Executed

[TPP-17] ZKsync Immunefi Bug Bounty Program 2026


by Cyfrin

ID 528992...7418

ZkTokenGovernor

Proposed on: Feb 13th, 2026

Actions

  1. Type: Custom; Account: 0x5A7d...af3E; Method: grantRole(..)
  2. Type: Custom; Account: 0x5A7d...af3E; Method: grantRole(..)

Title: ZKsync Immunefi Bug Bounty Program 2026
Proposal Type: TPP
One Sentence Summary: The ZKsync Token Assembly approves $1.6M USD in ZK (80M ZK @ $0.02) to fund the ZKsync bug bounty program on Immunefi for 2026 and $400k USD in ZK (20M ZK @ $0.02) for bug bounty payouts made in 2025.
Proposal Author: ZKsync Security Council
Proposal Sponsor: Cyfrin
Date Created: 13 February 2026
Version: v1.0
Total ZK Requested: 100M ZK ($2m USD)
Link to proposal discussion: ZKsync Forum post
Summary of Actions: Grant minter role to 2 ZK capped minters:
  • ZKsyncBugBounty2026: 0xc98b9FD0D62514E30c54857A58cc12c94495679D
  • ZKsyncBugBounty2025Retro: 0x724C33f00eE832c2A4216a6F6986d9C4029849d4

Summary

This proposal seeks approval to fund the ZKsync bug bounty program on Immunefi through two capped minters totalling 100M ZK:

  1. ZKsyncBugBounty2026 with $1.6m USD equivalent in ZK tokens (80M ZK) for forward-looking bug bounties; and
  2. ZKsyncBugBounty2025Retro with $400k USD equivalent in ZK tokens (20M ZK) in reimbursement to Matter Labs for bug bounty payouts made in 2025.

Abstract

ZKsync’s security is critical infrastructure for both the protocol and the broader ecosystem of ZK Chains. Vulnerabilities in ZKsync core contracts, circuits, tooling, or infrastructure can have cascading effects across ZKsync, ZK Stack deployments, and other ZK chains that rely on ZKsync technology.

The proposal establishes two distinct USD-denominated capped minters, one for forward-looking bug bounty funding and one for a one-time retroactive reimbursement. This structure provides clear scope separation, strong controls, and transparent accounting for a critical ecosystem-wide security function.

This proposal authorizes funding for:

  • Ongoing ZKsync bug bounty rewards administered via Immunefi, and
  • Reimbursement for historical bug bounty payouts made by Matter Labs in 2025.

Motivation

A robust bug bounty program is a critical security measure for ZKsync. Vulnerabilities in ZKsync affect not just a single network, but shared protocol components and tooling used across the ZK ecosystem.

Effective bug bounty programs:

  • Incentivize responsible disclosure over adversarial exploitation
  • Attract highly skilled security researchers to contribute to the protocol
  • Reduce systemic risk before vulnerabilities reach production

The existing Immunefi Bug Bounty program is a critical part of the emergency response procedure. With the Emergency Upgrade Board continuously on standby, upgrades in response to critical submissions can be escalated and executed within hours.

Historically, Matter Labs funded bug bounty payouts directly to ensure uninterrupted security coverage while Token Assembly funding mechanisms were still maturing. As ZKsync governance evolves, it is appropriate to:

  • Transition ongoing bug bounty funding into a governance-authorized structure, and
  • Retroactively reimburse prior, verifiable security expenditures that benefited the ecosystem as a whole

This proposal formalizes both objectives while maintaining strict caps, clear accountability, and full transparency.

Specification

This proposal authorizes two USD-denominated capped minters. The caps are converted to ZK at a conservative reference price of $0.02 per ZK, ensuring that ZKsync security is prioritized irrespective of market conditions.

If the prevailing market price of ZK is higher at the time of reimbursement, fewer tokens will be minted and any portion of the cap that is not utilized will remain unminted.

Bug Bounty Capped Minter Structure

1. 2026 Bug Bounty Funding

A capped minter with $1,600,000 USD equivalent (80M ZK @ $0.02) will be granted minting rights to fund future ZKsync bug bounty rewards. The ZKsync Security Council will be the admin, and will work with Immunefi and other ZKsync security maintainers to distribute bounties.

The scope of bounties for this program includes the following components, where vulnerabilities affect all ZK chains and applications that rely on ZKsync technology:

  • ZKsync protocol contracts
  • ZK Stack components
  • Critical tooling and infrastructure supporting ZKsync-based chains
  • Submissions under SEAL Safe Harbour Agreement passed in GAP 2

ZKsyncBugBounty2026 Capped Minter (Forward-Looking Bug Bounty)

Name: ZKsyncBugBounty2026
Contract Address: 0xc98b9FD0D62514E30c54857A58cc12c94495679D
Admin: ZKsync Security Council (0xfFB6126FF8401665081b771bB11cCD0e09f95D5A)
Target: ZK Token
Cap (ZK): 80M ZK
Start Time: 16 February 2026
End Time: 31 December 2026
Minter Role: To be granted by admin as needed

2. 2025 Bug Bounty Reimbursement

Matter Labs will be granted a capped minter for $400,000 USD (20M ZK @ $0.02) to cover bug bounty payouts made in 2025 on behalf of the ZKsync protocol. This one-time reimbursement will be limited strictly to historical, verifiable bug bounty rewards paid out in the 2025 calendar year.

ZKsyncBugBounty2025Retro Capped Minter (2025 Reimbursement)

Name: ZKsyncBugBounty2025Retro
Contract Address: 0x724C33f00eE832c2A4216a6F6986d9C4029849d4
Admin: ZKsync Security Council (0xfFB6126FF8401665081b771bB11cCD0e09f95D5A)
Target: ZK Token
Cap (ZK): 20M ZK
Start Time: 16 February 2026
End Time: 31 December 2026
Minter Role: Matter Labs Multisig (0xb84cFd9EBA97d991afa2E7B76b900804eE911Ab7)

Accountability Framework

  • The ZKsync Security Council reviews and verifies all bug bounty claims and payouts.
  • Conflicts of interest require recusal.
  • All reimbursements under this TPP are publicly documented and verifiable onchain.

Participants

  • ZKsync Security Council: Oversight, verification, and pausing authority on capped minters. Oversight on the ZKsync Immunefi bug bounty program.
  • Matter Labs: Primary day-to-day manager of the Immunefi bug bounty program.
