Proposal: Security Subsidy Program for Scroll Builders

As agreed on the last Weekly DAO & Governance Call, we’re providing a minor update to this proposal to clarify a term that was used in a confusing way. In this final version of the proposal, we have removed all references to a formal investment committee, clarifying that this role will be led by the Scroll Foundation for the time being, with input from relevant teams and committees when appropriate.

Proposal Title: Security Subsidy Program for Scroll Builders

Proposal Type: Growth

Summary:

This proposal introduces a pilot Security Subsidy Program for providing comprehensive onchain security for projects committed to building on Scroll, geared towards projects graduating from Scroll Open.

It is structured into two core components with an extra critical support component:

    1. Access to subsidized audit services via Areta’s open audit marketplace.
    2. Access to a discounted and subsidized onchain security marketplace managed by Immunefi for end-to-end protection beyond traditional audits, from pre-deployment through post-launch.
    3. Governance mechanisms to ensure commitment to build on Scroll and to prevent subsidy farming.

Funding Request & Support:

  • Requests the SCR equivalent to $500k USD, with $300k dedicated to audit subsidies to be used in Areta’s open audit marketplace and $200k to the end-to-end security marketplace run by Immunefi.
  • To be coordinated by Immunefi in collaboration with the newly-formed Ecosystem Growth Council and Scroll Labs, with oversight by the Scroll Foundation. Scroll Labs and the Foundation have final say over the eligibility of projects and over the marketplace offerings.

Expected Outcomes:

  • Subsidize audits and related pre-launch and post-launch security services for eligible Scroll-native projects, covering up to 100% of audit costs and up to 75% of end-to-end security services, with an additional 25% discount on those end-to-end services, i.e. an effective subsidy of 100%.
  • Discounted access (on top of the subsidies) to best-in-class providers across the security stack.
  • Eliminate the burden of discovering and vetting the right security suppliers and tooling.
  • Reduce the need to hire large internal teams to get effective security through a project’s life cycle.
  • Reduce the cost hurdle of building the secure tech stack required to develop trust among end-users.
  • Improve the overall speed to market of the projects participating in Scroll’s Open Economy.
  • Improve the attractiveness of the Scroll ecosystem to new builders deciding where to build.
  • Improve the overall security practices and security culture within the Scroll ecosystem.

Motivation:

L2 security is critical yet often misunderstood. As L2s compete to attract builders and scale the EVM, it’s increasingly important to build trust across all ecosystem dimensions. For that, audits are an industry standard and a non‑negotiable best practice. Every project that launches on mainnet needs an audit.

However, modern onchain security transcends audits, requiring tailored solutions focused on the various needs emerging from a complex code security lifecycle. Countless projects have suffered devastating hacks after assuming audits were sufficient:

  • Consider Immunefi’s statistics: among the roughly 500 projects that launched bug bounty programs there, nearly all had been audited previously, often multiple times.
    • Yet, Immunefi’s community of security researchers has surfaced critical bugs in 80% of its bug bounty programs in the first year after launch.
  • Consider the May 2025 hacks of Cetus on Sui or of Cork Protocol on Ethereum, with both projects having undergone multiple audits by reputable providers.
    • Still, edge cases that were either considered out of scope or overlooked during the audits caused tens of millions in losses, showing how end-to-end security is key.

Scroll hasn’t assumed audits are sufficient, being well aware that “security is a continuous journey”. This has resulted in various positive outcomes from at least one of its always-on security programs:

  • Scroll’s bug bounty program has awarded a $1M bounty to one of Immunefi’s elite security researchers in May 2025 for a bug found this April.
    • Scroll’s own report acknowledged that, “if exploited, this vulnerability would allow an attacker to essentially mint an arbitrary amount of ETH or any ERC20 tokens on L2”.
  • Overall, we have been authorized to share that Scroll’s bug bounty program with Immunefi helped report 4 critical bugs and 1 bug classified as high severity so far.

Now, as demonstrated by the Cetus hack on Sui, Scroll should extend this approach to its ecosystem. Given that Scroll is already committed to hard-wiring security into its culture from the outset, this would:

  • Guarantee every eligible project undergoes a code review before launch.
    • While also offering essential access to pre-deployment and post-launch security tools, as per modern best practices that are rarely followed due to their perceived high costs.
  • Ensure access to competitive pricing through marketplace dynamics across the security stack.
    • While benefiting from additional discounts on top of the proposed subsidies.
  • Grant the program’s projects free-of-charge access to a suite of AI-driven security features and tooling available on the Immunefi Magnus platform for the duration of the program.
    • While incentivising and regulating eligible projects to avoid subsidy farming.

With this program, Scroll ends up protecting its users, safeguarding its brand integrity, and sending a clear signal to builders and investors that it is the right place to innovate and scale. All in a streamlined manner that maximizes security outcomes for each dollar spent across the ecosystem.

Execution:

Operational:

This proposal recommends partnering with an established player with proven experience in crowdsourced onchain security to coordinate the Security Subsidy Program, Immunefi.

The subsidy funds will be allocated to two marketplaces: Areta Market and Immunefi Magnus.

About Immunefi:

Immunefi is the leading onchain security platform, offering a comprehensive suite of services through its Magnus marketplace to more than 350 leading protocols and dapps. In just over four years, it has directly prevented hacks worth over $25 billion USD and its community of Security Researchers was awarded +$120 million USD for responsibly disclosing over 5,000 web2 and web3 vulnerabilities.

Today, Immunefi works with leading projects including Sky (formerly MakerDAO), Optimism, Polygon, GMX, Chainlink, TheGraph, Lido, LayerZero, Arbitrum, StarkNet, EigenLayer, Astar Network, ZKsync and more, all publicly listed on its website. It’s also a proven security partner to other large ecosystems.

Magnus, Immunefi’s unified security marketplace, helps a project’s security team deal with tool overload, blind spots and ever-evolving threats. Teams can manage security engagements through a single command center — from triaging findings and PR reviews to vendor and payment management:

  • Magnus integrates end-to-end onchain security solutions from multiple partners.
    • Combining in-house tools built by Immunefi with tooling delivered by best-in-class firms.
      • Already onboarded Runtime Verification, Failsafe, Fuzzland and ChainPatrol, as well as Nexus Mutual, Dedaub, OtterSec and ThreeSigma. More soon.
    • Leveraging Immunefi’s proprietary vulnerabilities dataset, the industry’s largest.
      • And aggregating a community of over 45,000 security researchers.
  • With a few clicks, projects can post a service request on Magnus and invite providers to match against technical and budget requirements.
    • In addition to audits and crowdsourced security, these experts provide infrastructure audits in non-mainstream languages, fuzzing and formal verification, real-time monitoring, incident response, and operational security war gaming (emergency preparedness).

About Areta Market:

Areta Market is the leading marketplace solution for security audits. The product has been launched on Arbitrum and Uniswap and has facilitated over $35M in audit offers to date. It is a white-label tech solution that can be used by any party chosen by the Scroll DAO to manage subsidies.

Program Overview

This Security Subsidy Program proposal rests on two core components: 1) traditional audits and 2) end-to-end onchain security.

    1. The traditional audits component is focused on the following offering:
    • Traditional audits: standard code reviews typically lasting between 3 days and 3 weeks.

Traditional audits are to be delivered through the Areta Market marketplace.

    2. The end-to-end onchain security component is focused on the following offering:
    • Fuzzing: automated smart contract testing with variable inputs to detect bugs.
    • Formal verification: mathematical proof of whether a smart contract conforms to its specification.
    • Pull-request reviews: streamlined code reviews from the very best security researchers, embedded directly in the GitHub pull requests on the Magnus marketplace.
    • Audit competitions: crowdsourced, time-bound code review with a fixed prize pool for valid reports, typically lasting one to three weeks.
    • Bug bounty programs: incentivised, always-on programs for security researchers to responsibly disclose vulnerabilities, combined with a 24/7 managed triage service to filter submitted reports, active program monitoring and expert set-up.
    • Real-time monitoring & threat prevention: detect and optionally intercept malicious transactions in the mempool before they get executed.

These are delivered through Immunefi’s Magnus marketplace and include free access to a suite of AI-driven security features for the duration of the Security Subsidy Program. This entails an AI-powered security copilot that can be privately trained on each project’s unique infrastructure and is powered by Codexa, the most comprehensive dataset of blockchain vulnerabilities in the industry.

The two components above are supported by a couple of mechanisms to ensure commitment to build on Scroll and prevent subsidy farming. This point was inspired by recent research conducted by RnDAO, delegate feedback and work developed by Areta to overcome similar issues as faced in other ecosystems.

    3. The commitment component is focused on the following mechanisms:
    • Rating criteria to inform the evaluation of the applications.
      • This framework is detailed further below in the proposal.
    • Subsidies are distributed as investments instead of grants.
      • This process is detailed further below in the proposal.
    • An exclusivity clause for code audited under this program.
      • This process is detailed further below in the proposal.

These ensure projects attracted to build on Scroll with this program are i) incentivised to remain and ii) those graduating from Scroll Open are motivated to continue advancing the open economy.

Moreover, note the Security Subsidy Program has a separate budget for each of the components which is unlocked per application and on a per product basis, detailed in the summary and in the financial section.

  • This means each project can benefit from the products and services that best fit its specific security needs in the development lifecycle as opposed to a standard cookie cutter approach — maximising security outcomes for projects and for the Scroll ecosystem.
  • To further reduce the risk of funds misuse, unused funds at the end of the program will either be returned to the DAO treasury or rolled into a renewed program, pending delegate approval.

Mechanisms to ensure commitment to Scroll

The commitment component outlined above should be driven by three mechanisms that work together to drive the long-term growth of the Scroll ecosystem and prevent abuse of grants with no strings attached.

A). Rating criteria framework to inform the evaluation of applications

a). Rating sheet with up to 10 possible points and a required grade of 6 to qualify.

1. 2 points — Existing fit with the Scroll ecosystem.

  1. 0 points - no fit, e.g. no development on Scroll yet.
  2. 1 point - some fit, e.g. graduating from Scroll Open.
  3. 2 points - strong fit, e.g. project building on Scroll for > 6 months.

2. 2 points — Business plan.

  1. 0 points - poor plan, e.g. no clarity, excessive scope.
  2. 1 point - good plan, e.g. granular plan, realistic.
  3. 2 points - strong plan, e.g. investment-worthy.

3. 2 points — Team qualifications.

  1. 0 points - weak team, e.g. lone individual with minimal to no industry background.
  2. 1 point - reasonable team, e.g. co-founders with some industry background.
  3. 2 points - strong team, e.g. mature team with extensive industry background.

4. 4 points — Value for Scroll.

  1. 0 points - no alignment, e.g. no link to Scroll’s current plans.
  2. 1 point - weak alignment, e.g. intangible link and some metrics.
  3. 2 points - medium alignment, e.g. direct link and clear metrics.
  4. 3 points - strong alignment, e.g. all the above and community support.
  5. 4 points - excellent alignment, e.g. all the above and good optics.

b). This grading is an informative framework for pre-screening purposes. Final assessment shall be led by the Scroll Foundation, which will ensure that at least Scroll Labs or the newly-formed Ecosystem Growth Council will also provide input for any given application.

i). Moreover, the Scroll Foundation and Scroll Labs can pre-approve projects for any subsidy under this program.

B). Subsidies as investment contracts

a). Instead of handing out one-off grants, we propose to align the long-term goals of the recipient projects to those of the Scroll ecosystem by structuring the subsidies as investment contracts to the exclusive benefit of the Scroll ecosystem, through an entity to be managed by the Scroll Foundation. The model for these contracts is inspired by RnDAO’s approved agreement with the Arbitrum Foundation, with equivalent documents to be developed with the EGC once it’s formed.

i. This would be a legal document covering three scenarios:

  1. Equity fundraising through a SAFE.
  2. Token launch through a token warrant.
  3. A side letter in case there’s no fundraising nor a token.

ii. This will grant a minority stake in the subsidy recipients proportional to the risk taken by Scroll with this program as per the final assessment of each project’s application, which will be done by the Scroll Foundation.

  1. 1% for projects with 9 or 10 points.
  2. 1.5% for projects with 7 or 8 points.
  3. 2% for projects with 6 points.

iii. With an estimated average audit subsidy of $30k and average onchain security subsidy of $20k, this equates to an average investment of $50k in 10 projects.

  1. While the minority stake percentage may seem low, this ensures any fundraising efforts aren’t hindered, while allowing Scroll to recoup its investment in any project that reaches a minimum valuation of $2.5 to $5 million USD.

b). The legal entity shall be incorporated under the Scroll Foundation, pending legal review.

C). Exclusivity clause

a). Finally, to further promote long-term commitment to Scroll, the investment contracts will include a clause requiring all code audited under this program to remain exclusive to the Scroll ecosystem for a fixed period, to be defined together with the Scroll Foundation.

b). In cases of breach, legal action will be taken against the project.

Program Phases:

In terms of structure, the Security Subsidy Program consists of three phases:

Phase 1: Program Setup (Month 1 — Sept.)

  • (Week 1): Form election committee and validate application form.
  • (Week 2): Validate investment vehicle structure with the Scroll Foundation and any relevant stakeholders.
  • (Weeks 3–4): Open call for project applications according to the eligibility requirements.
  • (Week 4): Vetting and selection of projects as per the requirements and criteria.
  • (Week 4): Onboarding workshop, security best practices sessions and marketplace walkthrough.

Phase 2: Traditional Audits and End-to-End Onchain Security (Months 2–6 — Oct. to Mar.)

  • (Month 2 onwards): First code reviews can begin for selected projects.
  • (Month 2 onwards): Additional onchain security services (e.g. PR reviews, audit competitions, bug bounty programs, monitoring) can kick off through the Magnus marketplace.
  • (Month 2 onwards): Open call for projects to apply according to the eligibility requirements.
  • (Month 2 onwards): Ongoing vetting and selection of projects as per the requirements and criteria.

Phase 3: Program Review (Months 3–6 — Nov. to Mar.)

  • (Month 3 onwards): Oversee the quality of the deliverables and report back to the DAO at the end of the 3rd and 6th month of the program.

The Security Subsidy Program may be renewed at the end of the term depending on performance and the wishes of the community, subject to an updated governance proposal.

Note that even though the Security Subsidy Program’s applications are only open for five months, the projects can benefit from these security products and services for up to one year. For example, an audit competition can be contracted at the end of the program to start a few months later. PR Reviews, bug bounty programs or real-time monitoring can be contracted anytime for a period of 12 months.

Personnel & Resources:

Below are the proposed personnel and their roles:

  1. Immunefi:
  • Program Facilitator: Lead the project vetting process in coordination with the Ecosystem Growth Council, conduct onboarding sessions and marketplace walkthrough.
  • Recruitment and Onboarding: Launch open calls to onboard more qualified security firms and security researchers to Magnus. Launch the open call for the first cohort of Scroll-native projects.
  • Program Coordinator: Oversee the implementation of the Security Subsidy Program in alignment with Scroll’s ecosystem growth goals and security standards.
  • Marketplace Operator: Facilitate a competitive open marketplace for auditors, security researchers and security firms to participate in audit engagements and security programs.
  • Coordination with Ecosystem Growth Council: Work in collaboration with the Ecosystem Growth Council to align technical execution and ensure projects are supported end-to-end.
  • Ongoing Operational Management: Monitor engagement quality, track deliverables, and coordinate communications between projects and providers across both phases of the program.
  • Co-marketing Efforts Coordinator: Ensure the subsidy recipients promote the Security Subsidy Program appropriately, while also fostering co-marketing initiatives with the Program’s partners.
  • Quarterly Transparency Reporting: Produce and publish a quarterly transparency report summarizing completed audits, active services, key findings, and overall impact of the program.
  2. Ecosystem Growth Council:
  • Project Vetting: Participate in the project vetting process in coordination with Immunefi.
  • Coordination with the Scroll Foundation: Engage in the application assessment process.
  3. Scroll Labs:
  • Project Vetting: Participate in the project vetting process in coordination with Immunefi.
  • Coordination with the Scroll Foundation: Engage in the application assessment process.
  4. Scroll Foundation:
  • Subsidy Program Oversight: Liaise with Immunefi and with relevant stakeholders to ensure the program’s goals are met.
  • Subsidy Program Funding Operations: Operate the investment entity that will disburse the security subsidies as investment contracts.

Finance:

The traditional audits component represents the bulk of the financial investment, given the mature nature of that market. Within this component, audit providers offer market rates to be subsidized by the Security Subsidy Program up to 100%, with a $50k cap, and with projects paying at least 10% of the audit cost to ensure they remain committed to the code review process. Projects are also required to engage in co-marketing activities to be coordinated by Immunefi, as detailed in the Personnel & Resources section. This process follows the publicly shared learnings from previous subsidy funds with Arbitrum and Uniswap.

Within the end-to-end onchain security component, eligible marketplace providers offer a 25% discount, with the Security Subsidy Program subsidising them up to 75%, on a case-by-case basis. Moreover, Immunefi is offering free access to the Magnus marketplace and platform for a period of 6 months to all eligible projects. This includes a proprietary and private AI-powered security co-pilot.

The budget for this Security Subsidy Program shall then amount to $500k, based on the estimated costs to serve a significant portion of the projects graduating from Scroll Open, distributed as follows:

Expense category / Cost (USD) / Budget allocation:

  • Traditional audit subsidies / $300,000 USD / $300k for audits for up to 10 projects — an average 75% subsidy for an average audit cost of $40k (roughly half of Arbitrum’s ADPC average audit cost).
  • End-to-end onchain security subsidies / $200,000 USD / Funds are unlocked per application and per product based on each project’s security needs, to be allocated in coordination with the Scroll Foundation.
  • Total / $500,000 USD / Current SCR equivalent at the time of the proposal.

As shown in the budget above, this program has no OpEx as it will be run by Immunefi for the benefit of the Scroll ecosystem. Immunefi is directly and indirectly compensated, being a participant in the Areta Market marketplace for audits and being an operator of the Magnus marketplace.

SCR conversion shall be coordinated by Scroll’s upcoming treasury management provider. Until then, funds will be held at a multisig managed by the Scroll Foundation.

Unused funds at the end of the six-month period will either be returned to the DAO treasury or rolled into a renewed program, pending delegate approval.

Lastly, for additional context, here’s an overview of the typical market rates for each of the services included in the Security Subsidy Program (SSP), and the respective offer for Scroll ecosystem projects.

Product or service / Market rates / Subsidy program rates:

  • Traditional audits / Typically from $15k to $150k. / 50% to 100% subsidy, $50k cap per project, up to 8 projects.
  • Fuzzing / Not enough data to estimate. / 25% vendor discount, up to 75% subsidy.
  • Formal verification / Not enough data to estimate. / 25% vendor discount, up to 75% subsidy.
  • Pull request reviews / Contingent on the scope of the code review. / 1 complimentary PR review per project for up to 10 projects, then 25% vendor discount, up to 75% subsidy.
  • Audit competitions / Typically 15% to 25% of the rewards pool. / No fees up to a $50k rewards pool; up to 50% subsidy on reward pools, capped at $25k, for up to 2 projects.
  • Bug bounty programs / $20k to $60k per year. / No bug bounty hosting fees for up to 10 projects for 1 year, assisted program design, safe harbor module, and 25% discount on bug bounty programs with the managed triage service add-on.
  • Real-time monitoring / Not enough data to estimate. / 25% vendor discount, up to 75% subsidy.

Success metrics:

  • At least 75% of the projects undergoing the program launch on Scroll within 6 months.
  • At least 50% of the projects undergoing the program generate revenue within 6 months.
  • At least 75% of the projects undergoing the program successfully fundraise within 12 months.
  • At least 50% of the projects undergoing the program continue to build on Scroll within 12 months.

Conclusion:

The Security Subsidy Program is both urgent and foundational: it slashes security risk while accelerating time-to-launch for Scroll-native teams. This program gives Scroll and its projects a unique opportunity to access proven security outcomes with streamlined processes and long-term alignment.

Passing this proposal signals that the Scroll community is serious about retaining builders and securing TVL beyond just audits. With the full lifecycle security supported by Magnus, projects can iterate fast and scale confidently, protected by industry-leading bounties and precise, automated threat detection tools.

This proposal will break down barriers to secure deployment, fast-track project launches and deliver seamless best-in-class ongoing onchain security for early-stage Scroll teams — before and after going live. We welcome your questions and look forward to fortifying the ecosystem together.
