Security Subsidy Program for Scroll Builders
Proposal Title: Security Subsidy Program for Scroll Builders
Proposal Type: Growth
Summary:
This proposal introduces a pilot Security Subsidy Program for providing comprehensive onchain security for projects committed to building on Scroll, geared towards projects graduating from Scroll Open.
It is structured around two core components plus one critical support component:
- Access to subsidized audit services via Areta’s open audit marketplace.
- Access to a discounted and subsidized onchain security marketplace managed by Immunefi, providing end-to-end protection beyond traditional audits, from pre-deployment through post-launch.
- Governance mechanisms that ensure commitment to build on Scroll and prevent subsidy farming.
Funding Request & Support:
- Requests the SCR equivalent to $500k USD, with $300k dedicated to audit subsidies to be used in Areta’s open audit marketplace and $200k to the end-to-end security marketplace run by Immunefi.
- To be coordinated by Immunefi in collaboration with the newly-formed Ecosystem Growth Council and Scroll Labs, with oversight by the Scroll Foundation. Scroll Labs and the Foundation have final say over the eligibility of projects and over the marketplace offerings.
Expected Outcomes:
- Subsidize audits and related pre-launch and post-launch security services for eligible Scroll-native projects, covering up to 100% of audit costs and up to 75% of end-to-end security services, with an additional 25% discount on those end-to-end services, i.e. an effective subsidy of 100%.
- Discounted access (on top of the subsidies) to best-in-class providers across the security stack.
- Eliminate the burden of discovering and vetting the right security suppliers and tooling.
- Reduce the need to hire large internal teams to get effective security through a project’s life cycle.
- Reduce the cost hurdle of building the secure tech stack required to develop trust among end-users.
- Improve the overall speed to market of the projects participating in Scroll’s Open Economy.
- Improve the attractiveness of the Scroll ecosystem to new builders deciding where to build.
- Improve the overall security practices and security culture within the Scroll ecosystem.
Motivation:
L2 security is critical yet often misunderstood. As L2s compete to attract builders and scale the EVM, it’s increasingly important to build trust across all ecosystem dimensions. For that, audits are an industry standard and a non‑negotiable best practice. Every project that launches on mainnet needs an audit.
However, modern onchain security transcends audits, requiring tailored solutions for the various needs that emerge across a complex code security lifecycle. Countless projects have suffered devastating hacks after assuming audits were sufficient:
- Consider Immunefi’s statistics: among the roughly 500 projects that have launched bug bounty programs on Immunefi, nearly all had been audited previously, often multiple times.
- Yet, Immunefi’s community of security researchers has surfaced critical bugs in 80% of its bug bounty programs in the first year after launch.
- Consider the May 2025 hacks of Cetus on Sui or of Cork Protocol on Ethereum, with both projects having undergone multiple audits by reputable providers.
- Still, edge cases that were either considered out of scope or overlooked during the audits caused tens of millions in losses, showing how end-to-end security is key.
Scroll hasn’t assumed audits are sufficient, being well aware that “security is a continuous journey”. At least one of its always-on security programs has already produced concrete results:
- Scroll’s bug bounty program has awarded a $1M bounty to one of Immunefi’s elite security researchers in May 2025 for a bug found this April.
- Scroll’s own report acknowledged that, “if exploited, this vulnerability would allow an attacker to essentially mint an arbitrary amount of ETH or any ERC20 tokens on L2”.
- Overall, we have been authorized to share that Scroll’s bug bounty program with Immunefi has surfaced 4 critical bugs and 1 high-severity bug to date.
Now, as the Cetus hack on Sui illustrates, Scroll should extend this approach to its ecosystem. Given that Scroll is already committed to hard-wiring security into its culture from the outset, this program would:
- Guarantee that every eligible project undergoes a code review before launch.
  - While also offering essential access to pre-deployment and post-launch security tools, as per modern best practices that are rarely followed because of their perceived high cost.
- Ensure access to competitive pricing through marketplace dynamics across the security stack.
  - While benefiting from additional discounts on top of the proposed subsidies.
- Grant participating projects free-of-charge access to a suite of AI-driven security features and tooling available on the Immunefi Magnus platform for the duration of the program.
  - While incentivising and regulating eligible projects to avoid subsidy farming.
With this program, Scroll ends up protecting its users, safeguarding its brand integrity, and sending a clear signal to builders and investors that it is the right place to innovate and scale. All in a streamlined manner that maximizes security outcomes for each dollar spent across the ecosystem.
Execution:
Operational:
This proposal recommends partnering with Immunefi, an established player with proven experience in crowdsourced onchain security, to coordinate the Security Subsidy Program.
The subsidy funds will be allocated to two marketplaces: Areta Market and Immunefi Magnus.
About Immunefi:
Immunefi is the leading onchain security platform, offering a comprehensive suite of services through its Magnus marketplace to more than 350 leading protocols and dapps. In just over four years, it has directly prevented hacks worth over $25 billion USD, and its community of security researchers has been awarded over $120 million USD for responsibly disclosing more than 5,000 web2 and web3 vulnerabilities.
Today, Immunefi works with leading projects including Sky (formerly MakerDAO), Optimism, Polygon, GMX, Chainlink, TheGraph, Lido, LayerZero, Arbitrum, StarkNet, EigenLayer, Astar Network, ZKsync and more, all publicly available on the website. It’s also a proven security partner to other large ecosystems:
Magnus, Immunefi’s unified security marketplace, helps a project’s security team deal with tool overload, blind spots and ever-evolving threats. Teams can manage security engagements through a single command center —
... please visit the link below to view the full proposal:
https://gov.scroll.io/proposals/91360824989201313760093357308966451810618090588954576726162250101960628120398