
copy
Copy
success Copied

The Zynk Core Solana Program is the primary on-chain component responsible for liquidity deployment, settlement, and governance within the Zynk Protocol.

The program manages:

  • Beneficiary and assets whitelisting
  • Liquidity deployment to beneficiaries
  • Partner settlement flows
  • Order lifecycle tracking
  • Governance and administrative actions
  • Protocol safety mechanisms

All operational logic is enforced through deterministic account constraints, cryptographic signature verification, and strict role-based authorization.

TypeSmart Contract
Severity
Critical
Target
https://github.com/Zynklabs/zynk-protocol-solana-programs.public/tree/ebdbf9872794efc7318351b9e531c180678af6e9/programs/zynk-orbit
copy
Copy
success Copied

Zynk Orbit is a lightweight Solana program responsible for managing liquidity provider (LP) fund flows within the Zynk Protocol. Its primary function is to securely move liquidity into and out of the Zynk ecosystem, bridging LP wallets and the Zynk Operational Vault (ZOV) in a controlled and auditable manner. Zynk Orbit is intentionally minimal in scope. It does not enforce in-program governance or partner logic. Instead, it serves as a dedicated liquidity rail, enforcing strict constraints and relying on backend orchestration for business logic.

The yield computation logic resides off-chain (out-of-scope) and hence, there's no on-chain counterpart to it.

TypeSmart Contract
Severity
Critical
Out of scope
TargetTypeSeverity
https://github.com/Zynklabs/audit-reports
copy
Copy
success Copied
  • Any and all issues already disclosed in the previous audit reports won't be considered.
Other
None
Target
https://github.com/Zynklabs/audit-reports
copy
Copy
success Copied
  • Any and all issues already disclosed in the previous audit reports won't be considered.
TypeOther
Severity
None

Focus Area

IN SCOPE VULNERABILITIES:

All targets are deployed on Solana. Only the Solana programs' code is in scope. Everything else (tests, mocks, scripts, deployment tooling, and third-party dependencies/imports) is out of scope.

DISCLAIMERS:

  • Mode of operations With the exception of Orbit::deposit, all entry points are restricted to protocol-controlled signers. The Admin and Guardian roles are protected by multisig wallets with an appropriate security threshold. Any vulnerability disclosure must take this architectural constraint into account.
  • Recoverable/reversible is never Critical, and recoverable/temporary DoS is Low. If funds can be recovered or the impact reversed (admin action, pausing, timelock, rescue), or a lock/DoS is cleared by a trusted-role action, ordinary protocol operation or any remedy, it is not "permanent." Critical requires permanent, irreversible, systemic user-fund loss.
  • Single-user vs. systemic. Loss confined to a single user will not be considered. Critical requires loss across all/many users or protocol insolvency.
  • Version alignment Any vulnerabilities resulting from the use of toolchain or third-party dependency versions other than those specified by the protocol will not be considered. Researchers are advised to use the exact versions specified.
  • Off-chain dependencies Certain off-chain components—most notably the yield computation engine for Zynk Orbit — affect the on-chain state. These components are explicitly out of scope but should be considered when evaluating protocol behavior.
  • These program rules may be clarified and/or amended at any time, every submission is evaluated against the rules in effect at the time of judging.

Program Rules

  • Avoid using web application scanners for automatic vulnerability searching which generates massive traffic
  • Make every effort not to damage or restrict the availability of products, services, or infrastructure
  • Avoid compromising any personal data, interruption, or degradation of any service
  • Don’t access or modify other user data, localize all tests to your accounts
  • Perform testing only within the scope
  • Don’t exploit any DoS/DDoS vulnerabilities, social engineering attacks, or spam
  • Don’t spam forms or account creation flows using automated scanners
  • In case you find chain vulnerabilities we’ll pay only for vulnerability with the highest severity.
  • Don’t break any law and stay in the defined scope
  • Any details of found vulnerabilities must not be communicated to anyone who is not a HackenProof Team or an authorized employee of this Company without appropriate permission
  • All communication regarding the program must take place exclusively through the HackenProof platform. Contacting the project team directly through support channels, social media, or any other external communication channels is strictly prohibited. Researchers who violate this rule may be disqualified from the program and may face account suspension.

Disclosure Guidelines

  • Do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization
  • No vulnerability disclosure, including partial is allowed for the moment
  • Platform-Only Disclosure: Disclosure is only possible through the HackenProof Disclosure function
  • Researchers must not contact the project team directly regarding any findings, questions, or bounty-related matters. All communication must be conducted through the HackenProof platform only
  • Researchers may request disclosure (Limited or Full) within the report ticket
  • We reserve the right to approve, redact, or deny disclosure requests at our sole discretion
  • Mutual Required: Any publication requires explicit mutual agreement. Reports must remain Private until the status is officially changed to "Public" on the HackenProof platform by the team.

Eligibility and Coordinated Disclosure

We are happy to thank everyone who submits valid reports which help us improve the security. However, only those that meet the following eligibility requirements may receive a monetary reward:

  • You must be the first reporter of a vulnerability
  • The vulnerability must be a qualifying vulnerability
  • Any vulnerability found must be reported no later than 24 hours after discovery and exclusively through hackenproof.com
  • You must send a clear textual description of the report along with steps to reproduce the issue, include attachments such as screenshots or proof of concept code as necessary
  • You must not be a former or current employee of us or one of its contractor
  • ONLY USE the EMAIL under which you registered your HackenProof account (in case of violation, no bounty can be awarded)
  • Provide detailed but to-the point reproduction steps
  • AI-generated reports without runable PoC are not accepted under this program.
Rewards
Range of bounty$0 - $5,000
Severity
Critical
$0 - $5,000
High
$0
Medium
$0
Low
$0
Stats
Scope Review1374
Submissions1
Total rewards$0
Types
smart contract
Languages
Rust
Platforms
Solana
Project types
Lending
Stablecoin
DeFi
Hackers (1) View all
SLA (Service Level Agreement)
Time within which the program's triage team must respond
Response TypeBusiness days
First Response3d
Triage Time5d
Reward Time10d
Resolution Time45d