Scroll logoScroll

Scroll is ZK Rollup that extends Ethereum’s capabilities through ZK tech and EVM compatibility.
Value Locked

$131 M

18.89%

Canonically Bridged
$131 M (100%)
Externally Bridged
$0.00 (0%)
Natively Minted
$0.00 (0%)
  • Tokens
  • Daily TPS
    2.3841.69%
  • 30D tx count
    7.38 M
  • Stage
    Stage 0
  • Type
    ZK Rollup
  • Purpose
    Universal
  • Chart

    ...

    Tokens

    Choose token

    Canonically Bridged Tokens (Top 15)

    Ether (ETH)
    USD Coin (USDC)
    Tether USD (USDT)
    Wrapped BTC (WBTC)
    Symbiosis (SIS)
    Rocket Pool ETH (rETH)
    Kyber Network Crystal v2 (KNC)
    Balancer (BAL)
    Curve DAO Token (CRV)
    LUSD Stablecoin (LUSD)
    Aave Token (AAVE)
    Uniswap (UNI)
    0x Protocol Token (ZRX)
    10Set Token (10SET)
    1INCH Token (1INCH)
    Milestones

    Scroll official launch

    2023 Oct 17th

    Scroll announces its official launch.

    Learn more

    Scroll Alpha testnet launch

    2023 Feb 27th

    Scroll launches its Alpha testnet on Goerli.

    Learn more
    Risk analysis
    Sequencer failureState validationData availabilityExit windowProposer failure

    State validation

    ZK proofs (SN)

    zkSNARKS are zero knowledge proofs that ensure state correctness, but require trusted setup.

    Data availability

    On chain

    All of the data needed for proof construction is published on chain.

    Exit window

    None

    There is no window for users to exit in case of an unwanted upgrade since contracts are instantly upgradable.

    Sequencer failure

    No mechanism

    There is no mechanism to have transactions be included if the sequencer is down or censoring.

    Proposer failure

    Cannot withdraw

    Only the whitelisted proposers can publish state roots on L1, so in the event of failure the withdrawals are frozen.

    Rollup stage
    ScrollScroll is a
    Stage 0
    ZK Rollup.
    There is no available node software that can reconstruct the state from L1 data, hence there is no way to verify that this system is a rollup.
    Learn more about Rollup stages
    Please keep in mind that these stages do not reflect rollup security, this is an opinionated assessment of rollup maturity based on subjective criteria, created with a goal of incentivizing projects to push toward better decentralization. Each team may have taken different paths to achieve this goal.
    Technology

    Validity proofs ensure state correctness

    Each update to the system state must be accompanied by a ZK proof that ensures that the new state was derived by correctly applying a series of valid user transactions to the previous state. These proofs are then verified on Ethereum by a smart contract.

    1. ScrollChain.sol#L319 - Etherscan source code, verifyAggregateProof() call

    All transaction data is recorded on chain

    All executed transactions are submitted to an on chain smart contract. The execution of the rollup is based entirely on the submitted transactions, so anyone monitoring the contract can know the correct state of the rollup chain.

    1. ScrollChain.sol#L164 - Etherscan source code commitBatch() function
    State derivation
    Node software

    The node software to reconstruct the state is available here. Note that it uses the L2 p2p network to fetch blocks, and not the L1 network. The ability to check consistency with L1 data is in the works.

    Compression scheme

    The rollup does not use compression.

    Genesis state

    The genesis file can be found here, which contains two prefunded addresses and five predeployed contracts.

    Data format

    Blocks are grouped into chunks and chunks are grouped into batches. Chunk encoding format can be found here, and batch encoding format can be found here.

    Operator

    The system has a centralized operator

    The operator is the only entity that can propose blocks. A live and trustworthy operator is vital to the health of the system.

    • MEV can be extracted if the operator exploits their centralized position and frontruns user transactions.

    1. ScrollChain.sol#L296 - Etherscan source code, finalizeBatchWithProof() function modifier

    Users can't force any transaction

    There is no general mechanism to force the sequencer to include the transaction.

    • Users can be censored if the operator refuses to include their transactions.

    1. L1MessageQueue.sol#L71 - Etherscan source code, skippedMessageBitmap mapping
    Withdrawals

    Regular exit

    The user initiates the withdrawal by submitting a regular transaction on this chain. When the block containing that transaction is proven the funds become available for withdrawal on L1. Finally the user submits an L1 transaction to claim the funds. This transaction does not require a merkle proof.

    • Funds can be frozen if the operator censors withdrawal transaction.

    1. L1ETHGateway.sol#L70 - Etherscan source code, finalizeWithdrawETH function
    Permissions

    The system uses the following set of permissioned addresses:

    ScrollMultisig 0xEfc9…4dbe

    Currently also designated as the Security Council. Can upgrade proxies and the verifier without delay and propose transactions within Timelocks. It can also revert non finalized batches, remove sequencers and provers and pause contracts. This is a Gnosis Safe with 4 / 5 threshold.

    Those are the participants of the ScrollMultisig.

    ExecutorMultisig 0x1FF1…236f

    Can execute timelock transactions. This is a Gnosis Safe with 1 / 5 threshold.

    Those are the participants of the ExecutorMultisig.

    EmergencyMultisig 0xbdA1…0cBc

    Can revert batches, remove sequencers and provers, and pause contracts. This is a Gnosis Safe with 2 / 5 threshold.

    Those are the participants of the EmergencyMultisig.

    Actors allowed to commit transaction batches.

    Actors allowed to prove transaction batches and publish state root updates.

    Smart contracts
    A diagram of the smart contract architecture
    A diagram of the smart contract architecture

    The system consists of the following smart contracts:

    The main contract of the Scroll chain. Allows to post transaction data and state roots, along with proofs. Sequencing and proposing are behind a whitelist. L1 -> L2 message processing on L2 is not enforced.

    Can be upgraded by: ScrollMultisig

    Upgrade delay: No delay

    Contract used to send L1 -> L2 and relay messages from L2. It allows to replay failed messages and to drop skipped messages. L1 -> L2 messages sent using this contract pay for L2 gas on L1 and will have the aliased address of this contract as the sender. This contract stores the following tokens: ETH.

    Can be upgraded by: ScrollMultisig

    Upgrade delay: No delay

    Contains the array of queued L1 -> L2 messages, either appended using the L1ScrollMessenger or the EnforcedTxGateway. The latter contract, which would allow users to send L2 messages from L1 with their own address as the sender, is not enabled yet.

    Contract used to relay the L2 basefee on L1 in a trusted way using a whitelist. It is also used to store and update values related to intrinsic gas cost calculations.

    Can be upgraded by: ScrollMultisig

    Upgrade delay: No delay

    Whitelist 0x2592…cf37

    Contract used to store whitelists for the L2GasPriceOracle contract.

    ScrollOwner 0x7985…26a6

    Owner of all contracts in the system. It implements an extension of AccessControl that manages roles and functions allowed to be called by each role.

    TimelockSlow 0x1A65…aB9C

    14d timelock. Admin of the ScrollOwner contract, meaning it can assign and revoke roles. The ScrollMultisig can propose and cancel transactions, and the ExecutorMultisig can execute them.

    TimelockMid 0xDC1d…9B1b

    7d timelock. Can update the verifier and manage the USDC gateway bridge. The ScrollMultisig can propose and cancel transactions, and the ExecutorMultisig can execute them.

    TimelockFast 0x0e58…C4F4

    1d timelock. Can add new sequencers and provers, update the gas oracle and permissions to update its values, the max gas limit, and gateways token mappings. The ScrollMultisig can propose and cancel transactions, and the ExecutorMultisig can execute them.

    MultipleVersionRollupVerifier 0xA2Ab…32a0

    Contract used to update the verifier and keep track of current and old versions.

    ZkEvmVerifierV1 0x585D…AD2D

    Current verifier, used to prepare data for the PlonkVerifier.

    PlonkVerifier 0x4B8A…F9E1

    Plonk verifier used to verify the ZK proof.

    1. Source code

    Contract used to bridge ETH from L1 to L2.

    Can be upgraded by: ScrollMultisig

    Upgrade delay: No delay

    Contract used to bridge WETH from L1 to L2.

    Can be upgraded by: ScrollMultisig

    Upgrade delay: No delay

    Contract used to bridge ERC20 tokens from L1 to L2. It uses a fixed token list. This contract can store any token.

    Can be upgraded by: ScrollMultisig

    Upgrade delay: No delay

    Contract used to bridge ERC20 tokens from L1 to L2. It allows to change the token mappings. This contract can store any token.

    Can be upgraded by: ScrollMultisig

    Upgrade delay: No delay

    Contract used to bridge USDC tokens from L1 to L2. This contract stores the following tokens: USDC.

    Can be upgraded by: ScrollMultisig

    Upgrade delay: No delay

    Contract used to bridge ERC721 tokens from L1 to L2.

    Can be upgraded by: ScrollMultisig

    Upgrade delay: No delay

    Contract used to bridge ERC1155 tokens from L1 to L2.

    Can be upgraded by: ScrollMultisig

    Upgrade delay: No delay

    Main entry point for depositing ETH and ERC20 tokens, which are then forwarded to the correct gateway.

    Can be upgraded by: ScrollMultisig

    Upgrade delay: No delay

    FeeVaultMultisig 0x8FA3…EB48

    Multisig used to store fees collected from gateways to pay for L1 -> L2 message execution.

    Contracts to force L1 -> L2 messages with the proper sender. Currently not enabled.

    Can be upgraded by: ScrollMultisig

    Upgrade delay: No delay

    Value Locked is calculated based on these smart contracts and tokens:

    If you find something wrong on this page you can submit an issue or edit the information