Polygon zkEVM: Results of Hexens' Security Audit

A comprehensive security audit of Polygon zkEVM began in December. Two security teams have been independently stress-testing all components, including the prover and smart contracts for Polygon zkEVM.

The result of the audit by one of those security teams, Hexens, is now available. (You can view the full report here.) In keeping with Polygon zkEVM’s built-in-public ethos, we wanted to outline the findings.

In total, Hexens found nine vulnerabilities, ranging in severity from critical to low, and seven additional recommendations related to informational gaps in Polygon zkEVM’s documentation.

As of this writing, all 16 issues have been fixed.

The fixes that relate to the network were made available on the audit-upgraded testnet that went live earlier this month.

Polygon zkEVM: Setting the Standard

The security audit for Polygon zkEVM has been thorough and rigorous, and it is not even finished. In addition to Hexens, another security team, Spearbit, conducted a parallel audit of Polygon zkEVM’s smart contracts. The Polygon Hermez team also conducted its own internal audit. Last week, Spearbit began yet another audit, focused on the ZK circuits and cryptography.

No technology, especially novel technology like Polygon zkEVM, can be entirely de-risked. However, Polygon Labs is establishing best practices for securing zkEVMs. When Mainnet Beta for Polygon zkEVM launches, all 35 components will have been audited three times, by 26 researchers, over the course of nearly four months.

In the coming weeks, we will share the findings of the remaining audits as the reports are finalized.

Audit Scope

Hexens’ security review focused on the client stack. This includes the RPC node, sequencer, and aggregator, where proofs are generated. Hexens also reviewed PIL, the language for creating polynomial identities, and the smart contract for bridging assets to Ethereum.

Audit Findings

In total, four critical vulnerabilities were found in Hexens’ audit. One relied on an exploitation of the mechanism that makes Polygon zkEVM censorship resistant. Another used the extended features of ERC-777 tokens to launch a re-entrancy attack on the bridge smart contract. The other two critical vulnerabilities relied on manipulation of missing binary constraints: one in the Storage state machine and one in the ROM.
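What a missing binary constraint means in practice, as an added toy example (not code from Polygon zkEVM, Hexens or the audit report; the select gate, the field and the sample values are assumptions made for illustration): a selector that the design assumes is 0 or 1 is never forced to be, so a witness with a non-binary selector still satisfies the identity until the booleanity check is added.

```python
# Toy illustration (constructed): a one-row "conditional select" constraint
# over a prime field. Not Polygon zkEVM's Storage state machine or ROM.
P = 2**64 - 2**32 + 1  # Goldilocks prime, used here only as a sample field


def select_constraint(sel, a, b, out):
    """out must equal a when sel == 1 and b when sel == 0."""
    return (sel * a + (1 - sel) * b - out) % P == 0


def binary_constraint(sel):
    """sel * (1 - sel) == 0 holds in a field only for sel in {0, 1}."""
    return (sel * (1 - sel)) % P == 0


def verify(witness, enforce_binary):
    """Accept the witness if every polynomial identity evaluates to zero."""
    sel, a, b, out = witness
    ok = select_constraint(sel, a, b, out)
    if enforce_binary:
        ok = ok and binary_constraint(sel)
    return ok


def solve_selector(a, b, out):
    """Field element sel with sel*a + (1-sel)*b == out (requires a != b)."""
    return ((out - b) * pow(a - b, -1, P)) % P


def audit_row(a, b, claimed_out):
    """Return (accepted_without_binary, accepted_with_binary) for a claimed
    output, using whatever selector makes the select identity hold."""
    sel = solve_selector(a, b, claimed_out)
    w = (sel, a, b, claimed_out)
    return verify(w, enforce_binary=False), verify(w, enforce_binary=True)


if __name__ == "__main__":
    a, b = 100, 7  # constructed sample values
    print("out = a:  ", audit_row(a, b, a))    # honest row, sel == 1
    print("out = b:  ", audit_row(a, b, b))    # honest row, sel == 0
    print("out = 999:", audit_row(a, b, 999))  # output equal to neither input
```

The third row is the one an auditor looks for: the select identity alone accepts an output that matches neither input, and the added `sel * (1 - sel) == 0` identity rejects it.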

The remaining vulnerabilities were non-critical. Two in particular are worth highlighting because they illustrate the technical complexity of designing a rollup that increases Ethereum’s throughput without sacrificing EVM-equivalence.

In the EVM, the ecrecover function is used to recover the public key of a transaction sender from the transaction signature. This is an important function for verifying the authenticity of a transaction. A discrepancy with how ecrecover is implemented in zkASM, the assembly language used to implement the EVM in Polygon zkEVM, could have allowed a dishonest user to generate a proof for a transaction that is not compliant with the EVM.

Another non-critical vulnerability would have relied on a difference in the maximum size allowed for gas limits and chain IDs between Polygon zkEVM and EVM implementations, allowing a dishonest user to spam the sequencer and potentially interrupt the network’s availability.

For a comprehensive resource on Polygon zkEVM, check out the documentation wiki. And if you’re interested in (or perplexed by) Zero Knowledge, follow Polygon Labs’ dedicated ZK handle, @0xPolygonZK, and head over to our ZK forum.

Read more: https://polygon.technology/blog/polygon-zkevm-results-of-hexens-security-audit
