ZecSec: Zcash Ecosystem Security

Free2Z Security Audit Results

Below you will find a link to the results of my audit of Free2Z, which occurred in February 2023.

The audit found one cross-site scripting bug which could have been used to run arbitrary JavaScript code in users’ browsers. I also noted a privacy risk, which is that Free2Z allows embedding content from third-party domains, which an attacker could potentially use to track visits to their pages on Free2Z. Some bugs were found in the implementation of Free2Z’s “tuzi” token, which could have been used to get tuzi tokens for free.

The cross-site scripting bug has been fixed, the potential privacy leakage has been documented, and the tuzi token issues have been fixed. All other bugs found were minor.

Free2Z Audit Report (PDF)