Reunderstanding Layer 2 and Rollup from L2beat Risk Rating Metrics

Intermediate | Dec 17, 2023
This article explains why an objective, comprehensive set of risk assessment indicators is important for distinguishing between Layer 2 projects in the modular blockchain field. It analyzes the security issues that may arise at each stage, explains why L2 projects such as Arbitrum and Optimism remain in their current state, and discusses how these projects balance flexibility and security.

Most people have heard the name L2BEAT, but few really understand what it does. For a long time, up until 2023, the common impression of L2BEAT was simply an “Ethereum Layer 2 data visualization platform”. Apart from its TVL dashboards and its classification of L2 projects by technical approach, few people knew much about what L2BEAT actually offered. However, with the gradual rise of the Layer 2 risk rating indicators it launched in June of this year, L2BEAT, a niche organization that functions as something like an “Ethereum L2 rating agency”, has become known to more and more people.

When the words “rating agency” come up, there is an extremely vivid analogy in the book “The World Is Flat”: “We live in a world of two superpowers: one is the United States and the other is a rating agency. The US can use bombs to destroy a country, and a rating agency can use debt downgrades to destroy a country; sometimes it is impossible to say which of the two is more powerful.”

From the 1997 Asian financial crisis to the 2007 subprime mortgage crisis, Wall Street rating agencies played a significant role, and even became important drivers of those disasters. In Web3, however, a circle that ostensibly pursues “de-trust” (trust minimization) but in practice relies on “social consensus”, “risk ratings” are a part that can never be circumvented. Whether it is contract code auditing or on-chain change analysis, their value is no less than that of zero-knowledge proofs and consensus algorithms, and arguably greater.

For the new field of modular blockchain, an objective and comprehensive set of risk assessment indicators that can tell different layers apart is especially important. Now that the L2 ecosystem already holds nearly 10 billion US dollars in assets, how to better detect potential L2 risks and warn the public in time is an unavoidable practical problem.

In a 2022 forum post, Vitalik noted that almost all Rollups are still immature, and most rely on auxiliary measures known as “training wheels” to keep operating normally. The training wheels reflect the extent to which a Rollup project depends on “manual intervention” and “social consensus”. The less a rollup relies on training wheels, the more “de-trusted” the L2 and the lower its risk; conversely, the more it relies on them, the higher the risk.

For example, most optimistic Rollups, including Optimism, have not yet launched a fraud proof system, which greatly raises their risk level. Quite a few L2s, such as Immutable X, implement DA (data availability) off the Ethereum chain, or, like Starknet, lack forced withdrawal / forced transaction functions that users can invoke at any time. For a Layer 2, the above conditions are necessary to be “as secure as Ethereum”. Beyond these, almost all L2 teams currently keep a “back door” for themselves: they rely on a multisig to manage the L2 contracts on Ethereum and can change the state hash at any time. This is also a major hidden danger.

In order to better differentiate and define Rollups, Vitalik and others divided Rollups into 3 levels, Stage 0, Stage 1, and Stage 2, according to how much a Rollup project relies on training wheels / manual intervention. L2beat later revised this classification scheme after soliciting comments from the community. It can be roughly summarized as follows:

Stage 0 — Relying entirely on training wheels; the minimum standards a rollup should meet:

· The project claims to be a Rollup.

· Transactions processed by the Rollup must be “on-chain”: the data involved in the L2 state transition must be published to L1, and the L2 state hash (Stateroot) must also be published.

· Permissionless, open-source rollup nodes must be available so that users can learn the state of all accounts on L2 (balances, transaction counts, etc.).

Only L2 projects that meet all of the above conditions are marked as Stage 0 by L2beat, meaning they meet the minimum standard for a rollup; otherwise they are not considered a rollup at all (Arbitrum Nova, for example).

Stage 1 — A rollup that still partly relies on training wheels has the following characteristics:

· A fraud proof / validity proof system must be live to guarantee the validity of L2 state transitions;

· If it is an optimistic Rollup, there must be at least 5 L2 nodes not controlled by the project team that can submit fraud proofs (the challenger whitelist includes at least 5 entities other than the Rollup’s official team).

For example, as of November 2022, Arbitrum One’s challenger whitelist included 9 entities: Consensys, Ethereum Foundation, L2BEAT, Mycelium, Offchain Labs, P2P, Quicknode, DLRC, and Unit410.

· At any time, users can bypass the sequencer (operator) and forcibly withdraw assets from L2 to L1, so that assets cannot be frozen; if the sequencer mounts a censorship attack and refuses to process certain transactions, users can forcibly submit those transactions into the L1 Rollup transaction sequence. Apart from posting a wrong Stateroot, the sequencer has no other way to misbehave.

· A Rollup may set up a Security Council, managed by a multisig, with the power to forcibly upgrade the Rollup contract in an emergency or to intervene in the L2 state hash recorded in the contract. However, the Council’s multisig keys must be sufficiently dispersed and the threshold sufficiently high. Vitalik himself believes this should be at least 6/8, that is, a multisig held by 8 or more people with an effective threshold of 75%.

· Rollup contract upgrades that are not executed through the Council’s multisig are subject to a timelock delay of at least 7 days. That way, if the Rollup is hit by a malicious upgrade proposal such as a governance attack (see the Tornado Cash governance attack), users have at least 7 days to withdraw funds safely.

Currently, only Arbitrum One, dYdX, and zkSync Lite meet the Stage 1 requirements; all other mainstream Rollups remain at Stage 0.

Stage 2 — Ditch the training wheels completely and become a complete rollup:

· In an optimistic Rollup network, the L2 nodes that can publish fraud proofs should be permissionless, with whitelists removed (in response to this, Arbitrum One recently introduced a protocol called BOLD);

· All rollup contract upgrades are limited by a timelock delay of at least 30 days, or the contract cannot be upgraded at all. This means that in the event of a malicious rollup upgrade, L2 users have at least 30 days to withdraw funds safely.
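As an added illustration (not part of the original article or of L2BEAT’s own tooling), the following Python encodes the Stage 0/1/2 criteria summarized above as a classifier and runs it over constructed profiles of the projects discussed; the field names and profile values are assumptions derived from the article’s descriptions, not L2beat’s data.

```python
from dataclasses import dataclass
from typing import Optional
# Field names and sample values are this example's own assumptions, built from
# the stage criteria summarized in the article; they are not L2beat's schema.
@dataclass
class RollupProfile:
    name: str
    claims_rollup: bool
    data_on_l1: bool                   # tx data and Stateroot published to L1
    open_source_node: bool             # permissionless, open-source full node
    proof_system_live: bool            # fraud proof or validity proof in production
    is_optimistic: bool
    external_challengers: int          # whitelisted challengers other than the operator
    permissionless_proving: bool       # anyone may submit fraud proofs (no whitelist)
    forced_exit: bool                  # forced withdrawal / forced inclusion available
    council_signers: int               # 0 = no security council
    council_threshold: int
    council_instant_upgrade: bool      # council can upgrade without waiting for the timelock
    upgrade_delay_days: Optional[int]  # None = contract cannot be upgraded at all

def meets_stage0(r: RollupProfile) -> bool:
    return r.claims_rollup and r.data_on_l1 and r.open_source_node

def meets_stage1(r: RollupProfile) -> bool:
    if not (meets_stage0(r) and r.proof_system_live and r.forced_exit):
        return False
    # Optimistic rollups need at least 5 non-operator challengers unless proving is open.
    if r.is_optimistic and not r.permissionless_proving and r.external_challengers < 5:
        return False
    if r.council_signers:  # a council is allowed, but it must be at least 6/8 (75%)
        if r.council_signers < 8 or r.council_threshold < 6:
            return False
        if r.council_threshold / r.council_signers < 0.75:
            return False
    return r.upgrade_delay_days is None or r.upgrade_delay_days >= 7

def meets_stage2(r: RollupProfile) -> bool:
    if not meets_stage1(r) or r.council_instant_upgrade:
        return False
    if r.is_optimistic and not r.permissionless_proving:
        return False
    return r.upgrade_delay_days is None or r.upgrade_delay_days >= 30

def stage(r: RollupProfile) -> str:
    for label, check in (("Stage 2", meets_stage2), ("Stage 1", meets_stage1), ("Stage 0", meets_stage0)):
        if check(r):
            return label
    return "Not a rollup"

# Constructed profiles reflecting the article's description of each project.
BASE = RollupProfile("Base", True, True, True, False, True, 0, False, False, 0, 0, False, 0)
ARBITRUM_ONE = RollupProfile("Arbitrum One", True, True, True, True, True, 9, False, True, 12, 9, True, 12)
FUEL_V1 = RollupProfile("Fuel V1", True, True, True, True, True, 0, True, True, 0, 0, False, None)
ARBITRUM_NOVA = RollupProfile("Arbitrum Nova", True, False, True, False, True, 0, False, False, 0, 0, False, 0)  # data kept off L1 (assumed)
```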

In order to better understand the risk rating indicators listed by L2BEAT, we can select three Rollup examples with different security levels for analysis.

Stage 0: Base; Stage 1: Arbitrum One; Stage 2: Fuel

Base is one of the leading projects in the Optimistic Rollup sector. It relies on contracts on L1 to record the L2 state hash (Stateroot) and to process funds moving into and out of L2, uses Ethereum for data availability (DA), and has a bridging relationship with L1.

The Base sequencer must publish L2 transaction data to L1. Specifically, every few minutes the sequencer sends a transaction to a designated address on Ethereum and records a batch of compressed transaction data in that transaction’s calldata (its freely definable extra data field). Since every L2 full node automatically syncs L1 blocks, it can watch for the sequencer’s transactions, parse the L2 transaction data from their calldata, derive the latest L2 state, compute the correct state hash (Stateroot), and compare it with the Stateroot the sequencer submitted on L1.

Base currently has no live fraud proof system, so there is no guarantee that the L2 Stateroot recorded in the L1 contract is correct; users running an L2 full node can at least detect an error in time. Furthermore, Base has no mechanism such as forced withdrawals to resist censorship attacks. If the sequencer goes down for a long time or deliberately rejects user requests, L2 users cannot safely withdraw funds to L1, which poses a huge security risk.

Obviously, this kind of rollup is unsafe at the level of mechanism design, but users and L2 community members can raise the alarm through social media when necessary, so that regulators such as the Ethereum Foundation and even the SEC become aware of the danger. This is the so-called “social consensus”: through a high degree of data transparency and voluntary supervision by community members, the misconduct of L2 teams is restrained by “public opinion”, “manual intervention”, and subsequent “legal accountability”. It is the lowest level of security guarantee, because it cannot stop wrongdoing in advance, only react after it has occurred.

However, in reality “social consensus” is also a basic condition for securing any blockchain (if someone attempts to maliciously fork Ethereum, the Ethereum community will likewise use social consensus to decide which fork to follow), and since malicious actors consider the consequences of being exposed, most of the time they do not dare to take the risk (with exceptions such as the FTX, ZT, and Mt. Gox exchanges, of course).

When we turn to Arbitrum One, we can immediately see the difference from Base. It has launched a working fraud proof system and set up a challenger whitelist that includes nodes run by 9 different entities, including the Ethereum Foundation and L2beat. As soon as the sequencer posts a wrong state hash (Stateroot) to L1, a challenger node publishes a fraud proof, which ensures that the L2 Stateroot recorded in the Rollup contract is correct.

At the same time, Arbitrum One has a forced transaction mechanism to deal with sequencer censorship attacks: users can call the Force Inclusion function of the Sequencer Inbox contract on L1 to submit transaction instructions directly on L1. If the sequencer does not process this transaction/withdrawal requiring “forced inclusion” within 24 hours, it is included directly in the Rollup transaction sequence, giving users a “safe exit” for forced withdrawals from L2.

It should be emphasized that in a Stage 1 rollup, as long as users know the overall L2 account state and can construct a Merkle proof for their own account balance, they can force a withdrawal through the designated function in the Rollup contract (this function is generally called an escape hatch). How users learn the L2 account state depends on whether the Rollup network has full nodes that expose their data to the public (almost all L2s have such nodes).
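The full-node replay check described above for Base and the escape-hatch Merkle proof described here both operate on the same state commitment, so the following Python (added here; not Base’s, Arbitrum’s, or the author’s code) demonstrates both: a toy account-balance Merkle root, a full node replaying a calldata batch to compare its locally computed root against the sequencer’s posted Stateroot, and a user building and verifying a balance proof against that root. The hashing layout, batch format and sample accounts are constructed for this example.

```python
import hashlib
# Toy L2 state (account -> balance) committed as a Merkle root. The leaf layout
# and batch format are this example's own construction, not Base's or Arbitrum's.
def leaf_hash(account: str, balance: int) -> bytes:
    return hashlib.sha256(f"{account}:{balance}".encode()).digest()
def node_hash(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(left + right).digest()
def merkle_levels(leaves):
    """Return all tree levels, leaves first; odd levels duplicate their last node."""
    levels, cur = [], list(leaves)
    while True:
        if len(cur) > 1 and len(cur) % 2:
            cur.append(cur[-1])
        levels.append(cur)
        if len(cur) == 1:
            return levels
        cur = [node_hash(cur[i], cur[i + 1]) for i in range(0, len(cur), 2)]

def state_root(state: dict) -> bytes:
    return merkle_levels([leaf_hash(a, state[a]) for a in sorted(state)])[-1][0]

def apply_batch(state: dict, batch):
    """Replay a calldata batch of (sender, receiver, amount) like a full node would."""
    new = dict(state)
    for sender, receiver, amount in batch:
        if new.get(sender, 0) < amount:
            raise ValueError(f"{sender} cannot send {amount}")
        new[sender] -= amount
        new[receiver] = new.get(receiver, 0) + amount
    return new

def check_posted_root(prev_state, batch, posted_root: bytes) -> bool:
    """A full node's check: does the sequencer's Stateroot match a local replay?"""
    return state_root(apply_batch(prev_state, batch)) == posted_root

def balance_proof(state: dict, account: str):
    """Merkle proof an escape hatch would need: list of (sibling, sibling_is_right)."""
    accounts = sorted(state)
    idx, proof = accounts.index(account), []
    for level in merkle_levels([leaf_hash(a, state[a]) for a in accounts])[:-1]:
        proof.append((level[idx ^ 1], idx % 2 == 0))
        idx //= 2
    return proof

def verify_balance_proof(root: bytes, account: str, balance: int, proof) -> bool:
    h = leaf_hash(account, balance)
    for sibling, sibling_is_right in proof:
        h = node_hash(h, sibling) if sibling_is_right else node_hash(sibling, h)
    return h == root

# Constructed sample: three L2 accounts and one batch posted in calldata.
GENESIS = {"alice": 100, "bob": 50, "carol": 30}
BATCH = [("alice", "bob", 40), ("carol", "alice", 10)]
HONEST_ROOT = state_root(apply_batch(GENESIS, BATCH))
FORGED_ROOT = state_root({"alice": 100, "bob": 90, "carol": 20})  # sequencer "mints" 40 to bob
```

Without a fraud proof system, a mismatch found by `check_posted_root` can only be reported, not overturned on L1; a user who knows the state can still build a proof with `balance_proof` for an escape-hatch withdrawal against the honest root.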

Furthermore, Arbitrum One’s contract upgrades are constrained in several ways. A normal contract upgrade proposal must first pass an on-chain governance vote. After the voting threshold is reached, it is also subject to a timelock (a delay of 12 days) before it is executed automatically. If the upgrade proposal contains malicious code logic, it can be vetoed by the Security Council (via its multisig).

However, the Arbitrum One Security Council itself can bypass the timelock. As long as the 9/12 multisig threshold is reached, the Security Council can immediately upgrade the contract code, or forcibly change the L2 Stateroot recorded in the Rollup contract.

As to why the Security Council has so much power, Vitalik once explained:

“Some rollups may use multiple independent state transition functions, such as two fraud proof publishers with different views, or multiple prover nodes submitting different validity proofs, or the sequencer trying to fork the L2 account state on L1, or a validity proof not being submitted to the chain within 7 days, all of which may cause the L2 system to completely crash. The security council can make decisions in such dangerous situations, using manual intervention to guide the system to adopt the right results.”

Of course, Vitalik only listed a few simple “dangerous situations.” Considering that the Rollup contract may be hacked and the sequencer may be compromised (or inexperienced) at any time, emergency countermeasures are clearly necessary.

According to Vitalik, if it’s a complete Rollup, the contract can be upgraded, but it must have a time lock delay greater than 30 days to give users and community members enough time to respond.

Obviously, since Arbitrum’s Security Council can upgrade contracts immediately once the multisig approves, if the new version of the code contains malicious business logic it could in theory take away users’ L2 assets. Therefore Arbitrum One does not meet Vitalik’s definition of a complete rollup; its risk level is merely relatively low.

Looking at the “complete rollup” category, only two projects on L2BEAT met the criteria: Fuel V1 and DeGate. Fuel V1 was the first optimistic rollup to bring a fraud proof system online. Its fraud proof submission is permissionless: anyone can run a node and publish fraud proofs when necessary. At the same time, the Fuel V1 contract is immutable and cannot be upgraded at all, and no committee can interfere with the L2 Stateroot recorded in the Rollup contract, so there is no Security Council risk.

Fuel V1 has reached the lowest risk level, but every update requires redeploying the contracts, and users must manually migrate their assets to the new version; in essence, a new project has to be launched each time. The result is fragmented liquidity, which greatly reduces flexibility. For various reasons, such as its UTXO-based, EVM-incompatible programming model and the founder later moving to the Celestia team, Fuel’s development gradually stagnated and its ecosystem has not grown satisfactorily.

All in all, the cost of pursuing absolute security is inconvenient updates and iteration. At a time when fraud proof and validity proof technology are not yet mature, maintaining a certain degree of contract upgradability is probably a feature that Rollups must have.

For quite some time to come, we can anticipate the following situation: most rollups will not give up the Security Council multisig, and L2 contracts will remain “immediately upgradeable” for a long time (a certain ZK Rollup project never gave up its Security Council multisig, and then simply moved on to a new project). Due to the difficulty of developing a fraud proof system, most optimistic rollups that are not leaders may not be able to launch fraud proofs in the short term (probably not by the end of 2023), and Arbitrum One will hold the leading position in the Rollup sector for a long time. Although it does not yet have the highest level of security, it has a relatively complete fraud proof system, its Security Council multisig is reasonably dispersed (a 9/12 multisig distributed among 12 community members, including ARB project members), and it has the largest dApp ecosystem, with over 440 apps. Whether Base, which has weaker security and relies more on marketing, can sustain the growth momentum of the past few months remains to be seen. If Base surpasses Arbitrum One in TVL, it may lead to the collapse of the “de-trust” belief itself.

Of course, most importantly, we will always need risk rating agencies such as L2BEAT. In this turbulent and chaotic era, a set of clear, comprehensive risk rating indicators will always be the key to ensuring the flourishing development of the Ethereum system and Web3 as a whole.

Disclaimer:

  1. This article is reprinted from [medium]. All copyrights belong to the original author [Faust,极客web3]. If there are objections to this reprint, please contact the Gate Learn team([email protected]), and they will handle it promptly.
  2. Liability Disclaimer: The views and opinions expressed in this article are solely those of the author and do not constitute any investment advice.
  3. Translations of the article into other languages are done by the Gate Learn team. Unless mentioned, copying, distributing, or plagiarizing the translated articles is prohibited.