Security first: Polygon zkEVM Mainnet Beta

Securing Polygon zkEVM involved completing two independent audits, in addition to multiple internal audits, and Polygon Labs is sharing the details transparently to set the right expectations for Polygon zkEVM Mainnet Beta.

Security Audits 🔨

No technology, especially novel technology like Polygon zkEVM, can be entirely de-risked. However, Polygon Labs is establishing best practices for securing zkEVMs. The launch of Mainnet Beta has not been taken lightly: Polygon zkEVM’s 35 components have been audited three times, by 26 researchers, over the course of nearly four months.

A comprehensive security audit of Polygon zkEVM began in December. Two security teams have been independently stress-testing all components, including the prover and the smart contracts for Polygon zkEVM. During the third-party audits, software developers and Polygon Labs’ security researchers are available to assist throughout the process. The result of the audit by one of those security teams, Hexens, is now available. (You can view the full report here.) In keeping with Polygon zkEVM’s built-in-public ethos, we wanted to outline the findings.

In total, Hexens found nine vulnerabilities, ranging in severity from critical to low, and made seven additional recommendations related to informational gaps in Polygon zkEVM’s documentation. As of this writing, all 16 issues have been fixed. Read here for more details. You can watch the audit education sessions here.

Training wheels 🚴

Polygon Labs’ highest priority is security. Now that Polygon zkEVM has been battle-tested over the course of successive testnets, it’s ready for a Mainnet Beta release. That doesn’t, however, mean it’s ready to be released without any guardrails in place. Polygon zkEVM Mainnet Beta will be released with a set of security features that will evolve over stages and will pave the way for the ultimate goal of further decentralization. There’s no such thing as a truly innovative technology that carries no risks at launch. That’s why we are launching Polygon zkEVM Mainnet Beta with “limited training wheels,” according to Vitalik’s useful taxonomy of rollup milestones. In that taxonomy, stage one means the proof system is live on mainnet but a security council retains an emergency override; stage two removes that override.

As Mainnet Beta goes on, the goal is to reach stage two: “No training wheels,” in Vitalik’s formulation. This second stage will bring Polygon zkEVM closer to its goal of further decentralization.

Polygon Labs recognizes that it’s important to get this right and to communicate with the Ethereum community about what exactly the development team at Polygon Labs is doing and the Polygon zkEVM roadmap to greater decentralization. Read here for more details.

The Bug Bounty Program 💰

Polygon Labs launched a bug bounty for Polygon zkEVM. This is one of the many guardrails in place for Mainnet Beta launch. The bounty program will be run by Immunefi, which hosts bounties for many other top-tier protocols, including Arbitrum, Chainlink, and Polygon PoS.

Bug bounties provide a critical layer of protection for open-source blockchain networks by incentivizing researchers and white-hat hackers to find and document vulnerabilities. For a full rundown of the process for reporting bugs and the payouts, check out Immunefi’s landing page for Polygon zkEVM here. For more details about the bug bounty program, read here.

Open-source 📡

Polygon zkEVM has been built in public from the beginning. The testnet for Polygon zkEVM was open to anyone, and the source code has been available for everyone to view from the very beginning. To commemorate the Mainnet Beta launch, and as a contribution to the evolution of the ecosystem, Polygon Labs has made Polygon zkEVM fully open-source under an AGPL v3 license.

As a strong copyleft license, AGPL v3 obligates anyone who modifies and distributes the Polygon zkEVM code, or who runs a modified version as a network service, to make the corresponding source available under the same AGPL v3 license. That obligation travels with the code: it applies not only to the current repositories but to all future modifications and distributions as well, so derivative works cannot be turned into closed-source proprietary software. Commercial applications may be derived from Polygon zkEVM’s technological breakthroughs in the future, but those applications must keep their code open-source, enabling the entire web3 ecosystem to grow and benefit from each other’s contributions. Read here for more details.

Polygon zkEVM Risks Disclosure 

The documentation contains statements about technical specifications, some of which may relate to future versions of Polygon zkEVM rather than its current implementation.

Attack Vectors/Security:

  • As this is a Mainnet Beta and not a Mainnet release of Polygon zkEVM, security audits and assessments are ongoing. Thus, your data and crypto-assets may be at risk as a result of bugs or otherwise. 
  • Polygon zkEVM technology is novel. As such, there may be unanticipated issues and risks associated with your use of the technology. For example, there may be errors that result in losing data or crypto-assets. 
  • Cross-blockchain bridging may be subject to cyberattacks and exploits including, without limitation, hacks that exploit a vulnerability in the software, hardware, systems or equipment associated with any bridge component, smart contracts, and related systems.

Network Availability/Performance:

  • As this is a Mainnet Beta, Polygon zkEVM may be slow or unavailable from time to time without notice, which could result in unexpected loss of use, data, or crypto-assets. Before engaging in high value transactions, be mindful that there may be time delays before transactions are finalized.

Decentralization Progress:

Polygon Labs is in the process of further decentralizing Polygon zkEVM. This refers to the process of gradually increasing decentralization of the system over time.  

  • The Mainnet Beta will have some centralized features, such as the Sequencer and Aggregator (Prover), that Polygon Labs currently maintains in an effort to provide greater security at this time. The Sequencer has the ability to delay the inclusion of a transaction and otherwise reorder transactions. 
  • Security of Polygon zkEVM Mainnet Beta is a continuous process. This process includes responding to security concerns, which depends on the Security Council. The Security Council consists of 8 individuals who are empowered to upgrade Polygon zkEVM Mainnet Beta without a timelock to respond to urgent security issues. If members of the Council behave maliciously or collude, then the integrity of the system may be compromised including network upgrades that may result in loss of crypto-assets. 
  • As the Sequencer and Aggregator are centralized for Mainnet Beta, there are risks for potential network downtime and outages, including those that are outside the control of Polygon Labs.
  • During the initial phase of the Mainnet Beta release, users will not be able to force the inclusion of transactions through Layer 1, so a transaction that the Sequencer delays or refuses to include cannot be pushed through by bypassing the Sequencer.

Gas Fees:

  • If the gas fees associated with a proposed transaction are too low, it is possible that such transaction will not be sequenced and that those fees may be lost.

Security Audits:

  • Polygon Labs’ implementation of Polygon zkEVM has been carefully constructed, was audited by several internal and external parties, and is continuously being reviewed and tested against engineering best practices. It is, however, unlikely that all potential bugs or vulnerabilities were identified through these audits and thus there may be undiscovered vulnerabilities that may put user funds at risk. Users should consider this risk when deciding how much value to place onto the Polygon zkEVM Mainnet Beta. To see the audit reports, see here.
  • There is a robust bug bounty program for Polygon zkEVM to help encourage the community to find critical bugs in the codebase. Link to the Polygon zkEVM Bug Bounty page on Immunefi.

Prover Infrastructure:

  • Currently the Polygon zkEVM zkProver does not run on ARM-powered Macs, and for Windows users WSL/WSL2 is not recommended. Apple M1 chips are not supported for now, because some optimizations in the zkProver require specific Intel instructions. The same restriction means that some non-Apple machines will not work either, regardless of the OS, for example AMD-based systems.
  • If you are deploying a full node of Polygon zkEVM Mainnet Beta, be mindful that the network data is stored inside each Docker container. Once you remove a container, that network data is lost and you will have to resync the network, unless the data directory was mounted on a Docker volume or a host path that outlives the container.

General:

  • Polygon zkEVM Mainnet Beta is provided on an AS-IS and AS-AVAILABLE basis.

Have any questions? Take a look at FAQs here