Welcome to the Zellic Security Roundup, a monthly security-focused newsletter covering valuable security news and analysis in Web3.
This month's issue covers a vulnerability discovered by a Zenith security researcher, a case study of Zellic's recent audit with Ooga Booga (the native liquidity aggregator on Berachain), recently published audit reports, and the latest news in Web3 security.
Cool Finds at Zellic
In May 2023, @zachobront discovered an issue in the Optimism Governor's Approval Module. The vulnerability would have allowed a small fraction of the community to pass proposals through the Approval Module even when the majority opposed them.
This is a serious governance issue—more on the vulnerability and its impact below.
Vulnerability Overview
Optimism’s governance system allows proposals through two methods:
propose() → Standard governance process:
Requires quorum (yes + abstain votes ≥ quorum)
Requires yes votes > no votes to pass
proposeWithModule() → Uses the Approval Module, where:
Quorum still applies (yes + abstain votes ≥ quorum)
But there is no way to vote 'no'!
Instead, proposal success depends on proposer-defined logic
The problem? This removes entirely the community's ability to reject a bad proposal.
Why This Is Dangerous
Governance relies on majority consensus. Normally, if a proposal is unpopular, it receives more 'no' votes than 'yes' votes and fails. In proposeWithModule(), however, there is no option to vote 'no'; only the proposer's chosen success criteria decide whether it passes. This means a small group can pass proposals that the majority opposes.
Proof of Concept (PoC)
Imagine there’s a highly controversial issue:
10% of the community strongly supports it
90% of the community opposes it
Under normal voting:
The proposal would fail because yes votes would never outnumber no votes
With proposeWithModule():
The proposer removes the option to vote ‘no’
They set the module’s success criteria to something like: “Top choices win” (and make their proposal the only option)
Now, the 90% who disagree have no way to vote against it
If just one person votes yes and quorum (~3% of supply) is met, the proposal passes automatically, because abstentions count toward quorum and there is no 'no' tally to outweigh the single 'yes'
This means a small minority can force through decisions, overriding majority rule.
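To make the two tallying rules concrete, here is a small Python model of the scenario above. It is an added example, not Optimism's Governor or Approval Module code. It assumes one token equals one vote, a hypothetical supply of 1,000,000 tokens and the 3% quorum quoted above; the proposer-chosen "top choices" criterion is modelled as the N most-approved options winning. The hardened variant is one possible fix, added here for contrast: it gives voters a rejection ballot and lets an option win only if its approvals exceed the rejections.

```python
"""Model of Optimism-style propose() vs. proposeWithModule() tallying.

Added example (not Optimism code). Supply, quorum and ballot encoding are
hypothetical and chosen to mirror the write-up's 10% / 90% split.
"""
from collections import Counter
from typing import Iterable, Optional, Sequence, Set, Tuple

TOTAL_SUPPLY = 1_000_000   # hypothetical token supply
QUORUM_BPS = 300           # 3% of supply, the figure quoted in the write-up


def quorum_threshold(total_supply: int = TOTAL_SUPPLY, bps: int = QUORUM_BPS) -> int:
    """Minimum participating weight (for + abstain) for a proposal to count."""
    return total_supply * bps // 10_000


# --- propose(): standard path -------------------------------------------------
# A ballot is (weight, choice) with choice in {"for", "against", "abstain"}.
def standard_succeeded(ballots: Iterable[Tuple[int, str]],
                       total_supply: int = TOTAL_SUPPLY) -> bool:
    weight: Counter = Counter()
    for w, choice in ballots:
        weight[choice] += w
    # Quorum counts for + abstain; success additionally needs for > against.
    quorum_reached = weight["for"] + weight["abstain"] >= quorum_threshold(total_supply)
    return quorum_reached and weight["for"] > weight["against"]


# --- proposeWithModule(): approval module as described (vulnerable) ----------
# A ballot is (weight, options): options is the tuple of option indices the
# voter approves, or () to abstain. Nothing in this encoding means "against".
def approval_succeeded_vulnerable(ballots: Iterable[Tuple[int, Sequence[int]]],
                                  num_options: int, top_n: int = 1,
                                  total_supply: int = TOTAL_SUPPLY) -> Set[int]:
    """Return the winning option indices (empty set if the proposal fails)."""
    option_votes: Counter = Counter({i: 0 for i in range(num_options)})
    participating = 0
    for w, options in ballots:
        participating += w               # approvals and abstentions both count
        for i in options:
            option_votes[i] += w
    if participating < quorum_threshold(total_supply):
        return set()
    ranked = sorted(option_votes, key=lambda i: option_votes[i], reverse=True)
    # "Top choices win": any option in the top N with at least one approval.
    return {i for i in ranked[:top_n] if option_votes[i] > 0}


# --- proposeWithModule(): one possible hardened tally -------------------------
# Same encoding, plus options=None meaning "reject the whole proposal".
def approval_succeeded_hardened(ballots: Iterable[Tuple[int, Optional[Sequence[int]]]],
                                num_options: int, top_n: int = 1,
                                total_supply: int = TOTAL_SUPPLY) -> Set[int]:
    option_votes: Counter = Counter({i: 0 for i in range(num_options)})
    against = 0
    participating = 0
    for w, options in ballots:
        if options is None:
            against += w                 # like the standard path, rejections
            continue                     # do not count toward quorum
        participating += w
        for i in options:
            option_votes[i] += w
    if participating < quorum_threshold(total_supply):
        return set()
    ranked = sorted(option_votes, key=lambda i: option_votes[i], reverse=True)
    # An option only wins if its approvals outweigh the rejection weight.
    return {i for i in ranked[:top_n] if option_votes[i] > against}


def run_scenario() -> dict:
    """The write-up's controversial proposal: ~4% for it, 90% opposed."""
    attacker = 40_000       # 4% of supply: clears the 3% quorum alone
    opposition = 900_000    # 90% of supply
    standard = standard_succeeded([(attacker, "for"), (opposition, "against")])
    # Under the vulnerable module the opposition can only abstain (or stay home).
    vulnerable = approval_succeeded_vulnerable(
        [(attacker, (0,)), (opposition, ())], num_options=1)
    # Under the hardened module the opposition can reject the proposal.
    hardened = approval_succeeded_hardened(
        [(attacker, (0,)), (opposition, None)], num_options=1)
    return {"standard": standard, "vulnerable": vulnerable, "hardened": hardened}


if __name__ == "__main__":
    print(run_scenario())
```

Running it shows the standard path failing the proposal, the vulnerable approval tally returning option 0 as the winner on the strength of a 4% holder alone, and the hardened tally failing it once the 90% can register rejections.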
Why This Matters
At the time, only the governance manager could carry out this attack, since creating proposals was restricted.
But—once the system opened to community proposals:
Anyone holding at least the ~3% of OP needed for quorum could pass any proposal they wanted
No way to reject or challenge bad proposals
Critical governance decisions could be manipulated
Lessons for DAO Governance
Governance design must always prevent minority rule.
Ensure 'no' votes carry the same weight as 'yes' votes
Avoid arbitrary, proposer-defined success criteria
Keep core voting mechanics consistent across all proposal types
Client Success with Zellic
How a Zellic Audit Helped Ooga Booga Ship Faster and Close a $1.5M Strategic Round
As Ooga Booga approached its mainnet launch, founders Kevin and Bruno were fixated on growing their business and quickly shipping new features to enhance their users’ experience.
As a fast-growing project, Ooga Booga strongly desired to cement its reputation as a cornerstone and pillar of the Berachain ecosystem. But to ensure their project would be built to last, the founders knew that a comprehensive security audit was a non-negotiable.
Ooga Booga’s founders wanted to show their investors, partners, and ultimately their users that they were not building just another DeFi aggregator but a trusted institution. At the same time, they needed a security partner that they could trust to handle all of the details, freeing them to focus on building their company.
To do this, they knew their comprehensive security audit had to come from Zellic.
With Zellic focusing on security, Ooga Booga closed a $1.5M strategic round that enables the team to continue building towards the next phase of their journey.
Who Is Ooga Booga?
Reviewing the Berachain project ecosystem, Ooga Booga founders Kevin and Bruno noticed a missing piece: a reliable aggregator to simplify the flow of tokens on Berachain. This was how the project was born.
Ooga Booga is the first and only native aggregator on Berachain. It was designed to streamline access to liquidity and optimize trading across the entire Berachain ecosystem.
Why Was a Security Audit Their Nonnegotiable?
“The Zellic audit streamlined decision-making and gave us the peace of mind to think big without compromising on security.” - Ooga Booga
DeFi’s reputation is heavily affected by security. There are countless examples of hacks in DeFi and of projects mishandling their users’ funds. Ooga Booga was set on ensuring their project was resilient and that user funds would be secure, since any security oversight could ripple through the entire Berachain ecosystem.
After countless discussions with fellow projects in the Berachain ecosystem, they made their choice of a security audit firm. They chose Zellic.
Ooga Booga’s decision was based on a desire for expertise in blockchain security and proven knowledge of a novel ecosystem like Berachain. Zellic’s auditors specialize in a wide range of protocols and are skilled at identifying vulnerabilities in innovative software.
For Ooga Booga, Zellic was the clear choice.
What Did a Security Audit Do for Them?
“Zellic didn’t just audit our contracts — they fortified the foundations of Ooga Booga. Their thorough process and proactive communication gave us the confidence to launch as Berachain’s native aggregator, setting new standards for trust and security in the ecosystem.” - Ooga Booga
With Zellic taking care of security, Ooga Booga could focus instead on growing their business. This focus on security gave Ooga Booga’s investors confidence and ultimately enabled founders Kevin and Bruno to close a $1.5M strategic round that lets the team continue building towards the next phase of their journey.
Although Ooga Booga’s founders entrusted Zellic with securing their project, founders Kevin and Bruno did not want to feel disconnected from the process. Without consistent communication on audit progress, it’s easy to feel left in the dark.
Auditors at Zellic communicate consistently throughout the audit process, with quick responses to all questions and daily updates. All findings were reported as soon as they were discovered, allowing for quick fixes and resolutions that lifted a weight off the founders’ shoulders.
With this, Ooga Booga could operate without the constant worry of a lurking, protocol-halting vulnerability. In the words of the Ooga Booga team, the Zellic audit “streamlined decision-making and gave us the peace of mind to think big without compromising on security”.
Zellic Research & Writing
Choosing a DeFi Protocol: Risks, Red Flags, and Recommendations
A guide to walk you through the key steps in deciding which protocol to invest in and give you the tools to assess the risks.
In the News
Research
Zellic released the EVM Trackooor, a modular tool for monitoring arbitrary actions on chain.
Truffle Security released an article detailing a vulnerability in Google’s authentication flow that puts millions of accounts at risk. According to Dylan Ayrey, co-founder of Truffle Security, “Google’s OAuth login doesn’t protect against someone purchasing a failed startup’s domain and using it to re-create email accounts for former employees”.
Unpacking the Next Generation of Ethereum L2s (I): Based Rollups is a research article produced by 2077 Research that explores the new class of rollups, including based rollups, booster rollups, gigagas rollups, and native rollups.
“Let’s Talk About AI and End-to-End Encryption” is an article published by Matthew Green, cryptographer and professor at Johns Hopkins University, which looks at the privacy implications that AI has on end-to-end encrypted messaging systems.
LambdaClass, in collaboration with 3MI Labs and Aligned, recently published a blog post that responsibly disclosed two security bugs that could be combined to perform an exploit in Succinct’s SP1 zkVM.
ZKV recently released its Q4 2024 State of ZK Report, which covers research, trends, friction points, investments, and product launches in the ZK space.
Legal
The US District Court for the Western District of Texas overturned OFAC’s sanctions against Tornado Cash, according to a January 21st court filing.
Check out our blog post “How Does Tornado Cash Work?” for a breakdown of the mathematical principles behind Tornado Cash.
BitMEX, a global crypto exchange, was recently fined $100M for violating the Bank Secrecy Act after failing to establish, implement, and maintain adequate anti–money laundering and KYC programs.
US prosecutors have asked a federal judge to approve the return of the 94,643 Bitcoin recovered by the government from the original wallet used by Ilya Lichtenstein, the Bitfinex hacker.
Michael Lewellen, a blockchain developer, has filed a lawsuit against the US Department of Justice “accusing the agency of criminalizing crypto development through an overly broad interpretation of federal money-transmission laws.”
Crime
Ledger Co-founder David Balland was released after being abducted from his home on January 21st and held for ransom in cryptocurrency.
Huione Guarantee, a Telegram-based marketplace notorious for merchants selling technology, personal data, and money-laundering services, has launched a range of crypto-related products including a US dollar stablecoin, blockchain, exchange, and messaging app.
Hacks
Phemex, a Singapore-based crypto exchange, suffered an $85M hack after detecting unusual activity in its hot wallet.
WazirX, an India-based crypto exchange, has frozen $3M in USDT stemming from its $230M security breach in July 2024.
Orange Finance, a liquidity-management protocol on Arbitrum, suffered an $840K hack announced on January 8th.
Socket’s threat research team uncovered malicious npm packages designed to exfiltrate Solana private keys via Gmail.
Crypto hacks dropped 44% year-over-year in January, with $73M stolen in January 2025 compared to $133M in January 2024.
Less than half of all DeFi protocols that suffer a hack survive the experience, according to research from Cozy Finance.
Malicious VS Code extensions, first appearing in October 2024, were discovered on the VS Code marketplace targeting developers and crypto projects in supply-chain attacks.
Scams
“$2M Laundered: The YouTube Crypto Tutorials’ Huge Scam (Investigation)” is an article that describes a slew of videos on YouTube that “advise people to deploy a 1000+ row contract with 0.025–0.1 ETH to make 10.000+ USDT”, which just “send out all victim’s money to addresses hardcoded in them”.
Meet Up With Us
We’ll be at the following conference in February. If you’d like to set up 1:1 time with our team, then reach out to sales@zellic.io for scheduling!
ETHDenver — Denver, CO (February 24 – March 1)
Zellic Auditing Stats
In January, Zellic auditors completed 23 audit engagements where they were able to uncover a total of 43 Critical, High, and Medium bugs:
8 Critical-level bugs
5 Coding Mistakes bugs
3 Business Logic bugs
14 High-level bugs
11 Coding Mistakes bugs
3 Business Logic bugs
21 Medium-level bugs
12 Coding Mistakes bugs
9 Business Logic bugs
Recent Zellic Audit Reports
Cosmos SDK Liquid Stake Module Audit Report: The Cosmos SDK branch used by the Cosmos Hub includes extensions that enable liquid staking.
Symbiotic Audit Report: Symbiotic is a shared security protocol that serves as a thin coordination layer, empowering network builders to control and adapt their own (re)staking implementation in a permissionless manner.
Trillion EVM Audit Report: The Trillion EVM Cross-Chain contracts provide a suite of smart contracts designed to facilitate secure and efficient cross-chain interactions.
About Us
Zellic specializes in securing emerging technologies. Our security researchers have uncovered vulnerabilities in the most valuable targets, from Fortune 500s to DeFi giants.
Developers, founders, and investors trust our security assessments to ship quickly, confidently, and without critical vulnerabilities. With our background in real-world offensive security research, we find what others miss.
Contact us for real audits, not rubber stamps.