Scroll
About
Scroll is a ZK Rollup that extends Ethereum’s capabilities through ZK tech and EVM compatibility.
Curie upgrade
2024 Jul 3rd
Introduces data compression, new opcodes, dynamic block time, and new transaction types.
Bernoulli upgrade
2024 Apr 29th
Introduces EIP-4844 data blobs for L1 data availability, and the SHA2-256 precompile on L2.
Funds can be stolen if
Funds can be frozen if
Users can be censored if
MEV can be extracted if
State validation
ZK proofs (SN). zkSNARKS are zero knowledge proofs that ensure state correctness, but require trusted setup.
Exit window
None. There is no window for users to exit in case of an unwanted regular upgrade since contracts are instantly upgradable.
Sequencer failure
No mechanism. There is no mechanism to have transactions be included if the sequencer is down or censoring.
Proposer failure
Cannot withdraw. Only the whitelisted proposers can publish state roots on L1, so in the event of failure the withdrawals are frozen.
- A complete and functional proof system is deployed.
- Users’ withdrawals can be censored by the permissioned operators.
- Upgrades executed by actors with more centralized control than a Security Council provide less than 7d for users to exit if the permissioned operator is down or censoring.
- The Security Council is not properly set up.
- Upgrades unrelated to on-chain provable bugs provide less than 30d to exit.
- The Security Council’s actions are not confined to on-chain provable bugs.
Validity proofs ensure state correctness
Each update to the system state must be accompanied by a ZK proof that ensures that the new state was derived by correctly applying a series of valid user transactions to the previous state. These proofs are then verified on Ethereum by a smart contract.
Zero knowledge SNARK cryptography is used
Despite their production use, zkSNARKs are still new and experimental cryptography. Cryptography has made a lot of advancements in recent years, but all cryptographic solutions rely on time to prove their security. In addition, zkSNARKs require a trusted setup to operate.
Funds can be stolen if the cryptography is broken or implemented incorrectly.
All data required for proofs is published on chain
All the data that is used to construct the system state is published on chain in the form of cheap blobs or calldata. This ensures that it will be available for enough time.
Scroll circuits are based on the Halo2 proof system and are designed to replicate the behavior of the EVM. The source code of the base circuits can be found here while the code for the aggregation circuits can be found here.
SNARK verification keys can be generated and checked against the Ethereum verifier contract using this guide. The system requires a trusted setup.
The system has a centralized operator
The operator is the only entity that can propose blocks. A live and trustworthy operator is vital to the health of the system.
MEV can be extracted if the operator exploits their centralized position and frontruns user transactions.
Users can't force any transaction
There is no general mechanism to force the sequencer to include a transaction.
Users can be censored if the operator refuses to include their transactions.
Regular exit
The user initiates the withdrawal by submitting a regular transaction on this chain. When the block containing that transaction is proven, the funds become available for withdrawal on L1. Finally, the user submits an L1 transaction to claim the funds. This transaction does not require a Merkle proof.
Funds can be frozen if the operator censors the withdrawal transaction.
The system uses the following set of permissioned addresses:
ScrollMultisig: Currently also designated as the Security Council. Can upgrade proxies and the verifier without delay and propose transactions within Timelocks. It can also revert non finalized batches, remove sequencers and provers and pause contracts. This is a Gnosis Safe with 4 / 5 threshold.
ExecutorMultisig: Can execute timelock transactions. This is a Gnosis Safe with 1 / 5 threshold.
EmergencyMultisig: Can revert batches, remove sequencers and provers, and pause contracts. This is a Gnosis Safe with 2 / 5 threshold.
PufferFinanceOpsMultisig: Can upgrade the pufETH custom escrow. This is a Gnosis Safe with 3 / 8 threshold.
Can upgrade the wstETH custom escrow.
Actors allowed to commit transaction batches.
Actors allowed to prove transaction batches and publish state root updates.
The system consists of the following smart contracts on the host chain (Ethereum):
The main contract of the Scroll chain. It allows posting transaction data and state roots, along with proofs. Sequencing and proposing are behind a whitelist. L1 -> L2 message processing on L2 is not enforced.
Upgrade delay: No delay
Contract used to send L1 -> L2 messages and relay messages from L2. It allows replaying failed messages and dropping skipped messages. L1 -> L2 messages sent using this contract pay for L2 gas on L1 and will have the aliased address of this contract as the sender. This contract stores the following tokens: ETH.
Upgrade delay: No delay
Owner of all contracts in the system. It implements an extension of AccessControl that manages roles and functions allowed to be called by each role.
14d timelock. Admin of the ScrollOwner contract, meaning it can assign and revoke roles. The ScrollMultisig can propose and cancel transactions, and the ExecutorMultisig can execute them.
7d timelock. Can manage the USDC gateway bridge. The ScrollMultisig can propose and cancel transactions, and the ExecutorMultisig can execute them.
Contract used to update the verifier and keep track of current and old versions.
Current verifier using calldata for DA, used to prepare data for the PlonkVerifierV0.
Plonk verifier used to verify ZK proofs using calldata for DA.
Main entry point for depositing ETH and ERC20 tokens, which are then forwarded to the correct gateway.
Upgrade delay: No delay
Deprecated: the functionality of this contract has been moved to the L1MessageQueue contract. It was used to relay the L2 basefee on L1 in a trusted way using a whitelist. It was also used to store and update values related to intrinsic gas cost calculations.
Upgrade delay: No delay
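The permissions and timelocks listed above can be read as a small threat model: each capability is reachable through one or more paths, and users only get the delay of the fastest one. The following Python is an added example, not code from this page or from the Scroll project; the capability names, the `Step`/`PATHS` structure and the choice of which capabilities count as upgrades are assumptions, while the thresholds and delays are the ones stated on this page. Signature totals assume the Safes share no owners.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Step:
    actor: str
    threshold: int       # signatures needed from this Safe
    delay_days: int = 0  # enforced wait after this step

# capability -> alternative paths; a path is a sequence of steps.
# Thresholds and delays are the ones stated on this page.
PATHS = {
    "upgrade proxies and verifier": [[Step("ScrollMultisig", 4)]],
    "assign or revoke ScrollOwner roles": [
        [Step("ScrollMultisig", 4, delay_days=14), Step("ExecutorMultisig", 1)]],
    "manage USDC gateway bridge": [
        [Step("ScrollMultisig", 4, delay_days=7), Step("ExecutorMultisig", 1)]],
    "pause contracts or revert batches": [
        [Step("ScrollMultisig", 4)], [Step("EmergencyMultisig", 2)]],
}
# Assumption: these are the capabilities that can change code or access control.
UPGRADE_CAPS = tuple(c for c in PATHS if not c.startswith("pause"))

def path_cost(path):
    """(total delay in days, total signatures) along one path."""
    return (sum(s.delay_days for s in path), sum(s.threshold for s in path))

def weakest_path(capability):
    """Fastest path to a capability; ties go to the fewest signatures."""
    return min(PATHS[capability], key=path_cost)

def exit_window_days(capabilities=UPGRADE_CAPS):
    """Users only get the delay of the fastest upgrade path."""
    return min(path_cost(weakest_path(c))[0] for c in capabilities)

def report(required_days=7):
    """One row per capability: (name, actors, signatures, delay, meets window)."""
    rows = []
    for cap in PATHS:
        delay, sigs = path_cost(weakest_path(cap))
        actors = " -> ".join(s.actor for s in weakest_path(cap))
        rows.append((cap, actors, sigs, delay, delay >= required_days))
    return rows

if __name__ == "__main__":
    for row in report():
        print(row)
    print("exit window in days:", exit_window_days())
```

The 14d and 7d timelocks do not lengthen the exit window, because the direct ScrollMultisig upgrade path has zero delay.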