An Open Letter from the Consensus Lead of Matter Labs to Jon Charbonneau Some Thoughts on Rollup

Open Letter to Jon Charbonneau Thoughts on Rollup

Translation: Huohuo/Plain Language Blockchain

1. What is Rollup and what is not Rollup?

First, I do agree:

  1. There are two different concepts here. I will temporarily refer to them as “rollup bridge” and “rollup blockchain”.

  2. Rollup bridge and Rollup chain are separate and can “fork” from each other.

  3. L1 and L2 are relative terms depending on the issuing location/origin of a given asset.

Let’s start with a thought experiment. Imagine we have two independent existing blockchains, such as Ethereum and Near Chain. Can we establish a trustless bidirectional bridge between them without modifying the protocols? Yes, we can! First, let’s assume we develop zk validity proofs for Near’s VM and consensus (all my examples will be about zk rollups, which is easier for me). This obviously doesn’t require any changes to Near’s protocol, we just need to find a way to prove that a given block is a valid state transition within the SNARK/STARK. Now, we create a smart contract on Ethereum to verify these proofs, and we’re done.

Now, anyone can submit Near blocks (or state increments) along with validity proofs to Ethereum, and the smart contract will know the state of the Near blockchain without any trust assumption. Then, sending messages from Near to Ethereum becomes simple, you just need to submit a Merkle proof of the Near state to the smart contract in Ethereum, which proves any part of the Near state. This is the first understanding. We’re not sending tokens or data from one blockchain to another, there’s no movement, they are still separate databases. We’re just proving the state of one blockchain in another blockchain. Token transfer between blockchains is just a convenient abstraction.

But so far, this is one-way, we’re only proving the state of Near on Ethereum. How do we do the opposite? It’s simple, we develop validity proofs for Ethereum, create a verifier contract on Near, and send Ethereum blocks and validity proofs to Near. Now we can prove the state of Ethereum in Near. With two one-way trustless bridges, we have a bidirectional bridge.

However, this raises a question, why do we need two bridges? Rollup doesn’t have two bridges, Arbitrum and zkSync don’t have an Ethereum bridge in their states, what’s happening here? Well, they do have, but it’s a different type of bridge. We enforce that zkSync full nodes are also Ethereum full nodes, and the same goes for Arbitrum.

This is the second understanding, all rollups actually have two one-way bridges. It’s just that in the zkSync → Ethereum direction, we use validity proofs + state increments, while in the Ethereum → zkSync direction, we only use full node bridges. Apparently, one possible solution to connect Ethereum and the Near side is to require every Ethereum full node to also be a Near side full node, and vice versa. This would achieve the same purpose, but it’s a bit silly because it doesn’t scale well.

But now we have two bridges with proof of validity between Ethereum and Near. We can prove a blockchain state on another blockchain and use it to “move assets” and “send messages”. I would like to point out that we have not changed any protocols, and we do not need Ethereum or Near full nodes to provide any additional functionality. Each blockchain may not even be aware of these bridges. Full third parties like Matter Labs or Coinbase can maintain (and eventually fail to maintain) these bridges.

So, is Ethereum going up on Rollup with Near? Is Near now more secure because its blocks are published on Ethereum? Will the security of the blockchain be reduced if the bridge stops working? I think you would agree that no, none of the blockchains have changed. It’s just that now there is a smart contract on each blockchain that can access the state on another blockchain. Please note that these bridges are also independent, so if one fails, the other is completely unaffected.

Now we can discuss different types of bridges. Patrick McCorry published an article on Rollup verifying bridges. I can say that I generally belong to Patrick’s camp, but I think there are actually more types of bridges:

The first type is “full node bridge”. These are the cases where a full node of one blockchain is also a full node of another blockchain. This is the highest level of security for a bridge, which is the actual case of not trusting the bridge. The bridge has no additional security assumptions. For scalability reasons, it is also completely impractical. In the Ethereum+Near thought experiment, it doesn’t make sense to have two different blockchains if we require all full nodes to be full nodes of both blockchains. However, if the requirements for nodes of one blockchain are much smaller than the requirements for nodes of another blockchain, it makes sense in one direction. This is exactly what happens in Rollups like zkSync, Arbitrum, Optimism, etc.

The second type is “validity bridge”. This is a bridge that uses zk proofs to prove the validity of a given state transition (i.e. zk rollups). We have additional trust assumptions related to the proof system used for these validity proofs.

The third type is “OP bridge”. This is the type of bridge used in OP Rollups. The additional trust assumptions here are related to game theory and the existence of at least one honest full node of the Rollup.

Validity bridges and OP bridges aim to achieve the security of a full node bridge without requiring the same level of resources. In fact, a validity or OP bridge is almost like a full node of another blockchain, but it is just a smart contract.

Of course, there are also light client bridges (such as Near’s Rainbow bridge), multi-signature bridges, etc. Now we can actually use this model to classify different rollup projects. For example, zkSync Era is a centralized (i.e. single validator) blockchain with a full node bridge from and to Ethereum.

This is the case with most Rollups today: a blockchain with a full node bridging from the base chain and validity or optimistic bridging to the same base chain. Note that this creates a hierarchy between the chains, where Ethereum full nodes do not become full nodes for any aggregated decision bridged to it, but aggregated full nodes are almost forced to become Ethereum full nodes.

Finally, note that Rollup blockchains do not inherit the technical security of the parent chain.In other words, publishing data (and proofs) of a certain blockchain to Ethereum does not increase the security of that blockchain.Using Ethereum’s data availability is only for the benefit of the Rollup bridge, not for the benefit of the Rollup blockchain. This means that the Rollup bridge includes smart contracts and data availability on Ethereum, and the Rollup blockchain is just a blockchain.

Although this model looks simple now, it doesn’t explain verification and sovereign Rollup. Are validiums bridges or blockchains? How are they different from validity bridges? What about sovereign rollups? They don’t even have bridges! It is easier to analyze from the perspective of sovereign Rollup.

Sovereign Rollup is often described as Rollup without bridges. They essentially use the data availability and consensus of another blockchain as their own data availability and consensus, thus inheriting the security of that blockchain.They achieve this by publishing all data to the base chain, and sovereign Rollup full nodes are just full nodes of the base chain, with additional rules to interpret the data.

So is this a Rollup? No, it may sound like a Rollup at first, but many other things also fit this definition. We certainly wouldn’t classify it as a Rollup, such as ordinals in Bitcoin. All data of the Ordinals blockchain is on the Bitcoin blockchain. To be a full node of the Ordinals blockchain, you only need a Bitcoin full node and knowledge of the Ordinals rules. It also has the same security as Bitcoin. The same applies to many other protocols built on top of Bitcoin, such as Omni, Counterparty, Mastercoin, etc. None of these protocols can be classified as sovereign Rollups.

I may find more examples, but the point is that a blockchain carrying the consensus and/or data availability of another blockchain is nothing new. As far as I know, there is no universal term for these structures, so I will attempt to use the term “dependent blockchain.” The innovation of Rollup has created a way for two blockchains to communicate in a trust-minimized and efficient manner. Sovereign Rollups lack this, so they should not be called Rollups, but rather attached to blockchains.

2. About verification

Finally, let’s talk about verification. Like Rollups, they are blockchains with full node bridges from the base chain to the base chain and some bridges to the base chain. This new type of bridge is essentially a validity bridge, where we do not publish blockchain data (inputs or state increments) to the base chain, but only publish zk proofs. Due to the lack of a better term, we call them partial validity bridges. But how are they different from regular Rollups? To find the answer, we need to understand what happens when a blockchain fails and the bridge forks.

Let’s go back to our thought experiment about bridging Ethereum and Near. In this case, what happens if the Near blockchain stops running? Obviously, the bridge from Near to Ethereum will stop updating. If there are coins on the bridge, they will be stuck until the Near chain is restored. Clearly, the assets on this bridge do not seem to have the same level of security as the Ethereum blockchain. This goes against the commonly stated Rollup security, so what is happening here? Please remember that the functionality of the validity bridge and the OP bridge is similar to that of a full node, and a full node can fork the blockchain.

Most Rollups plan for some kind of “escape hatch” mechanism, which is essentially an automatic forking mechanism. In our example, if the Near blockchain fails, anyone is allowed to update the state of the bridge as long as they attach a validity proof. If the Near blockchain comes back online subsequently, it will have a different state from the bridge, thus reinforcing the idea that the bridge has indeed forked from Near. This bridge actually has the same level of security as Ethereum, but it is crucial that the bridge has some forking mechanism planned.

Now imagine a different scenario where both Ethereum and Near blockchains are functioning, but only Coinbase is allowed to update the state of the bridge (as designed by the bridge). If Coinbase fails for some reason and there is no forking mechanism in the bridge, then the bridge will stop functioning, and all assets will be stuck even if the Near blockchain still exists.

Now we can easily see the difference between a validity bridge and a partial validity bridge (also known as validiums). A validity bridge always guarantees possession of state data (which is necessary for creating forks) because they publish all state updates to the underlying chain. A partial validity bridge may not have that state data and relies on a small number of honest validators in the validium blockchain to ensure the availability of that data.

To summarize this lengthy article, it is about blockchains and bridges. There are many different types of bridges, but the most interesting ones in the L2 space are: full node bridges, optimistic bridges, validity bridges, and partial validity bridges.

We can also categorize blockchains into two different types: dependent or independent, depending on whether they use the consensus and data availability of another blockchain as their own. However, these are distinct concepts, and we can pair any type of blockchain with almost any number and type of bridges.