Smart Contract & ZK Circuit Security Review · CodeHawks First Flight · May 2026
Real-world treasure hunt with on-chain ETH reward claiming via zero-knowledge proofs.
~220 NSLOC reviewed across Solidity contract, Noir ZK circuit, and deploy script.
Findings by severity: High 2 · Medium 1 · Low 5 · Info 2 · Gas 3 · Total findings 13 · NSLOC ~220
Findings:
DS-1 · Secret Values Exposed in Public Deploy Script
L-1 · Proof Replay Drains 100 ETH — Wrong Mapping Key
AC-1 · withdraw() Missing onlyOwner — Anyone Can Trigger
EV-1 · updateVerifier() Missing Zero-Address Check
ST-2 · Claimed Event Emits msg.sender Instead of Recipient
C-1 · Duplicate Hash in ALLOWED_TREASURE_HASHES — Only 9 Unique Treasures
CEI-1 · CEI Violation in claim() — Verifier Called Before State Updates
DS-2 · Deploy Script hash[8] Differs from Circuit — Confirms C-1
AC-2 · receive() Accepts ETH from Anyone
AC-3 · Auth Check Order in updateVerifier() / emergencyWithdraw()
G-2 · 9 Custom Errors Defined but Never Thrown
G-3 · onlyOwner Modifier Declared but Never Applied
G-7 · Redundant paused = false in Constructor