“It was the best of times, it was the worst of times.” As it was in Dickens’s retelling of revolutionary Europe, so it is on Ethereum today. The ecosystem—DeFi in particular—is teeming with life and innovation. But the exponential increase in network activity has spawned a congestion crisis: for the vast majority of potential users, transacting on Ethereum has become prohibitively expensive. Scaling is needed, and it’s needed urgently.
I believe that rollups are the way forward. Much has already been written about their key trust assumptions and security properties, and how these differentiate rollups from other scaling solutions like sidechains and EVM-compatible layer 1s(1). My task in this piece is to make sense of the tradeoffs between the two major categories of rollups: Optimistic Rollups and Zero Knowledge (ZK) Rollups. The two share much of the same basic design and guiding principles. They differ in how the “review process” works—how, in other words, Ethereum determines whether a batch of rollup transactions should be accepted or rejected. As we shall see, this single point of difference has important consequences for the security, EVM-compatibility, and user experience of Optimistic and ZK Rollups. These properties, in turn, have far-reaching implications for users, developers, and investors alike.
Guilty until proven innocent, or innocent until proven guilty?
Before diving into the complexities of their respective designs, let’s begin with a high-level comparison.
ZK Rollups send batches of transactions back to Ethereum accompanied by a special type of cryptographic proof. The Ethereum network uses this so-called “validity proof” to verify the correctness of that batch’s transactions. In a ZK Rollup protocol, Ethereum only accepts a batch of transactions if that batch can be cryptographically validated. In a word: guilty until proven innocent.
In an Optimistic Rollup, by contrast, Ethereum assumes that a given batch of transactions is legitimate. It only rejects the batch if someone—not just a validator on the Optimistic Rollup, but any participant monitoring the rollup chain—submits a valid claim that the transactions are fraudulent (a “fraud proof”). Hence: innocent until proven guilty.
Whereas ZK Rollups rely on cryptographic proofs to determine transaction integrity, Optimistic Rollups have a grace period between the time that transactions are processed on the rollup and final acceptance by the base chain(2). This “dispute period” allows ample time for users to submit fraud proofs, though in practice it translates into a longer withdrawal period—up to 1-2 weeks—for token migration from the rollup chain back to the Ethereum base layer. For an Optimistic Rollup to operate securely, there only needs to be one honest participant in the network that submits fraud proofs when necessary (more on this assumption below). Additionally, Optimistic Rollups use economic incentives to ensure that malicious users cannot spam the network with false fraud proofs. More specifically, both validators that process transactions and network participants that submit fraud proofs are incentivized to do so honestly because they must bond tokens on their assertions, which are forfeited in the case of a lost dispute.
At first glance, it might appear that ZK Rollups are strictly superior. Not only do they establish a cryptographic burden of proof for every batch of transactions, but they also avoid the week-long withdrawal delays that plague Optimistic Rollups. But ZK Rollups are not inherently better than Optimistic Rollups. The reality is much more complicated.
DeFi Readiness
Whatever their theoretical merits—and there are many—ZK Rollups are handicapped in terms of what they can deliver for scaling DeFi, at least at this stage.
Optimistic Rollups like Arbitrum and Optimism offer execution models very similar to the Ethereum Virtual Machine(3). For developers, moving onto an Optimistic Rollup can be a remarkably easy procedure, regardless of code complexity. Arbitrum’s recently-updated documentation makes clear how simple the process is for applications to migrate over. Generally speaking, Optimistic Rollups have no problem providing the same functionality that alternative EVM-compatible scaling solutions like Matic/Polygon and Binance Smart Chain offer.
For leading ZK Rollup protocols like Starkware and zkSync, on the other hand, compatibility is a much thornier issue. Because ZK Rollups are designed to have validity proofs accompanying every single type of transaction, their rollup technology is much more onerous to construct. ZK Rollups have been used successfully for a few discrete tasks like direct transfers and trading. But they have yet to offer general purpose support for DeFi smart contracts.
This isn’t at all to detract from the future potential of ZK Rollups. Down the line—maybe even sooner rather than later—ZK Rollups may come to offer much of what Optimistic Rollups already do: near-complete EVM Compatibility, computational efficiency, and easy portability for complex code. As things currently stand, however, only Optimistic Rollups are positioned to address Ethereum’s urgent congestion problem and provide a way for DeFi to scale swiftly.
Security considerations
But is scaling speed worthwhile if it is purchased at the cost of security? Proponents of ZK Rollups argue that ZK Rollups offer airtight cryptographic verification of offchain execution and thus enjoy a decisive security advantage over Optimistic Rollups, the implication being that ZK Rollups are worth the wait for DeFi protocols itching to scale.
In practice, though, the question of security is not as straightforward.
ZK Rollups are constructed with a designated party that executes transactions, builds blocks, and includes proof of validity. This party is called the “relayer” (or “prover”). In a ZK Rollup, the relayer is cryptographically barred from submitting a fraudulent batch of transactions and cannot abscond with funds that are processed by the rollup. Nevertheless, this reliance on a single party creates some potential vulnerabilities.
The relayer’s job of constructing blocks with zero knowledge proofs requires expensive computational infrastructure. If the relayer goes offline for any reason, there won’t necessarily be other parties with the proving technology that can seamlessly take over processing responsibilities. What this means, in practice, is that ZK Rollups do not have strong “liveness” guarantees(4).
Now compare this with Optimistic Rollups. On Optimistic Rollups, a single party (the “sequencer”) is also designated as the block producer and transaction processor(5). For the most part, the other validators on the Optimistic Rollup network serve as “referees” that can “call a foul” on the sequencer—i.e., they can post fraud proofs when necessary to trigger a dispute resolution process. Importantly, though, these additional validators can also take over the block producing role without additional processing power or technical knowledge. Arbitrum’s founders even claim that one can run an Arbitrum node with a normal laptop with some additional RAM.
For their part, proponents of ZK Rollups argue that similar vulnerabilities exist in Optimistic Rollups—and that these vulnerabilities, when exploited, are much more severe because of the lack of cryptographic constraints. The argument runs as follows. Optimistic Rollups have an assumption that “one of n participants” is honest. This means so long as there is one honest network user that can submit a fraud proof, the rollup protocol will process transactions correctly. The problem, these critics maintain, is that while this “one honest participant” requirement is weaker than sidechains’ simple-majority consensus mechanism, it remains vulnerable to censorship. In the case that all participants are corrupted or forced offline, a fraudulent batch could theoretically be submitted to Ethereum without triggering a dispute resolution, which would then be erroneously and irrevocably accepted by the base chain.
This attack scenario makes sense in theory, but there are a couple of important mitigating factors in practice. First of all, as mentioned above, Optimistic Rollups have a lengthy dispute resolution period of one to two weeks. In addition to the validators, any participant that is monitoring the state of the network can submit a fraud proof during this dispute period. This means that the “one of n” assumption is not a “one of n permissioned validators,” but rather “one of permissionless n,” as John Adler, a leading rollup researcher, phrased it to me.
Furthermore, there are game theoretic reasons to assume that network participants who have been corrupted (i.e. bribed) will defect and submit a fraud proof, since doing so entitles the defector to the block producer’s forfeited stake. Put differently, the “one honest participant” assumption is actually an assumption that there is one greedy participant willing to submit a correct fraud proof for a monetary reward.
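The dispute mechanics described earlier (bonded assertions, a challenge window open to any observer) and the censorship scenario discussed above can be traced in a small simulation. This is an added example, not code from Arbitrum, Optimism, or the author. The one-week window, the bond size, the account names, the full re-execution used in place of a real protocol's dispute procedure, and the burning of a losing challenger's bond are all assumptions.

```python
DISPUTE_PERIOD = 7 * 24 * 3600  # assumed one-week window, in seconds
BOND = 100                      # assumed bond size, arbitrary units

def execute(state, txs):
    """Deterministic transition: apply (sender, receiver, amount) transfers."""
    new = dict(state)
    for sender, receiver, amount in txs:
        if new.get(sender, 0) >= amount:      # unfunded transfers are skipped
            new[sender] -= amount
            new[receiver] = new.get(receiver, 0) + amount
    return new

class BaseChain:
    def __init__(self, rollup_state, bonds):
        self.state, self.bonds = rollup_state, bonds

    def post_batch(self, sequencer, txs, claimed_state, now):
        self.bonds[sequencer] -= BOND         # sequencer stakes on its assertion
        return {"txs": txs, "claim": claimed_state, "sequencer": sequencer,
                "posted_at": now, "status": "pending"}

    def challenge(self, batch, challenger, now):
        """Open to any observer: re-executes the published txs (simplified fraud proof)."""
        if batch["status"] != "pending" or now >= batch["posted_at"] + DISPUTE_PERIOD:
            return False                      # window closed: too late to dispute
        if execute(self.state, batch["txs"]) != batch["claim"]:
            batch["status"] = "rejected"
            self.bonds[challenger] += BOND    # challenger receives the forfeited stake
            return True
        self.bonds[challenger] -= BOND        # false claim: challenger's bond is burned (assumption)
        return False

    def finalize(self, batch, now):
        if batch["status"] == "pending" and now >= batch["posted_at"] + DISPUTE_PERIOD:
            batch["status"] = "accepted"      # nobody disputed in time
            self.state = batch["claim"]
            self.bonds[batch["sequencer"]] += BOND   # bond returned
        return batch["status"]

def scenario(fraudulent, watcher_online):
    """Constructed run: returns (batch status, bond balances, finalized rollup state)."""
    chain = BaseChain({"alice": 50, "bob": 0}, {"seq": 100, "watcher": 100})
    txs = [("alice", "bob", 20)]
    claim = {"alice": 0, "bob": 50} if fraudulent else execute(chain.state, txs)
    batch = chain.post_batch("seq", txs, claim, now=0)
    if watcher_online:
        chain.challenge(batch, "watcher", now=3600)
    return chain.finalize(batch, now=DISPUTE_PERIOD), chain.bonds, chain.state
```

Calling `scenario(True, False)` reproduces the critics' case: with every watcher offline, the fraudulent state is finalized once the window closes, while `scenario(True, True)` shows a single watcher rejecting the batch and collecting the sequencer's bond.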
Beyond liveness guarantees and the “one honest validator” assumption, there are various other security issues worth exploring(6). The purpose of this discussion was not to draw black and white conclusions on the complex issues of trust and security. Rather, my goal was to subvert the otherwise-hasty characterization of ZK Rollups as straightforwardly more secure than Optimistic Rollups because of their cryptographic verification.
User experience
While the above discussion has emphasized Optimistic Rollups’ network readiness and highlighted the strengths of their security model, there remains one area in which ZK Rollups enjoy a decisive advantage over Optimistic Rollups: user experience. More specifically, ZK Rollup transactions can be confirmed instantaneously(7). Accordingly, users of ZK Rollups theoretically do not have to wait any significant period of time to withdraw their funds back to Ethereum. Optimistic Rollups, on the other hand, require 1-2 week withdrawal delays to allow for dispute resolution, as detailed above.
These delays have long been considered the Achilles’ Heel of Optimistic Rollups, and for good reason. While some have argued that Optimistic Rollups will be sticky enough that users won’t need to migrate to and from Ethereum with any sort of frequency, I have difficulty imagining that crypto-native users will put up with worse-than-SWIFT withdrawal delays.
Fortunately for Optimistic Rollup protocols, though, withdrawal delays are a problem that can be solved in large part thanks to the transparency and availability of rollup data. Data availability is a fundamental feature of Optimistic Rollups, as it allows other network participants (“referees”) to submit fraud proofs with confidence if the sequencer has processed transactions fraudulently. Conveniently enough, this data availability feature also allows external observers to “know” the correct outcome of a disputed batch of Optimistic Rollup transactions well before the challenge period has elapsed and true finality on Ethereum is achieved. Accordingly, market makers on Ethereum (or other chains) can offer instant liquidity to rollup users whose tokens are stuck in the withdrawal pipeline—and the game theoretic design of Optimistic Rollups means that dispute resolution will be exceedingly rare because fraudulent block producers are penalized.
At the moment, a number of promising protocols are iterating on this basic concept of providing instant liquidity to Optimistic Rollup users. Connext and Hop are generalized cross-chain protocols that use variations of conditional transfer technology to allow users to swap tokens across Layer 2s, EVM-compatible Layer 1s, and Ethereum. MakerDAO recently announced a narrower solution to the withdrawal delay problem: a bridge between Optimism and Ethereum that takes advantage of the protocol’s unlimited Dai liquidity and minting capabilities to mint Dai on Ethereum for Optimism users who initiate a withdrawal. Additionally, Rari Capital is developing a “conditional withdrawal” solution called “Nova,” which uses “bots” to execute specific tasks on Ethereum for rollup users without forcing them to migrate all of their liquidity back to Ethereum. Finally, centralized exchanges will likely offer direct on- and off-ramps to Optimistic Rollups.
Certainly, a more detailed exploration of the withdrawal delay problem and these nascent solutions is warranted, but it would require its own separate article. At least in the near term, however, the success of Optimistic Rollups is conditional in no small part on the success of these “fast withdrawal” protocols. ZK Rollups, to their credit, do not share these same user experience pain points and are thus not as dependent upon viable cross-chain infrastructure.
Final thoughts
To conclude, it might be helpful to zoom out from the complexities of Zero Knowledge and Optimistic Rollups and survey the scaling landscape as a whole.
It is impossible to know at this stage how rollups as a category will fare against their alternatives. Sidechains (Matic/Polygon) and EVM-compatible layer 1s (Binance Smart Chain) have positioned themselves as early scaling incumbents with already-impressive application suites. Furthermore, throngs of crypto users in search of low fees and high throughput have shown no hesitation in using these other scaling solutions, irrespective of their security guarantees.
My own view is that it will take a while for the scaling wars to truly play out in any sort of decisive fashion. In the near term, I would not be surprised to see rollups face barriers to traction. The incentives on alternative chains are generous, and the user experience for early rollup adopters is unlikely to be free of friction. Moreover, absent reliable and seamless cross-chain infrastructure, we may encounter a real fragmentation of liquidity across DeFi that makes it difficult for any scaling solution to truly corner the market.
In the mid to long term, though, any deltas that emerge in terms of cost, speed, and user experience between the competing scaling solutions will, I believe, trend toward zero. The primary differentiators that remain will be security and trust assumptions—plus whatever network effects each solution has built up in the interim. If (and when) this scenario truly takes hold, the vision of a rollup-centric Ethereum may finally become reality.
Disclaimer: The author is an investor in some of the protocols named in the article.
(1) Here, I will assume a baseline familiarity with rollups’ general architecture—namely, how offchain, centralized block production enables transactions to be batched (“rolled up”) for exponentially greater throughput, while onchain data availability allows Ethereum to “review” these offchain computations to ensure their integrity. For a general (but technical) introduction to rollups, see Vitalik Buterin’s article from earlier this year.
(2) In practice, the mandatory challenge period for Optimistic Rollups translates into longer withdrawal times—up to 1-2 weeks—for users who wish to migrate tokens from the rollup chain back to the Ethereum base layer. More on this shortly.
(3) Arbitrum’s Virtual Machine is more EVM-compatible than Optimism’s, but neither one is 100% identical to the EVM.
(4) Furthermore, even though a malicious relayer cannot steal funds or move funds fraudulently, a relayer could still theoretically freeze funds and blackmail users who want to move or withdraw their tokens.
(5) Optimistic Rollup protocols like Arbitrum and Optimism differ in the responsibilities and prerogatives assigned to the sequencer. In Optimism, the sequencer is given liberal transaction-ordering capabilities, which allows the sequencer to extract what’s known as “Miner Extractable Value” (MEV). Optimism plans to eventually move toward a MEV Auction system, whereby the rights to act as the sequencer (and take MEV) are auctioned off and the proceeds are then “donated” to public goods. Arbitrum, by contrast, aims to limit the sequencer’s transaction ordering capabilities through something called a “Fair Sequencing Service.”
(6) Two other important vectors of debate: (a) the feasibility of an Ethereum miner censorship attack, and (b) the viability of ZK-connected, offchain data availability systems like zkPorter (ZkSync) and Validium (Starkware). For some recent back and forth on both topics, see Alex Gluchowski’s introduction to zkPorter and Vitalik Buterin’s pointed response. (It’s worth keeping in mind that the discussion of these security issues is partially dependent upon whether the base layer, Ethereum, uses Proof-of-Work or Proof-of-Stake consensus.)
(7) Importantly, though, in practice Starkware only posts state roots once every few hours for their implementation of the dYdX protocol, meaning that transactions do not receive instant confirmation and users must wait a few hours if they wish to withdraw their funds.