Alisa Davidson
Published: April 30, 2025 at 11:10 am Updated: April 30, 2025 at 10:50 am
Edited and fact-checked:
April 30, 2025 at 11:10 am
In Brief
Pavel Shabarkin publicly disclosed a critical vulnerability on Scroll, claiming that the issue could have halted the blockchain, impacting over $100 million in TVL, but Scroll reportedly failed to resolve the problem effectively.
White hat hacker Pavel Shabarkin publicly disclosed a critical vulnerability on the Ethereum Layer 2 network Scroll via social media platform X. He claimed that the issue could have halted the blockchain, impacting over $100 million in total value locked (TVL). Despite this, Scroll reportedly failed to resolve the problem effectively.
According to Pavel Shabarkin, “Anyone could force Scroll L2 into an indefinite re-org, halting the chain so that no user transactions would be included in blocks and the chain would not move forward. All funds on L2 would be frozen.”
The hacker also expressed frustration with Scroll’s response to the issue, noting that the project downplayed his report and failed to engage in meaningful communication, opting instead for silence. Additionally, he pointed out that Immunefi, the platform handling the vulnerability report, did not accurately classify the issue, even after he requested a re-evaluation. As a result, Pavel Shabarkin chose to go public with his findings to raise awareness about Scroll’s apparent lack of security expertise.
The issue reported by Pavel Shabarkin poses risks to the Scroll network, with the potential for the chain to be halted at no cost to the attacker. During the attack, withdrawals would remain blocked, potentially indefinitely, as the attacker can sustain the halt without any expense. This disruption in block production would prevent essential time-sensitive decentralized finance (DeFi) actions, such as adding funds to avoid liquidation or updating oracle prices, placing user funds at substantial risk. Additionally, the sequencer would stop collecting transaction fees because no Layer 2 user transactions could be included in blocks. The vulnerability is particularly concerning as anyone with internet access could trigger the attack, making it an easily accessible threat.
In response, Ye Zhang, co-founder of Scroll, explained that the hacker’s claims stem from a fundamental misunderstanding of how the protocol operates. Specifically, the hacker overlooked the light CCC check that the sequencer conducted prior to the Euclid upgrade.
He highlighted that, “The PoC doesn’t hold up. Logs don’t seem to show reorgs. Light CCC already tracks precompile invocations and skips such transactions without triggering any reorg.”
Ye Zhang further emphasized that Scroll is committed to ensuring protocol security, having invested over $1 million in audits, and values the contributions of whitehat hackers.
Scroll is an Ethereum Layer 2 scaling solution that leverages Zero-Knowledge (ZK) rollups to improve transaction throughput, lower gas fees, and preserve Ethereum’s security and decentralization. By incorporating a zkEVM (Zero-Knowledge Ethereum Virtual Machine), Scroll ensures full compatibility with Ethereum’s existing infrastructure, enabling developers to deploy decentralized applications (dApps) without needing to modify their code.
Disclaimer
In line with the Trust Project guidelines, please note that the information provided on this page is not intended to be and should not be interpreted as legal, tax, investment, financial, or any other form of advice. It is important to only invest what you can afford to lose and to seek independent financial advice if you have any doubts. For further information, we suggest referring to the terms and conditions as well as the help and support pages provided by the issuer or advertiser. MetaversePost is committed to accurate, unbiased reporting, but market conditions are subject to change without notice.
About The Author
Alisa, a dedicated journalist at the MPost, specializes in cryptocurrency, zero-knowledge proofs, investments, and the expansive realm of Web3. With a keen eye for emerging trends and technologies, she delivers comprehensive coverage to inform and engage readers in the ever-evolving landscape of digital finance.
More articles
Alisa Davidson
Alisa, a dedicated journalist at the MPost, specializes in cryptocurrency, zero-knowledge proofs, investments, and the expansive realm of Web3. With a keen eye for emerging trends and technologies, she delivers comprehensive coverage to inform and engage readers in the ever-evolving landscape of digital finance.
More articles
