Report: Scroll Mainnet Emergency Upgrade on 2026-02-23

Authors: The Scroll Security Council.

Overview

In mid-February 2026, the Scroll team received a bug bounty report about the zkvm-prover repository. A fix was implemented by the Scroll team and deployed on mainnet by the Scroll Security Council.

Summary of the Bug

A missing check in the ecPairing precompile implementation could lead to diverging execution results on the sequencer and prover, leading to finalization failure.

Specifically, when we read bytes for the G2 point (on the BN254 curve), we make use of G2Affine::from_xy, which checks if the point is on the curve, but does not check if the point is in the correct subgroup.

As a result, inputs to ecPairing of the form (G1_IDENTITY, G2_NON_SUBGROUP) would output 0 in revm, while the prover guest program would output 1, as one of the points is the identity, while the subgroup check was missing.

The issue has been confirmed and fixed in a private fork of our zkvm-prover repository. The patch was applied on top of the current GalileoV2 version (v0.7.1) and tagged as v0.7.2. The fix was reviewed by the OpenVM team. After executing the emergency upgrade, we moved the patch into the public repository.

Patch: https://github.com/scroll-tech/zkvm-prover/compare/v0.7.1...v0.7.2

Acknowledgment

We would like to thank whitehat @revofusion for disclosing this vulnerability via Immunefi.

10 Likes
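The gap between the on-curve check and the subgroup check described in the report, as an added example in plain Python; it is not code from zkvm-prover, revm or OpenVM. All function names are hypothetical, and the off-subgroup point is constructed here by a small search on the BN254 twist.

```python
# Added illustration. G2 points lie on the twist y^2 = x^3 + 3/(9+u) over
# Fp2 = Fp[u]/(u^2+1). Fp2 elements are (a0, a1) tuples; None is the identity.
P = 21888242871839275222246405745257275088696311157297823662689037894645226208583
R = 21888242871839275222246405745257275088548364400416034343698204186575808495617

def f2_add(a, b): return ((a[0] + b[0]) % P, (a[1] + b[1]) % P)
def f2_sub(a, b): return ((a[0] - b[0]) % P, (a[1] - b[1]) % P)
def f2_mul(a, b): return ((a[0]*b[0] - a[1]*b[1]) % P, (a[0]*b[1] + a[1]*b[0]) % P)
def f2_inv(a):
    n = pow(a[0]*a[0] + a[1]*a[1], -1, P)
    return (a[0]*n % P, -a[1]*n % P)
B2 = f2_mul((3, 0), f2_inv((9, 1)))  # twist coefficient 3/(9+u)

def f2_sqrt(a):  # for a[1] != 0, using p = 3 (mod 4); None if a is not a square
    s = pow(a[0]*a[0] + a[1]*a[1], (P + 1)//4, P)
    for t in ((a[0] + s) * pow(2, -1, P) % P, (a[0] - s) * pow(2, -1, P) % P):
        x0 = pow(t, (P + 1)//4, P)
        if x0 and x0*x0 % P == t:
            c = (x0, a[1] * pow(2*x0, -1, P) % P)
            if f2_mul(c, c) == a: return c
    return None

def on_curve(pt):  # the only property the unpatched path verified
    if pt is None: return True
    x, y = pt
    return f2_mul(y, y) == f2_add(f2_mul(f2_mul(x, x), x), B2)

def add(p, q):  # affine addition/doubling on the twist
    if p is None: return q
    if q is None: return p
    (x1, y1), (x2, y2) = p, q
    if x1 == x2:
        if f2_add(y1, y2) == (0, 0): return None
        lam = f2_mul(f2_mul((3, 0), f2_mul(x1, x1)), f2_inv(f2_add(y1, y1)))
    else:
        lam = f2_mul(f2_sub(y2, y1), f2_inv(f2_sub(x2, x1)))
    x3 = f2_sub(f2_sub(f2_mul(lam, lam), x1), x2)
    return (x3, f2_sub(f2_mul(lam, f2_sub(x1, x3)), y1))

def mul(k, p):  # double-and-add scalar multiplication
    acc = None
    while k:
        if k & 1: acc = add(acc, p)
        p, k = add(p, p), k >> 1
    return acc

def in_subgroup(pt): return mul(R, pt) is None  # the missing check: [r]Q == identity
def validate_g2(pt, check_subgroup):
    return on_curve(pt) and (not check_subgroup or in_subgroup(pt))
def find_twist_point():  # constructed sample: first x = 1, 2, ... with a square RHS
    x = 1
    while (y := f2_sqrt(f2_add(f2_mul(f2_mul((x, 0), (x, 0)), (x, 0)), B2))) is None: x += 1
    return ((x, 0), y)
```

A point returned by `find_twist_point()` passes `validate_g2(pt, check_subgroup=False)` and fails with `check_subgroup=True`; multiplying it by the twist cofactor `2*P - R` yields a point that passes both.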

Great to see the Scroll Security Council reacting promptly to this critical vulnerability in the zkvm-prover’s ecPairing precompile, while demonstrating optimistic governance in action with rapid, transparent patching and mainnet deployment.

Also shout out to the whitehat @revofusion for the Immunefi disclosure, always good to see a strong bug bounty process in motion.

1 Like