Cointime

Cointime

Download App
iOS & Android

Polygon zkEVM: Results of Hexens' Security Audit

Validated Project

A comprehensive security audit of Polygon zkEVM began in December. Two security teams have been independently stress-testing all components, including the prover and smart contracts for Polygon zkEVM.

The result of the audit by one of those security teams, Hexens, is now available. (You can view the full report here.) In keeping with Polygon zkEVM’s built-in-public ethos, we wanted to outline the findings.

‍In total, Hexens found nine vulnerabilities, ranging in severity from critical to low—and seven additional recommendations related to informational gaps in Polygon zkEVM’s documentation.

‍As of this writing, all 16 issues have been fixed.

Those fixes related to the network were made available on the audit-upgraded testnet that went live earlier this month.

Polygon zkEVM: Setting the Standard

The security audit for Polygon zkEVM has been thorough, rigorous, and is not even finished. In addition to Hexens, another security team, Spearbit, conducted a parallel audit of Polygon zkEVM’s smart contracts. The Polygon Hermez team also conducted its own internal audit. Last week, Spearbit began yet another audit, focused on the ZK circuits and cryptography.

‍No technology, especially novel technology like Polygon zkEVM, can be entirely de-risked. However, Polygon Labs is establishing best practices for securing zkEVMs. When Mainnet Beta for Polygon zkEVM launches, all 35 components will have been audited three times, by 26 researchers, over the course of nearly four months. ‍

In the coming weeks, we will share the findings of the remaining audits as the reports are finalized.

Audit Scope

Hexens’ security review focused on the client stack. This includes the RPC node, sequencer, and aggregator, where proofs are generated. Hexens also reviewed PIL, the language for creating polynomial identities, and the smart contract for bridging assets to Ethereum.

Audit Findings

In total, four critical vulnerabilities were found in Hexens’ audit. One relied on an exploitation of the mechanism that makes Polygon zkEVM censorship resistant. Another used the extended features of ERC-777 tokens to launch a re-entrancy attack on the bridge smart contract. The other two critical vulnerabilities relied on manipulation of missing binary constraints: one in the Storage state machine and one in the ROM.

The remaining vulnerabilities were non-critical. Two in particular are worth highlighting because they illustrate the technical complexity of designing a rollup that increases Ethereum’s throughput without sacrificing EVM-equivalence.

In the EVM, the ecrecover function is used to recover the public key of a transaction sender from the transaction signature. This is an important function for verifying the authenticity of a transaction. A discrepancy with how ecrecover is implemented in zkASM, the assembly language used to implement the EVM in Polygon zkEVM, could have allowed a dishonest user to generate a proof for a transaction that is not compliant with the EVM.

Another non-critical vulnerability would have relied on a difference in the maximum size allowed for gas limits and chain IDs between Polygon zkEVM and EVM implementations, allowing a dishonest user to spam the sequencer and potentially interrupt the network’s availability.

For a comprehensive resource on Polygon zkEVM, check out the documentation wiki. And if you’re interested in (or perplexed by) Zero Knowledge, follow Polygon Labs’ dedicated ZK handle, @0xPolygonZK, and head over to our ZK forum.

Read more: https://polygon.technology/blog/polygon-zkevm-results-of-hexens-security-audit

Polygon Polygon $0.69
+5.72%
Polygon
Comments

All Comments

Recommended for you

  • U.S. senators propose spending $32 billion to develop AI and build safeguards around it

    A bipartisan group of four senators led by Chuck Schumer, the leader of the majority party in the United States, has proposed that Congress spend at least $32 billion over the next three years to develop artificial intelligence (AI) and establish safeguards around it.

  • Swiss Federal Council Plans to Implement Crypto Asset Reporting Framework to Improve Tax Transparency

    The Swiss Federal Council (consisting of seven members jointly leading the Swiss government) plans to implement a Cryptocurrency Asset Reporting Framework (CARF) to increase tax transparency.On the 15th, the Federal Council issued a consultation document to investigate public opinion on joining the Automatic Exchange of Information (AEOI) to combat tax evasion and avoidance in cooperation with international tax authorities. Currently, Switzerland's joining of AEOI is scheduled for January 1, 2026. It is reported that the Organisation for Economic Co-operation and Development (OECD) established AEOI and other initiatives for the Group of Twenty (G20) countries, which later expanded to include other countries.Switzerland previously adopted the Common Reporting Standard (CRS) of the OECD in 2014, but did not include CARF regulating cryptocurrency assets and their providers.

  • Morgan Stanley disclosed that it invested nearly $270 million in Grayscale GBTC, becoming one of the largest holders

    On May 16th, Morgan Stanley disclosed in its Q1 13F filing with the SEC that it had invested $269.9 million in the Grayscale Bitcoin Trust (GBTC) to gain exposure to physical bitcoin ETFs. According to Fintel's data, this investment made it one of the largest holders of GBTC, after Susquehanna International Group (which invested $1 billion). Morgan Stanley is also one of many global systemically important banks (G-SIBs) that have disclosed investments in physical bitcoin ETFs, including Royal Bank of Canada, JPMorgan Chase, Wells Fargo, BNP Paribas, and UBS Group.

  • Coinbase Plans to Target Australia's Self-Managed Pensions Sector with New Service

    Coinbase is developing a service that will target Australia's self-managed pensions sector, according to the exchange's Asia-Pacific Managing Director John O'Loghlen. The move comes as self-managed funds in Australia have increasingly held crypto, with nearly A$1 billion ($664 million) allocated to crypto as of the latest data from the Australian Taxation Office. O'Loghlen stated that Coinbase's offering will aim to service these clients on a one-off basis and retain their business. The interest in crypto within the self-managed pensions sector may be driven by the recent momentum gained after spot-ETF approvals in the U.S. and the possibility of similar approvals in Australia this year.

  • The Hashgraph Association and QFC launch $50 million digital asset venture studio in Qatar

    The Hashgraph Association (THA) has announced a strategic partnership with the Qatar Financial Centre (QFC) to establish a $50 million digital asset venture studio called Digital Assets Venture Studio, which will support the development of decentralized finance (DeFi) solutions that comply with regulations and digital assets based on the Hedera distributed ledger technology (DLT) network. They will also invest in Web3 startups and DeFi projects supported by Hedera.

  • US lawmaker: SEC should repeal crypto accounting policy before Senate vote

    US legislator Wiley Nickel wrote a letter to Gary Gensler, Chairman of the US Securities and Exchange Commission (SEC), on May 15th, stating that the SEC should repeal the cryptocurrency accounting policy (SAB 121) before the Senate vote. Protecting investors is the mission of the US Securities and Exchange Commission, but SAB 121 does the opposite by preventing heavily regulated US banks from mass custody of digital assets. In addition, Wiley Nickel criticized the SEC for bypassing the rule-making process when issuing SAB 121, believing that the purpose of the cryptocurrency accounting policy is to clarify existing policies, not to create new ones.

  • CryptoQuant: Bitcoin demand is now in acceleration mode again after two months of decline

    On May 16th, cryptocurrency analysis company CryptoQuant stated in a report that despite a rebound in Bitcoin demand from the low point of the accumulation range, after two months of downward trend, Bitcoin demand is once again in "acceleration mode".

  • In the past 24 hours, the entire network has liquidated $159 million, and short positions have liquidated $114 million

    According to Coinglass data, there were liquidations of $159 million across the entire network in the past 24 hours, with long positions being liquidated for $44.75 million and short positions being liquidated for $114 million. Bitcoin liquidations were approximately $58.41 million and Ethereum liquidations were approximately $21.29 million.

  • Ethereum liquidity re-staking agreement TVL exceeds $10.1 billion, of which Eigenpie TVL exceeds $800 million

    According to DeFiLlama data, the current TVL of Ethereum liquidity re-staking protocol is 10.177 billion US dollars, of which the top five protocols ranked by TVL are:

  • In April, Polygon’s on-chain NFT sales exceeded US$50 million, setting the second highest record of the year

    According to Cryptoslam data, the NFT sales on Polygon chain in April exceeded 50 million US dollars, reaching 51,539,690.69 US dollars, setting the second highest monthly sales record in 2024, second only to January's sales of 112 million US dollars this year. In addition, the NFT trading volume on Polygon chain in April increased significantly to 1.5 million transactions, with nearly 90,000 independent sellers and over 33,000 independent buyers.

Daily Must-Read

Popular Activities

Delysium $AGI & AI Private Yacht Party

Delysium $AGI & AI Private Yacht Party

March 27 - March 27
Seoul

Popular Tags

Cointime
News
Contents
RSS
Company