Cointime

Download App
iOS & Android

Polygon zkEVM: Results of Hexens' Security Audit

A comprehensive security audit of Polygon zkEVM began in December. Two security teams have been independently stress-testing all components, including the prover and smart contracts for Polygon zkEVM.

The result of the audit by one of those security teams, Hexens, is now available. (You can view the full report here.) In keeping with Polygon zkEVM’s built-in-public ethos, we wanted to outline the findings.

‍In total, Hexens found nine vulnerabilities, ranging in severity from critical to low—and seven additional recommendations related to informational gaps in Polygon zkEVM’s documentation.

‍As of this writing, all 16 issues have been fixed.

Those fixes related to the network were made available on the audit-upgraded testnet that went live earlier this month.

Polygon zkEVM: Setting the Standard

The security audit for Polygon zkEVM has been thorough, rigorous, and is not even finished. In addition to Hexens, another security team, Spearbit, conducted a parallel audit of Polygon zkEVM’s smart contracts. The Polygon Hermez team also conducted its own internal audit. Last week, Spearbit began yet another audit, focused on the ZK circuits and cryptography.

‍No technology, especially novel technology like Polygon zkEVM, can be entirely de-risked. However, Polygon Labs is establishing best practices for securing zkEVMs. When Mainnet Beta for Polygon zkEVM launches, all 35 components will have been audited three times, by 26 researchers, over the course of nearly four months. ‍

In the coming weeks, we will share the findings of the remaining audits as the reports are finalized.

Audit Scope

Hexens’ security review focused on the client stack. This includes the RPC node, sequencer, and aggregator, where proofs are generated. Hexens also reviewed PIL, the language for creating polynomial identities, and the smart contract for bridging assets to Ethereum.

Audit Findings

In total, four critical vulnerabilities were found in Hexens’ audit. One relied on an exploitation of the mechanism that makes Polygon zkEVM censorship resistant. Another used the extended features of ERC-777 tokens to launch a re-entrancy attack on the bridge smart contract. The other two critical vulnerabilities relied on manipulation of missing binary constraints: one in the Storage state machine and one in the ROM.

The remaining vulnerabilities were non-critical. Two in particular are worth highlighting because they illustrate the technical complexity of designing a rollup that increases Ethereum’s throughput without sacrificing EVM-equivalence.

In the EVM, the ecrecover function is used to recover the public key of a transaction sender from the transaction signature. This is an important function for verifying the authenticity of a transaction. A discrepancy with how ecrecover is implemented in zkASM, the assembly language used to implement the EVM in Polygon zkEVM, could have allowed a dishonest user to generate a proof for a transaction that is not compliant with the EVM.

Another non-critical vulnerability would have relied on a difference in the maximum size allowed for gas limits and chain IDs between Polygon zkEVM and EVM implementations, allowing a dishonest user to spam the sequencer and potentially interrupt the network’s availability.

For a comprehensive resource on Polygon zkEVM, check out the documentation wiki. And if you’re interested in (or perplexed by) Zero Knowledge, follow Polygon Labs’ dedicated ZK handle, @0xPolygonZK, and head over to our ZK forum.

Read more: https://polygon.technology/blog/polygon-zkevm-results-of-hexens-security-audit

Comments

All Comments

Recommended for you

  • ETH breaks through $1,600

    market shows that ETH has broken through $1600 and is now trading at $1600.1, with a 24-hour increase of 0.22%. The market is volatile, so please be prepared for risk control.

  • AI video startup Runway completes $308 million in funding

    AI video generation company Runway raised $308 million in a new round of financing, with a valuation soaring to over $3 billion. This round of financing was led by General Atlantic, with participation from Nvidia and SoftBank Vision Fund 2. Runway will use the funds to strengthen AI model research and development and expand the creative team. Its software has been used in Amazon series, Madonna tours, and Puma ads, among other projects. The recently launched Gen-4 model supports consistency in characters and scenes, achieving significant technological breakthroughs.

  • Forbes survey: More than a third of Wall Street leaders oppose Trump's economic policies

    Forbes recently conducted an investigation into President Trump's economic policies, contacting 50 of the most influential figures on Wall Street, including billionaire investors, heads of large institutional asset management companies, and top financial advisors in the United States, to understand their views on Trump's economic strategy since taking office.

  • AI infrastructure platform Mahojin completes $5 million financing

    AI infrastructure platform Mahojin has completed a $5 million financing round, led by a16z CSX and Maelstrom. Mahojin aims to create a "GitHub" for AI model creators and dataset developers, with the platform enabling intellectual property tracking and rewarding the original contributors of models and datasets.

  • A senior Brazilian official: Bitcoin reserves are "crucial" to Brazil's prosperity

    according to Decrypt, Pedro Giocondo Guerra, senior advisor to the Vice President of Brazil, stated in a recent speech on behalf of the government: "The strategic reserve of Bitcoin is crucial for the prosperity of the country. Discussions about establishing a BTC reserve may be a key factor in deciding the prosperity of Brazil, in line with the interests of the country and the public." Brazilian congressman Eros Biondini (PL-MG) previously proposed legislation to establish a "strategic sovereign Bitcoin reserve" (RESBit). Holding 5% of foreign exchange reserves (international reserves) in Bitcoin, the Central Bank of Brazil will use advanced monitoring systems, blockchain technology, and artificial intelligence to monitor transactions and be responsible for custody.

  • Bitpanda receives broker-dealer license from Dubai Virtual Assets Authority

    Bitpanda, headquartered in Vienna, has obtained a broker-dealer license from the Dubai Virtual Asset Regulatory Authority (VARA).

  • US artificial intelligence startup Yutori raises $15 million

    Yutori, a startup based in San Francisco, has raised $15 million for the development of an artificial intelligence personal assistant.

  • Meme incubation platform Coresky completes $15 million Series A financing

    Meme incubation platform Coresky announced the completion of a $15 million Series A financing round, led by Tido Capital, with WAGMi Ventures, Copilot Venture Studio, Web3 Vision Fund, and Parallel Ventures participating. The valuation information has not been disclosed, and the company's total financing to date has reached $21 million.

  • Vest Labs Completes $5 Million Seed Round of Financing, with Amber Group, QCP Capital and Other Investors

    Vest Labs, a financial infrastructure company based on real-time risk pricing, has announced the completion of a $5 million seed round financing, with participation from Jane Street, Amber Group, Selini Capital, QCP Capital, and Big Brain Holdings. The new funds will be used to support its construction of a real-time, verifiable risk pricing model based on zero-knowledge proofs to enhance financial market transparency and efficiency, and will also launch a perpetual futures trading platform supporting Arbitrum, Solana, Base, and other L2 solutions.

  • In April, Polygon’s on-chain NFT sales exceeded US$50 million, setting the second highest record of the year

    According to Cryptoslam data, the NFT sales on Polygon chain in April exceeded 50 million US dollars, reaching 51,539,690.69 US dollars, setting the second highest monthly sales record in 2024, second only to January's sales of 112 million US dollars this year. In addition, the NFT trading volume on Polygon chain in April increased significantly to 1.5 million transactions, with nearly 90,000 independent sellers and over 33,000 independent buyers.