Building a secure network requires a multi-dimensional approach to protecting users against bugs, exploits, scams and hacks. With zkSync, security is and will always remain our top priority.
zkSync testnet ran for a full year with 500,000 active accounts, 30,000 smart contracts deployed and nearly 9 million transactions without any major issues. We used this time to run top-tier audits and stress test the network before opening to projects or users.
We will never cut corners when it comes to security.
zkSync's security model is the only one that can guarantee 100% of the security of Ethereum. It doesn't rely on fraud proofs or game theory. Instead it's based on fundamental mathematical and cryptographic primitives. zkSync publishes cryptographic proofs to Ethereum's Layer 1 (L1), along with the data needed to validate and reconstruct all transactions. This makes it impossible to spoof or corrupt the transactions state, ensuring users' funds are safe.
zkSync supports source code EVM compatibility, which inherits Lindy effects of the Solidity language. This comes with added security benefits, like 100% support of Solidity semantic tests. Most projects redeploying from EVM chains like Ethereum won't need to refactor a single line of source code, which reduces the potential for bugs and exploits.
There's no need to learn new languages, search libraries or understand new tools — with zkSync you use what you're already familiar with.
If your battle-tested source code runs on Ethereum, it runs on zkSync. Given no code is changed, if a project is audited on Ethereum, it is also audited on zkSync.
The protocol design separates the prover (ZK proofs) and the sequencer (block formation), which adds greater security benefits. In the unlikely event someone successfully exploits the prover, they would still need to hack the sequencer, and vice versa.
Since the protocol is operated by us in this early alpha stage, this means breaking into the service run by Matter Labs. And in a decentralized future, it means they would need to control a malicious majority of the network.
Since our bug bounties pay out up to 2.3 million USD for critical findings, it's way more profitable to responsibly disclose a single bug than to try to bypass all the security layers at once.
We have implemented a set of monitoring tools, including OpenZeppelin Defender and Forta bots, to provide 24/7 on-chain auditing and monitoring of critical actions and events.
Our team is dedicated to constantly monitoring potential threats to the network. The protocol also has a programmable delay for L1 withdrawals, giving the team enough time to investigate any suspicious activity and take an appropriate action.
Finally, there is a mechanism to freeze all transactions and contracts if a critical bug is found and stay frozen until its resolved.
As we exit this early alpha stage, withdrawal limits and freeze mechanisms will be gradually lifted as the ecosystem matures and operates in a decentralized manner.
Open sourcing the code is not just part of our ethos, it's essential to the security of the protocol. Bug bounties, crowdsourced contests and community contributors battle-test throughout our journey toward mass adoption.
Roadmap launch dates are entirely dictated by internal and external security audits. Each milestone and upgrade must satisfy security requirements before we agree deadlines. We've spent millions of dollars securing the network through:
• internal security audits
• external tier 1 security audits
This is a lengthy process without known timescales, but it ensures safeguarding users' funds is the top priority.