Cointime

Download App
iOS & Android

Polygon zkEVM: Results of Hexens' Security Audit

A comprehensive security audit of Polygon zkEVM began in December. Two security teams have been independently stress-testing all components, including the prover and smart contracts for Polygon zkEVM.

The result of the audit by one of those security teams, Hexens, is now available. (You can view the full report here.) In keeping with Polygon zkEVM’s built-in-public ethos, we wanted to outline the findings.

‍In total, Hexens found nine vulnerabilities, ranging in severity from critical to low—and seven additional recommendations related to informational gaps in Polygon zkEVM’s documentation.

‍As of this writing, all 16 issues have been fixed.

Those fixes related to the network were made available on the audit-upgraded testnet that went live earlier this month.

Polygon zkEVM: Setting the Standard

The security audit for Polygon zkEVM has been thorough, rigorous, and is not even finished. In addition to Hexens, another security team, Spearbit, conducted a parallel audit of Polygon zkEVM’s smart contracts. The Polygon Hermez team also conducted its own internal audit. Last week, Spearbit began yet another audit, focused on the ZK circuits and cryptography.

‍No technology, especially novel technology like Polygon zkEVM, can be entirely de-risked. However, Polygon Labs is establishing best practices for securing zkEVMs. When Mainnet Beta for Polygon zkEVM launches, all 35 components will have been audited three times, by 26 researchers, over the course of nearly four months. ‍

In the coming weeks, we will share the findings of the remaining audits as the reports are finalized.

Audit Scope

Hexens’ security review focused on the client stack. This includes the RPC node, sequencer, and aggregator, where proofs are generated. Hexens also reviewed PIL, the language for creating polynomial identities, and the smart contract for bridging assets to Ethereum.

Audit Findings

In total, four critical vulnerabilities were found in Hexens’ audit. One relied on an exploitation of the mechanism that makes Polygon zkEVM censorship resistant. Another used the extended features of ERC-777 tokens to launch a re-entrancy attack on the bridge smart contract. The other two critical vulnerabilities relied on manipulation of missing binary constraints: one in the Storage state machine and one in the ROM.

The remaining vulnerabilities were non-critical. Two in particular are worth highlighting because they illustrate the technical complexity of designing a rollup that increases Ethereum’s throughput without sacrificing EVM-equivalence.

In the EVM, the ecrecover function is used to recover the public key of a transaction sender from the transaction signature. This is an important function for verifying the authenticity of a transaction. A discrepancy with how ecrecover is implemented in zkASM, the assembly language used to implement the EVM in Polygon zkEVM, could have allowed a dishonest user to generate a proof for a transaction that is not compliant with the EVM.

Another non-critical vulnerability would have relied on a difference in the maximum size allowed for gas limits and chain IDs between Polygon zkEVM and EVM implementations, allowing a dishonest user to spam the sequencer and potentially interrupt the network’s availability.

For a comprehensive resource on Polygon zkEVM, check out the documentation wiki. And if you’re interested in (or perplexed by) Zero Knowledge, follow Polygon Labs’ dedicated ZK handle, @0xPolygonZK, and head over to our ZK forum.

Read more: https://polygon.technology/blog/polygon-zkevm-results-of-hexens-security-audit

Comments

All Comments

Recommended for you

  • Fardi Wang, Chairman of NEXUS 2140: AI•Web3•Ecom Global Expo, Made Appearance at Meta Crypto Oasis 2025 in Dubai

    Fardi Wang, Chairman of NEXUS 2140: AI•Web3•Ecom Global Expo, recently appeared at the Meta Crypto Oasis 2025 in Dubai, joining global Web3 leaders such as Justin Sun (Founder of TRON) and Chris (Co-founder of Sonic) to discuss the future of the industry. As the first cross-industry event integrating AI, Web3, and E-commerce, NEXUS 2140 is accelerating its international expansion through Fardi Wang’s active participation. At the summit, Fardi Wang emphasized that the integration of virtual and real-world assets is the key breakthrough for the Web3 ecosystem. He mentioned: “NEXUS 2140 is leveraging Korea’s policies, technological strengths, and ecosystem advantages to build a global industrial hub.” His insights received strong recognition from attendees, and the Dubai visit further amplified the international influence of the event, injecting new momentum into global digital economy collaboration.

  • Binance Wallet’s New TGE B² Network is Now Available for Investment

    according to official page data, Binance Wallet's new TGE B² Network is now open for investment, with an end time of 18:00 (UTC+8). The participation threshold for this TGE is that Alpha points must reach 82 points.

  • The price of ALPACA perpetual contract on Binance platform rose by more than 25% in the past 5 minutes

    the current price of ALPACA perpetual contract on the Binance platform has risen by over 25% in the past 5 minutes, now falling back to $1.3683. At the same time, the spot price of ALPACA is $1.22, showing a significant price difference.

  • To participate in Binance Wallet's new TGE B² Network, you must have 82 points

    according to the official announcement, Binance Wallet has announced the participation threshold for the new B² Network (B2) TGE, with Alpha points needing to reach 82 points.

  • 1confirmation founder: There is a negative correlation between the popularity of the seed round and the success of the project product

    On April 29th, Nick Tomaino, the founder of 1confirmation, wrote on X that there is a negative correlation between the popularity of seed round projects and their success. Participating in a hot round is indeed exciting: high funding amounts, intense competition, big-name investors, and extensive media coverage. However, rarely does participating in such hot projects before the product-market fit is clear bring truly outstanding results. At 1confirmation, some of the most "popular" projects we have invested in have actually performed the worst.

  • U.S. Treasury Secretary Benson: We hope to obtain long-term tariff revenue and agreements

    US Treasury Secretary Besant said he hopes to obtain long-term tariff revenue and agreements, and the US will hold talks with at least 17 partners in the coming weeks. There is a good chance of seeing income tax reductions in the tax bill, and tariff revenue could be used for tax cuts.

  • MilkyWay has opened airdrop applications

    April 29th news, MilkyWay stated on social media that the airdrop application has been opened, and the application will be closed at 18:00 on May 29, 2025.

  • Spot gold continues to fall

    spot gold continues to decline, with the decline expanding to 2%, at $3315.49 per ounce.

  • BTC breaks through $93,500

    the market shows BTC has broken through $93,500, now trading at $93,506.58, with a 24-hour increase of 6.12%. The market is fluctuating greatly, please manage your risks.

  • In April, Polygon’s on-chain NFT sales exceeded US$50 million, setting the second highest record of the year

    According to Cryptoslam data, the NFT sales on Polygon chain in April exceeded 50 million US dollars, reaching 51,539,690.69 US dollars, setting the second highest monthly sales record in 2024, second only to January's sales of 112 million US dollars this year. In addition, the NFT trading volume on Polygon chain in April increased significantly to 1.5 million transactions, with nearly 90,000 independent sellers and over 33,000 independent buyers.