Audits & Bug Bounty Program

Scroll treats security as a top priority.

In addition to rigorous testing, an internal security team, and comprehensive code reviews, we have engaged multiple security audit firms to audit our codebase. We have also launched a bug bounty program to encourage the community to participate in the security of our protocol.

Independent Audits

Scroll has worked with several industry-leading security audit firms to review our codebase, with critical code receiving reviews from multiple teams, including Trail of Bits, OpenZeppelin, Zellic, and KALOS.

  • Trail of Bits, Zellic, and KALOS have reviewed our zkEVM circuits
  • OpenZeppelin and Zellic have performed independent audits on our bridge & rollup contracts
  • Trail of Bits has analyzed our node implementation

zkEVM circuits

Node implementation

Bridge and rollup contract

Auxiliary contracts

Euclid Upgrade

Bug Bounty Program

Scroll has an active Bug Bounty Program on Immunefi and a Bug Bounty Program on Remedy, two leading bug bounty platforms. The program is open to the public, and we encourage anyone to participate.

Rewards depend on the severity of reported vulnerabilities:

  • Critical: up to $1,000,000
  • High: $10,000 - $50,000
  • Medium: $5,000

Scope

The scope of the bug bounty program covers the blockchain infrastructure and the smart contracts for bridging and rollup. For a detailed breakdown of bug categories, please refer to the bug bounty page.

Beyond the scope listed in the bug bounty program, we also encourage you to report any other vulnerabilities you identify to Immunefi; we will still consider them for rewards.
