Proposal: Security Subsidy Program for Scroll Builders

This proposal introduces the first security subsidy program for Scroll. It’s the result of months of conversation and collaboration, building on this RFI.

I’d like to thank everyone who helped shape this proposal - Unicircle, @Immunefi, @Areta, @ACI, @danielo, @Sinkas, @SEEDGov, @404Gov, @PGov, @eugene, @Jamilya and everyone else who shared their feedback on the forum or in the document.

Proposal Type: Growth

Summary

This proposal introduces a pilot Security Subsidy Program that provides comprehensive onchain security to projects committed to building on Scroll, geared towards projects graduating from Scroll Open.

It is structured into two core components plus a third, supporting component:

  1. Access to subsidized audit services via Areta’s open audit marketplace.
  2. Access to a discounted and subsidized onchain security marketplace managed by Immunefi, providing end-to-end protection beyond traditional audits, from pre-deployment through post-launch.
  3. Mechanisms to ensure commitment to building on Scroll and to prevent subsidy farming.

Funding Request & Support:

  • Requests the SCR equivalent to $500k USD, with $300k dedicated to audit subsidies to be used in Areta’s open audit marketplace and $200k to the end-to-end security marketplace run by Immunefi.
  • To be coordinated by Immunefi in collaboration and with oversight by the Scroll Foundation, which has final say over the eligibility of projects and over the marketplace offerings.

Expected Outcomes:

  • Subsidize audits and related pre-launch and post-launch security services for eligible Scroll-native projects, covering up to 90% of audit costs and up to 75% of end-to-end security services; with the additional 25% vendor discount on those end-to-end services, the effective cost reduction can reach 100%.
  • Discounted access (on top of the subsidies) to best-in-class providers across the security stack.
  • Eliminate the burden of discovering and vetting the right security suppliers and tooling.
  • Reduce the need to hire large internal teams to get effective security through a project’s life cycle.
  • Reduce the cost hurdle to build a secure tech stack required to develop trust amid end-users.
  • Improve the overall speed to market of the projects participating in Scroll’s Open Economy.
  • Improve the attractiveness of the Scroll ecosystem to new builders deciding where to build.
  • Improve the overall security practices and security culture within the Scroll ecosystem.

Motivation:

L2 security is critical yet often misunderstood. As L2s compete to attract builders and scale the EVM, it’s increasingly important to build trust across all ecosystem dimensions. For that, audits are an industry standard and a non‑negotiable best practice. Every project that launches on mainnet needs an audit.

However, modern onchain security goes beyond audits and requires tailored solutions for the distinct needs that emerge across a complex code security lifecycle. Countless projects have suffered devastating hacks after assuming audits were sufficient:

  • Consider Immunefi’s statistics: among the roughly 500 projects that launched bug bounty programs there, nearly all had been audited previously, often multiple times.
    • Yet, Immunefi’s community of security researchers has surfaced critical bugs in 80% of its bug bounty programs in the first year after launch.
  • Consider the May 2025 hacks of Cetus on Sui or of Cork Protocol on Ethereum, with both projects having undergone multiple audits by reputable providers.
    • Still, edge cases that were either considered out of scope or overlooked during the audits caused tens of millions in losses, showing how end-to-end security is key.

Scroll has not assumed audits are sufficient, being well aware that “security is a continuous journey”. Its always-on security programs have already produced tangible results:

  • Scroll’s bug bounty program has awarded a $1M bounty to one of Immunefi’s elite security researchers in May 2025 for a bug found this April.
    • Scroll’s own report acknowledged that, “if exploited, this vulnerability would allow an attacker to essentially mint an arbitrary amount of ETH or any ERC20 tokens on L2”.
  • Overall, we have been authorized to share that Scroll’s bug bounty program with Immunefi helped report 4 critical bugs and 1 bug classified as high severity so far.

Now, as the Cetus hack on Sui demonstrates, Scroll should extend this approach to its ecosystem. Given that Scroll is already committed to hard-wiring security into its culture from the outset, this program would:

  • Guarantee every eligible project undergoes a code review before launch, while also offering access to the pre-deployment and post-launch security tools that modern best practice calls for but that are rarely adopted because of their perceived cost.
  • Ensure access to competitive pricing through marketplace dynamics across the security stack, with additional discounts on top of the proposed subsidies.
  • Grant free-of-charge access to a suite of AI-driven security features and tooling on the Immunefi Magnus platform for the duration of the program, while incentivising and regulating eligible projects to prevent subsidy farming.

With this program, Scroll ends up protecting its users, safeguarding its brand integrity, and sending a clear signal to builders and investors that it is the right place to innovate and scale. All in a streamlined manner that maximizes security outcomes for each dollar spent across the ecosystem.

Execution

Operational:

This proposal recommends partnering with Immunefi, an established player with proven experience in crowdsourced onchain security, to coordinate the Security Subsidy Program.

The subsidy funds will be allocated to two marketplaces: Areta Market and Immunefi Magnus.

About Immunefi:

Immunefi is the leading onchain security platform, offering a comprehensive suite of services through its Magnus marketplace to more than 350 leading protocols and dapps. In just over four years, it has directly prevented hacks worth over $25 billion USD and its community of Security Researchers was awarded $120 million USD for responsibly disclosing over 4,000 web2 and web3 vulnerabilities.

Today, Immunefi works with leading projects including Sky (formerly MakerDAO), Optimism, Polygon, GMX, Chainlink, TheGraph, Lido, LayerZero, Arbitrum, StarkNet, EigenLayer, Astar Network, ZKsync and more, all publicly listed on its website. It is also a proven security partner to other large ecosystems.

Magnus, Immunefi’s unified security marketplace, helps a project’s security team deal with tool overload, blindspots and ever evolving threats. Teams can manage security engagements through a single command center — from triaging findings and PR reviews to vendor and payment management:

  • Magnus integrates end-to-end onchain security solutions from multiple partners.
    • Combining in-house tools built by Immunefi with tooling delivered by best-in-class firms.
      • Already onboarded Runtime Verification, Dedaub and Fuzzland. More soon.
    • Leveraging Immunefi’s proprietary vulnerabilities dataset, the industry’s largest.
      • And aggregating a community of over 45,000 security researchers.
  • With a few clicks, projects can post a service request on Magnus and invite providers to match against technical and budget requirements.
    • In addition to audits and crowdsourced security, these experts provide infrastructure audits in non-mainstream languages, fuzzing and formal verification, real-time monitoring, incident response, and operational security war gaming (emergency preparedness).

About Areta Market:

Areta Market is the leading marketplace solution for security audits. The product has been launched on Arbitrum and Uniswap and has facilitated over $35M in audit offers to date. It is a white-label tech solution that can be used by any party chosen by the Scroll DAO to manage subsidies.

Program Overview

This Security Subsidy Program proposal rests on two core components: 1) traditional audits and 2) end-to-end onchain security.

    1. The traditional audits component covers the following offering:
    • Traditional audits: standard code reviews, typically lasting between 3 days and 3 weeks.

Traditional audits are delivered through the Areta Market marketplace.

    2. The end-to-end onchain security component covers the following offerings:
    • Fuzzing: automated smart contract testing with variable inputs to detect bugs.
    • Formal verification: mathematical proof of whether a smart contract meets its specification.
    • Pull-request reviews: streamlined code reviews from top security researchers, embedded directly in GitHub pull requests via the Magnus marketplace.
    • Audit competitions: crowdsourced, time-bound code review with a fixed prize pool for valid reports, typically lasting one to three weeks.
    • Bug bounty programs: an incentivised, always-on program for security researchers to responsibly disclose vulnerabilities, combined with a 24/7 managed triage service to filter submitted reports, active program monitoring and expert set-up.
    • Real-time monitoring & threat prevention: detect and intercept malicious transactions in the mempool before they are executed.

These are delivered through Immunefi’s Magnus marketplace and include free access to a suite of AI-driven security features for the duration of the Security Subsidy Program. This entails an AI-powered security copilot that can be privately trained on each project’s unique infrastructure and is powered by Codexa, the most comprehensive dataset of blockchain vulnerabilities in the industry.

The two components above are supported by mechanisms to ensure commitment to build on Scroll and to prevent subsidy farming. This point was inspired by recent research conducted by RnDAO and by work developed by Areta to overcome similar issues faced in other ecosystems.

    3. The commitment component consists of the following mechanisms:
    • Rating criteria to evaluate applications.
      • This framework is detailed further below in the proposal.
    • Subsidies structured as investments rather than grants.
      • This process is detailed further below in the proposal.

These ensure projects attracted to build on Scroll with this program are incentivised to remain and those graduating from Scroll Open are motivated to continue advancing the open economy.

Moreover, note the Security Subsidy Program has a separate budget for each of the components which is unlocked per application and on a per product basis, detailed in the summary and in the financial section.

  • This means each project can benefit from the products and services that best fit its specific security needs in the development lifecycle as opposed to a standard cookie cutter approach — maximising security outcomes for projects and for the Scroll ecosystem.
  • To further reduce the risk of funds misuse, unused funds at the end of the program will either be returned to the DAO treasury or rolled into a renewed program, pending delegate approval.

Mechanisms to ensure commitment to Scroll

The commitment component outlined above is driven by the following mechanisms, which work together to support the long-term growth of the Scroll ecosystem and prevent the abuse of no-strings-attached grants.

A. Rating criteria framework

a. Rating sheet with up to 10 possible points and a required grade of 6 to qualify.

i). 2 points — Existing fit with the Scroll ecosystem.

  1. 0 points - no fit, e.g. no development on Scroll yet.
  2. 1 point - some fit, e.g. graduating from Scroll Open.
  3. 2 points - strong fit, e.g. project building on Scroll for > 6 months.

ii). 2 points — Business plan.

  1. 0 points - poor plan, e.g. no clarity, excessive scope.
  2. 1 point - good plan, e.g. granular plan, realistic.
  3. 2 points - strong plan, e.g. investment-worthy.

iii). 2 points — Team qualifications.

  1. 0 points - Weak team, e.g. lone individual with minimal to no industry background.
  2. 1 point - reasonable team, e.g. co-founders with some industry background.
  3. 2 points - strong team, e.g. mature team with extensive industry background.

iv). 4 points - Value for Scroll.

  1. 0 points - no alignment, e.g. no link to Scroll’s current plans.
  2. 1 point - weak alignment, e.g. intangible link and some metrics.
  3. 2 points - medium alignment, e.g. direct link and clear metrics.
  4. 3 points - strong alignment, e.g. all the above and community support.
  5. 4 points - excellent alignment, e.g. all the above and good optics.

b. Grading shall be done by representatives from Immunefi and from Scroll’s newly formed Ecosystem Growth Council.

i). The results also determine the percentage of the cost of security products and services covered by the subsidy, as follows:

  1. Audits:

    1. 90% for projects with 9 or 10 points.
    2. 75% for projects with 7 or 8 points.
    3. 60% for projects with 6 points.

  2. End-to-end onchain security:

    1. 75% for projects with 9 or 10 points (a 100% cost reduction once the 25% vendor discount is applied).
    2. 50% for projects with 7 or 8 points (a 75% cost reduction once the 25% vendor discount is applied).
    3. 25% for projects with 6 points (a 50% cost reduction once the 25% vendor discount is applied).

B. Subsidies as investment contracts

a. Instead of handing out one-off grants, we propose to align the long-term goals of the recipient projects to those of the Scroll ecosystem by structuring the subsidies as investment contracts to the exclusive benefit of the Scroll ecosystem, through an entity to be managed by the upcoming Ecosystem Growth Council. The model for these contracts is inspired by discussions with Daniel Ospina and RnDAO’s approved agreement with the Arbitrum Foundation, with equivalent documents to be developed with the EGC once it’s formed.

i). That would be a legal document covering three scenarios:

  1. Equity fundraising through a SAFE.
  2. Token launch through a token warrant.
  3. A side letter in case there’s no fundraising nor a token.

ii). This will grant Scroll a minority stake in each subsidy recipient, sized to the risk taken by the program as per the grading of the project’s application:

  1. 1% for projects with 9 or 10 points.
  2. 1.5% for projects with 7 or 8 points.
  3. 2% for projects with 6 points.

iii). With an estimated average audit subsidy of $30k and an average onchain security subsidy of $20k, this equates to an average investment of $50k in each of 10 projects.

  1. While the minority stake percentage may seem low, it ensures fundraising efforts are not hindered while allowing Scroll to recoup its investment in any project that reaches a valuation of $2.5 to $5 million USD (at which point a 2% or 1% stake, respectively, is worth the $50k invested).

b. If the EGC is ever sunset, that legal entity can be transitioned to any other group taking over ecosystem growth functions or to the Scroll Foundation.

Program Phases:

In terms of structure, the Security Subsidy Program consists of three phases:

a) Phase 1: Program Setup (Month 1 — Aug.)

  • (Week 1): Validate application form with the Scroll Foundation and the Ecosystem Growth Council.
  • (Week 1): Validate investment vehicle structure with the Ecosystem Growth Council.
  • (Weeks 2–3): Open call for project applications according to the eligibility requirements.
  • (Week 4): Vetting and selection of projects as per the requirements and criteria.
  • (Week 4): Onboarding workshop, security best practices sessions and marketplace walkthrough.

b) Phase 2: Traditional Audits and End-to-End Onchain Security (Months 2 - 6 — Sept. to Feb.)

  • (Month 2 onwards): First code reviews begin for selected projects.

  • (Month 2 onwards): Additional onchain security services (e.g. PR reviews, audit competitions, bug bounty programs, monitoring) through the Magnus marketplace.

  • (Month 2 onwards): Open call for projects to apply according to the eligibility requirements.

  • (Month 2 onwards): Ongoing vetting and selection of projects as per the requirements and criteria.

c) Phase 3: Program review (Months 3-6 — Oct. to Mar.)

  • (Month 3 onwards): Oversee the quality of the deliverables and report back to the DAO at the end of the 3rd and 6th month of the program.

The Security Subsidy Program may be renewed at the end of the term depending on performance and the wishes of the community, subject to an updated governance proposal.

Note that even though the Security Subsidy Program’s applications are only open for five months, the projects can benefit from these security products and services for up to one year. For example, an audit competition can be contracted at the end of the program to start a few months later. PR Reviews, bug bounty programs or real-time monitoring can be contracted anytime for a period of 12 months.

Personnel & Resources:

Below are the proposed personnel and their roles:

  1. Immunefi:
  • Program Facilitator: Lead the project vetting process in coordination with the Ecosystem Growth Council, conduct onboarding sessions and the marketplace walkthrough.
  • Recruitment and Onboarding: Launch open calls to onboard more qualified security firms and security researchers to Magnus. Launch the open call for the first cohort of Scroll-native projects.
  • Program Coordinator: Oversee the implementation of the Security Subsidy Program in alignment with Scroll’s ecosystem growth goals and security standards.
  • Marketplace Operator: Facilitate a competitive open marketplace for auditors, security researchers and security firms to participate in audit engagements and security programs.
  • Coordination with Ecosystem Growth Council: Work in collaboration with the Ecosystem Growth Council to align technical execution and ensure projects are supported end-to-end.
  • Ongoing Operational Management: Monitor engagement quality, track deliverables, and coordinate communications between projects and providers throughout the program.
  • Co-marketing efforts coordinator: Ensure the subsidy recipients promote the Security Subsidy Program appropriately, while also fostering co-marketing initiatives with the Program’s partners.
  • Quarterly Transparency Reporting: Produce and publish a quarterly transparency report summarizing completed audits, active services, key findings, and the overall impact of the program.
  2. Ecosystem Growth Council:
  • Project vetting: Participate in the project vetting process in coordination with Immunefi.
  • Investment contract operator: Operate the investment entity that will disburse the security subsidies as investment contracts.
  3. Scroll Foundation:
  • Subsidy Program Oversight: Liaise with Immunefi and with the Ecosystem Growth Council to ensure the program’s goals are met.

Finance:

The traditional audits component represents the bulk of the financial investment, given the mature nature of that market. Within this component, audit providers offer market rates to be subsidized by the Security Subsidy Program up to 90%, subject to a $50k cap, with projects paying at least 10% of the audit cost to ensure they remain committed to the code review process. Projects are also required to engage in co-marketing activities coordinated by Immunefi, as detailed in the Personnel & Resources section. This process follows the public learnings from previous subsidy funds with Arbitrum and Uniswap.

Within the end-to-end onchain security component, eligible marketplace providers offer a 25% discount, with the Security Subsidy Program subsidising them up to 75%, on a case-by-case basis. Moreover, Immunefi is offering free access to the Magnus marketplace and platform for a period of 6 months to all eligible projects. This includes a proprietary and private AI-powered security co-pilot.

The budget for this Security Subsidy Program shall then amount to $500k, based on the estimated costs to serve a significant portion of the projects graduating from Scroll Open, distributed as follows:

Expense category, cost (USD) and budget allocation:

  • Traditional audit subsidies: $300,000 USD. $300k for audits for up to 10 projects, i.e. an average 75% subsidy on an average audit cost of $40k (roughly half of Arbitrum’s ADPC average audit cost).
  • End-to-end onchain security subsidies: $200,000 USD. Funds are unlocked per application and per product based on each project’s security needs, to be allocated in coordination with the Scroll Foundation.
  • Total: $500,000 USD, the current SCR equivalent at the time of the proposal.

As shown in the budget above, this program carries no OpEx line, as it will be run by Immunefi for the benefit of the Scroll ecosystem. Immunefi is compensated directly and indirectly, as a participant in the Areta Market audit marketplace and as the operator of the Magnus marketplace.

This budget shall be OTC’ed to stablecoins by Immunefi after approval of the funds, to guarantee security outcomes in case of market volatility. Funds should be held in a multisig controlled by Immunefi and the Ecosystem Growth Council, with terms to be defined once the council is formed over the coming weeks.

Unused funds at the end of the six-month period will either be returned to the DAO treasury or rolled into a renewed program, pending delegate approval.

Lastly, for additional context, here’s an overview of the typical market rates for each of the services included in the Security Subsidy Program (SSP), and the respective offer for Scroll ecosystem projects.

Product or service, typical market rate, and Subsidy Program rate:

  • Traditional audits: typically from $15k to $150k. SSP: 50% to 90% subsidy, $50k cap per project, up to 8 projects.
  • Fuzzing: not enough data to estimate. SSP: 25% vendor discount, up to 75% subsidy.
  • Formal verification: not enough data to estimate. SSP: 25% vendor discount, up to 75% subsidy.
  • Pull request reviews: contingent on the scope of the code review. SSP: 1 complimentary PR review per project for up to 10 projects, then 25% vendor discount, up to 75% subsidy.
  • Audit competitions: typically 15% to 25% of the rewards pool. SSP: no fees on rewards pools up to $50k, up to 50% subsidy on reward pools capped at $25k, for up to 2 projects.
  • Bug bounty programs: $20k to $60k per year. SSP: no bug bounty hosting fees for up to 10 projects, assisted program design, safe harbor module and 25% discount on bug bounty programs with the managed triage service add-on.
  • Real-time monitoring: not enough data to estimate. SSP: 25% vendor discount, up to 75% subsidy.

Success metrics:

  • At least 5 projects successfully audited through Areta Market within 6 months of the program’s launch on Scroll.
  • At least 10 projects benefiting from onchain security services through Magnus within 6 months of the program’s launch on Scroll.
  • ≥ 80% of the subsidy pool allocated within the first six months of the program.

Conclusion:

The Security Subsidy Program is both urgent and foundational: it slashes security risk while accelerating time-to-launch for Scroll-native teams. This program gives Scroll and its projects a unique opportunity to access proven security outcomes through streamlined processes.

Passing this proposal signals that the Scroll community is serious about retaining builders and securing TVL beyond just audits. With the full lifecycle security supported by Magnus, projects can iterate fast and scale confidently, protected by industry-leading bounties and precise, automated threat detection tools.

This proposal will break down barriers to secure deployment, fast-track project launches and deliver seamless best-in-class ongoing onchain security for early-stage Scroll teams — before and after going live. We welcome your questions and look forward to fortifying the ecosystem together.

9 Likes

My understanding is that the Growth Council is marketing focused. Investment decisions on projects incubated being well outside the scope, no?

If correct, then better to have the foundation as those staffing said committee.

If I’m wrong, I’d ask the foundation to change the description of the growth council and reopen applications for a few days, as then we’re talking about a very different council.

cc @eugene @Jamilya

As for the rest of the proposal, do we have any data on the dealflow from Scroll Open, etc. that can help us assess whether it makes sense to double down on those investments? I generally see no harm in earmarking some funds, but it would be good to know if the pipeline has a chance of using this amount.

2 Likes

Hi, @danielo , as per proposal, the EGC :

"The EGC would be able to use its budget to approve new growth initiatives. The council would need a 4/7 vote to pass any proposal that uses less than 25% of the total budget, and a 6/7 to pass any proposal that would use more than 25% of the budget.

After the first 6 months, the council will need to produce a charter that outlines its duties and relevant governance processes. This charter will be needed to request more budget or to extend its window of activity beyond the first 6 months if there is remaining budget."

Considering that we have been mostly OOO this week, we will be extending the application window for both the EGC and the GCR working group until Friday 27th of June.

4 Likes

We consider this to be a highly auspicious proposal that tackles the Scroll version of an initiative already present in many DAOs for some time now - a continuity that speaks to the relevance of the topic itself. In that sense, having a Security Subsidy Program seems like the right move in contributing to the protocol’s growth and security. As mentioned and known, the associated costs of security audits are non-trivial for any project trying to deploy and grow.

Also, we’d like to highlight the role of the EGC in the process, which should give the DAO direct participation in the program’s governance. In that sense we’re glad to see structures growing in scope and undertaking these sorts of responsibilities that allow for easier accountability and management while building expertise at the service of specific programs.

Considering that the integration of Areta’s marketplace has already been announced by the Foundation this initiative should act as a next step on the DAO side regarding the subsidies piece. To which we wanted to ask the following:

  • Were there any integration costs?
  • In case this proposal does not pass, would projects be able to access the marketplace just to get preferential quotes?
3 Likes

As a co-founder of a native project and a Scroll ecosystem participant, I fully support introducing a Security Subsidy Program. Audits are essential but often cost-prohibitive, especially for small teams. Going beyond that and prioritizing onchain security is vital as we scale decentralized applications, as vulnerabilities in smart contracts can lead to irreversible financial and reputational damage. Subsidizing security across the development lifecycle ensures projects adopt rigorous onchain security practices early, helping to prevent exploits before they happen and setting a higher standard for secure, composable infrastructure across the Scroll network.

My opinion is that this subsidy will directly improve protocol safety, developer inclusion and overall ecosystem trust. It complements existing accelerator and tokenization initiatives by closing the security gap, making Scroll a safer, more credible home for innovative dApps.

2 Likes

I’m fully in support of this proposal.

Security is one of the most critical pillars of sustainable ecosystem growth, especially in a modular, permissionless environment like Scroll. As builders and contributors, we understand that it’s not just about shipping fast, it’s about shipping safe.

The Scroll Security Subsidy Program addresses a real need: high-quality audits can be prohibitively expensive, especially for early-stage projects that are experimenting, iterating, and working towards product-market fit. By offering a subsidy for verified security audits, this program lowers the barrier for projects that want to prioritize safety from the beginning and encourages a culture of proactive security practices, rather than reactive patches.

More importantly, this isn’t just a grant for code review. It’s an investment in ecosystem-wide trust. When users see that protocols on Scroll have passed reputable audits, backed by Scroll itself, it builds confidence and increases the likelihood of organic adoption and long-term retention.

The emphasis on reputable audit firms, clear eligibility criteria, and alignment with core Scroll values (public goods, open-source contributions, decentralization, etc.) is exactly the kind of structured support system that will help Scroll scale securely and credibly.

Overall, this is a thoughtful, well-scoped proposal that aligns with both Scroll’s long-term vision and the broader Ethereum ethos. I’d be excited to see it passed and even more excited to see the innovative, secure projects it helps bring to life.

3 Likes

Thanks to @Samater for this proposal. We believe security is one of the most important areas where projects need support, and we’re excited about this initiative because it addresses a major pain point for Scroll builders.

We’re happy to support this initiative with our marketplace solution. The Areta Market streamlines the procurement process for builders while offering significant cost and time savings.

The Areta Market is now live on Scroll. You can find more information here: Areta Market

N.b.: While we’ve contributed to discussions around the Scroll Security Subsidy Program via governance calls and forum threads, we are not co-authors of this proposal.

3 Likes

We are supportive of this proposal, as security is a foundational requirement for any ecosystem growth. Ensuring users have confidence and peace of mind when transacting on Scroll should remain a top priority. We believe this initiative, through the combined efforts of Immunefi and Areta’s marketplace, can meaningfully advance that goal. Furthermore, direct alignment with the Scroll Foundation increases the likelihood of a successful rollout and long-term impact.

As a verified delegate, we would like to endorse this proposal.

3 Likes

Based on my conversation with the Scroll Open team, there has been one cohort so far. 10 teams participated in person, and about 70 joined virtually. A second, and potentially a third, cohort are planned before the end of the year.

While we don’t yet have quantified dealflow data (e.g. how many teams are progressing toward launch or showing traction), the volume of participation suggests early momentum aligned with the scope of the Security Subsidy Program.

There are no integration costs involved within this proposal. We believe there are also no integration costs associated with Areta’s marketplace. Will let @Areta confirm.

2 Likes

Yes, projects will still be allowed to use the marketplaces to get better pricing or quotes from vendors or service providers.

2 Likes

Thank you.

I’m worried the KPIs of the proposal and its governance are poorly structured. The KPIs incentivise using the platform as much as possible, hence growing the marketplace as a product. This is in the interest of the vendor but not (necessarily) in the interest of Scroll.

Projects that meet some points shouldn’t automatically be included. I have yet to see a VC operate with a rigid scorecard as investment logic. Instead, investment decisions should follow investment committee best practices. The proposal team can do a first pass, but the final decision on whether to allocate funds from Scroll should be made by a team incentive-aligned with Scroll’s success. In this case I recommend the Labs team, as they have intimate knowledge of the projects that participated in the program and are properly incentivised. Or have the Growth Council + advice from Labs.

The KPIs should reflect something more aligned with Scroll goals. It’s useful to track adoption for the program, but more importantly to track whether the funds deployed are generating ROI. I would use a lagging indicator for tracking whether the projects fundraise or exhibit some form of growth/traction in the following months. And yes, this requires more tracking, but we shouldn’t confuse easy to measure with valuable to measure.

If these two issues can be fixed, I’m happy to support it.

2 Likes

tldr The gov team is not yet ready to endorse this proposal.

I think this is a really important topic and personally want to see both the audit subsidies as well as the general security subsidies. However, given that we have not yet recruited the Ecosystem Growth Council, I am hesitant to add another thing on their time-constrained plate without confirming with them first. As such, we will feel more comfortable endorsing it on that basis for the Aug 1 voting cycle. That would give time to check in with them first.

The other general concern is the financial approach. I understand why converting the full amount to stables may be preferential in terms of securing the funds for the audits/security programs. However, that would be a sizable OTC transaction and would prefer to coordinate with a treasury management provider (getting the RFP going / lining up a treasury manager is a top priority for next month). Prior to that happening, it would be easier to justify keeping in SCR (even if we have to commit a volatility buffer) until audits are approved. This would add overhead for more transactions, but might minimize downward pressure on SCR.

Smaller point of feedback - please adjust the 90% coverage to 100% for audits. This obviously won’t be the case for most/all, but whoever is making the call should have the discretion to fully cover an audit if the project seems important / aligned enough.

I agree with Daniel here - if we decide that the EGC is making the call, then that group of 5 people should have the say to do as they see fit and in the best interest of the ecosystem. Having a scorecard could be helpful for framing thinking, but I am wary of being overly rigid here.

Correct, no costs were incurred by Scroll Foundation for setting up the Areta platform.

Please adjust this to: the Scroll Foundation will manage the multi-sig.

4 Likes

The following reflects the views of L2BEAT’s governance team, composed of @kaereste, @Sinkas, and @Manugotsuka, and it’s based on their combined research, fact-checking, and ideation.

We’re overall supportive of the proposal.

We have supported similar proposals in other ecosystems, and we believe audit subsidies are a low-hanging fruit for any DAO to tackle, potentially having a significant impact on the ecosystem’s builders. If there’s any area we cannot afford to be loose with, then that’s security.

We particularly like the lean setup, where there’s no overhead in managing the funds for the subsidies, and instead, ImmuneFi and Areta are compensated through the use of their platforms.

The outlined scoring is a good guiding tool, but we agree with @danielo and @eugene in that the final decision on whether to allocate funds should lie with someone and not be made automatically. It’s important to note that, in our view, audit subsidies are a form of grant, and grants are meant to be a tool for growth and business development. Therefore, audit subsidies should prioritise the business value for Scroll, and not just technical aspects.

The EGC could potentially take that responsibility up once it’s formed, but as @eugene pointed out, it hasn’t been elected yet. Perhaps the Foundation could step into that role, either temporarily until the EGC is elected, or permanently, if the EGC cannot or doesn’t want to have that responsibility. It could also be beneficial if someone from Scroll’s growth/BD team is involved in the process, given the dynamic we mentioned above.

2 Likes

Discussed this with @Samater and team. tldr, it felt more appropriate to push this to the next voting cycle. By then, the EGC will be in place and we can come up with a strategy. Also, asking around BD/growth to see if anyone has capacity to support (though more likely that they will give us leads of who they want to nominate for it).

Samater, one thing to keep in mind as y’all revise the proposal. Please add a clause to the effect that whoever the decision makers are, the Labs growth/BD team is able to green-light folks that would then automatically be approved for audit at whatever level that team suggests.

2 Likes

Thanks @Sinkas, @Eugene, and @Danielo for the feedback. Since we’re waiting for the EGC to form, as well as for other key roles to be filled, we’ll make the necessary changes based on your feedback and the feedback we will receive from both the EGC.

1 Like

We appreciate you bringing forward this proposal for a “Security Subsidy Program” for Scroll builders. It’s clear that this is a super important initiative that could really help make the Scroll ecosystem stronger and more secure, which is something we all want.

That said, as we’ve been reviewing it, a few questions have come up that we believe are crucial for strengthening the proposal, particularly regarding the significant operational and financial roles assigned to the newly formed Ecosystem Growth Council (EGC).

The EGC council is tasked in this proposal with duties like project vetting and acting as an investment contract operator, which involves structuring these subsidies as investments. This is quite a leap from the EGC’s original mandate, as outlined in the Proposal: Ecosystem Growth Council Formation to approve, oversee, and evaluate growth programs, not manage financial contracts or directly execute operations.

Therefore, we’d like to ask:

  • Are these expanded responsibilities consistent with the current EGC charter?
  • If not, could the proposal clarify the role separation?

Additionally, to ensure long-term alignment and deter misuse of audit resources, we suggest including a Scroll exclusivity clause, modeled on Arbitrum’s program: “All code audited under this program must remain exclusive to the Scroll ecosystem for a fixed period.” In cases of breach (e.g., by deploying the same audited codebase elsewhere), projects would be required to repay the full subsidy, a mechanism explicitly tied to the grant agreement and enforced through legal terms. This builds in a tangible incentive for long-term commitment and ecosystem loyalty.

We’re supportive of this direction and believe these refinements would help the program scale with clarity and accountability.

2 Likes