Kroma logoKroma


Kroma aims to develop an universal ZK Rollup based on the Optimism Bedrock architecture. Currently, Kroma operates as an Optimistic Rollup with ZK fault proofs, utilizing a zkEVM based on Scroll.

Value Locked

$18.45 M


Canonically Bridged
$10.17 M
Externally Bridged
$8.27 M
Natively Minted
  • Tokens
  • Daily TPS
  • 30D tx count
    3.72 M
  • Stage
    Stage 0
  • Type
    Optimistic Rollup
  • Purpose
  • ...


    Choose token

    Externally Bridged Tokens

    WEMIX.e (WEMIX.e)
    Merlin BTC (M-BTC)
    Canonically Bridged Tokens (Top 15)

    Ether (ETH)
    Spectrum Staked ETH (spETH)
    USD Coin (USDC)
    Tether USD (USDT)
    Wrapped BTC (WBTC)
    Uniswap (UNI)
    Dai Stablecoin (DAI)




    Ecotone upgrade

    2024 Apr 25th

    Introduces EIP-4844 data blobs for L1 data availability and more L2 opcodes.

    Learn more

    Kroma Mainnet Launch

    2023 Sep 6th

    Kroma is live on mainnet.

    Learn more
    Risk summary
    Risk analysis
    Sequencer failureState validationData availabilityExit windowProposer failure

    State validation

    Fraud proofs (INT, ZK)

    Fraud proofs allow actors watching the chain to prove that the state is incorrect. Interactive proofs (INT) require multiple transactions over time to resolve. ZK proofs are used to adjudicate the correctness of the last step. The challenge protocol can be subject to delay attacks and can fail under certain conditions. The current system doesn’t use posted L2 txs batches on L1 as inputs to prove a fault, meaning that DA is not enforced.

    Data availability

    On chain

    All of the data needed for proof construction is published on Ethereum L1.

    Exit window


    There is no window for users to exit in case of an unwanted regular upgrade since contracts are instantly upgradable.

    Sequencer failure

    Self sequence

    In the event of a sequencer failure, users can force transactions to be included in the project’s chain by sending them to L1. There is a 12h delay on this operation.

    Proposer failure

    Self propose

    Anyone can be a Proposer and propose new roots to the L1 bridge.

    Rollup stage
    KromaKroma is a
    Stage 0
    Optimistic Rollup.
    Stage 0
    4 requirements met
    Stage 1
    2 issues need fixing
    Stage 2
    2 issues need fixing
    Learn more about Rollup stages
    Please keep in mind that these stages do not reflect rollup security, this is an opinionated assessment of rollup maturity based on subjective criteria, created with a goal of incentivizing projects to push toward better decentralization. Each team may have taken different paths to achieve this goal.

    Fraud Proofs ensure state correctness

    Kroma uses an interactive fraud proof system to find a single block of disagreement, which is then ZK proven. The zkEVM used is based on Scroll. Once the single block of disagreement is found, the challenger is required to present ZK proof of the fraud. When the proof is validated, the incorrect state output is deleted. The Security Council can always override the result of the challenge, it can also delete any L2 state root at any time. If the malicious attester and challenger collude and are willing to spend bonds, they can perform a delay attack by engaging in continuous challenge resulting in lack of finalization of the L2 state root on L1. The protocol can also fail under certain conditions.

    • Withdrawals can be delayed if the fraud proof system is under a delay attack.

    • Funds can be lost if the cryptography is broken or implemented incorrectly.

    1. Colosseum.sol#L300 - Etherscan source code, createChallenge function
    2. Colosseum.sol#L378 - Etherscan source code, bisect function
    3. Colosseum.sol#L434 - Etherscan source code, proveFault function
    4. KROMA-020: lack of validation segments and proofs in Colosseum.sol - ChainLight security audit

    All transaction data is recorded on chain

    All executed transactions are submitted to an on chain smart contract. The execution of the rollup is based entirely on the submitted transactions, so anyone monitoring the contract can know the correct state of the rollup chain.

    1. Derivation: Batch Submission - Kroma specs
    2. BatchInbox - Etherscan address
    3. KromaPortal.sol#L430 - Etherscan source code, depositTransaction function
    State derivation
    Node software

    Kroma nodes source code, including full node, proposer and validator, can be found here. Also, the geth server, source maintained here, is a fork of go-ethereum. For more details on how they are different from the Optimism implementation, see here. The instructions to run the proposer (called validator) and the ZK prover, are documented here.

    Compression scheme

    Data batches are compressed using the zlib algorithm with best compression level.

    Genesis state

    The genesis file can be found here.

    Data format

    L2 blocks derivation from L1 data plus the format and architecture of batch submission is documented here.


    The system has a centralized sequencer

    While forcing transaction is open to anyone the system employs a privileged sequencer that has priority for submitting transaction batches and ordering transactions.

    • MEV can be extracted if the operator exploits their centralized position and frontruns user transactions.

    1. SystemConfig - batcher address

    Users can force any transaction

    Because the state of the system is based on transactions submitted on-chain and anyone can submit their transactions there it allows the users to circumvent censorship by interacting with the smart contract directly.

    1. Sequencing Window - Kroma specs
    2. KromaPortal.sol#430 - Etherscan source code, depositTransaction function

    Regular exit

    The user initiates the withdrawal by submitting a regular transaction on this chain. When the block containing that transaction is finalized the funds become available for withdrawal on L1. The process of block finalization takes a challenge period of 7d to complete. Finally the user submits an L1 transaction to claim the funds. This transaction requires a merkle proof.

    1. KromaPortal.sol#L241 - Etherscan source code, proveWithdrawalTransaction function
    2. KromaPortal.sol#L324 - Etherscan source code, finalizeWithdrawalTransaction function

    Autonomous exit

    Users can (eventually) exit the system by pushing the transaction on L1 and providing the corresponding state root. The only way to prevent such withdrawal is via an upgrade.

    Other considerations

    EVM compatible smart contracts are supported

    OP stack chains are pursuing the EVM Equivalence model. No changes to smart contracts are required regardless of the language they are written in, i.e. anything deployed on L1 can be deployed on L2.

    1. Introducing EVM Equivalence

    The system uses the following set of permissioned addresses:

    Spectrum EOA Admin 0x7D76…f81f

    Can upgrade all Spectrum-related contracts and potentially gain access to all escrowed weETH.

    SecurityCouncil 0x3de2…6Ec4

    MultiSig (currently 7 / 9) that is a guardian of KromaPortal, privileged Validator that does not need a bond and privileged actor in Colosseum contract that can remove any L2Output state root regardless of the outcome of the challenge.

    Sequencer 0x41b8…cE12

    Central actor allowed to commit L2 transactions on L1.

    Guardian 0x3de2…6Ec4

    Actor allowed to pause withdrawals. Currently set to the Security Council.

    Smart contracts
    A diagram of the smart contract architecture
    A diagram of the smart contract architecture

    The system consists of the following smart contracts on the host chain (Ethereum):

    The L2OutputOracle contract contains a list of proposed state roots which Proposers assert to be a result of block execution. Anyone can participate as a Proposer by depositing in the ValidatorPool. A root can be proposed every 1h.

    Can be upgraded by: SecurityCouncil

    Upgrade delay: 0s delay

    The OptimismPortal contract is the main entry point to deposit funds from L1 to L2. It also allows to prove and finalize withdrawals. This contract stores the following tokens: ETH.

    Can be upgraded by: SecurityCouncil

    Upgrade delay: 0s delay

    It contains configuration parameters such as the Sequencer address, the L2 gas limit and the unsafe block signer address.

    Can be upgraded by: SecurityCouncil

    Upgrade delay: 0s delay

    The L1ERC721Bridge contract is the main entry point to deposit ERC721 tokens from L1 to L2.

    Can be upgraded by: SecurityCouncil

    Upgrade delay: 0s delay

    The L1 Cross Domain Messenger contract sends messages from L1 to L2, and relays messages from L2 onto L1. In the event that a message sent from L1 to L2 is rejected for exceeding the L2 epoch gas limit, it can be resubmitted via this contract’s replay function.

    Can be upgraded by: SecurityCouncil

    Upgrade delay: 0s delay

    Timelock contract behind which the ProxyAdmin is. There is a 0s delay.

    Contract allowed to start upgrades, dismiss challenges and delete roots. It is also designated as a guardian, meaning it can pause withdrawals.

    Can be upgraded by: SecurityCouncil

    Upgrade delay: 0s delay

    Controls the Timelock. It is governed using a Soulbound NFT.

    ProxyAdmin 0x665c…1edd

    Admin of the L2OutputOracle, Timelock, KromaPortal, SystemConfig, SecurityCouncil, L1CrossDomainMessenger, L1ERC721Bridge, ZKVerifier, Colosseum, L1StandardBridge, UpgradeGovernor, SecurityCouncilToken, ValidatorPool proxies. It’s effectively controlled by the Security Council. The proxy is behind a Timelock.

    Contract used to challenge state roots and prove fraud. The SecurityCouncil can interfere by deleting challenges and roots.

    Can be upgraded by: SecurityCouncil

    Upgrade delay: 0s delay

    Contract used to manage the Proposers. Anyone can submit a deposit and bond to a state root, or create a challenge. It also manages the Proposer rotation for each submittable block using a random selection. If the selected proposer fails to publish a root within 30m, then the submission becomes open to everyone.

    Can be upgraded by: SecurityCouncil

    Upgrade delay: 0s delay

    ZKMerkleTrie 0x3392…610B

    Trie contract used to prove withdrawals.

    ZK verifier used to verify the last step of a fraud proof, which corresponds to a block.

    Can be upgraded by: SecurityCouncil

    Upgrade delay: 0s delay

    Poseidon2 0xFd23…d273

    Contract used to compute hashes. It is used by the ZKMerkeTrie. The contract has been generated using the circomlibjs library.

    1. Source code

    Value Locked is calculated based on these smart contracts and tokens:

    Main entry point for users depositing ERC20 token that do not require custom gateway.

    Main entry point for users depositing ETH.

    Main entry point for users depositing USDC.

    The current deployment carries some associated risks:

    • Funds can be stolen if a contract receives a malicious code upgrade. There is a 0s delay on code upgrades.

    Knowledge nuggets