This proposal introduces a pilot Security Subsidy Program for providing comprehensive onchain security for projects committed to building on Scroll, geared towards projects graduating from Scroll Open.
It is structured into two core components plus an additional, critical support component:
L2 security is critical yet often misunderstood. As L2s compete to attract builders and scale the EVM, it’s increasingly important to build trust across all ecosystem dimensions. For that, audits are an industry standard and a non‑negotiable best practice. Every project that launches on mainnet needs an audit.
However, modern on-chain security transcends audits, requiring tailored solutions focused on the various needs emerging from a complex code security lifecycle. This is because countless projects suffered devastating hacks after assuming audits were sufficient:
Scroll hasn’t assumed audits are sufficient, being well aware that “security is a continuous journey”. This has resulted in various positive outcomes from at least one of its always-on security programs:
Now, as demonstrated by the Cetus hack on Sui, Scroll should extend this approach to its ecosystem. Given that Scroll is already committed to hard-wire security into its culture from the outset, this would:
Guarantee every eligible project undergoes a code review before launch.
Ensure access to competitive pricing through marketplace dynamics across the security stack.
Grant its projects free-of-charge access to a suite of AI-driven security features and tooling available on the Immunefi Magnus platform for the duration of the program.
With this program, Scroll ends up protecting its users, safeguarding its brand integrity, and sending a clear signal to builders and investors that it is the right place to innovate and scale. All in a streamlined manner that maximizes security outcomes for each dollar spent across the ecosystem.
This proposal recommends partnering with an established player with proven experience in crowdsourced onchain security to coordinate the Security Subsidy Program, Immunefi.
The subsidy funds will be allocated to two marketplaces: Areta Market and Immunefi Magnus.
Immunefi is the leading onchain security platform, offering a comprehensive suite of services through its Magnus marketplace to more than 350 leading protocols and dapps. In just over four years, it has directly prevented hacks worth over $25 billion USD, and its community of Security Researchers has been awarded over $120 million USD for responsibly disclosing more than 5,000 web2 and web3 vulnerabilities.
Today, Immunefi works with leading projects including Sky (formerly MakerDAO), Optimism, Polygon, GMX, Chainlink, TheGraph, Lido, LayerZero, Arbitrum, StarkNet, EigenLayer, Astar Network, ZKsync and more, all publicly listed on Immunefi’s website. It’s also a proven security partner to other large ecosystems:
Magnus, Immunefi’s unified security marketplace, helps a project's security team deal with tool overload, blind spots and ever-evolving threats. Teams can manage security engagements through a single command center — from triaging findings and PR reviews to vendor and payment management:
Areta Market is the leading marketplace solution for security audits. The product has been launched on Arbitrum and Uniswap and has facilitated over $35M in audit offers to date. It is a white-label tech solution that can be used by any party chosen by the Scroll DAO to manage subsidies.
This Security Subsidy Program proposal rests on two core components: 1) traditional audits and 2) end-to-end onchain security.
Traditional audits are to be delivered through the Areta Market marketplace.
End-to-end onchain security services are delivered through Immunefi’s Magnus marketplace and include free access to a suite of AI-driven security features for the duration of the Security Subsidy Program. This entails an AI-powered security copilot that can be privately trained on each project’s unique infrastructure and is powered by Codexa, the most comprehensive dataset of blockchain vulnerabilities in the industry.
The two components above are supported by a couple of mechanisms to ensure commitment to building on Scroll and to prevent subsidy farming. This point was inspired by recent research conducted by RnDAO, delegate feedback, and work developed by Areta to overcome similar issues faced in other ecosystems.
These ensure that projects attracted to build on Scroll by this program are i) incentivised to remain, and ii) that those graduating from Scroll Open are motivated to continue advancing the open economy.
Moreover, note the Security Subsidy Program has a separate budget for each of the components which is unlocked per application and on a per product basis, detailed in the summary and in the financial section.
The commitment component outlined above should be driven by three mechanisms that work together to support the long-term growth of the Scroll ecosystem and to prevent the abuse that comes with no-strings-attached grants.
A). Rating criteria framework to inform the evaluation of applications
a). Rating sheet with up to 10 possible points and a required grade of 6 to qualify.
  1. 2 points — Existing fit with the Scroll ecosystem.
     - 0 points: no fit, e.g. no development on Scroll yet.
     - 1 point: some fit, e.g. graduating from Scroll Open.
     - 2 points: strong fit, e.g. project building on Scroll for more than 6 months.
  2. 2 points — Business plan.
     - 0 points: poor plan, e.g. no clarity, excessive scope.
     - 1 point: good plan, e.g. granular and realistic.
     - 2 points: strong plan, e.g. investment-worthy.
  3. 2 points — Team qualifications.
     - 0 points: weak team, e.g. lone individual with minimal to no industry background.
     - 1 point: reasonable team, e.g. co-founders with some industry background.
     - 2 points: strong team, e.g. mature team with extensive industry background.
  4. 4 points — Value for Scroll.
     - 0 points: no alignment, e.g. no link to Scroll’s current plans.
     - 1 point: weak alignment, e.g. intangible link and some metrics.
     - 2 points: medium alignment, e.g. direct link and clear metrics.
     - 3 points: strong alignment, e.g. all the above plus community support.
     - 4 points: excellent alignment, e.g. all the above plus good optics.
b). This grading is an informative framework for pre-screening purposes. Final assessment shall be led by the Scroll Foundation, which will ensure that at least Scroll Labs or the newly-formed Ecosystem Growth Council will also provide input for any given application.
i). Moreover, the Scroll Foundation and Scroll Labs can pre-approve projects for any subsidy under this program.
B). Subsidies as investment contracts
a). Instead of handing out one-off grants, we propose to align the long-term goals of the recipient projects to those of the Scroll ecosystem by structuring the subsidies as investment contracts to the exclusive benefit of the Scroll ecosystem, through an entity to be managed by the Scroll Foundation. The model for these contracts is inspired by RnDAO’s approved agreement with the Arbitrum Foundation, with equivalent documents to be developed with the EGC once it’s formed.
i. That would be a legal document covering three scenarios:
1. Equity fundraising through a SAFE.
2. Token launch through a token warrant.
3. A side letter in case there’s no fundraising nor a token.
ii. This will grant a minority stake in the subsidy recipients proportional to the risk taken by Scroll with this program as per the final assessment of each project’s application, which will be done by the Scroll Foundation.
1. 1% for projects with 9 or 10 points.
2. 1.5% for projects with 7 or 8 points.
3. 2% for projects with 6 points.
iii. With an estimated average audit subsidy of $30k and average onchain security subsidy of $20k, this equates to an average investment of $50k in 10 projects.
1. While the minority stake percentage may seem low, this ensures any fundraising efforts aren’t hindered while allowing Scroll to recoup its investment in any project that reaches a minimum valuation of $2.5 to $5 million USD.
b). The legal entity shall be incorporated under the Scroll Foundation, pending legal review.
C). Exclusivity clause
a). Finally, to further promote long-term commitment to Scroll, the investment contracts will have a clause to ensure all code audited under this program must remain exclusive to the Scroll ecosystem for a fixed period, to be defined together with the Scroll Foundation.
b). In cases of breach, legal action will be enforced against the project.
In terms of structure, the Security Subsidy Program consists of three phases:
Phase 1: Program Setup (Month 1 — Sept.)
Phase 2: Traditional Audits and End-to-End Onchain Security (Months 2-6 — Oct. to Mar.)
Phase 3: Program review (Months 3-6 — Nov. to Mar.)
The Security Subsidy Program may be renewed at the end of the term depending on performance and the community’s wishes, subject to an updated governance proposal.
Note that even though the Security Subsidy Program’s applications are only open for five months, the projects can benefit from these security products and services for up to one year. For example, an audit competition can be contracted at the end of the program to start a few months later. PR Reviews, bug bounty programs or real-time monitoring can be contracted anytime for a period of 12 months.
Below are the proposed personnel and their roles:
The traditional audits component represents the bulk of the financial investment, given the mature nature of that market. Within this component, audit providers offer market rates to be subsidized by the Security Subsidy Program up to 100%, up to a $50k cap, with projects paying at least 10% of the audit cost to ensure they remain committed to the code review process. Projects are also required to engage in co-marketing activities to be coordinated by Immunefi, as detailed in the Roles section. This process follows the public learnings from previous subsidy funds with Arbitrum and Uniswap.
Within the end-to-end onchain security component, eligible marketplace providers offer a 25% discount, with the Security Subsidy Program subsidising them up to 75%, on a case-by-case basis. Moreover, Immunefi is offering free access to the Magnus marketplace and platform for a period of 6 months to all eligible projects. This includes a proprietary and private AI-powered security co-pilot.
The budget for this Security Subsidy Program shall then amount to $500k, based on the estimated costs to serve a significant portion of the projects graduating from Scroll Open, distributed as follows:
| Expense Category | Cost (USD) | Budget allocation |
|---|---|---|
| Traditional audit subsidies | $300,000 | $300k for audits for up to 10 projects — an average 75% subsidy for an average audit cost of $40k (roughly half of Arbitrum’s ADPC average audit cost) |
| End-to-end onchain security subsidies | $200,000 | Funds are unlocked per application and per product based on each project’s security needs, to be allocated in coordination with the Scroll Foundation. |
| Total | $500,000 | Current SCR equivalent at the time of the proposal. |
As shown in the budget above, this program has no OpEx as it will be run by Immunefi for the benefit of the Scroll ecosystem. Immunefi is directly and indirectly compensated, being a participant in the Areta Market marketplace for audits and being an operator of the Magnus marketplace.
SCR conversion shall be coordinated by Scroll’s upcoming treasury management provider. Until then, funds will be held at a multisig managed by the Scroll Foundation.
Unused funds at the end of the six-month period will either be returned to the DAO treasury or rolled into a renewed program, pending delegate approval.
Lastly, for additional context, here’s an overview of the typical market rates for each of the services included in the Security Subsidy Program (SSP), and the respective offer for Scroll ecosystem projects.
| Product and services | Market rates | Subsidy program rates |
|---|---|---|
| Traditional audits | Typically from $15k to $150k. | 50% to 100% subsidy, $50k cap per project, up to 8 projects. |
| Fuzzing | Not enough data to estimate. | 25% vendor discount, up to 75% subsidy. |
| Formal verification | Not enough data to estimate. | 25% vendor discount, up to 75% subsidy. |
| Pull request reviews | Contingent on the scope of the code review. | 1 complimentary PR review per project for up to 10 projects, then 25% vendor discount, up to 75% subsidy. |
| Audit competitions | Typically 15% to 25% of the rewards pool. | No fees up to a $50k rewards pool; up to 50% subsidy on reward pools capped at $25k for up to 2 projects. |
| Bug bounty programs | $20k to $60k per year. | No bug bounty hosting fees for up to 10 projects for 1 year, assisted program design, safe harbor module, and 25% discount on bug bounty programs with the managed triage service add-on. |
| Real-time monitoring | Not enough data to estimate. | 25% vendor discount, up to 75% subsidy. |
The Security Subsidy Program is both urgent and foundational: it slashes security risk while accelerating time-to-launch for Scroll-native teams. This program gives Scroll and its projects a unique opportunity to access proven security outcomes with streamlined processes and long-term alignment.
Passing this proposal signals that the Scroll community is serious about retaining builders and securing TVL beyond just audits. With the full lifecycle security supported by Magnus, projects can iterate fast and scale confidently, protected by industry-leading bounties and precise, automated threat detection tools.
This proposal will break down barriers to secure deployment, fast-track project launches and deliver seamless best-in-class ongoing onchain security for early-stage Scroll teams — before and after going live. We welcome your questions and look forward to fortifying the ecosystem together.
Voting threshold: 51%. Result: DEFEATED.