Is it still a Rollup if it doesn’t use Ethereum as the DA layer? Understanding Layer 2 from the perspective of the Danksharding proposer
Author: Faust, geek web3
Introduction: Recently, Dankrad Feist, the creator of Danksharding and a researcher at the Ethereum Foundation, made some controversial remarks on Twitter. He stated plainly that a modular blockchain that does not use ETH as its DA layer (data availability layer) is not a Rollup, nor is it an Ethereum Layer 2. According to Dankrad, Arbitrum Nova, Immutable X, ApeX, and Metis may all be “removed” from the Layer 2 list, because they only disclose transaction data outside of ETH (they built their own off-chain DA network called DAC).
At the same time, Dankrad also said that solutions like Plasma and state channels, which do not require on-chain data availability (Data Availability) to ensure security, are still Layer 2, but Validium (a ZKRollup that does not use ETH as the DA layer) is not Layer 2.
As soon as Dankrad’s remarks came out, many founders and researchers in the Rollup field questioned them. After all, many “Layer 2” projects do not use ETH as the DA (Data Availability) layer in order to save costs. If these projects are removed from the L2 list, quite a lot of scaling networks will inevitably be affected; at the same time, if Validium is not counted as L2, Plasma shouldn’t qualify as L2 either.
In response, Dankrad said that when DA is unavailable (that is, the off-chain DA layer network withholds data and does not disclose transaction data), Plasma users can still safely withdraw their assets to L1; under the same circumstances, however, Validium (most projects using the StarkEx scheme are Validium) can prevent users from withdrawing funds to L1 and freeze their money.
Clearly, Dankrad intends to decide whether a scaling project is an Ethereum Layer 2 by asking whether it is safe. From a security perspective, in the extreme case where the sequencer fails and the DA layer launches a data withholding attack (concealing new data), Validium can indeed leave user assets frozen on L2, unable to be withdrawn to L1. Plasma differs from Validium in design: although most of the time its security is not as good as Validium’s, when the sequencer fails and the DA layer launches a data withholding attack (concealing new data), it still allows users to safely withdraw their assets to L1. So Dankrad’s argument makes sense.
This article intends to start from the perspective of Dankrad and further analyze the details of Layer2 to understand why Validium is not strictly “Layer2”.
How to define Layer2?
According to the definition of the ethereum.org website and most members of the Ethereum community, Layer 2 is “an independent blockchain that expands the capacity of Ethereum + inherits the security of Ethereum”. First of all, “expanding the capacity of Ethereum” refers to diverting the traffic that Ethereum cannot carry and sharing the pressure of TPS. And “inheriting the security of Ethereum” can actually be translated as “protecting its own security with the help of Ethereum”.
For example, every transaction (Tx) on Layer 2 must be finalized on ETH, and a Tx with incorrect data will not be let through; to roll back a Layer 2 block, you must first roll back the Ethereum block, so as long as the Ethereum mainnet does not suffer a block rollback such as a 51% attack, L2 blocks will not be rolled back.
If we explore the security of Layer 2 further, there are actually many corner cases to consider. For example, if the L2 project team disappears, the sequencer fails, or the off-chain DA layer goes down, can users safely withdraw their funds from L2 to L1 when these extreme events occur?
Layer2’s “forced withdrawal” mechanism
Setting aside factors such as L2 contract upgrades and multi-signature risks, schemes such as Arbitrum and StarkEx give users an exit for forced withdrawals. Suppose the L2 sequencer launches a censorship attack, deliberately rejecting a user’s transaction or withdrawal request, or simply shuts down permanently. An Arbitrum user can call the forceInclusion function of the Sequencer Inbox contract on L1 to submit the transaction data directly to L1. If the sequencer has not processed the transaction or withdrawal that needs to be “force-included” within 24 hours, the transaction is included directly in the transaction sequence of the Rollup ledger, which gives L2 users a “forced withdrawal” exit.
In comparison, the StarkEx scheme, with its Escape Hatch mechanism, goes even further. If a Forced Withdrawal request submitted on L1 has received no response from the sequencer by the end of the 7-day window, the user can call the freezeRequest function to put L2 into a freeze period. During this time the L2 sequencer cannot update the L2 state on L1, and the L2 state can only be unfrozen 1 year after it was frozen.
After the L2 state is frozen, the user can construct a Merkle Proof against the current state to prove that he holds XX amount of funds on L2, and withdraw through the Escape Hatch contract on L1. This is the “full withdrawal” service provided by the StarkEx scheme. Even if the L2 project team is gone and the sequencer fails permanently, users still have a way to withdraw funds from L2.
But there is a problem here: most L2s using the StarkEx scheme are Validiums (such as Immutable X and ApeX), which do not publish the data required for DA to ETH; the information needed to construct the current L2 state tree is stored off-chain. If the user cannot obtain the off-chain data needed to construct the Merkle Proof (for example, because the off-chain DA layer launches a data withholding attack), it is impossible to withdraw funds through the escape hatch.
By now, the reason why Dankrad, mentioned at the beginning of the article, believes Validium is unsafe is very clear: because Validium does not publish DA data on-chain as a Rollup does, users may be unable to construct the Merkle Proof required for a “forced withdrawal”.
The difference between Validium and Plasma in the event of a data withholding attack
In fact, Validium’s sequencer only publishes the latest Stateroot (the root of the state tree) of L2 on the L1 chain, and then submits a Validity Proof (ZK Proof) to prove that the state transitions (changes in user funds) involved in generating the new Stateroot are all correct.
However, the Stateroot alone cannot be used to reconstruct the current state tree (the world state trie) or to learn the specific state of each L2 account (including its balance), so L2 users cannot construct a Merkle Proof corresponding to the current legal Stateroot. This is where Validium is at a disadvantage.
Here we need to highlight the DAC. The data involved in Validium’s DA, such as the latest batch of transactions processed by the sequencer, is synchronized to an L2-specific DA network called the Data Availability Committee (DAC). Community members or other entities are responsible for its operation and supervision (but this is only on the surface; in fact, it is difficult for outsiders to verify who the DAC members are).
At present, the DAC of Immutable X uses a 5/7 multi-signature. Although dYdX is a ZKRollup, it also has a DAC, which uses a 1/2 multi-signature. (dYdX only publishes State diffs on L1, that is, state changes rather than complete transaction data. However, once the historical State diffs have been obtained, the asset balances of all L2 addresses can be restored, and a Merkle Proof can then be constructed to withdraw in full.)
Dankrad has a point. If the DAC members of a Validium collude to launch a data withholding attack, preventing other L2 nodes from synchronizing the latest data while the L2’s legal Stateroot is updated, users cannot construct the Merkle Proof corresponding to the now-legal root and so cannot withdraw (because the current DA data is no longer available; only the previous DA data is).
But Dankrad only considers the theoretical extremes. In reality, most Validium sequencers will broadcast the newly processed transaction data to other L2 nodes in real time, including many honest nodes. As long as there is one honest node that can obtain DA data in time, users can escape from L2.
But why does the problem that theoretically exists on Validium not exist on Plasma? It is because Plasma determines the legal Stateroot differently from Validium: it has a fraud proof window period. Plasma is the L2 scaling solution that preceded Optimistic Rollup (OPR). Like OPR, it relies on fraud proofs to ensure the security of L2.
Plasma, like OPR, has a window period. A new Stateroot released by the sequencer is not judged legal immediately; it becomes legal only once the window period has closed without any L2 node issuing a fraud proof. Therefore, the current legal Stateroots of Plasma and OPR were submitted several days ago (like the starlight we see, which was actually emitted a long time ago), and users can usually obtain the DA data for those past moments.
At the same time, the fraud proof mechanism can only take effect if the L2’s DA is available at that moment: Plasma’s Verifier nodes must be able to obtain the data involved in DA so that a fraud proof can be generated (if necessary).
Then everything is simple: Plasma works normally only if the L2’s DA data is currently available. If, from some point on, the L2’s DA becomes unavailable, can users still safely withdraw funds?
This is not difficult to analyze. Assume Plasma’s window period is 7 days, and that from a certain time T0 onward new DA data is unavailable (the DAC launches a data withholding attack to prevent honest L2 nodes from obtaining data after T0). Because the legal Stateroot at T0, and for a period of time thereafter, was submitted before T0, and the historical data before T0 can still be traced, users can construct a Merkle Proof to force a withdrawal.
Even if many people do not detect the anomaly immediately, there is a window period (7 days for OP). As long as the Stateroot submitted at T0 has not yet become legal and the DA data before T0 can be traced, users can safely withdraw funds from L2.
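The Python sketch below is an added example, not code from the article or from any project it names. It models L1 as holding only Stateroots and the DA data as a per-day table of balances, then checks whether a user can build a Merkle Proof against the legal root when data is withheld from T0 onward, with a 0-day window (Validium) and a 7-day window (Plasma). The SHA-256 binary tree, the accounts, balances, day numbers and all function names are constructed assumptions, not StarkEx’s or any Plasma implementation’s actual format.

```python
import hashlib

def h(b): return hashlib.sha256(b).digest()
def leaf(addr, bal): return h(f"{addr}:{bal}".encode())

def build_levels(state):
    """Levels of a binary Merkle tree over sorted (address, balance) leaves."""
    level, levels = [leaf(a, b) for a, b in sorted(state.items())], []
    while True:
        if len(level) > 1 and len(level) % 2:
            level = level + [level[-1]]          # pad odd levels
        levels.append(level)
        if len(level) == 1:
            return levels
        level = [h(level[i] + level[i + 1]) for i in range(0, len(level), 2)]

def state_root(state): return build_levels(state)[-1][0]

def prove(state, addr):
    """Off-chain: needs the full state (the DA data), not just the root."""
    idx, path = sorted(state).index(addr), []
    for level in build_levels(state)[:-1]:
        path.append((level[idx ^ 1], idx & 1))   # (sibling, node is right child)
        idx //= 2
    return path

def verify(root, addr, bal, path):
    """What an L1 escape contract would check: only the root is on-chain."""
    node = leaf(addr, bal)
    for sibling, is_right in path:
        node = h(sibling + node) if is_right else h(node + sibling)
    return node == root

def can_escape(addr, window_days, now, t0, states):
    """states[d] = L2 state whose root was posted to L1 on day d (constructed).
    Data for batches posted on day >= t0 is withheld from honest nodes."""
    l1_roots = {d: state_root(s) for d, s in states.items()}      # always on L1
    available = {d: s for d, s in states.items() if d < t0}       # DA data users hold
    legal_day = max(d for d in l1_roots if d + window_days <= now)
    if legal_day not in available:
        return False                              # cannot build a Merkle proof
    s = available[legal_day]
    return verify(l1_roots[legal_day], addr, s[addr], prove(s, addr))

# Constructed sample: alice's balance changes daily; withholding starts on day 8.
STATES = {d: {"alice": 100 + d, "bob": 50, "carol": 7 * d} for d in range(10)}
VALIDIUM = can_escape("alice", 0, now=9, t0=8, states=STATES)   # root legal at once
PLASMA = can_escape("alice", 7, now=9, t0=8, states=STATES)     # 7-day window
```

In this model a proof built from the last available state (day 7) does not verify against the day-9 root, which is why holding “the previous DA data” does not help a Validium user.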
Summary
So far we can roughly understand the difference between Validium and Plasma in terms of security:
After Validium’s sequencer releases a Stateroot, as long as it immediately releases the Validity Proof and the DAC multi-signature, that root becomes the latest legal Stateroot. If users and honest L2 nodes are hit by a data withholding attack, they cannot construct the Merkle Proof corresponding to the current legal Stateroot and cannot withdraw funds to L1.
With Plasma, however, a newly submitted Stateroot does not become legal until the end of the window period, so the Stateroot that is legal at any given time was submitted in the past. Because there is a window period (ARB is 3 days, OP is 7 days), even if the DA data for the newly submitted Stateroot is unavailable, the user still has the DA data for the current legal Stateroot (the legal root was submitted in the past), and there is enough time to force a withdrawal to L1.
So, what Dankrad said makes sense. When a data withholding attack occurs, Validium may trap user assets in L2, but Plasma does not have this problem.
Data withholding attacks on the off-chain DA layer therefore create many security risks, and this is exactly the problem Celestia is trying to solve. In addition, because most Layer 2 projects provide service ports that keep L2 nodes and the sequencer synchronized off-chain, Dankrad’s concerns are often theoretical rather than real.
If we take a nit-picking attitude and put forward a more extreme hypothesis, that all Plasma off-chain nodes are unavailable, then ordinary users who do not run L2 nodes themselves will not be able to force withdrawals to L1. But the probability of this happening is equivalent to the probability that all nodes of a public chain go down collectively and permanently, and it may never happen.
So, much of the time, people are just talking about things that have never happened. As the deputy chairman of the KGB says to the protagonist in the American drama “Chernobyl”: “Why worry about things that will never happen?”