Rollups have come a long way since their initial conception in 2019. We’ve seen a distinction emerge between two primary contenders and a varying assortment of other promising theoretical designs that encompass many hybrid evolutions. It’s now halfway through 2022, and a look at the state of the rollup ecosystem is in order.
Since general-purpose optimistic rollups have been on mainnet significantly longer than their zk-rollup counterparts, they have garnered the vast majority of rollup applications. The two leading optimistic rollups are Arbitrum and Optimism, as has been the case for some time.
Arbitrum ranks as the top rollup as measured by TVL, to the tune of $2.4B. Despite being live on mainnet for the better part of a year, there are still many training wheels on the system. Currently Offchain Labs, the entity that develops Arbitrum, operates a single centralized sequencer. While interactive fraud proofs are live, the single sequencer is the only whitelisted entity that can submit a dispute to generate fraud proofs. From a users’ perspective, they must still place a large amount of trust in the system, though progressive decentralization is expected.
The next protocol upgrade, Nitro, is live on Devnet and will overhaul the existing architecture, replacing the custom Arbitrum virtual machine with a WASM-Geth combo. Arbitrum’s interactive fraud proofs will run over WASM and the node software will have an equivalent codebase to Geth, plus some rollup specific optimizations. All in all, Nitro will bring significant optimizations, increased performance and better EVM compatibility.
Optimism ranks as the second largest optimistic rollup, and third among all rollups by TVL, sitting at $469M. Optimism PBC runs a similar situation to Arbitrum with their single centralized sequencer. However, Optimism PBC has found a way to turn to provide positive benefit to the network by using profits made from the sequencer to retroactively fund public goods. The first round saw a total $1M of donations to 58 public goods projects. If there was any way to make a positive impact despite centralized sequencing this is the way to go.
Currently, Optimism lacks fraud proofs, though progressive decentralization and necessary security upgrades are expected - as is the standard. However, pretty much all rollups have instant or delayed upgradeability, so the rollup's security ultimately depends on the upgrade multisig.
The upcoming Bedrock upgrade will transform Optimism’s architecture into something similar to that of Arbitrium’s. The current Optimism Virtual Machine will be replaced with a MIPS-Geth combo, where the node software is equivalent to a regular Ethereum Geth node – did someone say Ethereum equivalence? Interactive fraud proofs will also feature as an addition, which are an upgrade from their original non-interactive fraud proofs. Generally, Bedrock will be a significant step for Optimism, adding a lot of features and enhancements to the system.
As an aside, Optimism also made a leap to a non-plutocratic governance experimentation. Decision making will be split between two houses, the token house and the citizen’s house. While the token house will feature generic coin voting, the citizens house will feature a one citizen one vote system. From that, the most difficult barrier in such a system is probably finding the best method of allocating citizenships to users while minimizing the potential for sybil attacks. If a user can garner more than one citizenship, they can effectively project more influence over governance than the average citizen. Optimism have noted they’ll use non-transferrable NFTs to represent citizenships, however the threat of individuals exchanging private keys to acquire more votes is still present.
Fuel is another notable player in the optimistic rollup space that is taking a dramatically different approach to that of Arbitrum and Optimism. Fuel Labs is building a custom VM for Fuel V2 with a rust-based programming language. While EVM compatible rollups are especially useful for onboarding the Ethereum dev ecosystem to rollups, custom VMs are where the most performance gains can be made as they don’t have to adhere to an already existing standard.
Perhaps my favourite part of Fuel V2 is parallel transaction processing, primarily because the throughput bottleneck once sufficient data capacity emerges will become execution. Once the throughput bottleneck shifts to execution, rollups that implement parallel processing will have a leg up compared to those without it. Notably, Fuel V1 was the first mainnet optimistic rollup live on Ethereum and is still the only rollup to have permissionless sequencers and fraud disputes, plus no upgrade multisig.
In their current form, optimistic rollups are far superior to that of zk-rollups. Two primary considerations revolve around:
- Full, unrestricted composability: zk-rollups have inherent difficulty in composing smart contracts over zk circuits. The only zk-rollup with general composability is StarkNet, which currently has permissioned smart contract deployment and a cap on the amount of TVL that the bridge can support. All other zk-rollups are application specific, or only do token transfers.
- EVM compatibility: zk circuits have inherent compatibility issues with certain types of cryptography that is standard in the EVM, making zkEVM an incredibly challenging task. Optimistic rollups have existed on mainnet with EVM compatibility for a while, and upgrades are expected to take that further towards equivalence.
For a while there has been consensus within the Ethereum community that zk-rollups are the end state for scalable rollups. As a result, there appear to be a greater number zk-rollups in active development compared to optimistic rollups, many of which are slated to launch within the next two years.
Starknet is currently the only general purpose, composable zk-rollup on mainnet. However, the system is still in an early alpha mode with multiple restrictions. The bridge between StarkNet and Ethereum is limited to a certain amount of TVL which has gradually increased since launch. Smart contract deployment on StarkNet is also whitelisted. I’d consider this is primarily to reduce the risk of smart contact bugs occurring as there likely isn’t enough (any?) auditors to audit all the Cairo contracts that developers want to deploy – makes sense that StarkWare would temporarily take on this role. Auditability is one of the general downsides towards new, custom languages which is only compounded by the complexity of zk systems. Ultimately, StarkNet is currently leads the pack.
ZkSync is another major “zk-rollup” contender that has been building towards a general zk-rollup for a while with zkSync 2.0. The recent testnet marked the first instance of a zkEVM on a live testnet. However, with the addition of zkPorter, zkSync 2.0 is more than a rollup. It will be a volition, enabling users to pick between zkPorter and Ethereum to publish their transaction data. While Ethereum is in the process of upgrading is data throughput with danksharding, volitions are a great middle ground that provide users with a choice on the cost-security spectrum for their transactions.
While most zk-rollups are prioritizing scalability, privacy is another important aspect that zk-rollups can enable. Aztec is currently leading the charge in the privacy domain with their private token transfers zk-rollup (zk.money) – they are the only privacy-focused Ethereum rollup I know of. Aztec will also launch its next iteration, Aztec connect, in roughly the next week which enables users to privately access Ethereum DeFi. This is a large improvement from using something like tornado cash where privacy is only achieved through obfuscation and not directly shielded transactions – you’d hope nobody links your tornado wallets otherwise your privacy is gone.
Zk-rollups are already extremely complex, adding privacy compounds the issue. There’s a chance that zk-rollups will never reach a state of private composable smart contracts. Because of this, privacy will likely emerge through application-specific chains, whether through zk-rollups or validiums on top of a zk-rollup.
An assortment of other zk-rollups also exist in production, including Scroll and Polygon’s assortment of projects. One of the big distinctions among zk-rollups will be between the use of a custom VM or a zkEVM execution environment. The advantages and disadvantages of which are similar to that of optimistic rollups. However, zk-rollups have more inherent complexity in implementing a zkEVM. Because of this, there is a very strong case that can be made for going the route with a custom VM and language, like StarkNet and Cairo.
The last two in the rollup category are currently theoretical, though under active development. A sovereign rollup is distinguished from a typical rollup because it has a fork choice rule which allows it to fork independently from its base layer. Conversely, a regular rollup delegates its fork choice to its settlement layer – it must be a settlement layer because it needs to ensure correctness of the rollup.
Sovereign rollups will be most prominent on DA layers like Celestia, where correctness of rollup transactions isn’t ensured by the DA layer. Because of this, rollups on something like Celestia are sovereign by default as they must ensure their own transaction correctness through fraud/validity proofs and a fork choice. This is not to be mistaken for consensus, which is provided by Celestia for agreement on ordering of transactions.
For an optimistic sovereign rollup, transactions are assumed correct, so rollup nodes need only download block data from Celestia. Zk-sovereign rollup ensure correctness with validity proofs, which would be distributed between rollup nodes through the p2p network.
To me, the importance of sovereign rollups are instilled in their ability to fork, which enables the rollups to truly become independent from their base layer. Essentially, sovereign rollups regain their mechanism for social recourse.
A settlement rollup is a type of sovereign rollup that is purpose-built for settlement. Importantly, a settlement layer is any blockchain that has a two-way trust-minimized bridge with a rollup. The bridge enables tokens to be transferred between the rollup and settlement layer in both directions. Trust-minimized is a property of the bridge where communication only relies on an honest minority assumption through verification of data availability and fraud/validity proofs.
The purpose of a settlement rollup, like any settlement layer, is to provide an environment for “rollups” to verify proofs, resolve disputes, and bridge tokens. Though, technically the “rollups” on top of a settlement are hybrids as they use off-chain DA through the data availability layer that the settlement rollup sits on top of – making them either a validium or an optimistic validium.
Kicking off the hybrids, a validium is a hybrid zk-rollup where transaction data is posted off-chain, which can necessitate any environment other than the settlement layer used to verify validity proofs. StarkEx is the only live instance of a validium. In particular, StarkEx is an application-specific validium which currently supports three applications; Immutable X, Sorare, and DeversiFi. StarkEx also supports a zk-rollup mode which is used by DyDx, the second largest rollup by TVL.
StarkEx uses a data availability committee (DAC) which is comprised of a set of trusted parties to provide data availability to StarkEx validiums. While entrusting data availability to a permissioned committee reduces security, it enables the StarkEx validiums to provide cheaper transactions than zk-rollups. The cost reduction is possible because publishing data to Ethereum is expensive – it is also the primary variable cost that contributes to rollup transaction fees.
Some of the security considerations of a validium with a DAC can be reduced by using an external data availability layer. The primary increase in security comes from the cryptoeconomic security that a blockchain provides, where nodes can get jailed and slashed for dishonest activity. A validium of that implementation is an interesting addition to the cost-security tradeoff within the “rollup” spectrum.
Like a validium, an optimistic validium is a hybrid optimistic rollup where transaction data is posted off-chain. There isn’t general consensus around what this specific hybrid should be called, so this is what I’m going with.
Metis is currently the only optimistic validium, which transitioned from an optimistic rollup model to decrease transaction fees at the cost of security. Optimistic validiums have weaker security assurances to their validium counterparts because data availability is required to generate fraud proofs and successfully solve disputes. If a dispute is made and data for the state transition in question is unavailable, then the fraud proof can’t prove fraud. Because of this, funds can get stolen from an optimistic validium if the off-chain data availability provider fails to provide the data.
Through the combination of both a zk-rollup and a validium, volitions are a hybrid that give users the choice of either on-chain or off-chain data availability. The choice is made at the individual transaction level, where off-chain data represents cheaper fees and lower security while on-chain data results in higher fees and more security. This gives users the freedom of choice provided by the individual system, rather than explicitly seeking out chains that fit the users’ cost-security preference.
Currently, zkSync 2.0 is the only publicly announced volition in development. In zkSync 2.0, on-chain data is provided by Ethereum, and off-chain data is provided by their own dedicated PoS chain known as zkPorter. There aren’t a whole lot of details on the specifics of zkPorter, I’d guess primarily because it is still under active development and testing. StarkWare could implement a volition option for StarkEx or StarkNet, though this is purely speculation.
An adamantium is type of validium where each individual personally provides their own data availability to the network. An individual’s transaction data is personally stored by them (off-chain), and they must stay online to attest to data availability for each block. If the user does not stay online, or fails to attest, then their funds are automatically withdrawn back on-chain to the settlement layer. While StarkWare proposed the adamantium design, there is no confirmed indication of StarkWare or any team working on it. Ultimately, if one does get developed it will likely serve as a niche option for users or entities that want more personal control over their security, which is why adamantium users are referred to as “power users”.
Finally as an honourable mention, an enshrined rollup is a rollup that is directly part of an existing blockchain. Put simply, it is an execution shard. The difference between an enshrined rollup and execution shards as seen in Ethereum 2.0 proposals and other similarly sharded blockchains, is that execution shards were proposed as monolithic. The global validator set would be split into committees and assigned to a specific shard to act as the validator set. The execution shard would act as another blockchain that has its own execution, consensus, and data availability but it would checkpoint back to a “beacon chain” – similar to how sidechains checkpoint back to their chosen chain. In theory, an Ethereum enshrined rollup would only do execution, and use the beacon chain to verify data availability and fraud/validity proofs.