Meta Zero

Introduction

MetaZero is a synthetic liquidity infrastructure for omnichain tokenization of gaming RWAs (Real World Assets), built on top of LayerZero. It enables users to mint, detokenize, and bridge ERC721 NFTs across chains, forming the backbone of a cross-chain gaming asset ecosystem.

Why Did They Need an Audit?

MetaZero’s protocol handles minting, burning, and transferring NFTs across chains. Functions like send(), mintGenesis(), and deTokenize() interact directly with users’ assets and are highly sensitive to access control and cross-chain assumptions. Incorrect logic could result in stolen or permanently lost NFTs, broken bridging flows, or gas griefing. MetaZero engaged Three Sigma for a targeted review of its minting and bridging mechanisms.

Scope of the Engagement

• File Audited: ONFTV2-721C.sol
• Team: 2 auditors · 3 days
• Chain: Ethereum (LayerZero V2 infrastructure)

Results and Findings

Key Critical Issues

Unrestricted NFT burning in deTokenize()

• Description: The deTokenize() function allowed any user to burn NFTs, without validating ownership or approval. This enabled griefers to destroy others’ assets.
• Resolution: Enforced _isApprovedOrOwner() to validate permissions before burning NFTs.

NFT theft via send() without ownership checks

• Description: The send() function allowed anyone to send NFTs across chains, regardless of ownership. This created a vector to forcibly transfer others’ NFTs to attacker-controlled addresses on other chains.
• Resolution: Added _isApprovedOrOwner() on all NFTs passed to send().

Notable High-Severity Issues

Gas griefing risk due to unset destination gas limit

• Description: send() allowed messages to chains with no defined gas limit, risking stuck messages and lost tokens on the destination chain.
• Resolution: send() now reverts unless a proper gas limit is set for the destination.

Smart wallets misaligned across chains

• Description: Cross-chain messages defaulted to sending NFTs to the msg.sender. However, smart contract wallets may have different addresses on different chains, breaking receipt logic.
• Resolution: Allowed explicit specification of destination addresses in send().

Notable Medium-Severity Issues

Push-based minting can fail or lose NFTs

• Description: mintGenesis() and mint() used _mint() instead of _safeMint(), risking sending NFTs to contracts that can't receive ERC721s.
• Recommendation: For mintGenesis(), switch to a Merkle tree-based claim system. Acknowledged tradeoffs with _safeMint() and reentrancy.

mint() and lzReceive() may lose NFTs on cross-chain failures

• Description: Lack of _safeMint() in lzReceive() means failed minting leads to unrecoverable loss of bridged NFTs.
• Recommendation: Implement fallback mint logic with manual payload clearing; acknowledged.

Off-by-one error in genesis minting cap

• Description: Only 999 genesis NFTs could be minted, while documentation stated 1000.
• Resolution: Adjusted genesisCounter initialization to 0.

In conclusion

Three Sigma conducted a 3-day audit of MetaZero’s 812 nSLOC implementation of omnichain NFT bridging. The review identified two critical vulnerabilities—both promptly addressed—and provided architecture-level recommendations for improving security, ownership management, and gas efficiency. The fixes position MetaZero to launch with stronger guarantees for user asset safety and cross-chain reliability.