Security Audit Subsidy Program for Scroll Builders

Submitted by: Unicircle, a Scroll Delegate.

Category: Subsidy Program for Key Services

Your idea (in no less than 4 sentences).

Audits typically cost $10k–$250k, putting early teams in a cash-flow bind. We propose a one-year rolling fund that subsidises up to 70% of audit invoices for projects deploying natively on Scroll, with the remaining co-pay coming from the teams themselves.

How will this idea help ecosystem growth

Cheaper audits mean more dApps go live, faster. It strengthens trust, keeps talent here and brings in new talent. Polygon Village hands out audit vouchers that slash security costs, which helps cohort members deploy faster and more securely.

Required budget for the idea in SCR

Cost: Approximately 3.1 million SCR will be allocated to this initiative. This will subsidize 20 audits at an average cost of $40k, plus stipends paid to the technical liaison and the project manager.

Who would need to be involved?

  1. Scroll Foundation

  2. An elected technical liaison(s)

  3. An elected project manager(s)


Thanks for putting forward this idea, @Samater.

Making audits more accessible could definitely help attract more teams to build on Scroll. It’s also great that you brought up Polygon Village - always helpful to have more examples.

Would be great to hear what you think on:

  1. Auditor provider: Would teams be free to choose their own auditors, or would the subsidy be tied to specific partners, similar to how Polygon Village seems to do it? Also, if you have any audit providers you’d recommend or have worked with before, please feel free to share. Would it make sense to have an RFP for which audit firms can be part of the selected providers?
  2. Roles & selection: You mention an elected technical liaison and project manager - how do you see these roles being defined in practice? Would they be elected by the DAO, nominated by the Foundation, or selected another way? Also curious about how their responsibilities would be scoped and how progress or outcomes would be reported back to the community.
    • Also, do you see the technical liaison and PM managing the entire process? Some audit programs have opted to grant the overall amount to a third party to run the program, auditor selection, and subsidy award process (e.g., the Uniswap Foundation granting Areta). Is there a preference for Foundation/DAO-managed vs. outsourced?
  3. Post-audit follow-up: Would it be a good idea to consider ways to track the impact of these audits - like whether they speed up launches or uncover major issues? Are there examples of how other ecosystems track the projects that have received audit support and how it has impacted their development?
  4. Amount: You mention subsidizing 20 audits at an average cost of $40k. Just to clarify - will there be a cap on the subsidy amount per project, or will it vary based on the actual audit cost? Also, is the 70% subsidy fixed, or could it vary depending on project stage, audit scope, or available budget in the rolling fund?
  5. Industry Examples: Besides Polygon, are there other ecosystems or models you’ve looked at?

Really appreciate you sharing this and looking forward to hearing more!

Great to see continued momentum around supporting Scroll builders through critical services like security audits, following our initial discussion during the first ecosystem growth brainstorming session.

As highlighted by @Samater, addressing cost and access barriers can significantly accelerate ecosystem growth. We looked at the topic and did some interviews here.

@Eugene raises some good points, including the question of Foundation/DAO-managed versus outsourced programs:

We’ve experienced both set-ups first hand (as part of a DAO-elected group vs. a direct mandate). Obviously it is tough to say what the “optimal approach” is, as it largely depends on the ecosystem’s preferences. In terms of effectiveness and budget spend, direct mandates with reporting are obviously tough to beat (vs. mixed groups of different parties working together). For instance, in the Uniswap Foundation Security Fund, our role focused on provider curation, competitive pricing mechanisms, and streamlined procurement. The goal was to maintain ecosystem oversight (e.g., ecosystem-defined eligibility criteria) and to keep a direct link to the DAO via presentations while outsourcing execution complexities like auditor vetting and price discovery.

Regarding the question of auditor selection:

From our experience, a hybrid approach works best. Whitelisting auditors based on ecosystem-specific expertise ensures quality (i.e., pre-determined evaluation criteria), while allowing projects to compare quotes from multiple providers increases competition and transparency.

We particularly agree on an emphasis on tracking post-audit impact. There are several approaches to measuring impact, including:

  • Tracking the number of successful deployments and public launches
  • Monitoring secondary effects like user growth or TVL increases
  • Assessing program influence through builder engagement metrics (e.g., number of projects choosing Scroll because of the program)

Overall, we’re happy to share further insights or frameworks from our work to help shape Scroll’s approach.

I have spoken to dozens of teams looking to do an audit during my time at OpenZeppelin and Immunefi. Surprisingly, many of these projects do not know how to select an auditor for their specific stack, how to scope a project, how to distinguish between a good and a poor security review, or even the typical cost of an audit. My suggestion is to pre-negotiate with reputable security providers. This approach brings several additional advantages. If Scroll DAO partners with a security firm, that firm should ideally provide more than just a “basic” audit: for example, a mitigation audit after the primary audit; security training on secure development; best-practice checklists; secure-deployment and monitoring guidance; and, if something goes wrong, incident-response support. It is far easier for projects to work with a single team that understands the codebase well and can easily step in later to provide support or additional value if needed. Setting up security infrastructure that supports projects deploying on Scroll is an investment that will pay dividends later on.

A few reputable security firms already offer these comprehensive services, and I suggest inviting them to submit proposals for the DAO to assess.

I recommend inviting Immunefi, Ottersec, ConsenSys Diligence, and other firms that provide the above services to apply and share their proposals.

The technical liaison would be a part-time role, ideally elected by the DAO. The Foundation should set minimum qualification requirements so the selection does not become a popularity contest; it can nominate a candidate, but the position should also be open to community applications. The liaison would act as a technical consultant for projects seeking audits, help scope each audit and its requirements, and communicate these to the partner firm(s). They would also provide technical updates on each audit to the DAO. The project-manager role could be merged with the technical-liaison role.

Measuring impact and outcomes is crucial to the program’s success. Outcomes should not be tied to metrics outside the security partner’s or project’s control. Instead, they should focus on realistic metrics such as vulnerabilities discovered, potential financial and reputational damage avoided, and faster deployment, among others.

Although outsourcing has its appeal, it adds unnecessary costs that would burden the DAO/Foundation, funds that could instead support more projects. The same benefits of security-firm selection and competitive pricing can be achieved by having the DAO invite firms to submit proposals directly (which a lot of DAOs/Foundations are now doing). The technical liaison can periodically benchmark partner pricing to keep it competitive. Once a liaison is selected or nominated, they can provide informed comments on each proposal. It is also easier for the Scroll community to hold security firms accountable when their performance is reported after each round of audits by the technical liaison. Outsourcing can be equally transparent, but it introduces an extra layer of trust.

The subsidy will cover up to 70% of an invoice, capped at approximately $40k per project, depending on each project’s audit scope.

Numerous DAOs and foundations have partnered directly with firms to great effect. For example, Plume Network partners with Immunefi; Sui Network partners with Ottersec and Zellic; NEAR Foundation partners with multiple audit firms; and Compound DAO partners with OpenZeppelin. Although the last partnership does not directly support ecosystem projects, it still exemplifies a strong collaboration.


The following reflects the views of L2BEAT’s governance team, composed of @krst, @Sinkas, and @Manugotsuka, and it’s based on their combined research, fact-checking, and ideation.

Thanks for putting this RFI forward, @Samater. We would generally support an initiative for security audit subsidies, given that we figure out the operational details sensibly. We also voted in favor of a similar initiative in Arbitrum some months ago, and it recently got renewed as a program funded by the DAO and managed by the Arbitrum Foundation.

We believe a similar setup could work in Scroll as well. The DAO would earmark a budget, and the Foundation, given it has the capacity, would administer it. Creating external bodies to administer such a fund would generate more overhead without necessarily adding practical value. If needed by the Foundation, a technical liaison could be contracted to offer additional insights and help ease the workload.

For auditor providers, we could set up an RFP and invite reputable auditors to submit competitive bids to be shortlisted, so that projects have various audit options depending on their needs. Regarding the amount, we also think that covering a percentage of the cost, rather than offering a full subsidy, is the more appropriate approach. That way, the projects applying have real skin in the game and are not wasting the budget.


Do you mind sharing thoughts on the more open market model? This is an open call to others for feedback as well.

In this scenario, I see using market dynamics to source proposals and due diligence from Foundation and DAO to ensure high quality as getting to better rates over time.

This is an interesting role, and I think it can be shaped to support a high bar of security in the Scroll ecosystem. I can see the benefits of it and would be interested in seeing what kind of candidates would be found for the role.