Arbitrum Security Examined After Layer 2 TVL Surges to $6 Billion
With more than $6 billion locked into Ethereum layer 2 scaling solutions, questions are arising over the security of user funds bridged across L2 networks.
The total value locked across all layer 2 networks hit an all-time high of just over $7 billion in late November. Currently, it’s hovering around $6 billion which is an increase of around 500% over the past three months.
L2beat, which compares various layer 2 networks, has delved into the issue of security now that more and more crypto is locked up in the ecosystem.
In a blog post on Dec 8, L2beat took a closer look at the current market leader, Arbitrum, which has a 42% market share with $2.5 billion locked up.
Diving into Arbitrum
Aribitrum uses optimistic rollups to provide a full Ethereum experience without the painful transaction fees. Optimistic rollups rely on publishing data that is assumed to be correct to the chain and allowing a grace period for the transaction to be challenged. During this time, users can submit “fraud proofs” to signal that the data is incorrect.
There are three smart contracts that allow users to bridge layer 1 tokens across to Arbitrum. The researcher stated that “whoever controls these gateways (bridges) has indirect access to these funds,” before questioning the identity of the admin.
The contracts are controlled by a multi-sig that can upgrade implementation, and the rollup machinery itself, the report added. Arbitrum has stated that it will retain manual control over the system until the technology matures. L2beat sees this as a possible security compromise, stating:
One can then argue that until these controls are removed, the whole construction is no more secure than a simple bridge to a sidechain that is controlled and operated by a MultiSig.
Optimistic and zk-rollups both inherit their security from Ethereum layer 1 but there is a difference between a system that uses these with a clear path to decentralization and one that doesn’t L2beat said
The report concluded that L2 is still largely experimental tech and needs to be closely monitored by “vendor-neutral third parties” to ensure user funds remain secure;
What the community needs is live monitoring for all the major Rollups, alerting and — ultimately — tooling for users to opt out from whatever changes to the Rollup architecture and / or parameters are thrown at them by the Rollup administrators.
On its risks page, L2beat warns that Arbitrum only allows whitelisted actors to submit fraud proofs for the optimistic rollup and that the code that currently secures the system can be upgraded arbitrarily and without notice. Finally, if a whitelisted validator goes down, funds will be frozen as there is no mechanism to protect against validator outages.
In mid-September, Arbitrum experienced a brief outage due to a sequencer bug that affected transaction timestamps, but this was not related to rollup security.
Back to the list