Polygon zkEVM

Polygon zkEVM is the leading zero-knowledge scaling solution that is fully equivalent to an EVM. All existing smart contracts, developer toolings and wallets work seamlessly. Polygon zkEVM harnesses the power of zero-knowledge proofs in order to help reduce transaction costs and massively increase throughput, all while inheriting the security of Ethereum.

Polygon
Blockchain
Bridge
L1
L2
Zero-Knowledge Proofs
Circuits
C/C++
Go
Solidity
Maximum Bounty
$1,000,000
Live Since
24 March 2023
Last Updated
18 November 2024
  • PoC required

  • KYC required

Assets in Scope

Asset                              Type             Added on
PolygonValidiumStorageMigration    Smart Contract   18 November 2024
fflonkVerifier (validium)          Smart Contract   18 November 2024
PolygonZkEVMDeployer               Smart Contract   20 February 2024
PolygonZkEVMBridgeV2               Smart Contract   20 February 2024
PolygonZkEVMExistentEtrog          Smart Contract   20 February 2024
fflonkVerifier (zkevm)             Smart Contract   20 February 2024
PolygonZkEVMGlobalExitRootV2       Smart Contract   20 February 2024
polygonZkEVMBridgeV2               Smart Contract   20 February 2024
PolygonRollupManager               Smart Contract   20 February 2024
Primacy Of Impact                  Smart Contract   16 October 2023
Primacy Of Impact                  Blockchain/DLT   5 October 2023
Provejs                            Blockchain/DLT   24 March 2023

Impacts in Scope

(For Blockchain/DLT and Smart Contracts only) This program is considered to be governed by Primacy of Impact. For more information on what this means visit: Best Practice - Primacy of Impact vs Primacy of Rules.

For fflonkVerifier Assets

Impacts to other assets

Hackers are encouraged to submit issues outside of the Impacts and Assets in Scope outlined above.

If Whitehats can demonstrate a critical impact of code in production for an asset not in scope, Polygon Labs encourages you to submit your bug report using the “primacy of impact exception” asset as outlined below.

The final classification, however, takes into consideration the likelihood of the impact being achieved, according to the table below. When submitting a bug report, select the originally assigned impact level, but be aware that its severity level may be reassigned based on likelihood according to this table.

Impact \ Likelihood | Critical      | High          | Medium        | Low           | None
Critical            | Critical      | Critical      | High          | Medium        | Informational
High                | High          | High          | High          | Medium        | Informational
Medium              | Medium        | Medium        | Medium        | Low           | Informational
Low                 | Medium/Low    | Medium        | Low           | Low           | Informational
None                | Informational | Informational | Informational | Informational | Informational

In addition to Immunefi’s Vulnerability Severity Classification System, Polygon classifies vulnerabilities using the Common Vulnerability Scoring System (CVSS). In case of discrepancy, final determination is done by Polygon.

Critical

  • Network not being able to confirm new transactions (total network shutdown requiring hard fork)
  • Unintended permanent chain split requiring hard fork (network partition requiring hard fork)
  • Direct loss of funds
  • Permanent freezing of funds (fix requires hard fork)
  • Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield
  • Permanent freezing of funds
  • Protocol insolvency

High

  • Unintended chain split (network partition)
  • Transient consensus failures
  • Temporary freezing of funds for at least 1 week
  • Theft of user fees

Medium

  • DoS that does not shut down the network

Out of scope

Program's Out of Scope information
  • Broken link hijacking is out of scope
  • Loss of funds held by third parties
  • Best practice critiques
  • Attacks using vulnerable, old or deprecated libraries, that are not exploitable

The following activities are prohibited by this bug bounty program. Violation of these rules can result in a temporary suspension or permanent ban from the Immunefi platform at the sole discretion of the Immunefi team, which may also result in: 1) the forfeiture and loss of access to all bug submissions, and 2) zero payout.

Please note that Immunefi has no tolerance for spam/low-quality/incomplete bug reports, “beg bounty” behavior, and misrepresentation of assets and severity. Immunefi exists to protect the global crypto community, not facilitate grift.

Default Out of Scope and rules

Blockchain/DLT specific

  • Incorrect data supplied by third party oracles
    • Not to exclude oracle manipulation/flash loan attacks
  • Impacts requiring basic economic and governance attacks (e.g. 51% attack)
  • Lack of liquidity impacts
  • Impacts from Sybil attacks
  • Impacts involving centralization risks

All categories

  • Impacts requiring attacks that the reporter has already exploited themselves, leading to damage
  • Impacts caused by attacks requiring access to leaked keys/credentials
  • Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed
  • Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code
  • Mentions of secrets, access tokens, API keys, private keys, etc. in Github will be considered out of scope without proof that they are in-use in production
  • Best practice recommendations
  • Feature requests
  • Impacts on test files and configuration files unless stated otherwise in the bug bounty program
  • Impacts requiring phishing or other social engineering attacks against project's employees and/or customers

Rewards

Severity   Min. - Max.
Critical   $1M
High       $20k
Medium     $5k

Total Assets in Scope: 16
Total Impacts in Scope: 14
Total paid: 756.8k from 53 paid reports