[TPP-17] ZKsync Immunefi Bug Bounty Program 2026
| Title | ZKsync Immunefi Bug Bounty Program 2026 |
|---|---|
| Proposal Type | TPP |
| One Sentence Summary | The ZKsync Token Assembly approves $1.6M USD in ZK (80M ZK @ $0.02) to fund the ZKsync bug bounty program on Immunefi for 2026 and $400k USD in ZK (20M ZK @ $0.02)) for bug bounty payouts made in 2025. |
| Proposal Author | ZKsync Security Council |
| Proposal Sponsor | Cyfrin |
| Date Created | 13 February 2026 |
| Version | v1.0 |
| Total ZK Requested | 100M ZK ($2m USD) |
| Link to proposal discussion | ZKsync Forum post |
| Summary of Actions | Grant minter role to 2 ZK capped minters:<br /> ZKsyncBugBounty2026: 0xc98b9FD0D62514E30c54857A58cc12c94495679D <br /> ZKsyncBugBounty2025Retro: 0x724C33f00eE832c2A4216a6F6986d9C4029849d4 |
Summary
This proposal seeks approval to fund the ZKsync bug bounty program on Immunefi through two capped minters totalling 100M ZK:
- ZKsyncBugBounty2026with $1.6m USD equivalent in ZK tokens (80M ZK) for forward-looking bug bounties; and
- ZKsyncBugBounty2025Retrowith $400k USD equivalent in ZK tokens (20M ZK) in reimbursement to Matter Labs for bug bounty payouts made in 2025.
Abstract
ZKsync’s security is critical infrastructure for both the protocol, and the broader ecosystem of ZK Chains. Vulnerabilities in ZKsync core contracts, circuits, tooling, or infrastructure can have cascading effects across ZKsync, ZK Stack deployments, and other ZK chains that rely on ZKsync technology.
The proposal establishes two distinct USD-denominated capped minters, one for forward-looking bug bounty funding and one for a one-time retroactive reimbursement. This structure provides clear scope separation, strong controls, and transparent accounting for a critical ecosystem-wide security function.
This proposal authorizes funding for:
- Ongoing ZKsync bug bounty rewards administered via Immunefi, and
- Reimbursement for historical bug bounty payouts made by Matter Labs in 2025.
Motivation
A robust bug bounty program is a critical security measure for ZKsync. Vulnerabilities in ZKsync affect not just a single network, but shared protocol components and tooling used across the ZK ecosystem.
Effective bug bounty programs:
- Incentivize responsible disclosure over adversarial exploitation
- Attract highly skilled security researchers to contribute to the protocol
- Reduce systemic risk before vulnerabilities reach production
The existing Immunefi Bug Bounty program is a critical part of the emergency response procedure. With the Emergency Upgrade Board continuously on standby, upgrades in response to critical submissions are able to be escalated and executed within hours.
Historically, Matter Labs funded bug bounty payouts directly to ensure uninterrupted security coverage while Token Assembly funding mechanisms were still maturing. As ZKsync governance evolves, it is appropriate to:
- Transition ongoing bug bounty funding into a governance-authorized structure, and
- Retroactively reimburse prior, verifiable security expenditures that benefited the ecosystem as a whole
This proposal formalizes both objectives while maintaining strict caps, clear accountability, and full transparency.
Specification
This proposal authorizes two USD-denominated capped minters, converted to ZK using a price of 0.02 USD. The capped minters are calculated using a conservative reference price of $0.02 per ZK, ensuring the ZKsync security is prioritized irrespective of market conditions.
If the prevailing market price of ZK is higher at the time of reimbursement, fewer tokens will be minted and any portion of the cap that is not utilized will remain unminted.
1. 2026 Bug Bounty Funding
A capped minter with $1,600,000 USD equivalent (80M ZK @ $0.02) will be granted minting rights to fund future ZKsync bug bounty rewards. The ZKsync Security Council will be the admin, and will work with Immunefi and other ZKsync security maintainers to distribute bounties.
The scope of bounties for this program include the following components where vulnerabilities affect all ZK chains and applications that rely on ZKsync technology:
- ZKsync protocol contracts
- ZK Stack components
- Critical tooling and infrastructure supporting ZKsync-based chains
- Submissions under SEAL Safe Harbour Agreement passed in GAP 2
ZKsyncBugBounty2026 Capped Minter (Forward-Looking Bug Bounty)
| Parameter | Value |
|---|---|
| Name | ZKsyncBugBounty2026 |
| Contract Address | 0xc98b9FD0D62514E30c54857A58cc12c94495679D |
| Admin | ZKsync Security Council 0xfFB6126FF8401665081b771bB11cCD0e09f95D5A |
| Target | ZK Token |
| Cap (ZK) | 80M ZK |
| Start Time | 16 February 2026 |
| End Time | 31 December 2026 |
| Minter Role | To be granted by admin as needed |
2. 2025 Bug Bounty Reimbursement
Matter Labs will be granted a capped minter for $400,000 USD (20M ZK @ $0.02) to cover bug bounty payouts made in 2025 on behalf of the ZKsync protocol. This one-time reimbursement will be limited strictly to historical, verifiable bug bounty rewards paid out in the 2025 calendar year.
ZKsyncBugBounty2025Retro Capped Minter (2025 Reimbursement)
| Parameter | Value |
|---|---|
| Name | ZKsyncBugBounty2025Retro |
| Contract Address | 0x724C33f00eE832c2A4216a6F6986d9C4029849d4 |
| Admin | ZKsync Security Council 0xfFB6126FF8401665081b771bB11cCD0e09f95D5A |
| Target | ZK Token |
| Cap (ZK) | 20M ZK |
| Start Time | 16 February 2026 |
| End Time | 31 December 2026 |
| Minter Role | Matter Labs Multisig 0xb84cFd9EBA97d991afa2E7B76b900804eE911Ab7 |
Accountability Framework
- The ZKsync Security Council reviews and verifies all bug bounty claims and payouts.
- Conflicts of interest require recusal.
- All reimbursements under this TPP are publicly documented and verifiable onchain.
Participants
- ZKsync Security Council: Oversight, verification, and pausing authority on capped minters. Oversight on the ZKsync Immunefi bug bounty program.
- Matter Labs: Primary day-to-day manager of the Immunefi bug bounty program.
