Demyd Korotkykh
Security analyst at HackenProof

Researching security of zkSync projects

zkSync (where zk stands for zero-knowledge) is one of the ZK rollups that offer L2 solutions for Ethereum. The purpose of zkSync is to make Ethereum faster and cheaper without compromising on security.

The goal of the research was to learn how well secured the zkSync ecosystem is. To measure this, we agreed on 2 factors that determine security:

  • code audits
  • bug bounties

The first step was listing all zkSync projects. While categorizing these projects, we noticed that a lot of them are associated with the blockchain rather than used to connect with the blockchain. That is why we filtered out third-party projects that do not connect directly with zkSync.

In the end, we had 180 projects:

  • 92 dApps
  • 65 Infrastructure
  • 23 Wallets

We then counted how many zkSync projects are protected by either of the approaches.

zkSync Security Infographics

zkSync Research Insights

zkSync has an impressive number of projects secured by a code audit or bug bounty program (50% of all dApp, infrastructure and wallet projects). This is a lot compared to Near protocol or Avalanche.

But this is a characteristic of zk rollup-based projects: such projects are easy to maintain, cheaper to audit, and their bounties are easier to pay off (fewer critical bugs found).

So more zkSync projects are secured by design, while an audit or bug bounty is more of a trust factor than a security solution.