Search

Search for projects by name

SummaryValue LockedActivityOnchain costsMilestones & IncidentsRisk summaryRisk analysisRollup stageTechnologyState derivationState validationOperatorWithdrawalsPermissionsSmart contracts

Scroll logoScroll

Badges

About

Scroll is ZK Rollup that extends Ethereum’s capabilities through ZK tech and EVM compatibility.

Value Locked
$939.61 M22.2%
Canonically Bridged
$231.76 M
Externally Bridged
$599.34 M
Natively Minted
$108.50 M
View TVL Breakdown
  • Tokens
  • Daily TPS
    1.5435.3%
  • 30D tx count
    12.30 M
  • Stage
    Stage 0
  • Type
    ZK Rollup
  • Purpose
    Universal
    • Sequencer failureState validationData availabilityExit windowProposer failure

    Badges

    About

    Scroll is ZK Rollup that extends Ethereum’s capabilities through ZK tech and EVM compatibility.

    Value Locked
    Activity
    Onchain costs
    Milestones & Incidents

    Darwin upgrade

    2024 Aug 21st

    Introduces a reduction in gas fees through bundling multiple batches into a single validity proof.

    Learn more

    Batches reverted

    2024 Jul 5th

    To fix a bug in the compression for batches 55 previously committed batches are reverted.

    Learn more
    Risk summary

    Funds can be frozen if

    1. the operator censors withdrawal transaction.

    Users can be censored if

    1. the operator refuses to include their transactions.

    MEV can be extracted if

    1. the operator exploits their centralized position and frontruns user transactions.
    Risk analysis
    Sequencer failureState validationData availabilityExit windowProposer failure

    Sequencer failure

    No mechanism

    There is no mechanism to have transactions be included if the sequencer is down or censoring.

    State validation

    ZK proofs (SN)

    SNARKs are zero knowledge proofs that ensure state correctness, but require trusted setup.

    Data availability

    Onchain

    All of the data needed for proof construction is published on Ethereum L1.

    Exit window

    None

    There is no window for users to exit in case of an unwanted regular upgrade since contracts are instantly upgradable.

    Proposer failure

    Cannot withdraw

    Only the whitelisted proposers can publish state roots on L1, so in the event of failure the withdrawals are frozen.

    Rollup stage
    ScrollScroll is a
    Stage 0
    ZK Rollup.
    There is no available node software that can reconstruct the state from L1 data, hence there is no way to verify that this system is a rollup.

    Learn more about Rollup stages
    Please keep in mind that these stages do not reflect rollup security, this is an opinionated assessment of rollup maturity based on subjective criteria, created with a goal of incentivizing projects to push toward better decentralization. Each team may have taken different paths to achieve this goal.
    Technology

    Validity proofs ensure state correctness

    Each update to the system state must be accompanied by a ZK proof that ensures that the new state was derived by correctly applying a series of valid user transactions to the previous state. These proofs are then verified on Ethereum by a smart contract.

    1. ScrollChain.sol - Etherscan source code, verifyAggregateProof() and verifyBundleProof() calls

    Zero knowledge SNARK cryptography is used

    Despite their production use zkSNARKs are still new and experimental cryptography. Cryptography has made a lot of advancements in the recent years but all cryptographic solutions rely on time to prove their security. In addition zkSNARKs require a trusted setup to operate.

    • Funds can be stolen if the cryptography is broken or implemented incorrectly.

    All data required for proofs is published on chain

    All the data that is used to construct the system state is published on chain in the form of cheap blobs or calldata. This ensures that it will be available for enough time.

    1. ScrollChain.sol - Etherscan source code commitBatch() and commitBatchWithBlobProof() functions
    State derivation
    Node software

    The node software to reconstruct the state is available here. Note that it uses the L2 p2p network to fetch blocks, and not the L1 network. The consistency with L1 data can be checked by running the scroll-geth node with the --rollup.verify flag.

    Compression scheme

    Data batches are compressed using the zlib algorithm with best compression level.

    Genesis state

    The genesis file can be found here, which contains two prefunded addresses and five predeployed contracts.

    Data format

    Blocks are grouped into chunks and chunks are grouped into batches. Chunk encoding format can be found here, and batch encoding format can be found here.

    State validation

    Each update to the system state must be accompanied by a ZK proof that ensures that the new state was derived by correctly applying a series of valid user transactions to the previous state. These proofs are then verified on Ethereum by a smart contract.

    Prover Architecture

    The prover code can be found here.

    ZK Circuits

    Scroll circuits are based on the Halo2 proof system and are designed to replicate the behavior of the EVM. The source code of the base circuits can be found here while the code for the aggregation circuits can be found here.

    Verification Keys Generation

    SNARK verification keys can be generated and checked against Ethereum verifier contract using this guide. The system requires a trusted setup.

    Operator

    The system has a centralized operator

    The operator is the only entity that can propose blocks. A live and trustworthy operator is vital to the health of the system.

    • MEV can be extracted if the operator exploits their centralized position and frontruns user transactions.

    1. ScrollChain.sol - Etherscan source code, finalizeBundleWithProof() function modifier

    Users can't force any transaction

    There is no general mechanism to force the sequencer to include the transaction.

    • Users can be censored if the operator refuses to include their transactions.

    1. EnforcedTxGateway.sol - Etherscan source code
    2. EnforcedTxGateway is paused - Etherscan proxy contract
    Withdrawals

    Regular exit

    The user initiates the withdrawal by submitting a regular transaction on this chain. When the block containing that transaction is proven the funds become available for withdrawal on L1. Finally the user submits an L1 transaction to claim the funds. This transaction does not require a merkle proof.

    • Funds can be frozen if the operator censors withdrawal transaction.

    1. L1ETHGateway.sol - Etherscan source code, finalizeWithdrawETH function
    Permissions

    The system uses the following set of permissioned addresses:

    ScrollMultisig 0xEfc9…4dbe

    This is a Gnosis Safe with 4 / 5 threshold. Currently also designated as the Security Council. Can upgrade proxies and the verifier without delay and propose transactions within Timelocks. It can also revert non finalized batches, remove sequencers and provers and pause contracts.

    ScrollMultisig participants (5) 0xFCf6…c0720xE2e6…32490xEbbe…Dc680xfc31…E3840x9337…72E0

    Those are the participants of the ScrollMultisig.

    ExecutorMultisig 0x1FF1…236f

    This is a Gnosis Safe with 1 / 5 threshold. Can execute timelock transactions.

    ExecutorMultisig participants (5) 0xEe9b…0D5B0xFcf1…94020x0c5c…f7740xd7bC…06320x5689…f754

    Those are the participants of the ExecutorMultisig.

    EmergencyMultisig 0xbdA1…0cBc

    This is a Gnosis Safe with 2 / 5 threshold. Can revert batches, remove sequencers and provers, and pause contracts.

    EmergencyMultisig participants (5) 0x0c5c…f7740xEe9b…0D5B0xFcf1…94020xd7bC…06320x5689…f754

    Those are the participants of the EmergencyMultisig.

    Sequencers (2) 0xcF28…fc8f0x2ce8…44c7

    Actors allowed to commit transaction batches.

    Proposers (2) 0x3564…90740x69d7…7f06

    Actors allowed to prove transaction batches and publish state root updates.

    Smart contracts
    A diagram of the smart contract architecture
    A diagram of the smart contract architecture

    The system consists of the following smart contracts on the host chain (Ethereum):

    ScrollChain 0xa13B…E556Implementation (Upgradable)Admin

    The main contract of the Scroll chain. Allows to post transaction data and state roots, along with proofs. Sequencing and proposing are behind a whitelist. L1 -> L2 message processing on L2 is not enforced.

    Can be upgraded by:
    ScrollMultisig

    Upgrade delay: No delay

    L1ScrollMessenger 0x6774…b367Implementation (Upgradable)Admin

    Contract used to send L1 -> L2 and relay messages from L2. It allows to replay failed messages and to drop skipped messages. L1 -> L2 messages sent using this contract pay for L2 gas on L1 and will have the aliased address of this contract as the sender. This contract stores the following tokens: ETH.

    Can be upgraded by:
    ScrollMultisig

    Upgrade delay: No delay

    L1MessageQueue 0x0d7E…AF9BImplementation (Upgradable)Admin

    Contains the array of queued L1 -> L2 messages, either appended using the L1ScrollMessenger or the EnforcedTxGateway. The latter contract, which would allow users to send L2 messages from L1 with their own address as the sender, is not enabled yet.

    Whitelist 0x2592…cf37

    Contract implementing a generic whitelist. Currently used to define the actor that can relay the L2 basefee on L1.

    ScrollOwner 0x7985…26a6

    Owner of all contracts in the system. It implements an extension of AccessControl that manages roles and functions allowed to be called by each role.

    TimelockSlow 0x1A65…aB9C

    14d timelock. Admin of the ScrollOwner contract, meaning it can assign and revoke roles. The ScrollMultisig can propose and cancel transactions, and the ExecutorMultisig can execute them.

    TimelockMid 0xDC1d…9B1b

    7d timelock. Can manage the USDC gateway bridge. The ScrollMultisig can propose and cancel transactions, and the ExecutorMultisig can execute them.

    TimelockFast 0x0e58…C4F4

    1d timelock. Can add new sequencers and provers, update the gas oracle and permissions to update its values, the max gas limit, and gateways token mappings. The ScrollMultisig can propose and cancel transactions, and the ExecutorMultisig can execute them.

    MultipleVersionRollupVerifier 0x4CEA…ad3F

    Contract used to update the verifier and keep track of current and old versions.

    ZkEvmVerifierV0 0x585D…AD2D

    Current verifier using calldata for DA, used to prepare data for the PlonkVerifierV0.

    PlonkVerifierV0 0x4B8A…F9E1

    Plonk verifier used to verify ZK proofs using calldata for DA.

    1. Source code
    ZkEvmVerifierV1 0x4b28…b247

    Verifier using blobs for DA, used to prepare data for the PlonkVerifierV1.

    PlonkVerifierV1 0x2293…6941

    Plonk verifier used to verify ZK proofs using blobs for DA.

    1. Source code
    ZkEvmVerifierV1-1 0x63FB…faA2

    Verifier using blobs for DA, used to prepare data for the PlonkVerifierV1-1. Added in the Curie upgrade.

    PlonkVerifierV1-1 0x03a7…0110

    Plonk verifier used to verify ZK proofs using blobs for DA.

    1. Source code
    ZkEvmVerifierV2 0x2d6e…18fB

    Verifier proving bundles (group of batches), used to prepare data for the PlonkVerifierV2. Added in the Darwin upgrade.

    PlonkVerifierV2 0x8759…c9a9

    Plonk verifier used to verify ZK proofs for bundles.

    1. Source code
    ZkEvmVerifierV2-1 0xCAEC…54B3

    Verifier proving bundles (group of batches), used to prepare data for the PlonkVerifierV2-1. Added in the Darwin v2 upgrade.

    PlonkVerifierV2-1 0x8c1b…30f7

    Plonk verifier used to verify ZK proofs for bundles.

    1. Source code
    L1ETHGateway 0x7F2b…E905Implementation (Upgradable)Admin

    Contract used to bridge ETH from L1 to L2.

    Can be upgraded by:
    ScrollMultisig

    Upgrade delay: No delay

    L1WETHGateway 0x7AC4…D4fEImplementation (Upgradable)Admin

    Contract used to bridge WETH from L1 to L2.

    Can be upgraded by:
    ScrollMultisig

    Upgrade delay: No delay

    L1BatchBridgeGateway 0x5Bcf…2bc4Implementation (Upgradable)Admin

    Contract used to efficiently bridge ETH (in batches) from L1 to L2.

    Can be upgraded by:
    ScrollMultisig

    Upgrade delay: No delay

    L1StandardERC20Gateway 0xD8A7…F8f9Implementation (Upgradable)Admin

    Contract used to bridge ERC20 tokens from L1 to L2. It uses a fixed token list. This contract can store any token.

    Can be upgraded by:
    ScrollMultisig

    Upgrade delay: No delay

    L1CustomERC20Gateway 0xb2b1…B6ffImplementation (Upgradable)Admin

    Contract used to bridge ERC20 tokens from L1 to L2. It allows to change the token mappings. This contract can store any token.

    Can be upgraded by:
    ScrollMultisig

    Upgrade delay: No delay

    L1USDCGateway 0xf1AF…5c7BImplementation (Upgradable)Admin

    Contract used to bridge USDC tokens from L1 to L2. This contract stores the following tokens: USDC.

    Can be upgraded by:
    ScrollMultisig

    Upgrade delay: No delay

    L1ERC721Gateway 0x6260…554BImplementation (Upgradable)Admin

    Contract used to bridge ERC721 tokens from L1 to L2.

    Can be upgraded by:
    ScrollMultisig

    Upgrade delay: No delay

    L1ERC1155Gateway 0xb94f…75B6Implementation (Upgradable)Admin

    Contract used to bridge ERC1155 tokens from L1 to L2.

    Can be upgraded by:
    ScrollMultisig

    Upgrade delay: No delay

    L1GatewayRouter 0xF8B1…1Fd6Implementation (Upgradable)Admin

    Main entry point for depositing ETH and ERC20 tokens, which are then forwarded to the correct gateway.

    Can be upgraded by:
    ScrollMultisig

    Upgrade delay: No delay

    FeeVaultMultisig 0x8FA3…EB48Implementation (Upgradable)

    Multisig used to store fees collected from gateways to pay for L1 -> L2 message execution.

    EnforcedTxGateway 0x72CA…7A5dImplementation (Upgradable)Admin

    Contracts to force L1 -> L2 messages with the proper sender. The contract is pausable by ScrollOwner. The contract is currently paused.

    Can be upgraded by:
    ScrollMultisig

    Upgrade delay: No delay

    OLD_L2GasPriceOracle 0x987e…3852Implementation (Upgradable)Admin

    Deprecated: the functionality of this contract has been moved to the L1MessageQueue contract. It was used to relay the L2 basefee on L1 in a trusted way using a whitelist. It was also used to store and update values related to intrinsic gas cost calculations.

    Can be upgraded by:
    ScrollMultisig

    Upgrade delay: No delay

    Value Locked is calculated based on these smart contracts and tokens:

    Generic escrow 0xD8A7…F8f9Implementation (Upgradable)Admin
    Can be upgraded by:
    ScrollMultisig

    Upgrade delay: No delay

    Generic escrow 0xb2b1…B6ffImplementation (Upgradable)Admin
    Can be upgraded by:
    ScrollMultisig

    Upgrade delay: No delay

    Escrow for ETH 0x6774…b367Implementation (Upgradable)Admin
    Can be upgraded by:
    ScrollMultisig

    Upgrade delay: No delay

    Escrow for USDC 0xf1AF…5c7BImplementation (Upgradable)Admin
    Can be upgraded by:
    ScrollMultisig

    Upgrade delay: No delay

    Escrow for DAI 0x6726…F515Implementation (Upgradable)Admin
    Can be upgraded by:
    ScrollMultisig

    Upgrade delay: No delay

    Escrow for wstETH 0x6625…f504Implementation (Upgradable)Admin

    Custom token escrow with third-party governance, using the canonical bridge only for messaging.

    Escrow for pufETH 0xA033…2b2aImplementation (Upgradable)Admin

    Custom token escrow with third-party governance, using the canonical bridge only for messaging.