Ethereum’s Layer-2 is not as secure as many think – BitcoinBlog.de – the blog for Bitcoin and other virtual currencies

Ethereum scales through so-called “rollups” – extremely successful in itself. But rollups have an open, dark secret: a small group of people can steal all the value that lies within them. This should change in the future.

Ethereum does not scale on the mainchain, but at higher levels. And it is extremely successful: The so-called “rollups” currently process around ten times more transactions than the main chain, while they contain coins and tokens worth a good 35 billion dollars. As a Bitcoiner you can only dream of this.

Rollups relieve pressure on the Ethereum blockchain. While this remains relatively small and decentralized, transactions on the more centralized rollups are cheaper and faster, but just as secure, as they are anchored on the main chain and users are able to withdraw their coins and tokens from the rollup at any time, no matter what what happens … –

…at least that’s how it’s thought and planned. However, the current state of affairs is different, which is an open secret that is not actively hidden in the Ethereum community, but is also reluctant to say: rollups are not as secure as they should be – and as many think.

In other words, the $35 billion in rollups – most of it in Arbitrum, Optimism, Blast, Manta and Base – can easily be stolen through the cooperation of a surprisingly small number of people.

If you already knew and accepted that, that’s okay. If not, you should know more.

The core concepts of a rollup (Stage 0)

We look at the problem using the specific example of Arbitrum One. Arbitrum is the largest, most successful and probably most advanced rollup. At $16 billion, it holds almost half the value on the rollups, and processes more transfers than Ethereum itself at 20 transactions per second.

Arbitrum One is a so-called rollup, which means a separate blockchain with its own network and consensus mechanism. Unlike a sidechain, for example, Arbitrum only executes the transactions while storing the transaction data in a bundled form on the main chain.

To go a little deeper here: Signatures and their verification take place on the rollup, while the result of the transaction – who transfers how much to whom or how a smart contract changes – is stored in compressed form on the Ethereum blockchain at regular intervals becomes.

What ends up on the mainchain is the “state root”. This is a mathematical derivation of the “state” in the rollup, i.e. the state of all addresses and smart contracts. With it and the “Data Availability”, which also ends up on the Ethereum blockchain, it becomes possible to reconstruct the state of Arbitrum independently of the Arbitrum nodes – and thus to mine your coins and tokens even if the entire network is down.

For L2Beat, these two components are the prerequisite for one to even speak of a “rollup”: users should be able to autonomously mine their tokens in the rollup. L2Beat calls rollups that meet these minimum requirements “Stage 0” rollups.

Most existing rollups fall into this category: Optimism, Blast, Base and others. Arbitrum One is one of the few that has already reached the next level, “Stage 1”.

Stage 1: Better, but not perfect

A state root may or may not be correct. It may or may not represent the state of Arbitrum. A user cannot recognize this by looking at it alone. Therefore, this type of rollup is called “Optimistic” – users are optimistic that the state roots are correct. They trust the network.

In order to check the validity of state roots, you need so-called “fraud proofs”. Arbitrum introduced it as one of the first rollups: Any user can “challenge” a transaction or a state root, whereupon a mechanism begins in which several parties involved identify and submit fraud proofs. Depending on the result, the transaction is either resent or changed.

However, not every user at Arbitrum can submit fraud proofs themselves. Only 14 validators on a whitelist can do this.

The alternative to Optimistic Rollups are Zero-Knowledge Rollups (ZK-Rollups) such as Polygon’s zkEVM. They produce “validity proofs” that can be used to prove that a state root is valid. In order to force a change, fraud proof is still necessary. Knowledge alone is not enough.

Abitrum is also exemplary when it comes to paying out tokens from the rollup back to the main chain: this is completely possible without the consent of the nodes in the rollup. You can withdraw your coins at any time, i.e. back to Ethereum, without anyone stopping you.Polygons zkEVM

Finally, upgrades only take effect with a delay of seven days. This does not prevent the Arbitrum developers or the DAO from changing the rules through a malicious upgrade so that, for example, all tokens on the rollup belong to them. But there is a time window for users to withdraw their coins in a timely manner.

Overall, Arbitrum scores with relatively extensive security mechanisms that other large rollups still lack. However, Arbitrum is not yet perfect either; There remain two scenarios in which users can lose their credit.

Two scenarios in which users can lose money

First, there needs to be at least one honest validator among the nodes approved for fraud proofs so that users can successfully challenge a transaction. If the 14 validators on the list cooperate, they can prevent users from challenging an invalid state root. You can essentially cut the correct connection between the rollup and Ethereum.

Secondly, there is a so-called “Security Council” of the Arbitrum DAO. It consists of 12 members elected by the ARB token holders. Currently the council consists of more or less well-known members of the Ethereum community and economy. It fulfills a useful function in itself, as it can carry out emergency upgrades, for example if a previously unknown bug becomes known.

However, the Security Council is also Arbitrum’s biggest security vulnerability. Actually, he should only be allowed to introduce upgrades that fix bugs that can be verified onchain. While this is written into the DAO’s constitution, it lacks a mechanism to enforce it. Therefore, if nine out of twelve members agree, the council can in principle make any changes to the smart contracts. Also those that freeze, change or steal all tokens of all users.

Unlike regular upgrades, these emergency upgrades take effect immediately rather than after seven days. That makes sense because you don’t want to wait that long in an emergency. But the result is that there is no longer a time window in which users can protect their assets from harmful upgrades.

So there are two attacks: If 14 validators cooperate, they can prevent users from challenging an invalid transaction; if nine members of the Security Council cooperate, they can perform any upgrade to potentially acquire all the credits on the rollup.

The rocky road to Stage 2

Because of these risks, L2Beat assigns Arbitrum the status of a “Stage 1” rollup. This status is only an intermediate status on the way to “Stage 2”, in which no weaknesses remain.

Vitalik Buterin once explained the requirement for this stage in a post, after which L2Beat adopted it. In order to advance to “Stage 2”, Arbitrum would have to eliminate the remaining vulnerabilities: The fraud proof system must be permissionless, so that every user can submit fraud proofs themselves, instead of just a number of validators on a list; the period to exit the system after an unpleasant upgrade should last not just seven, but 30 days; and the Security Council should be strictly and regulated onchain, so that it can actually only intervene if a serious bug occurs onchain.

The requirements don’t sound easy to implement. The last point in particular is difficult: How to ensure onchain that only onchain bugs are fixed? Vitalik Buterin has outlined the answer: There are two independently generated state proofs, and only if they are not identical – because of a bug – is the Security Council allowed to intervene.

Like fraud proofs, this is of course much more difficult to implement than it sounds. It is therefore not surprising that none of the major rollups have achieved this status so far. Optimism, the second largest rollup that activated fraud proofs on the testnet yesterday, describes on its blog the many hurdles of the “endgame of decentralization in the Optimism ecosystem.”

It’s not easy and will take a while. Until then, Ethereum users have no other option than to at least know what they are getting into.