Introducing Scroll, a new layer2 solution

Hi all,
I’m Ye Zhang, a Ph.D. student at NYU. We’re building a new layer2 system on Etherum based on Rollup. Here is a draft introduction:

Three main differences from other Rollup projects:
(1) We are considering combining two different zero-knowledge proof systems for both on-chain and off-chain efficiency. If the recursive proof system is efficient enough, we will also consider that.
(2) We use commitment (UTXO) as the middle layer for interaction between different layer2 ASIC circuits. So ASIC circuits can interact and combine arbitrarily. It’s similar to Zexe. We will eventually move to recursive proof for the CPU circuit if it’s feasible enough in the future.
(3) We want to use a new incentive mechanism for layer2 mining and let “miners” be volunteers to generate proofs for us. It’s a little similar to snarker in Mina. The mechanism is still working under progress thus we didn’t provide many details in the article. We think it can eliminate the problem of MEV by separating batching and proving.

We are still at a very early stage for development and hope to get more feedback from the Ethereum community. Also, we are hiring, if anyone is interested in joining, pls email us ( Some are still open problems for all L2. If you are interested in doing research or solving some problems or collaborating or giving suggestions, we can also talk and build a better layer2 together. Email me at



How does this compare to the Aztec zk-zk rollup’s vision? Are there any large technical differences between what they are doing and your approach?

1 Like

Hi, Thanks for your interest!
It’s true that this framework can easily support privacy due to the underlying two-layer zero-knowledge proof system (like Aztec does in zk-zk rollup). However, we don’t focus on privacy for now. We focus more on the practical efficiency to support more dedicated DeFi circuits and their interactions on layer2.

So, one difference behind this is that we use two different zkp systems for efficiency instead of privacy.
Most rollup only supports Transfer and Swap circuits using Merkle Tree. It’s hard to support more complicated DeFi and larger applications. It takes a fairly long time to generate a snark proof for large-sized computation. However, there are indeed many prover-efficient protocols with longer proof size or longer verification time. For example, zk-stark, spartan, and many GKR-based protocols are efficient for prover but not as succinct as snark for the verifier. We want an efficient off-chain prover and efficient verifier to reduce the on-chain gas cost. So we combine two different zkp systems to support large circuits in the future. This is also pretty much similar to Mina’s/Zcash’s cross-chain bridge to Etherum ---- the Pickle system or Halo2 can support recursive proof but the verification is costy on EVM, we need another “wrapping” layer for the verification.

Another technical difference is that we propose a new interaction model through the commitment scheme.
We think it’s still hard to support general zkEVM at this point and each DeFi circuit still needs to be written manually for efficiency. The problem for circuit auditing might be solved in the future by a stronger compiler with math proof (i.e., Leo compiler supports verification for zkp circuits, see Leo paper). However, such separated circuits are hard to interact like smart contracts usually does. One way to allow general interaction is importing different DeFi ASIC circuits and generate one proof for all in one shot. However, this might bring more problems with the increasing size of the composed circuit. We give a more clear way to model interactions between those circuits. It’s like a hybrid version of the account based model and UTXO model where you generate proofs for separate parts and link them together in the end.

The last thing is that we want to enable layer2 mining where everyone can still join to generate the proof. This looks easy but needs a careful incentive mechanism design to avoid the situation where the fastest miner always wins.

All those ideas are very open for discussion and expect more feedbacks from the Ethereum community.

Our specific roadmap is that:
(1) Test the layer2 mining model with one zkp layer (i.e. zksync or loopring).
(2) Add more DeFi circuits and test for the best interaction model (i.e. nft, lending and other protocols)
(3) Move to the new layered proving system with the best efficiency (i.e. halo+plonk)

We will make some adjustments depending on concrete performance of zkEVM. We believe recursive proof+VM with the solidity support will be the winning solution in the future. But even with VM, the exploration of DeFi ASIC circuits will be useful as builtins or sub gadgets. We are looking forward to more discussion of all those details. Email me at or :slight_smile:

1 Like