Security Audit Subsidy Program for Scroll Builders

Submitted by: Unicircle, a Scroll Delegate.

Category: Subsidy Program for Key Services

Your idea (in no less than 4 sentences).

Audits typically cost $10k–$250k, putting early teams in a cash-flow bind. We propose a one-year rolling fund that subsidises up to 70% of audit invoices for projects deploying natively on Scroll, with the remaining co-pay coming from the teams themselves.

How will this idea help ecosystem growth?

Cheaper audits mean more dApps go live, faster. Strengthens trust. Keeps talent here and brings in new talent. Polygon Village hands out audit-vouchers that slash security costs, which helps cohort members deploy faster and more securely.

Required budget for the idea in SCR

Cost: Approximately 3.1 million SCR will be allocated to this initiative. This is going to subsidize 20 audits at an average cost of $40k, plus stipends paid to the technical liaison and the project manager.

Who would need to be involved?

  1. Scroll Foundation

  2. An elected technical liaison(s)

  3. An elected project manager(s)

Thanks for putting forward this idea, @Samater.

Making audits more accessible could definitely help attract more teams to build on Scroll. It’s also great that you brought up Polygon Village - always helpful to have more examples.

Would be great to hear what you think on:

  1. Auditor provider: Would teams be free to choose their own auditors, or would the subsidy be tied to specific partners - similar to how Polygon Village seems to do it? Also, if you have any audit providers you’d recommend or have worked with before, please feel free to share. Would it make sense to have an RFP for which audit firms can be part of the selected providers?
  2. Roles & selection: You mention an elected technical liaison and project manager - how do you see these roles being defined in practice? Would they be elected by the DAO, nominated by the Foundation, or selected another way? Also curious about how their responsibilities would be scoped and how progress or outcomes would be reported back to the community.
    • Also, do you see the technical liaison and PM managing the entire process? Some audit programs have opted to grant the overall amount to a third-party to run the program, auditor selection, and subsidy award process (ex. Uniswap Foundation granting Areta). Is there a preference for Foundation/DAO managed vs outsourced?
  3. Post-audit follow-up: Would it be a good idea to consider ways to track the impact of these audits - like whether they speed up launches or uncover major issues? Are there examples of how other ecosystems track the projects that have received audit support and how it has impacted their development?
  4. Amount: You mention subsidizing 20 audits at an average cost of $40k. Just to clarify - will there be a cap on the subsidy amount per project, or will it vary based on the actual audit cost? Also, is the 70% subsidy fixed, or could it vary depending on project stage, audit scope, or available budget in the rolling fund?
  5. Industry Examples: Besides Polygon, are there other ecosystems or models you’ve looked at?

Really appreciate you sharing this and looking forward to hearing more!

Great to see continued momentum around supporting Scroll builders through critical services like security audits, following our initial discussion during the first ecosystem growth brainstorming session.

As highlighted by @Samater, addressing cost and access barriers can significantly accelerate ecosystem growth. We looked at the topic and did some interviews here.

@Eugene raises some good points, including the question of Foundation/DAO-managed versus outsourced programs:

We’ve experienced both set-ups first hand (as part of a DAO-elected group vs. direct mandate). Obv. tough to say what the “optimal approach” is, as it largely depends on the ecosystem preferences. In terms of effectiveness and budget spend, direct mandates with reporting are obv. tough to beat (vs. mixed groups of different parties working together). For instance, in the Uniswap Foundation Security Fund, our role focused on provider curation, competitive pricing mechanisms, and streamlined procurement. The goal was to maintain ecosystem oversight (e.g., ecosystem-defined eligibility criteria) and hold a direct link to the DAO via presentations while outsourcing execution complexities like auditor vetting and price discovery.

Regarding the question of auditor selection:

From our experience, a hybrid approach works best. Whitelisting auditors based on ecosystem-specific expertise ensures quality (i.e., pre-determined evaluation criteria), while allowing projects to compare quotes from multiple providers increases competition and transparency.

We particularly agree on an emphasis on tracking post-audit impact. There are several approaches to measuring impact, including:

  • Tracking the number of successful deployments and public launches
  • Monitoring secondary effects like user growth or TVL increases
  • Assessing program influence through builder engagement metrics (e.g., number of projects choosing Scroll because of the program)

Overall, we’re happy to share further insights or frameworks from our work to help shape Scroll’s approach.