The chief selling point of layer-2 blockchains built atop Ethereum — aside from increased throughput — is security. Ideally, it should be faster and cheaper to interact with L-2s, but also as safe to transact as using Ethereum.
Unsurprisingly, in practice it’s complicated and not always black and white.
“Security,” in this context, refers to the settlement guarantees on Ethereum mainnet. That translates to how certain a user can be that their L-2 transactions will be finalized correctly — without censorship — and whether assets remain safe from being stolen by the more performant layer-2.
We’re not talking security from smart contract bugs at the level of applications (it’s not about avoiding exploits or rugpulls), but whether the Ethereum Virtual Machine runs the code and reconciles its state per specifications.
There’s not a universally accepted definition of what it means to be “secured by Ethereum.” According to Louis Guthmann, ecosystem lead at StarkWare, a key feature of assessing whether an L-2 is “secured by Ethereum,” is the existence of an “escape hatch” — a way to permissionlessly exit with one’s assets back to Ethereum mainnet.
“A layer-2 requires a mechanism that allows itself to resolve its challenges using the main chain,” Guthmann told Blockworks.
Data aggregator L2Beat defines a layer-2 as “a chain that fully or partially derives its security from [Ethereum mainnet] so that users do not have to rely on the honesty of L2 validators for the security of their funds.”
It provides a handy “risk analysis” framework for keeping track of various L-2 options. Projects are ranked by total value locked (TVL), not security, but the framework compares all active layer-2s across a spectrum of security-related criteria.
Of these, the “state validation” method is what L2Beat deems “most important” because that is how the chain “ensures that L2 validators cannot cheat and include invalid transactions in a L2 block, e.g. mint coins out of thin air or steal your coins,” according to the site’s FAQ.
Validation occurs through either validity proofs (also known as ZK proofs) or fraud proofs (also known as fault proofs).
A zero-knowledge proof is a cryptographic technique used in layer-2 rollups to verify the correctness of a transaction or computation without revealing any sensitive information.
Imagine you have a treasure chest with a secret combination lock, and you want to prove to your friend that you know the correct combination without actually telling them the numbers. With a zero-knowledge proof, you can demonstrate conclusive that you can open the chest and thus have the combination, without actually disclosing the sensitive information.
Fraud proofs are an alternative way to detect and prevent malicious activities or errors in the transaction processing on a rollup. It ensures that the transactions executed off-chain are honest and accurate.
A fraud or fault proof on Ethereum mainnet acts like a referee who checks the moves of a chess game to make sure they are valid. If anyone tries to cheat or submits an incorrect game state, fraudulent of faulty action won’t be accepted.
Data availability refers to whether transaction data is stored on Ethereum mainnet — the most secure — or elsewhere.
Combining these two, we have four widely accepted varieties of Layer-2s. Per L2Beat:
- zkRollups — Validity Proofs with data on L1 Ethereum;
- Optimistic Rollups — Fraud Proofs with data on L1 Ethereum;
- Validium — Validity Proofs with data kept off-chain; and
- Plasma — Fraud Proofs with data kept off-chain.
Each of these varieties entails tradeoffs, and some may be more suited to specific use cases than others.
The first zk proof-based rollup was Loopring, which launched a dex back in February 2020. But it has stagnated in recent years, L2Beat data shows, processing about one transaction every 10 seconds, while the chain’s TVL has fallen 88% from its 2021 peak, and consists of over 50% LRC — the chain’s own native token.
A new focus on its smart wallet and gaming initiatives remains.
Optimistic rollup launch
The first optimistic rollups to hit mainnet were Arbitrum (ARB), launched in August 2021 and Optimism (OP) followed in December 2021.
Both took up the “secured by Ethereum” mantle through the mechanism of fraud proofs. According to Optimism developer OP Labs, “fault proofs” is a more accurate term.
“The system isn’t always detecting ‘fraud,’ the majority of the time it’s just ‘fault’ (i.e. a node wasn’t synced and it agrees with an incorrect output root, etc.),” an OP Labs spokesperson told Blockworks. But L2Beat uses the more common “fraud proof” and they are conceptually interchangeable.
The difference initially was in the details of the fraud proof implementation. Optimism opted for a simpler “single-round” proof design, while Arbitrum developer Offchain Labs preferred “interactive proofs.”
A subsequent audit of Optimism by security researcher Yoav Weiss showed in March 2022 that “single-round fraud proofs are hard to secure,” for which he received a retroactive grant from the Optimism team.
“If fraud proofs become too complex, they could make full decentralization too risky,” Weiss wrote. “A malicious sequencer could corrupt and rugpull the entire rollup if it can make an unprovable state transition.”
The sequencer is a key component of rollups responsible for transaction ordering and can be centralized or decentralized, but today’s examples are predominantly centralized.
Optimism switched to an approach more similar to Arbitrum’s, in its “cannon” release, although Ben Jones, director at the Optimism Foundation, told Blockworks the “vulnerabilities were not the driver for us changing course.”
“It is true though that some flexibility is limited, and our decision to pioneer the first EVM equivalent L2 codebase made that flexibility and modularity more important than ever,” Jones said. “This was the main driver, alongside research breakthroughs resulting from the development of cannon.”
Of the two major optimistic rollups by TVL and activity, only Arbitrum has implemented fraud proofs. That has been a major point of contention between the two teams over security claims, with Offchain Labs co-founder Steve Goldfeder going so far as to analogize Optimism’s current status to “building cars without engines” but then trying “to sell one by putting a sticker on it that says ‘very powerful engine’.”
We can debate whether an optimistic rollup without fraud proofs has a place in production.
— Steven Goldfeder (💙,🧡) (@sgoldfed) June 20, 2023
But here’s what’s not debatable:
Those pushing this tech should not be using terms like “Secured by Ethereum”.
Without fraud proofs, Ethereum provides zero security.
Relative immaturity
Optimism’s recent Bedrock upgrade introduced a number of improvements, but fault proofs were not among them. Jones didn’t specify a timeline, but said “fault proofs are a key priority on our decentralization roadmap.”
“We are aiming towards reaching [L2Beat’s] Stage 2 decentralization as quickly as possible, and in our view, Stage 2 requires multiple implementations of the fault proof.”
L2Beat released its framework of “stages” earlier this month, building upon Ethereum co-found Vitalik Buterin’s proposed milestones. It notes the stages focus on decentralization “maturity” which is not necessarily directly analogous to security — although there are clear parallels.
Bedrock now has multiple execution clients, a unique feature Jones said, that is “paving the way for multiple [fault] proofs.”
And the OP Stack’s “superchain” concept isn’t limited to fault proofs, but can include zero-knowledge proofs as well. The Optimism Foundation recently put out a request for proposal to develop exactly that, encouraging teams such as Mina protocol’s O(1) Labs to complete its design.
O(1) Labs is excited to submit a proposal to @optimismFND for the application of our zero knowledge proof stack to OP Stack fraud proofs. This application is built on the groundbreaking MIPS zkVM we’re building as part of the @minaprotocol roadmap: https://t.co/ArAhablnrz 1/4
— O(1) Labs (@o1_labs) June 28, 2023
Jones says a successful candidate will improve composability between superchains in addition to providing redundancy.
“A very important note on this RFP is that it is for the same exact state machine which the fault proofs run,” Jones said. “This means that having a ZK-secured chain will not require sacrifices to EVM equivalence.”
Starkware’s Guthmann said “having more adoption of zk as their underlying proof system is very exciting for the ecosystem — it’s more investment more research and hopefully more efficient provers and infrastructure for blockchain to develop.”
He views L2Beats concept of Stage 0-2 rollups as “a bit too strict.”
To reach Stage 1, a rollup must have deployed a “complete and functional proof system,” with “at least five external actors who can submit fraud proofs,” and users must be able to exit to Ethereum mainnet “without the help of the permissioned operators.”
Stage 2 future requires “the rollup becomes fully managed by smart contracts,” with a permissionless fraud proof system — anyone can submit a proof — and at least a 30-day timelock for system upgrades, giving users “ample time to exit.”
This goes back to the notion of an “escape hatch.”
“The gap from 0 to 1 is tremendous,” Gutmann said. “And even from 1 to 2 is unrealistic for any L-2 that’s going to have a governance, because basically number two assumes that you’re never going to upgrade your system, which is problematic,” he said.
Jones said “permissionless withdrawals are insufficient to be ‘secured by Ethereum,’ if there is still a multisig which can unilaterally break security properties.”
Multi-signature wallet schemes are frequently used to manage the upgradability of smart contracts.
“The ability to withdraw to L1 — to another environment — is what makes them more interesting as a scaleability solution where you keep self-custody,” Gutmann said. Governance of a system relies on some kind of upgradeability, whether it’s Ethereum’s social consensus process, or proof-of-stake token voting, or a multisig controlled by a smaller group.
It’s fundamentally a question of where chains fall on the decentralization spectrum and Gutman said zero-knowledge tech enable scaleability gains to come without undermining decentralization.
Of the major rollups, only Arbitrum has reached Stage 1. (Decentralized exchange dYdX is listed based on its deployment on Starkware’s StarkEx system, but it will soon migrate to a Cosmos-based sovereign rollup.)
Gutmann thinks that classification is fully justified. “They’re doing much better than any of the other teams combined,” he said.
But ultimately, he expects zero-knowledge tech to become the standard on both a security and scalability basis.
“There is a difference between Optimism and their lack of fraud proofs, and zkSync and what Starkware does. There is a difference of technological advancement.”