Skip to main content

Scroll's Research Moat: Why the zkEVM Built With Ethereum Foundation Cryptographers Still Matters in 2026

· 12 min read
Dora Noda
Dora Noda
Software Engineer

Most Layer 2s were built by product teams who hired cryptographers. Scroll was built by cryptographers who decided to ship a product. That distinction — buried in the git history of the zkevm-circuits repository, where roughly 50% of the early commits came from Ethereum Foundation researchers and 50% from Scroll engineers — is now one of the more interesting moats in the zkEVM landscape. As six production zkEVMs compete for the same DeFi settlement and institutional traffic, Scroll's origin story isn't just marketing. It's a claim about how the underlying math was designed, audited, and hardened — and whether that difference can still matter when everyone ships fast proofs.

The PSE Collaboration Nobody Else Can Replicate

Scroll's zkEVM was not built in isolation. From its earliest commits, it was co-developed with the Ethereum Foundation's Privacy and Scaling Explorations (PSE) team — the same researchers who author the cryptographic libraries the rest of the industry depends on. The collaboration ran deep enough that both parties contributed roughly 50% of the PSE zkEVM codebase, with Halo2 — the proof system powering the circuits — jointly modified by the two teams to swap its polynomial commitment scheme from IPA to KZG. That change cut proof size meaningfully and made ZK verification on Ethereum economically viable.

This is the technical point competitors have trouble replicating. When the team writing your circuits is the same team auditing the cryptographic library those circuits compile into, a class of subtle bugs disappears. You are not integrating an external primitive and praying its edge cases match your assumptions — you are designing both sides of the interface together. PSE has since shifted focus to a new zkVM exploration, but the Halo2 fork Scroll inherits is still actively maintained upstream. That matters because a zkEVM is not a one-time deliverable. It is a cryptographic surface that needs to be continuously extended as Ethereum adds opcodes, precompiles, and hard-fork changes.

Contrast this with the competing architectures. zkSync Era uses a Type 4 approach, transpiling Solidity to its own custom bytecode optimized for proving. Starknet uses Cairo, a new language designed for STARKs, which means the entire development stack is custom. Polygon's zkEVM takes a bytecode-level approach closer to Scroll, but the cryptographic library and execution environment were developed in-house rather than in tandem with Ethereum Foundation researchers. Linea, Taiko, and others each occupy different points on the compatibility spectrum.

None of them can honestly market "our circuits were co-designed with the researchers who invented the proving system." That sentence is a Scroll-only sentence.

Bytecode Equivalence Is a Security Posture, Not a Feature

The Vitalik-authored zkEVM type classification has become standard industry taxonomy: Type 1 aims for full Ethereum equivalence at every layer, Type 2 preserves bytecode equivalence with minor internal modifications, Type 3 makes larger compromises for performance, and Type 4 abandons bytecode entirely for speed. In 2026, Scroll is working toward Type 2 while documenting every opcode and precompile difference transparently in its public docs.

The practical meaning of bytecode equivalence is this: a Solidity contract compiled with the standard Ethereum toolchain produces bytecode that runs identically on Scroll as it does on Ethereum mainnet. No recompilation. No custom compiler. No special libraries. The contract you audit on mainnet is the contract that executes on L2.

This sounds like a developer-experience feature. It is actually a security posture. Every additional transformation between mainnet bytecode and L2 execution is a surface where bugs can appear — silently, in production, after the audit has already concluded. zkSync Era's transpiler has shipped multiple edge-case bugs where Solidity constructs behaved differently on L2 than on L1. These are not theoretical risks. They are the kind of issues that destroy DeFi TVL when a lending protocol's liquidation logic behaves slightly differently than its developers verified.

Scroll's trade-off is explicit: bytecode equivalence caps peak throughput below more aggressively optimized Type 3 and Type 4 designs. You pay for security in TPS. For DeFi protocols settling real value, that trade is almost always the right one. For gaming and consumer apps where a bug is a rollback and not a bankruptcy, the trade is less clear — which is why the landscape has fragmented rather than consolidated.

The Multi-Team Audit Stack

Scroll's audit history reveals how seriously the team takes circuit correctness — and how hard it is to get right. The codebase has been independently reviewed by Trail of Bits, OpenZeppelin, Zellic, and KALOS, with different firms covering different surfaces:

  • Trail of Bits, Zellic, and KALOS reviewed the zkEVM circuits themselves — the cryptographic proofs of execution correctness.
  • OpenZeppelin and Zellic audited the bridge and rollup contracts — the Solidity layer that actually moves funds.
  • Trail of Bits separately analyzed the node implementation — the off-chain infrastructure that produces blocks and proofs.

The Trail of Bits engagement alone produced custom Semgrep rules built specifically for Scroll's codebase, meaning future contributors inherit a static-analysis layer tuned to the project's specific risk surface. OpenZeppelin has run multiple diff audits as the code evolved — not one big audit at launch, but continuous review of pull requests. This is how mature security programs work in traditional software, and it is still rare in crypto, where "we were audited" often means "someone looked at the code once in 2023."

Multi-team independent review matters because circuit bugs are unlike smart contract bugs. A Solidity reentrancy vulnerability can often be discovered by a careful reader. A bug in a PLONKish arithmetization of an EVM opcode requires an auditor who understands both the EVM semantics and the constraint system used to prove them. There are perhaps a few dozen people in the world qualified to find such a bug, and they are spread across Trail of Bits, OpenZeppelin, Zellic, KALOS, and a handful of academic groups. Scroll has engaged most of them.

Proof Generation: The Number That Actually Matters

Early zkEVM prototypes required hours to generate a single block proof. That was a research demo, not a production system. By 2026, the frontier has moved dramatically:

  • Current zkEVM implementations complete proof generation in roughly 16 seconds — a 60x improvement from early designs.
  • Leading teams have demonstrated sub-2-second proof generation, faster than Ethereum's 12-second block times.
  • Scroll's prover sits in the competitive range of this curve, with ongoing work on prover compression and GPU acceleration.

Why does this matter economically? Proof generation cost is the dominant variable cost of a zkEVM. Every second of prover time is electricity and amortized hardware. The difference between 16-second proofs and 2-second proofs is roughly an 8x reduction in the cost to settle a block — which translates directly into lower transaction fees for end users and higher margins for rollup operators.

The more interesting question is whether proof speed is now commoditizing. When every serious zkEVM ships sub-10-second proofs, the differentiator moves back to security, developer experience, and ecosystem — the axes where Scroll's research pedigree and bytecode equivalence compound over time. A year ago, "our proofs are fast" was a legitimate marketing claim. In 2026, it is table stakes.

The TVL Reality Check

Technical elegance does not automatically translate into economic traction. Scroll hit over $748 million in TVL within one year of its October 2023 mainnet launch — briefly establishing itself as the largest zk rollup by TVL. By late 2024, DeFi TVL had compressed to around $152 million after a peak near $980 million in October 2024. As of February 2026, the network has processed over 110 million transactions and supports more than 100 dApps built by 700+ active developers.

Compare the zk-rollup leaderboard in 2026:

  • Linea leads newer zk-rollups with ~$963 million TVL.
  • Starknet holds ~$826 million with ~21.2% YoY growth.
  • zkSync Era has ~$569 million with ~22% YoY growth and captured 25% of on-chain RWA market share in 2025 ($1.9 billion).
  • Cumulative L2 TVL reached $39.39 billion for the 12 months ending November 2025, with the overall L2 ecosystem at roughly $70 billion.

Scroll's position in this pack is middle-of-leaderboard rather than dominant. The gap between the technical moat ("we were built with PSE") and the economic outcome ("we are the #1 zkEVM by TVL") is real — and it is the strategic question facing the team through 2026.

Why the Research Moat Still Matters

The pessimistic read of Scroll's position: in a market where proof generation is commoditizing, where every major zkEVM ships with reputable audits, and where user acquisition comes from incentive programs rather than cryptographic elegance, does the PSE collaboration actually matter? Users do not check which proving system their rollup uses. Developers do not compare audit reports before deploying a stablecoin.

The optimistic read: cryptographic infrastructure is the kind of thing that does not matter until it suddenly matters catastrophically. A serious circuit bug in a competing zkEVM — the kind that allows a prover to forge a state transition — would be an extinction-level event for that chain's TVL and a reallocation moment for the entire ZK rollup category. In that scenario, "built with Ethereum Foundation researchers, audited by four independent circuit security teams, explicit bytecode equivalence with mainnet" becomes the default flight-to-quality destination.

This is not a hypothetical. The optimistic rollup space has had fraud-proof windows precisely because the industry understands that rare, catastrophic failures do happen. The ZK space has been lucky so far — no production zkEVM has yet shipped a verifiable soundness bug that led to user fund loss. When that day comes (and statistically, across six-plus production zkEVMs running for years, something will eventually break), the chains with the deepest research heritage and the most redundant audit stacks will absorb the displaced TVL.

Scroll is positioning for that day.

What This Means for Builders and Infrastructure

For protocol developers choosing a zkEVM in 2026, the calculus has shifted. A year ago, you picked based on proof speed, fees, and token incentives. Today, those factors are increasingly similar across the top six chains. The differentiators that persist:

  • Bytecode equivalence (Scroll, Polygon zkEVM) vs transpilation (zkSync) vs new VM (Starknet) — affects how much of your Ethereum tooling works without modification.
  • Cryptographic heritage — whether your circuits were built by the same community that maintains the proving libraries.
  • Audit depth — single-team vs multi-team, one-time vs continuous.
  • DA layer flexibility — whether you are locked into Ethereum calldata or can use blobs and external DA.

For infrastructure providers, the fragmentation is the story. Six serious zkEVMs, plus optimistic rollups, plus emerging SVM L2s, plus app-chains — each with their own RPC endpoints, indexing requirements, and node software. The winners in this landscape are not the chains themselves but the neutral providers who abstract the complexity away from developers.

BlockEden.xyz provides production-grade RPC and indexing infrastructure across Ethereum, major Layer 2s, and leading alternative chains. If you are building across zkEVMs and need reliable endpoints without operating your own node fleet, explore our API marketplace — it is built for teams who would rather ship product than operate infrastructure.

The Verdict

Scroll's PSE collaboration and bytecode equivalence posture are not going to win the TVL race on their own. Incentive programs, ecosystem partnerships, and institutional integrations matter too, and Scroll is in a fight there against chains with larger treasuries and earlier institutional relationships.

But the underlying claim — that a zkEVM built in tandem with Ethereum Foundation researchers, audited by four independent circuit security teams, and deliberately constrained to mainnet bytecode equivalence is a materially safer piece of cryptographic infrastructure than its competitors — is defensible. In a category where the rare catastrophic failure eventually arrives, that defensibility is worth something. How much it ends up being worth depends on whether the market prices safety before the accident or only after.

For 2026, the Scroll story is the story of whether research-grade security becomes a durable moat or gets outcompeted by faster-shipping teams with shallower cryptographic heritage. It is one of the more interesting experiments running in the L2 space — and the answer will shape how institutional allocators think about zkEVM risk for years.

Sources

Share on Twitter