Fire Validium? Re-understand Layer 2 from the perspective of the proposer of Danksharding
星球君的朋友们
Odaily senior author
2023-08-19 04:00
Why did the proposer of Danksharding diss the DA layer outside of Ethereum?

Original author: Faust

Original source: Geek Web3

Introduction: Recently, Dankrad Feist, the creator of Danksharding and a researcher at the Ethereum Foundation, made some controversial remarks on Twitter. He stated plainly that a modular blockchain that does not use ETH as its DA layer (data availability layer) is not a Rollup, nor is it an Ethereum Layer 2. By Dankrad's standard, Arbitrum Nova, Immutable X, ApeX and Metis would all be removed from the Layer 2 list, because they only publish transaction data outside of ETH (they have built their own off-chain DA network, called a DAC).

At the same time, Dankrad also said that solutions such as Plasma and state channels, which do not require on-chain data availability to ensure security, still count as Layer 2, but Validium (a ZK Rollup that does not use ETH as its DA layer) does not.

As soon as Dankrad's remarks came out, many founders and researchers in the Rollup field questioned them. After all, many Layer 2 projects do not use ETH as their DA layer in order to save costs. If these projects were kicked off the L2 list, a lot of scaling networks would inevitably be affected; and if Validium is not considered L2, then Plasma should not qualify as L2 either.

In response, Dankrad said that Plasma users can still safely withdraw their assets to L1 when DA is unavailable (that is, when the off-chain DA layer network withholds data and does not publish transaction data); but under the same circumstances, Validium (most projects using the StarkEx scheme are Validium) can prevent users from withdrawing funds to L1 and freeze their money.

Clearly, Dankrad judges whether a scaling project is an Ethereum Layer 2 by whether it is secure. From a security perspective, in the extreme case where the sequencer fails and the DA layer launches a data withholding attack (concealing new data), Validium can indeed leave user assets frozen on L2, unable to be withdrawn to L1. Plasma is designed differently from Validium: although its security is weaker than Validium's most of the time, it lets users safely move their assets to L1 when the sequencer fails and the DA layer launches a data withholding attack. So what Dankrad said makes sense.

This article starts from Dankrad's perspective and further analyzes the details of Layer 2, to gain a deeper understanding of why Validium is not Layer 2 in the strict sense.

How to define Layer 2?

According to the definition on the ethereum.org website and among most members of the Ethereum community, Layer 2 is an independent blockchain that scales Ethereum and inherits the security of Ethereum. Scaling Ethereum means diverting the traffic that Ethereum cannot carry and sharing its TPS load. Inheriting the security of Ethereum can be read as protecting its own security with the help of Ethereum.

For example, every transaction (Tx) on Layer 2 must complete final settlement on ETH, and a Tx with incorrect data will not be accepted; to roll back a Layer 2 block, you must first roll back the Ethereum block. As long as Ethereum mainnet does not suffer a block rollback such as one caused by a 51% attack, the L2 block will not be rolled back.

If we explore the security of Layer 2 further, there are many corner cases to consider. For example, if the L2 project team runs away, the sequencer fails, or the off-chain DA layer goes down, can users safely withdraw their L2 funds to L1 when these extreme events occur?

Layer 2’s “forced withdrawal” mechanism

Setting aside factors such as L2 contract upgrades and multi-signature risks, solutions such as Arbitrum and StarkEx do give users an exit through mandatory withdrawals. Suppose the L2 sequencer launches a censorship attack, deliberately rejecting the user's transaction or withdrawal request, or simply goes down permanently. Arbitrum users can call the forceInclusion function of the SequencerInbox contract on L1 to submit the transaction data directly to L1. If the sequencer has not processed this transaction or withdrawal within 24 hours, the transaction is included directly in the transaction sequence of the Rollup ledger, which gives L2 users a forced withdrawal exit.

In comparison, the StarkEx solution, with its Escape Hatch mechanism, goes further. If the Forced Withdrawal request submitted by the L2 user on L1 has not received a response from the sequencer by the end of the 7-day window, the user can call the freezeRequest function to put L2 into a freeze period. During this time the L2 sequencer cannot update the state of L2 on L1, and it will take 1 year for the L2 state to be unfrozen.

After the L2 state is frozen, users can construct a Merkle Proof against the current state to prove that they hold a given amount of funds on L2, and withdraw through the Escape Hatch contract on L1. This is the full withdrawal service provided by the StarkEx scheme. Even if the L2 project team disappears and the sequencer fails permanently, users still have a way to withdraw funds from L2.

But there is a problem here: L2s that use the StarkEx solution are mostly Validium (such as Immutable X and ApeX), which does not publish its DA data to ETH, so the information needed to construct the current L2 state tree is stored off-chain. If the user cannot obtain the off-chain data needed to construct the Merkle Proof (for example, because the off-chain DA layer launches a data withholding attack), they will not be able to withdraw funds through the escape hatch.

At this point, the reason Dankrad gave at the beginning of the article for Validium being unsafe is clear: because Validium does not publish DA data on-chain the way a Rollup does, users may not be able to construct the Merkle Proof required for a forced withdrawal.

The difference between Validium and Plasma in the event of a data withholding attack

In fact, Validium's sequencer only publishes the latest L2 Stateroot (the root of the state tree) on the L1 chain, and then submits a Validity Proof (ZK Proof) to prove that the state transitions (changes in user funds) involved in producing the new Stateroot are all correct.

(Source: eckoDAO)

However, the Stateroot alone cannot restore the current world state trie, so the specific state of each L2 account (including its fund balance) cannot be known from it. L2 users then cannot construct a Merkle Proof corresponding to the current legal Stateroot. This is the disadvantage of Validium.

(Merkle Proof is actually the data required in the root generation process, which is the dark part in the figure. To construct the Merkle Proof corresponding to the Stateroot, you must know the structure of the state tree and need DA data)

Here we must highlight the DAC. The data involved in Validium's DA, such as the latest batch of transactions processed by the sequencer, is synchronized to an L2-specific DA network called the Data Availability Committee (DAC). The DAC is composed of multiple node servers, generally operated and supervised by the L2 team together with community members or other organizations (but this is only on the surface; it is difficult for outsiders to verify who the actual DAC members are).

What's interesting is that Validium's DAC members need to frequently submit multi-signatures on L1 to attest that the new Stateroot and Validity Proof submitted by the L2 sequencer on L1 match the DA data synchronized by the DAC. Once the DAC's multi-signature is submitted, the new Stateroot and Validity Proof are considered legal.

Currently, the DAC of Immutable (dYdX only publishes State diff in L1, that is, state changes, not complete transaction data. However, after obtaining the State diff in the historical record, the asset balance of all L2 addresses can be restored. At this time, Merkle Proof can be constructed to withdraw in full).

Dankrad has a point. If the DAC members of a Validium conspire to launch a data withholding attack, preventing other L2 nodes from synchronizing the latest data while the legal Stateroot of the L2 is updated, the user cannot construct the Merkle Proof corresponding to the current legal root in order to withdraw (because the current DA data is no longer available; only the earlier DA data is).

But Dankrad only considers the theoretical extremes. In reality, most Validium sequencers will broadcast the newly processed transaction data to other L2 nodes in real time, including many honest nodes. As long as there is one honest node that can obtain DA data in time, the user can escape from L2.

But why does the problem that theoretically exists with Validium not exist with Plasma? Because Plasma determines a legal Stateroot differently from Validium: it has a fraud proof window. Plasma is an L2 scaling solution that predates Optimistic Rollup (OPR). Like OPR, it relies on fraud proofs to ensure L2 security.

Plasma, like OPR, has a window period. A new Stateroot released by the sequencer is not judged legal immediately; it has to wait until the window has closed without any L2 node issuing a fraud proof. Therefore, the current legal Stateroots of Plasma and OPR were all submitted a few days ago (like the starlight we see, which was actually emitted a long time ago), and users can usually obtain that past DA data.

At the same time, the prerequisite for the fraud proof mechanism to work at a given moment is that the L2 DA is available at that moment: the Verifier nodes of Plasma must be able to obtain the DA data for that moment, so that a fraud proof can be generated if necessary.

Then everything is simple: the prerequisite for Plasma to work properly is that the DA data of L2 is available at this moment. If L2’s DA is no longer available from now on, can users safely withdraw their funds?

This problem is not difficult to analyze. Assume the window period of Plasma is 7 days, and that starting from a certain time point T0 the new DA data is no longer available (the DAC launches a data withholding attack to prevent honest L2 nodes from obtaining the data after T0). Because the legal Stateroot at T0, and for a period of time afterwards, was submitted before T0, and the historical data before T0 can still be retrieved, users can construct a Merkle Proof and force a withdrawal.

Even if many people do not notice the abnormality immediately, because there is a window period (7 days for OP), as long as the Stateroot submitted at T0 has not yet become legal and the DA data before T0 is retrievable, users can safely withdraw their money and exit L2.
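The difference described in this section can be modelled in a few lines. This is an added example, not code from the original article or from any L2 project: a user whose data stops at day `t0` tries to prove a balance against whichever Stateroot is legal, with a zero-day window (Validium-style) and a 7-day window (Plasma-style). The SHA-256 binary tree, the day-granular batches and the account names are assumptions; real systems use different trees and hash functions.

```python
import hashlib

def h(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()

def leaf(account: str, balance: int) -> bytes:
    return h(b"\x00", account.encode(), balance.to_bytes(32, "big"))

def levels_of(state: dict) -> list:
    """Every level of the state tree, leaves first; needs the full state (DA data)."""
    levels = [[leaf(a, state[a]) for a in sorted(state)]]
    while len(levels[-1]) > 1:
        cur = levels[-1] + levels[-1][-1:] * (len(levels[-1]) % 2)  # pad odd level
        levels.append([h(b"\x01", cur[i], cur[i + 1]) for i in range(0, len(cur), 2)])
    return levels

def prove(state: dict, account: str) -> list:
    """Sibling hashes from leaf to root; they depend on every other account."""
    idx, path = sorted(state).index(account), []
    for level in levels_of(state)[:-1]:
        sibling = level[idx ^ 1] if (idx ^ 1) < len(level) else level[idx]
        path.append((sibling, idx & 1))
        idx >>= 1
    return path

def verify(root: bytes, account: str, balance: int, path: list) -> bool:
    """All the L1 contract can check when only the Stateroot is on-chain."""
    node = leaf(account, balance)
    for sibling, node_is_right in path:
        node = h(b"\x01", sibling, node) if node_is_right else h(b"\x01", node, sibling)
    return node == root

def legal_batch(batches: list, now: int, window: int) -> dict:
    """Latest batch whose root is legal, i.e. submitted at least `window` days ago."""
    return max((b for b in batches if b["day"] + window <= now), key=lambda b: b["day"])

def can_exit(batches: list, now: int, window: int, t0: int, account: str) -> bool:
    """The user holds only batch data published before day t0 (withheld from t0 on)."""
    legal = legal_batch(batches, now, window)
    held = [b for b in batches if b["day"] < t0]
    # Use the legal root's own data if it is held, otherwise the newest data held.
    state = max(held, key=lambda b: (b["day"] == legal["day"], b["day"]))["state"]
    root = levels_of(legal["state"])[-1][0]  # the only value L1 stores
    return verify(root, account, state[account], prove(state, account))

# Constructed sample: one batch per day; alice's balance is constant, others change.
BATCHES = [{"day": d, "state": {"alice": 50, "bob": 100 - d, "carol": 10 + d}} for d in range(10)]
if __name__ == "__main__":
    print(can_exit(BATCHES, 9, 0, 8, "alice"), can_exit(BATCHES, 9, 7, 8, "alice"))
```

Alice's own balance never changes in the sample, yet her proof fails against the newest root because the sibling hashes come from other accounts' withheld balances. In this model the windowed exit stops working once the first withheld root itself becomes legal.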

Summary

At this point we can roughly understand the difference in security between Validium and Plasma:

After Validium's sequencer releases a Stateroot, as long as it immediately releases the Validity Proof and the DAC multi-signature, that Stateroot becomes the latest legal Stateroot. If users and honest L2 nodes then face a data withholding attack, they cannot construct the Merkle Proof corresponding to the current legal Stateroot, and cannot withdraw money to L1.

After Plasma submits a new Stateroot, it must wait until the window period ends before that root becomes legal, so the legal Stateroot at any moment was submitted in the past. Because there is a window period (ARB is 3 days, OP is 7 days), even if the DA data of the newly submitted Stateroot is not available, the user still has the DA data of the current legal Stateroot (the legal root was submitted in the past), and there is enough time to force a withdrawal to L1.

So, what Dankrad said makes sense. When a data withholding attack occurs, Validium may trap user assets in L2, but Plasma does not have this problem.

(What Dankrad said in the picture below is slightly wrong. Plasma should not allow a withdrawal using a Merkle Proof that corresponds to an outdated legal Stateroot, because this would lead to double spending.)

Therefore, data withholding attacks at the off-chain DA layer create many security risks, and this is exactly the problem that Celestia is trying to solve. Also, since most Layer 2 projects provide service ports that keep off-chain L2 nodes in sync with the sequencer, Dankrad's concerns are often theoretical rather than real.

If we take a nitpicking attitude and make an even more extreme assumption, that all Plasma off-chain nodes are unavailable, then ordinary users who do not run L2 nodes themselves cannot force withdrawals to L1. But the probability of this happening is equivalent to the probability of all nodes in a public chain going down collectively and permanently, which may never happen.

So, much of the time, everyone is just talking about things that will never happen. As the famous line from the American TV series Chernobyl goes, Vice Chairman of the G.B.C. Rick said to the protagonist: "Why worry about things that won't happen?"

