White hat hacker Pavel Shabarkin publicly disclosed a critical vulnerability on the Ethereum Layer 2 network Scroll via social media platform X. He claimed that the issue could have halted the blockchain, impacting over $100 million in total value locked (TVL). Despite this, Scroll reportedly failed to resolve the problem effectively.
According to Pavel Shabarkin, “Anyone could force Scroll L2 into an indefinite re-org, halting the chain so that no user transactions would be included in blocks and the chain would not move forward. All funds on L2 would be frozen.”
The hacker also expressed frustration with Scroll’s response to the issue, noting that the project downplayed his report and failed to engage in meaningful communication, opting instead for silence. Additionally, he pointed out that Immunefi, the platform handling the vulnerability report, did not accurately classify the issue, even after he requested a re-evaluation. As a result, Pavel Shabarkin chose to go public with his findings to raise awareness about Scroll’s apparent lack of security expertise.
The issue reported by Pavel Shabarkin poses risks to the Scroll network, with the potential for the chain to be halted at no cost to the attacker. During the attack, withdrawals would remain blocked, potentially indefinitely, as the attacker can sustain the halt without any expense. This disruption in block production would prevent essential time-sensitive decentralized finance (DeFi) actions, such as adding funds to avoid liquidation or updating oracle prices, placing user funds at substantial risk. Additionally, the sequencer would stop collecting transaction fees because no Layer 2 user transactions could be included in blocks. The vulnerability is particularly concerning as anyone with internet access could trigger the attack, making it an easily accessible threat.
On Feb 17 2025 I reported a critical vulnerability to @Scroll_ZKP. $100m+ in TVL was at risk for more than 2 months.
Anyone could force Scroll L2 into an indefinite re-org, halting the chain so that no user transactions would be included in blocks and the chain would not move…
— Pavel Shabarkin (@shabarkin) April 30, 2025
Ye Zhang Responds To Hacker’s Claims, Clarifies Scroll Protocol Security
In response, Ye Zhang, co-founder of Scroll, explained that the hacker’s claims stem from a fundamental misunderstanding of how the protocol operates. Specifically, the hacker overlooked the light CCC check that the sequencer conducted prior to the Euclid upgrade.
He highlighted that, “The PoC doesn’t hold up. Logs don’t seem to show reorgs. Light CCC already tracks precompile invocations and skips such transactions without triggering any reorg.”
Ye Zhang further emphasized that Scroll is committed to ensuring protocol security, having invested over $1 million in audits, and values the contributions of whitehat hackers.
Scroll is an Ethereum Layer 2 scaling solution that leverages Zero-Knowledge (ZK) rollups to improve transaction throughput, lower gas fees, and preserve Ethereum’s security and decentralization. By incorporating a zkEVM (Zero-Knowledge Ethereum Virtual Machine), Scroll ensures full compatibility with Ethereum’s existing infrastructure, enabling developers to deploy decentralized applications (dApps) without needing to modify their code.
The post White Hat Hacker Reveals Critical Flaw In Scroll, Co-Founder Defends Protocol Security appeared first on Metaverse Post.
