Dear Bankless Nation,
The last couple of years have brought massive growth to layer-2 networks on Ethereum, particularly optimistic rollups like Arbitrum and Optimism. Value is moving towards them, but are they growing too big, too fast?
– Bankless team
Bankless Writer: Jack Inabinet [disclosures]
Optimistic rollups were never for the pessimists. Arbitrum and Optimism, two of Ethereum’s leading optimistic rollups, have seen their TVLs climb by an impressive 108% and 52%, respectively, since the start of the year.
But despite their benefits, optimistic rollups are not the endgame of Ethereum scaling. While they’ve ballooned in terms of TVL and have helped to cement L2s as an integral component of the Ethereum ecosystem, the potential for a black swan attack on a core security component of optimistic rollups only increases with their rising success.
Today, we’re unpacking why optimistic rollups (despite their popularity) remain vulnerable to exploitation, exploring the zero-knowledge solutions mitigating all of these concerns, and harkening back to The DAO hack to explain why Ethereum might not simply fork its way out of another major exploit. 👇👇
😱 Optimistic Vulnerability
As their name suggests, optimistic rollups optimistically assume that the state of the rollup published by the operator to Ethereum is correct unless proven otherwise, and derive their security from cryptographic “fraud proofs”.
Today, Arbitrum is the only major L2 with working fraud proofs and for now only permissioned actors are allowed to prove that its state is incorrect. If an actor disputes the state of the chain, the rollup protocol will initiate a fraud proof computation, a form of on-chain conversation between the challenger and rollup, to determine whether the state is valid. If not, the transaction state changes (i.e.; transactions) are reverted and the hash is reset to a provably correct state root. Optimistic rollups have coalesced around a standard challenge period of seven days, giving well-intentioned actors plenty of time to dispute the state of the rollup.
The security of an optimistic rollup, however, is predicated on two central assumptions:
1. Someone submits a fraud proof in the case of an invalid state
With respect to assumption one, we can reasonably expect an invalid state to be challenged by an honest participant via attempted publication of a fraud proof.
2. The underlying L1 remains censorship-resistant
Ethereum’s censorship-resistant qualities are certainly laudable. EIP-1559, for example, exponentially increases the base fee – the component of the transaction fee that is burned – when blocks are full. In theory, this should prohibit an actor from profitably DDoS-ing the L1 through spam transactions to prevent the publication of fraud proofs, as cost of gas required for the attack will quickly exceed the value held in the rollup well in advance to the end of the seven-day challenge period.
Unfortunately, even in the hypothetical future world where all optimistic rollups have permissionless fraud proofs, a concerning attack vector still exists. Albeit unlikely, it remains possible to prevent the publication of fraud proofs while circumventing EIP-1559’s exponentially increasing gas fees through validator collusion.
Contesting parties must be able to submit fraud proofs at the L1 level, as the rollup protocol interprets the absence of any challenge as implicit consent to its state. Potential censorship of fraud proofs stemming from collusion at the L1 invalidates point two, nullifying the security promises of the rollup.
⏰ Inevitable Alternative
While their optimistic counterparts have been easier to implement – and dominate Ethereum’s L2 landscape today, zero-knowledge rollups are likely to disrupt the current paradigm, offering instantaneous confirmation, faster finality, higher throughput, and native privacy.
Instead of disputing an incorrect rollup state with fraud proofs, this category of rollups opts for validity proofs, a form of off-chain computation that verifies the correctness of transactions submitted by the rollup’s operator and proves the correctness of the rollup without needing to reveal the state itself.
While cryptographically complex, this proving design means that the posted state will always reflect the correct state of the L2 and means zero-knowledge rollups only depend on the censorship-resistant properties of Ethereum for liveliness and not security, like optimistic rollups do under their fault proof schemes.
Some of these zero-knowledge rollups have already made their way to mainnet and their rapid adoption is displaying the demand for zero-knowledge scaling solutions built on top of Ethereum.
Leading the pack is zkSync’s Era, which has seen the most aggressive inflows in terms of both users and TVL (due in large part to airdrop speculation) and amassed an eye-watering $155M in TVL since deploying to mainnet in late March.
Competitors have undeniably struggled to enjoy similar success, however both Starknet and Polygon’s zkEVM rollup have seen aggressive TVL inflows since the beginning of April.
Just yesterday, Polygon Labs proposed an upgrade to the existing Polygon PoS chain, in the process injecting further confusion into conversations around what constitutes a “rollup”.
One key distinction, however, separates the zero-knowledge rollups highlighted above (including the Polygon’s zkEVM rollup) from the zero-knowledge validium that appears to be the future of the Polygon PoS chain.
Publication of validity or “zk” proofs to Ethereum indeed guarantees the correctness of Polygon PoS state transitions, however users will still be dependent on the MATIC network to preserve the data availability and functionality of the validium.
While this approach will undeniably slash transaction fees and increase scalability, by outsourcing data availability beyond Ethereum, the “validium” vision proposed for Polygon PoS will not inherit the full Ethereum-backed security package and liveness available to true zero-knowledge rollups.
😓 The DAO Hack
When considering any future potential black swan event, it’s helpful to reflect on history. Less than one year after Ethereum went live, the nascent ecosystem was forced to reckon with a disastrous event: The DAO hack.
The DAO launched in April 2016 and was able to raise $150M over a brief four week formation period by granting unprecedented voting powers to token holders. Unfortunately, their unprecedented success in fundraising was short lived and an exploiter used a reentrancy attack to drain nearly all of the ETH controlled by The DAO.
Despite the best efforts of the white-hat hacker group “Robin Hood” to recover these funds, the attacker was left with $40M ETH, amounting to 5% of the circulating Ether supply at that time. In the chaotic aftermath, Etherians reached for the ultimate reset button: an irregular state change!
While Ethereum frequently resorts to coordinated hard forks to implement protocol upgrades, as seen during the Merge and Shapella, cleaning up The DAO hack required additional steps. Not only did this hard fork fix the bug that proved the downfall of The DAO, it also returned all of the hacked funds to their rightful owners.
Rewinding the clock to roll back The DAO hack was a contentious decision, with much of the pushback coming from the Bitcoiners who argued that an irregular state chain degrades the trustworthiness of the Ethereum network and circumvents the entire premise of a blockchain’s immutability. In the end, pro hard forkers won the battle, a feat made possible only through concerns that the hacker’s large concentration of Ether stake (5%) would make it equally difficult to take the network seriously.
Demands for such a reset will be made if a rollup is exploited – and for good reason, seeing as it worked out alright before – but don’t cross your fingers just yet, anon: no one is coming to bail out your crypto project this time.
The decision to hard fork is not one that is made lightly and its use to manipulate account balances does indeed compromise the value proposition of blockchain technology. Requests to implement similar hard forks have languished in proposal purgatory, like EIP-867 (which aimed to standardize fund recovery requests) and EIP-999 (written to undo the 513k ETH Parity Wallet catastrophe).
Ethereum Magician Vitalik Buterin himself recently issued a glaring rebuke to any would-be rollup rollback stans in his essay “Don’t overload Ethereum’s consensus,” in which he argues that fragile social consensus creates a high risk of a chain split and that hard forks should be used sparingly in mature communities.
While the piece leaned heavily into the dangers posed to social consensus by restaking, Vitalik explicitly flags a rollup’s potential reliance on Ethereum to fork and recover funds as a high-risk application of consensus, and thus one likely to result in a chain split.
Unless we see a radical changing of the guard in the Ethereum community, it is unlikely that we will see another The DAO-style irregular state change to paper over a rollup exploit.
TL;DR
Truthfully, we’re still extremely early in Ethereum’s scaling journey!
Optimistic rollups represent devs’ best attempt at scaling Ethereum to date, but they remain vulnerable to exploitation and have attack surfaces that only enlarge with their increasing success. Faced with the reality that Ethereum’s social consensus will likely not be coming to the rescue of an exploited optimistic rollup, however, it is imperative to seek alternative scaling solutions.
While shortcomings are evident today, it is inevitable that further time and development will allow the teams behind the various zero-knowledge rollups and rollup-like scaling approaches to perfect their solutions, remedying Ethereum’s present scaling challenges. 🏴
Action steps
Read More: www.bankless.com