Scroll logoScroll

Scroll is ZK Rollup that extends Ethereum’s capabilities through ZK tech and EVM compatibility.
Value Locked

$703.97 M

1.47%

Canonically Bridged
$343.95 M
Externally Bridged
$360.02 M
Natively Minted
$0.00
  • Tokens
  • Daily TPS
    3.2811.31%
  • 30D tx count
    9.27 M
  • Stage
    Stage 0
  • Type
    ZK Rollup
  • Purpose
    Universal
  • ...

    Tokens

    Choose token

    Externally Bridged Tokens

    StakeStone Ether (STONE)
    KelpDao Restaked ETH (rsETH)
    Canonically Bridged Tokens (Top 15)

    Ether (ETH)
    Wrapped liquid staked Ether 2.0 (wstETH)
    USD Coin (USDC)
    Tether USD (USDT)
    Wrapped BTC (WBTC)
    Uniswap (UNI)
    Rocket Pool ETH (rETH)
    Symbiosis (SIS)
    Kyber Network Crystal v2 (KNC)
    StakeStone Ether (STONE)
    Wrapped eETH (weETH)
    Aave Token (AAVE)
    LUSD Stablecoin (LUSD)
    Balancer (BAL)
    Curve DAO Token (CRV)

    ...

    ...

    Milestones

    Bernoulli upgrade

    2024 Apr 29th

    Introduces EIP-4844 data blobs for L1 data availability, and the SHA2-256 precompile on L2.

    Learn more

    Scroll official launch

    2023 Oct 17th

    Scroll announces its official launch.

    Learn more

    Scroll Alpha testnet launch

    2023 Feb 27th

    Scroll launches its Alpha testnet on Goerli.

    Learn more
    Risk summary
    Risk analysis
    Sequencer failureState validationData availabilityExit windowProposer failure

    State validation

    ZK proofs (SN)

    zkSNARKS are zero knowledge proofs that ensure state correctness, but require trusted setup.

    Data availability

    On chain

    All of the data needed for proof construction is published on Ethereum L1.

    Exit window

    None

    There is no window for users to exit in case of an unwanted regular upgrade since contracts are instantly upgradable.

    Sequencer failure

    No mechanism

    There is no mechanism to have transactions be included if the sequencer is down or censoring.

    Proposer failure

    Cannot withdraw

    Only the whitelisted proposers can publish state roots on L1, so in the event of failure the withdrawals are frozen.

    Rollup stage
    ScrollScroll is a
    Stage 0
    ZK Rollup.
    There is no available node software that can reconstruct the state from L1 data, hence there is no way to verify that this system is a rollup.
    Stage 0
    1 issue needs fixing
    Stage 1
    3 issues need fixing
    Stage 2
    2 issues need fixing
    Learn more about Rollup stages
    Please keep in mind that these stages do not reflect rollup security, this is an opinionated assessment of rollup maturity based on subjective criteria, created with a goal of incentivizing projects to push toward better decentralization. Each team may have taken different paths to achieve this goal.
    Technology

    Validity proofs ensure state correctness

    Each update to the system state must be accompanied by a ZK proof that ensures that the new state was derived by correctly applying a series of valid user transactions to the previous state. These proofs are then verified on Ethereum by a smart contract.

    1. ScrollChain.sol - Etherscan source code, verifyAggregateProof() and verifyAggregateProof4844() calls

    Zero knowledge SNARK cryptography is used

    Despite their production use zkSNARKs are still new and experimental cryptography. Cryptography has made a lot of advancements in the recent years but all cryptographic solutions rely on time to prove their security. In addition zkSNARKs require a trusted setup to operate.

    • Funds can be stolen if the cryptography is broken or implemented incorrectly.

    All data required for proofs is published on chain

    All the data that is used to construct the system state is published on chain in the form of cheap blobs or calldata. This ensures that it will be available for enough time.

    1. ScrollChain.sol - Etherscan source, code commitBatch() function
    State derivation
    Node software

    The node software to reconstruct the state is available here. Note that it uses the L2 p2p network to fetch blocks, and not the L1 network. The consistency with L1 data can be checked by running the scroll-geth node with the --[rollup](/glossary#rollup).verify flag.

    Compression scheme

    The rollup does not use compression.

    Genesis state

    The genesis file can be found here, which contains two prefunded addresses and five predeployed contracts.

    Data format

    Blocks are grouped into chunks and chunks are grouped into batches. Chunk encoding format can be found here, and batch encoding format can be found here.

    State validation

    Each update to the system state must be accompanied by a ZK proof that ensures that the new state was derived by correctly applying a series of valid user transactions to the previous state. These proofs are then verified on Ethereum by a smart contract.


    Prover Architecture

    The prover code can be found here.

    ZK Circuits

    Scroll circuits are based on the Halo2 proof system and are designed to replicate the behavior of the EVM. The source code of the base circuits can be found here while the code for the aggregation circuits can be found here.

    Verification Keys Generation

    SNARK verification keys can be generated and checked against Ethereum verifier contract using this guide. The system requires a trusted setup.

    Operator

    The system has a centralized operator

    The operator is the only entity that can propose blocks. A live and trustworthy operator is vital to the health of the system.

    • MEV can be extracted if the operator exploits their centralized position and frontruns user transactions.

    1. ScrollChain.sol - Etherscan source code, finalizeBatchWithProof() function modifier

    Users can't force any transaction

    There is no general mechanism to force the sequencer to include the transaction.

    • Users can be censored if the operator refuses to include their transactions.

    1. EnforcedTxGateway.sol - Etherscan source code, EnforcedTxGateway is paused
    Withdrawals

    Regular exit

    The user initiates the withdrawal by submitting a regular transaction on this chain. When the block containing that transaction is proven the funds become available for withdrawal on L1. Finally the user submits an L1 transaction to claim the funds. This transaction does not require a merkle proof.

    • Funds can be frozen if the operator censors withdrawal transaction.

    1. L1ETHGateway.sol - Etherscan source code, finalizeWithdrawETH function
    Permissions

    The system uses the following set of permissioned addresses:

    ScrollMultisig 0xEfc9…4dbe

    Currently also designated as the Security Council. Can upgrade proxies and the verifier without delay and propose transactions within Timelocks. It can also revert non finalized batches, remove sequencers and provers and pause contracts. This is a Gnosis Safe with 4 / 5 threshold.

    Those are the participants of the ScrollMultisig.

    ExecutorMultisig 0x1FF1…236f

    Can execute timelock transactions. This is a Gnosis Safe with 1 / 5 threshold.

    Those are the participants of the ExecutorMultisig.

    EmergencyMultisig 0xbdA1…0cBc

    Can revert batches, remove sequencers and provers, and pause contracts. This is a Gnosis Safe with 2 / 5 threshold.

    Those are the participants of the EmergencyMultisig.

    Actors allowed to commit transaction batches.

    Actors allowed to prove transaction batches and publish state root updates.

    Smart contracts
    A diagram of the smart contract architecture
    A diagram of the smart contract architecture

    The system consists of the following smart contracts on the host chain (Ethereum):

    The main contract of the Scroll chain. Allows to post transaction data and state roots, along with proofs. Sequencing and proposing are behind a whitelist. L1 -> L2 message processing on L2 is not enforced.

    Can be upgraded by: ScrollMultisig

    Upgrade delay: No delay

    Contract used to send L1 -> L2 and relay messages from L2. It allows to replay failed messages and to drop skipped messages. L1 -> L2 messages sent using this contract pay for L2 gas on L1 and will have the aliased address of this contract as the sender. This contract stores the following tokens: ETH.

    Can be upgraded by: ScrollMultisig

    Upgrade delay: No delay

    Contains the array of queued L1 -> L2 messages, either appended using the L1ScrollMessenger or the EnforcedTxGateway. The latter contract, which would allow users to send L2 messages from L1 with their own address as the sender, is not enabled yet.

    Whitelist 0x2592…cf37

    Contract implementing a generic whitelist. Currently used to define the actor that can relay the L2 basefee on L1.

    ScrollOwner 0x7985…26a6

    Owner of all contracts in the system. It implements an extension of AccessControl that manages roles and functions allowed to be called by each role.

    TimelockSlow 0x1A65…aB9C

    14d timelock. Admin of the ScrollOwner contract, meaning it can assign and revoke roles. The ScrollMultisig can propose and cancel transactions, and the ExecutorMultisig can execute them.

    TimelockMid 0xDC1d…9B1b

    7d timelock. Can manage the USDC gateway bridge. The ScrollMultisig can propose and cancel transactions, and the ExecutorMultisig can execute them.

    TimelockFast 0x0e58…C4F4

    1d timelock. Can add new sequencers and provers, update the gas oracle and permissions to update its values, the max gas limit, and gateways token mappings. The ScrollMultisig can propose and cancel transactions, and the ExecutorMultisig can execute them.

    MultipleVersionRollupVerifier 0x1Ea2…98f6

    Contract used to update the verifier and keep track of current and old versions.

    ZkEvmVerifierV0 0x585D…AD2D

    Current verifier using calldata for DA, used to prepare data for the PlonkVerifier.

    ZkEvmVerifierV1 0x4b28…b247

    Current verifier using blobs for DA, used to prepare data for the PlonkVerifier.

    PlonkVerifierV0 0x4B8A…F9E1

    Plonk verifier used to verify ZK proofs using calldata for DA.

    1. Source code
    PlonkVerifierV1 0x2293…6941

    Plonk verifier used to verify ZK proofs using blobs for DA.

    1. Source code

    Contract used to bridge ETH from L1 to L2.

    Can be upgraded by: ScrollMultisig

    Upgrade delay: No delay

    Contract used to bridge WETH from L1 to L2.

    Can be upgraded by: ScrollMultisig

    Upgrade delay: No delay

    Contract used to bridge ERC20 tokens from L1 to L2. It uses a fixed token list. This contract can store any token.

    Can be upgraded by: ScrollMultisig

    Upgrade delay: No delay

    Contract used to bridge ERC20 tokens from L1 to L2. It allows to change the token mappings. This contract can store any token.

    Can be upgraded by: ScrollMultisig

    Upgrade delay: No delay

    Contract used to bridge USDC tokens from L1 to L2. This contract stores the following tokens: USDC.

    Can be upgraded by: ScrollMultisig

    Upgrade delay: No delay

    Contract used to bridge ERC721 tokens from L1 to L2.

    Can be upgraded by: ScrollMultisig

    Upgrade delay: No delay

    Contract used to bridge ERC1155 tokens from L1 to L2.

    Can be upgraded by: ScrollMultisig

    Upgrade delay: No delay

    Main entry point for depositing ETH and ERC20 tokens, which are then forwarded to the correct gateway.

    Can be upgraded by: ScrollMultisig

    Upgrade delay: No delay

    FeeVaultMultisig 0x8FA3…EB48

    Multisig used to store fees collected from gateways to pay for L1 -> L2 message execution.

    Contracts to force L1 -> L2 messages with the proper sender. The contract is pausable by ScrollOwner. The contract is currently paused.

    Can be upgraded by: ScrollMultisig

    Upgrade delay: No delay

    Deprecated: the functionality of this contract has been moved to the L1MessageQueue contract. It was used to relay the L2 basefee on L1 in a trusted way using a whitelist. It was also used to store and update values related to intrinsic gas cost calculations.

    Can be upgraded by: ScrollMultisig

    Upgrade delay: No delay

    Value Locked is calculated based on these smart contracts and tokens:

    Can be upgraded by: ScrollMultisig

    Upgrade delay: No delay

    Can be upgraded by: ScrollMultisig

    Upgrade delay: No delay

    Can be upgraded by: ScrollMultisig

    Upgrade delay: No delay

    Can be upgraded by: ScrollMultisig

    Upgrade delay: No delay

    Can be upgraded by: Lido (Lido Agent)

    Upgrade delay: No delay