SCROLL · ROLLUP-L2 · STAGE 0 NO PQC POSTURE PUBLISHED · QRI 27 v3.1.0 methodology

In plain terms

What it is. Scroll runs Ethereum transactions off to the side at lower cost and hands Ethereum a small receipt proving the work was done honestly.

What we found. Most teams never dare touch the math engine under a live network, but Scroll ripped out its old one and dropped in a new one in 2025 with no one's balance moving, so it has the rare muscle to redo deep internals, and the part it has not yet redone is the lock on the money, which a quantum computer could one day open.

Why it matters. Because the hard part here is willingness rather than skill, the people holding funds on Scroll are waiting on a choice the team has already proven it can carry out, and right now no such choice has been announced for the keys that guard their money.

Type-2 zkEVM rollup whose Euclid upgrade (April 2025) replaced custom Halo2 zkEVM circuits with OpenVM (Plonky3-based STARK + Halo2-KZG wrapper). Internal STARK is FRI-based and PQ-conjectured, but the L1-verified bundle proof wraps to Halo2-KZG over BN254 (Shor-vulnerable), and user signing is ECDSA secp256k1.

inLinkedIn ↷Audit access ⇆Compare Verified 2026-05-01

Summary

Scroll is a Type-2 zkEVM rollup on Ethereum that completed its largest architectural change to date in April 2025 (Euclid upgrade): it deprecated custom Halo2 zkEVM circuits and migrated to OpenVM, a Plonky3-based STARK zkVM developed by Axiom. The internal proving stack is now FRI-over-BabyBear with Poseidon2 hashing, primitives that are not Shor-broken. However, the final bundle proof is wrapped in a Halo2-KZG SNARK over BN254 for on-chain verification on Ethereum, and that wrapper plus all inherited Ethereum signature surfaces (ECDSA secp256k1) remain Shor-vulnerable. Scroll has published no PQC roadmap, no PQC milestones, and no foundation statement on quantum readiness as of 2026-05-01. Sequencer and prover remain centralized under the Scroll Foundation; the Security Council is being dissolved (April 2026 proposal) in favour of an internal team multisig. Migration Stage 0. Raw QRI 27. After-cap QRI 27. Band 2 Acknowledged (boundary case; Band 1 also defensible). CI plus-minus 12. Key uncertainties: OpenVM internals continue to evolve; trusted-setup parameters for the Halo2-KZG wrapper inherit from Perpetual Powers of Tau; no public Scroll Foundation PQC statement exists.

What the gates say

Gate 1a, Hybrid signature: FAIL , no hybrid-signature composition declared anywhere; signing path is pure ECDSA secp256k1
Gate 1a, Hybrid KEM: FAIL , RPC and validator-gossip-equivalent transport uses classical X25519/ECDH; no hybrid KEM
Gate 1b, Commit-to-hash: COND , Gate 1a-Sig is FAIL outright
Gate 2, Evidence reconstruction: PASS , every sub-score reconstructible by independent third party in 48 hours
Gate 3, Primitive naming: PASS , every sub-score names primitives concretely: ECDSA secp256k1, Halo2-KZG over BN254, FRI over BabyBear, Poseidon2

Burn-vs-rescue policy on file

Declared option f, Undeclared. Scroll has published no policy on what happens to ECDSA-protected user funds, historical Halo2-KZG bundle proofs, or pre-PQ-migration L1 settlement state in a post-CRQC scenario.

Seven dimensions

Each dimension scores 0–100 internally; the weighted roll-up produces the QRI.

1 Cryptographic Exposure weight 12% 42 / 100

1a · primitive inventory 14 / 20

Scroll's docs defer cryptographic detail to OpenVM upstream.

Primitives: ECDSA secp256k1 (transaction signatures) · Keccak-256 (Ethereum-state hashing, EVM compatibility) · Poseidon2 (zk-friendly hashing inside OpenVM STARK) · BabyBear (31-bit prime field for OpenVM AIR) · FRI (batched FRI-based polynomial commitment) · Halo2-KZG over BN254 (final bundle-proof SNARK wrapper for L1) · BLS12-381 and BN254 pairings (zkVM precompile-level) · SHA-256 (added in OpenVM v1.0.0)

1b · shor grover pq tag 10 / 20

Tags:

ECDSA secp256k1 → Shor-break-via-DL-without-pairings
Halo2-KZG over BN254 → Shor-break-via-pairings
BN254 / BLS12-381 pairing precompiles → Shor-break-via-pairings
Keccak-256 / SHA-256 → Grover-weaken (256→128 bit)
Poseidon2 → Grover-weaken (research-grade, tier 4)
FRI over BabyBear → PQ-safe (FRI-based, hash-based soundness)

1c · family diversity 10 / 20

Two cryptographic families: discrete-log/pairing-based ECC and hash-based. No lattice, code-based, or isogeny in production. Hash-based portion does not protect any signing or settlement surface today.

1d · nist security category 0 / 20

Voided. Scroll has shipped no NIST PQC standardised primitive.

1e · implementation quality 8 / 20

OpenVM proving stack has third-party audits coordinated with the Security Council. February 2026 ecPairing-subgroup-check bug surfaced via Immunefi. Cryptanalytic tier: tier 1 (ECDSA, SHA-2/Keccak), tier 4 (Poseidon2).

2 Quantum Recovery Exposure weight 8% 38 / 100

Forge subtotal: 30/75 Decrypt subtotal: 8/25

2a · active key exposure 8 / 25

Scroll uses Ethereum's EOA model. Bridged TVL is custodied in the L1 Rollup contract on Ethereum, so dominant forge surface is Ethereum-side.

2b · cold key exposure 12 / 25

Same ECDSA secp256k1 inheritance. Scroll-resident TVL never spent retains a P2PKH-like exposure model.

2c · sig long term validity 10 / 25

Historical L2 transactions signed under ECDSA; historical bundle proofs are Halo2-KZG over BN254. Both Shor-vulnerable.

2d · encryption confidentiality hndl 8 / 25

Validator gossip and RPC TLS use classical X25519/ECDH/RSA. No hybrid PQ KEM declared at any transport layer.

3 Metadata, Anonymity & Confidentiality weight 8% 22 / 100

3a · tx graph visibility 5 / 20

Pseudonymous, Ethereum-equivalent. All Scroll transactions are publicly visible.

3b · rpc mempool concentration 6 / 20

Scroll-hosted RPC plus Alchemy/Infura/QuickNode/Ankr concentrate traffic. Sequencer is centralized; no decentralized mempool.

3c · cross chain bridge correlation 6 / 20

Native L1↔L2 bridge (ScrollMessenger). Third-party bridges (Across, LayerZero) add similar correlation.

3d · retroactive de anonymization 5 / 20

Halo2-KZG bundle proofs over BN254 do not encode user identity. Privacy on Scroll is the same as on Ethereum (pseudonymous baseline).

3e · mixnet shuffle 0 / 20

No protocol-level mixing or shuffle.

4 Migration Architecture weight 15% 55 / 100

4a · crypto agility 7 / 15

Euclid upgrade (April 2025) deprecated halo2 zkEVM circuits and replaced them with OpenVM without forking user state. Verifiable production instance of large-scale cryptographic-stack replacement. EIP-7702 supported on Scroll post-Euclid.

4b · aa key rotation 12 / 20

ERC-4337 supported on Scroll. EIP-7702 supported via Euclid. No documented chain-specific client-layer PQC path.

4c · hard fork track record 10 / 15

Two coordinated upgrades in last 18 months: Euclid (April 2025) and February 2026 emergency upgrade (zkvm-prover ecPairing fix). August 2025 minor emergency upgrade adds third datapoint.

4d · hybrid deployment readiness 3 / 15

Architecturally Scroll could expose OpenVM internal STARK directly on L1 (FRI verification on-chain), FRI is hash-based/PQ-safe. Not architected, not announced.

4e · stateful hash state management 15 / 15

N/A → full credit (stateless schemes only).

4f · bft aggregation path 0 / 20

N/A, Scroll inherits Ethereum L1 consensus; sequencer is single-operator. Reweighted across remaining sub-scores.

5 Deployment Execution weight 22% 15 / 100

5a · mainnet pqc traffic pct 0 / 25

0% of signing traffic uses any PQC primitive on Scroll mainnet.

5b · pqc code in consensus client 0 / 15

No PQC primitive merged into Scroll execution client. The OpenVM-internal Plonky3 STARK is FRI-based but is a proving-system choice, not PQC migration deployment.

5c · validator pqc key adoption 0 / 15

Single-sequencer operator, ECDSA secp256k1. 0% PQ-key adoption.

5d · published dated milestones 0 / 10

VOIDED to 0 per v3.1 (5a = 0).

5e · pqc washing delta 15 / 15

Announced PQC: 0. Shipped PQC: 0. No washing. Full credit.

5f · signature footprint multiplier 0 / 20

Undisclosed. No PQ signature scheme integrated.

6 Supply Chain Vendor Readiness weight 25% 7 / 100

6a · wallet 2 / 25

Top-3: MetaMask, Rabby, Coinbase Wallet. None has dated PQC migration roadmap. Hardware wallets silent on PQC for ECDSA paths.

6b · bridge 1 / 25

Top: Scroll Bridge (native), Across, LayerZero. No bridge has shipped or pre-announced PQC migration.

6c · custodian 2 / 25

Top custodians: Coinbase Custody, Fireblocks, BitGo. Industry-wide MPC-PQ readiness is research-stage; no production deployment.

6d · rpc hsm tee infra 2 / 25

RPC providers (Scroll-hosted, Alchemy, Infura, QuickNode, Ankr): no PQC roadmap. AWS KMS shipped hybrid PQ KEM in TLS endpoints (2024) but not in Scroll signing path. TEE not on Scroll's critical path.

7 Governance & Coordination weight 10% 35 / 100

7a · validator stake distribution 4 / 20

Single sequencer, single prover, both operated by Scroll Foundation. Permissionless force-inclusion via L1MessageQueue. Nakamoto coefficient at sequencer level: 1.

7b · upgrade cadence under pressure 14 / 20

February 2026 emergency upgrade: Immunefi disclosure → privately tested fix → Security Council mainnet deployment, within days. August 2025 emergency upgrade similarly fast.

7c · named coordination lead 8 / 20

Scroll Foundation as protocol coordination body. April 2026 proposal dissolves Security Council and transitions to internal multisig. No published PQC working group, no named PQC migration lead.

7d · adversarial coordination precedent 9 / 20

February 2026 ecPairing fix is a coordination-under-attack-class event: soundness-critical bug disclosed by adversarially-incentivised researcher, fixed and deployed without exploit.

7e · canary tripwire mechanism 0 / 20

No documented canary, no rate-limited spending rule, no cryptographic tripwire embedded.

X + Y vs Z, when does the math turn against you?

v3.1 demotes the X+Y vs Z timing test to a secondary signal, the headline output is Migration Stage. The timing test still answers the question: can this chain finish migrating before the threat lands?

X, signature shelf life

5-10 years

Y, migration time

8-12 years to Stage 5

Z10 (10% CRQC year)

2030

Z25 (25% CRQC year)

2035

Verdict

X+Y reaches 2031-2048, Crisis Zone (vs Z10 2030); Outside risk window in median (vs Z25 2035)

Z-compliance

Outside compliance window for NIST 2035 disallowance

Source-disagreement disclosure

v3.1 requires every chain card to publish material divergences among authoritative sources, plus the delta-QRI under alternative weighting.

Internal STARK PQ-safe vs settlement-layer Shor-vulnerable

The OpenVM internal proving stack (Plonky3 STARK + FRI + Poseidon2 over BabyBear) is hash-based and not Shor-broken. The L1 wrapper (Halo2-KZG over BN254) and the user signing layer (ECDSA secp256k1) are both Shor-broken. We treat settlement and signing as the determining surfaces because that is where value is custodied.

Stage 1 vs effective Stage 0

L2BEAT publicly classifies Scroll as Stage 1. The April 2026 Security Council dissolution proposal raises a question over whether the formal governance structure that was a Stage 1 prerequisite still meets criteria after transition to a single internal multisig.

Delta-QRI under alternative weighting

If Dim 1 weight increases to 20% and Dim 6 weight decreases to 17%, Scroll's QRI rises from 27 to roughly 30 (still Band 3 nominally, Band 1-2 by definition test).