On Feb 17 2025 I reported a critical vulnerability to @Scroll_ZKP. $100m+ in TVL was at risk for more than 2 months.
Anyone could force Scroll L2 into an indefinite re-org, halting the chain so that no user transactions would be included in blocks and the chain would not move forward. All funds on L2 would be frozen.
@Scroll_ZKP downplayed the report. There was no meaningful communication about the issue—only continuous ghosting and silence. The @immunefi team mediated, yet did not correctly classify the vulnerability, which clearly falls under "Primacy of Impact." When I requested a re-evaluation, I received no response.
As a result, I am disclosing this to the public to highlight Scroll's lack of security proficiency, their unfair resolution process, and their treatment of white-hats.
You can find the link to the full report and complete timeline below.
@redhairshanks86 @0xBalloonLover @Wublockchain @coindesk @cointelegraph @TheBlock__ @aave @EtherFi @ambient_finance @l2beat
Full impact of the issue:
- The Scroll chain can be halted deliberately at zero cost to the attacker.
- Withdrawals remain blocked for the duration of the attack (potentially indefinitely, as it is free to sustain).
- Halted block production prevents critical time-dependent DeFi actions (e.g., topping up positions to avoid liquidation, oracle price updates), putting user funds at risk.
- The sequencer stops collecting transaction fees because no L2 user transactions can be included in blocks.
- Anyone on the internet can trigger the attack, and Scroll has no preventative measures.
---
Timeline
- **Feb 17 2025** – Issue submitted on Immunefi.
- **Feb 18 2025** – Scroll claims the issue was known from a Trail of Bits audit 14 months earlier and says it will be fixed in the Euclid upgrade (still 2+ months away). Scroll closes the report.
- **Feb 18 2025** – I request Immunefi triage, providing code commits that show Scroll attempted—but failed—to fix the issue. I emphasize that, while the attack vector is similar, the impact and exploitation mechanism are different.
- **Feb 24 2025** – Immunefi reopens the report for discussion with Scroll.
- **Feb 27 2025** – Immunefi asks Scroll for an update.
- **Mar 03 2025** – I contact Scroll to stress that the issue is public and exploitable on the live protocol.
- **Mar 03 2025** – I DM @yezhang1998 on Twitter about the Immunefi report.
- **Mar 04 2025** – Scroll says the issue is out of scope, labeling it "Throttling or suppression of operations without loss of user funds," and notes a similar report from Nov 06 2024.
- **Mar 04 2025** – I request Immunefi mediation to confirm the submission's uniqueness and ensure a fair bounty.
- **Mar 13 2025** – I ask Immunefi for an update.
- **Mar 17 2025** – Immunefi classifies the issue as **High severity** ("causing network processing nodes to handle transactions from the mempool beyond set parameters"). They confirm the bug is unique, acknowledge Scroll's attempted fix was ineffective, and suggest a goodwill bounty because Euclid will deprecate the vulnerable functionality (in ~1.5 months).
- **Mar 17 2025** – I reiterate that an attacker could freeze $100m+ on L2 and highlight Scroll's "Primacy of Impact" policy, which requires considering broader consequences.
- **Mar 19 2025** – Scroll acknowledges receipt and promises to follow up shortly.
- **Mar 27 2025** – I ask Scroll for an update.
- **Apr 03 2025** – I ask Scroll for an update.
- **Apr 03 2025** – Immunefi also asks Scroll for an update.
- **Apr 09 2025** – Immunefi contacts Scroll directly.
- **Apr 09 2025** – Scroll offers a payment of only **$1000**, stating the mechanism will be deprecated in the Euclid upgrade (3-4 weeks away).
- **Apr 09 2025** – I reject the bounty, explaining the protocol is still vulnerable and detailing potential losses had the vulnerability been exploited on Feb 17 2025.
- **Apr 15 2025** – I ask Immunefi to confirm "Primacy of Impact" applies and that the network remains vulnerable.
- **Apr 22 2025** – Scroll responds with a single "." and closes the report.
- **Apr 22 2025** – I ask Immunefi to explain Scroll's response and provide an update.
- **Apr 29 2025** – I notify both Scroll and Immunefi that I will publicly disclose the vulnerability on Apr 30 2025 unless the report is treated and rewarded fairly.
Here is the full audit report with a complete explanation of the issue, PoC scripts, a local network setup guide, and a PoC video. A full triage history (screenshots) is included at the end of the blog post—please review it!
https://t.co/dOqk0vh9ng
---
🎉 Announcing our Season 1 Airdrop and non-transferrable Zircuit Token (ZRC)!
We’re rewarding early stakers, partners, and builders who’ve contributed to Zircuit and shaped our ecosystem 🤝
More details below👇
Gmeow 💚
---
We're excited to announce our Mainnet funding round to help build the safest L2 with Sequencer Level Security that prevents smart contract exploits.
👇
---
If you are auditing a smart contract and see math calculations for the slippage parameter to be passed to a swap operation, it is highly likely this is a Medium/High severity issue.
Slippage parameters should only be calculated off-chain, because of possible sandwich attacks.
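The pattern the post is warning about, side by side with the fix, as an added example (not code from the post's author). The router and token interfaces are hypothetical, Uniswap-V2-style stand-ins; the point is where the minimum-output bound is computed, not the particular DEX.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical minimal router interface (Uniswap-V2-style names, assumed for this example).
interface IRouter {
    function getAmountsOut(uint256 amountIn, address[] calldata path)
        external view returns (uint256[] memory amounts);
    function swapExactTokensForTokens(
        uint256 amountIn,
        uint256 amountOutMin,
        address[] calldata path,
        address to,
        uint256 deadline
    ) external returns (uint256[] memory amounts);
}

interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function approve(address spender, uint256 amount) external returns (bool);
}

/// VULNERABLE: minOut is derived on-chain from pool state at execution time.
/// Anyone who gets a transaction in front of this one moves the pool price first;
/// getAmountsOut then reports the already-degraded quote, so the 1% "tolerance"
/// is measured against a price the front-runner chose. The check always passes
/// and the user absorbs the loss.
contract VulnerableSwapper {
    IRouter public immutable router;
    uint256 public constant SLIPPAGE_BPS = 100; // 1%

    constructor(IRouter _router) { router = _router; }

    function swap(uint256 amountIn, address[] calldata path) external returns (uint256) {
        IERC20(path[0]).transferFrom(msg.sender, address(this), amountIn);
        IERC20(path[0]).approve(address(router), amountIn);

        // Quote taken in the same block the swap executes in: manipulable.
        uint256[] memory quoted = router.getAmountsOut(amountIn, path);
        uint256 minOut = quoted[quoted.length - 1] * (10_000 - SLIPPAGE_BPS) / 10_000;

        // deadline == block.timestamp is likewise no protection: it is always satisfied.
        uint256[] memory amounts = router.swapExactTokensForTokens(
            amountIn, minOut, path, msg.sender, block.timestamp
        );
        return amounts[amounts.length - 1];
    }
}

/// HARDENED: the caller supplies minAmountOut (computed off-chain from a quote the
/// caller observed and accepted) and an explicit absolute deadline. The on-chain
/// code never recomputes the bound from manipulable pool state; it only enforces it.
contract HardenedSwapper {
    IRouter public immutable router;

    error ZeroMinOut();
    error Expired();

    constructor(IRouter _router) { router = _router; }

    function swap(
        uint256 amountIn,
        uint256 minAmountOut,   // decided by the caller off-chain
        address[] calldata path,
        uint256 deadline        // absolute timestamp chosen by the caller
    ) external returns (uint256) {
        if (minAmountOut == 0) revert ZeroMinOut();   // reject "accept any output"
        if (block.timestamp > deadline) revert Expired();

        IERC20(path[0]).transferFrom(msg.sender, address(this), amountIn);
        IERC20(path[0]).approve(address(router), amountIn);

        uint256[] memory amounts = router.swapExactTokensForTokens(
            amountIn, minAmountOut, path, msg.sender, deadline
        );
        return amounts[amounts.length - 1];
    }
}
```

In the hardened version the caller fetches a quote off-chain (for example `getAmountsOut` via `eth_call`), applies its own tolerance, and passes the result as `minAmountOut`; if the pool moves against the caller before execution, the router reverts instead of filling at the worse price. When reviewing, flag any `minOut` that is derived on-chain from `getAmountsOut`, reserves, or a spot price read in the same transaction, and any hard-coded `0` or `block.timestamp` passed as the bound or deadline.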
---
One of the best ways to learn about previous smart contract hacks, understand them in depth and read the code with which the attack can be executed?
Here it is, 10/10 resource
https://t.co/rbLYEHHbmI
---
Today, we are disclosing LeftoverLocals, a vulnerability that allows listening to LLM responses through leaked GPU local memory created by another process on Apple, Qualcomm, AMD, and Imagination GPUs (CVE-2023-4969) https://t.co/rIqfClarLJ
---
Exploring a fascinating idea: Using poisoned Retrieval-Augmented Generation (RAG) to effectively jailbreak LLMs. We're seeing definitive results with malicious queries.
Currently drafting a paper and preparing a demo GPT sample: https://t.co/rV18FgXkH2
---
🔐 "MASTERKEY": Unveiling vulnerabilities in LLM chatbots! 🤖 We've reverse-engineered defenses & auto-generated jailbreak prompts with high success. Breaches on #ChatGPT & more. Full paper out now! #AI #LLM #JailbreakAI 🛡️
https://t.co/AuIfnViLOe