In the rapidly evolving Layer 2 (L2) ecosystem, security is not merely a priority, but a necessity. The rampant growth of L2 solutions increases the risk of potential threats, such as vulnerabilities introduced during bridging from a Layer 1 to an L2, or vulnerabilities in the protocol’s smart contracts themselves. Threat prevention is the foundation of security in an L2 environment. There are two categories of threat prevention: auditing and bug bounty programs, which evaluate smart contracts and inspire white-hat hackers to discover and report potential vulnerabilities. In our mission to build the most secure zkEVM ecosystem, we’re sharing our vision of a full-spectrum security system, starting with Threat Prevention.
A cryptographically secure zero-knowledge infrastructure is the foundation of creating the safest place to interact with web3. Unlike optimistic rollups that prioritize trust in third parties, publishing data to Ethereum mainnet and providing a challenge period to dispute fraudulent transactions, zk rollups prove transaction validity right away. To put it succinctly, zk rollups like Linea rely on cryptography for security, whereas legacy technology pursued by optimistic rollups relies on cryptoeconomics and game theory. Building an ecosystem with zero knowledge at the heart of it is like building a city on top of solid ground.
In the world of zkEVMs, Linea’s security infrastructure is industry-leading. Linea uses zkSNARK proofs to verify the computational integrity of every Linea transaction in Ethereum, offering users high levels of security at low cost. Linea is the first zkEVM to introduce more than one client, aligning with Ethereum’s goal of client diversity. This reduces the risk of single-point-of-failure bugs compared to having a single client.
Linea also adopts a research-directed approach to ensuring overall integrity. For example, we apply formal verification at multiple levels, such as the on-chain Plonk verifier and the zk arithmetization, to ensure that key components of the software are bug-free.
At its core, an audit is an in-depth review of a project’s smart contracts (in our case written in Solidity) by a third party specializing in identifying vulnerabilities not just in the smart contract, but also in the architecture surrounding the contract. In the context of Linea, every line of code in our smart contracts has undergone rigorous auditing by Diligence and OpenZeppelin, two of web3’s most sophisticated and popular security firms. Their reputation and expertise demonstrate our commitment to the highest level of security. You can view our audit reports here.
Moreover, we ensure that all decentralized applications (dapps) we promote have received auditing clearance from one of the following recognized providers: Diligence, OpenZeppelin, Hexen, Zokyo, CertiK, Zellic, Scalebit, Secure3, Halborn. By guaranteeing consistent, robust audits on the Linea protocol smart contracts, and by incentivizing dapps in our ecosystem to take up proactive security measures, we are building a more secure Ethereum ecosystem.
Beyond auditing, bug bounty programs are a crucial component of threat prevention in the L2 landscape. These programs invite ethical hackers to scrutinize systems for vulnerabilities and offer substantial rewards for their findings. For instance, Polygon paid out a record $2M bounty to a white-hat hacker in 2021 for identifying a bug that could potentially lead to losses worth $850M on the network.
Recognizing the value of bug bounty programs, we have partnered with Immunefi, a dedicated bug bounty platform. We offer a bounty that can reach up to $100,000 for identifying and reporting potential threats. This substantial reward aligns with our commitment to fortifying security by incentivizing security at the social layer.
As L2 solutions become more intricate, their security measures must keep pace. The pursuit of engineering excellence, auditing and bug bounty programs is one way we are safeguarding the Linea ecosystem, carrying on the principle of trust that forms the backbone of the decentralized ethos. Our threat prevention practices are just the beginning: they are one band of our full-spectrum security system. We endeavour to foster an L2 environment that embraces transparency, resilience, and the collective wisdom of the community in its pursuit of safety and security.