Bankless: Prosperity and Challenges of Optimistic Rollup
Mars Finance
Guest columnist
2023-06-26 02:51
Value is shifting towards them, but are they growing too big, too fast?

Original Title: "Ethereum's Ticking Time Bomb?"

Author: Jack Inabinet

Translation: Kate, Marsbit

In the past few years, Ethereum's layer-two networks have seen significant growth, especially Optimistic Rollups like Arbitrum and Optimism. Value is shifting towards them, but are they growing too big, too fast?

- Bankless Team

Optimistic Rollups have never been pessimistic. Since the beginning of this year, the total value locked (TVL) in Ethereum's two major Optimistic Rollup projects, Arbitrum and Optimism, has increased by 108% and 52% respectively, which is impressive.

However, despite these benefits, Optimistic Rollups are not the ultimate goal of Ethereum's scalability. Although they continue to grow in TVL and help solidify L2 as an integral part of the Ethereum ecosystem, their increasing success also increases the possibility of a black swan attack on the core security components of Optimistic Rollups.

Today, we will explain why Optimistic Rollups (although popular) are still vulnerable to exploitation, explore zero-knowledge solutions that mitigate all these issues, and revisit the DAO hack to explain why Ethereum may not simply overcome the predicament of another major vulnerability.

Weaknesses of Optimistic Rollups

As the name suggests, Optimistic Rollups optimistically assume that the rollup states issued by operators to Ethereum are correct unless proven otherwise, and derive their security from cryptographic "fraud proofs".

Currently, Arbitrum is the only major L2 with working fraud proofs, and only permitted participants can submit them. If participants disagree about the state of the chain, the rollup protocol initiates a fraud proof computation, an on-chain dialogue between the challenger and the rollup that determines the validity of the state. If the state is found invalid, the transaction state changes are reverted, and the hash is reset to a provably correct state root. Optimistic Rollups have a standard 7-day challenge period, which gives well-intentioned participants sufficient time to challenge the rollup's state.
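The on-chain dialogue described above can be pictured as a bisection over two execution traces that ends with L1 re-executing a single step. The following is an added, simplified model, not Arbitrum's code or anything from the original article: the state machine, the transaction batch and all function names are constructed, and raw states stand in for the hash commitments a real protocol would exchange.

```python
"""Simplified interactive fraud proof: bisect two execution traces to one step."""

P = 1_000_003  # modulus of the constructed toy state machine


def step(state: int, tx: int) -> int:
    """Toy L2 state transition (constructed); injective in `state` for a fixed tx."""
    return (state * 31 + tx) % P


def execute(start: int, txs: list, tamper_at: int = -1) -> list:
    """Return every intermediate state; optionally inject an invalid state at one step."""
    states = [start]
    for i, tx in enumerate(txs):
        nxt = step(states[-1], tx)
        if i == tamper_at:
            nxt = (nxt + 1) % P  # invalid transition that an honest node would reject
        states.append(nxt)
    return states


def bisect(asserted: list, challenged: list) -> tuple:
    """Narrow the dispute to step i: both agree on state i, disagree on state i+1."""
    lo, hi, rounds = 0, len(asserted) - 1, 0
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if asserted[mid] == challenged[mid]:
            lo = mid   # divergence is in the upper half
        else:
            hi = mid   # divergence is in the lower half
        rounds += 1
    return lo, rounds


def resolve(txs: list, asserted: list, challenged: list) -> dict:
    """Decision of the L1 contract, which re-executes exactly one step."""
    if asserted[-1] == challenged[-1]:
        return {"outcome": "no dispute"}
    i, rounds = bisect(asserted, challenged)
    fraud = step(asserted[i], txs[i]) != asserted[i + 1]
    return {"outcome": "state reverted" if fraud else "challenge rejected",
            "disputed_step": i, "rounds": rounds}


if __name__ == "__main__":
    txs = [(7 * n + 3) % 1000 for n in range(1024)]  # constructed batch
    print(resolve(txs, execute(1, txs, tamper_at=700), execute(1, txs)))
```

A 1,024-step batch is settled in 10 bisection rounds plus one re-executed step, which is why L1 never has to replay the whole batch.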

However, the security of Optimistic Rollups relies on two core assumptions:

1. In the case of an invalid state, someone submits a fraud proof

Regarding assumption one, we can reasonably expect that an honest participant would challenge the invalid state by attempting to submit a fraud proof.

2. The underlying L1 remains censorship-resistant

Ethereum's censorship resistance is certainly commendable. For example, when blocks are full, EIP-1559 exponentially increases the base fee (a portion of transaction fees). In theory, this should prevent participants from launching DDoS attacks on L1 with spam transactions to block the publication of a fraud proof, as the gas cost required for the attack would quickly exceed the accumulated value before the 7-day challenge period ends.
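To see how quickly that fee growth exhausts a spam budget, the sketch below applies the integer base fee rule from EIP-1559 to a run of completely full blocks. It is an added example, not from the original article: the starting base fee and the budget are constructed inputs, and the 15M gas target and 12-second slot are assumed mainnet parameters.

```python
"""EIP-1559 base fee update, and the cost of keeping every block full."""

ELASTICITY = 2               # gas limit = 2 x gas target
MAX_CHANGE_DENOMINATOR = 8   # base fee moves at most 1/8 (12.5%) per block
GAS_TARGET = 15_000_000      # assumed mainnet target
SLOT_SECONDS = 12            # assumed slot time
CHALLENGE_WINDOW_BLOCKS = 7 * 24 * 3600 // SLOT_SECONDS  # the 7-day period in blocks
WEI_PER_ETH = 10**18


def next_base_fee(parent_base_fee: int, gas_used: int, gas_target: int = GAS_TARGET) -> int:
    """Integer base fee rule from EIP-1559 (all values in wei)."""
    if gas_used == gas_target:
        return parent_base_fee
    if gas_used > gas_target:
        delta = (parent_base_fee * (gas_used - gas_target)
                 // gas_target // MAX_CHANGE_DENOMINATOR)
        return parent_base_fee + max(delta, 1)
    delta = (parent_base_fee * (gas_target - gas_used)
             // gas_target // MAX_CHANGE_DENOMINATOR)
    return parent_base_fee - delta


def blocks_affordable(start_base_fee: int, budget_wei: int) -> int:
    """Number of consecutive full blocks a budget can pay for."""
    gas_limit = GAS_TARGET * ELASTICITY
    base_fee, spent, blocks = start_base_fee, 0, 0
    while spent + base_fee * gas_limit <= budget_wei:
        spent += base_fee * gas_limit  # base fee is burned; priority fees ignored
        base_fee = next_base_fee(base_fee, gas_limit)
        blocks += 1
    return blocks


if __name__ == "__main__":
    # Constructed inputs: 20 gwei starting base fee, 1,000,000 ETH budget.
    n = blocks_affordable(20 * 10**9, 1_000_000 * WEI_PER_ETH)
    print(f"{n} full blocks (~{n * SLOT_SECONDS // 60} min) "
          f"of a {CHALLENGE_WINDOW_BLOCKS}-block challenge window")
```

Even this very large constructed budget covers only a tiny fraction of the challenge window, which is the economic argument the paragraph makes about spam-based censorship.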

Source: Twitter

Unfortunately, even in an assumed future world where all Optimistic Rollups have permissionless fraud proofs, a concerning attack vector still exists. While unlikely, it is still possible to prevent the publication of fraud proofs while circumventing the exponential gas fee growth of EIP-1559 through collusion among validators.

Challengers must be able to submit fraud proofs at the L1 level, as the rollup protocol will interpret the absence of challenges as implicit consent to its state. Censorship of fraud proof publication through collusion at L1 would invalidate assumption 2, thereby rendering the security guarantees of the rollup invalid.

Source: Twitter

Inevitable Choices

Although their Optimistic counterpart is more easily implementable and currently dominates the Ethereum L2 space, zkRollup has the potential to disrupt the current paradigm by offering instant confirmations, faster finality, higher throughput, and native privacy.

Unlike rollups that rely on fraud proofs to dispute incorrect rollup states, these types of rollups opt for validity proofs, a form of off-chain computation that verifies the correctness of transactions submitted by rollup operators and proves the correctness of the rollup without revealing the state itself.

While cryptographically complex, this proof design means that the published state will always reflect the correct state of L2, and that zkRollups rely on Ethereum's censorship resistance only for liveness, not for security as Optimistic Rollups do under their fraud proof schemes.

Some zkRollups have already made their way to the mainnet, and their rapid adoption demonstrates the demand for zero-knowledge scaling solutions built on top of Ethereum.

Leading the way is zkSync Era, which has seen the most active inflow in terms of users and TVL (largely due to speculation from airdrops) and has amassed an impressive $155 million TVL since its deployment on the mainnet in late March.

Source: Artemis

It is undeniable that competitors have been striving for similar success, with Starknet and Polygon's zkEVM seeing significant TVL inflows since early April.

Just yesterday, Polygon Labs proposed an upgrade to the existing Polygon PoS chain, further causing confusion around the discussion of what a "rollup" is.

Source: Twitter

However, a key distinction must be drawn between the zkRollups highlighted above (including Polygon's zkEVM rollup) and a zero-knowledge validium (seemingly the future of the Polygon PoS chain).

Validating on Ethereum with "zk" proofs does indeed ensure the correctness of Polygon PoS state transitions, but users will still rely on the MATIC network for data availability and functionality.

Source: Polygon Labs

While this approach undoubtedly reduces transaction fees and improves scalability, the "validium" vision proposed for Polygon PoS outsources data availability beyond Ethereum, so it will not inherit the full package of Ethereum-backed security and liveness that a true zkRollup needs.

DAO Hack

When considering any potential black swan events in the future, it is helpful to review history. Less than a year after Ethereum launched, its nascent ecosystem was forced to face a catastrophic event: the DAO hack.

The DAO was launched in April 2016 and raised $150 million in just four weeks by giving token holders unprecedented voting rights. Unfortunately, its unprecedented fundraising success was short-lived, as an attacker used a reentrancy attack that drained almost all the ETH controlled by the DAO.

Despite the best efforts of the white-hat hacker group "Robin Hood" to recover the funds, the attacker still made off with $40 million worth of ETH, which accounted for 5% of the circulating supply of Ether at the time. In the aftermath of the chaos, the Ethereum community reached for the ultimate reset button: an irregular state change!

While Ethereum often uses coordinated hard forks for protocol upgrades, as with the Merge and Shapella, cleaning up the DAO hack required additional steps. This hard fork not only fixed the vulnerabilities that led to the DAO's collapse but also returned all the funds stolen by the attacker to their rightful owners.

The rollback of the DAO hack was a controversial decision, with much of the resistance coming from Bitcoin supporters who believed that irregular state changes would undermine the credibility of the Ethereum network and circumvent the entire premise of blockchain immutability. In the end, the pro-hard-fork camp won this battle, helped by concerns that a large concentration of Ether (5%) controlled by the hacker would equally discredit the network.

If rollups were exploited, such a reset would be demanded - and with good reason, as it had previously proven effective in addressing issues. But for now, don't hold your breath, as no one will come to rescue your crypto project.

The decision to perform a hard fork was not made lightly, and using it to manipulate account balances indeed undermined the value proposition of blockchain technology. Later requests for similar hard-fork-style interventions have stalled in proposal hell, such as EIP-867 (aimed at standardizing fund recovery requests) and EIP-999 (aimed at undoing the 513k ETH Parity Wallet disaster).

Vitalik Buterin, the Ethereum magician, recently issued a harsh condemnation of any potential rollback nodes in his article "Don't Overload Ethereum's Consensus," arguing that fragile social consensus poses a high risk of chain splits and that hard forks should be used cautiously in mature communities.

Although this article primarily discusses the danger that restaking poses to social consensus, Vitalik explicitly points out that rollups relying on Ethereum to fork and recover funds would be a high-risk use of consensus that could potentially lead to chain splits.

Source: Vitalik Buterin

Unless we see fundamental changes in the Ethereum community's guardians, it is unlikely that we'll witness another DAO-style irregular state change to mask rollup vulnerabilities.

TL;DR

To be honest, we are still in the early stages of Ethereum's scalability journey!

Optimistic rollups represent the best attempt by developers so far to scale Ethereum, but they are still susceptible to attacks, and the attack surface will only expand as they become more successful. However, faced with the reality that Ethereum's social consensus may not be able to rescue exploited optimistic rollups, seeking alternative scaling solutions is necessary.

While the drawbacks are evident today, it is inevitable that further time and development will enable teams behind various zkRollups and similar rollup scaling methods to refine their solutions and address Ethereum's current scalability challenges.
