Vitalik gave us the amazing Incomplete Guide to Rollups. I present to you The Complete Guide to Rollups.
Ok it’s not actually complete, but it’s a great meme so I’m stealing it. This report only analyzes the design space of rollups on Ethereum and Celestia. I strongly recommend my recent Ethereum report for background.
I cover the two I’m most familiar with, but there are actually many other teams building here. Polygon (Avail), Tezos, and Milkomeda among others are also in the rollup stack game. Tezos in fact will likely be the first to ship “enshrined” rollups, and Polygon Avail is incredibly similar to Celestia architecturally.
First, what are “modular” blockchains? It’s mostly a meme at this point with plenty of disagreement, but I’ll define how I use the term for simplicity. Then you can fight over why I’m wrong in my Twitter comments.
Modular stacks strip apart the following tasks into separate technical components:
Ethereum can handle each of these. It offers a unified DA, consensus, and settlement layer with general execution. When you transact on L1, Ethereum acts as any monolithic chain does. Alternatively, rollups can handle execution with Ethereum providing DA, consensus, and settlement.
Celestia only provides DA and consensus. No Uniswap living on L1 Celestia, and no verification/arbitration of proofs by the L1. Celestia has no enshrined settlement layer or smart contract execution. The L1’s functionality is limited to Celestia token transfers and validator set management.
Note possibilities such as Validiums and Celestiums using separate layers for DA and settlement also exist. Any settlement layer could be used so long as it accepts an attestation from Celestia that the data has been made available.
However, these are not rollups, and they bring meaningful additional security assumptions. This report will focus on actual “rollup” stacks. I’ll break down the economics first, then dive into each stack in depth.
I use a few abbreviations throughout to save your eyes:
I’ve written previously about the importance of L1 value capture (fees and other forms of MEV). Assets which are relied upon for economic security need a high value staked. Revenue provides the fuel to craft attractive monetary policy (real yield, low and predictable inflation, etc.). Value capture → good monetary policy → monetary premium → high economic security. Fees and other MEV kickstart step 1.
Let’s analyze a rollup transaction from first principles. This simplified graphic depicts the parts which apply to both Ethereum optimistic rollups (ORUs) and zk-rollups (ZKRs):
Users are charged L2 gas when the state transition is applied, executing their transactions. L1 gas is paid later when the batch is posted. L1 and L2 gas prices vary based on their respective congestion. So the user is incurring costs in two types of gas, and there’s a timing mismatch. Sequencers commit to a transaction and collect L2 fees before they know the full contents of the batch, how well it’ll compress, or what the L1 base fee will be when posted.
L2s do their best to guess what their L1 cost will be and charge users accordingly. When things are quiet, only a small margin is charged over the L1 cost on average. When rollups become constrained by their own execution environment (and not L1 costs), that margin goes up. Fee market surge pricing kicks in to meter demand. Higher margins correspond to bursts of high local demand.
We clearly see this in Arbitrum’s latest spike, though their margin has been quite stable otherwise. The recent bottleneck was L2 execution (not L1 costs), and so their native fee market kicked in:
We see similar trends with Optimism, though with higher variability:
Rollups’ L1 costs today are primarily calldata. Even for ZKRs, Polygon estimates that posting transaction data to Ethereum will represent ~90% of total costs (which is largely calldata) with ~10% for proofs. With EIP-4844 potentially coming as soon as the Shanghai hard fork next year, those costs plummet. It increases DA throughput and implements isolated EIP-1559 fee markets for Ethereum’s DA layer and settlement layer. An oversupply of DA means fees hit the floor. Later on, danksharding would make DA even more abundant. Rollups with any reasonable activity will significantly increase those profit margins.
Lastly – the figures above do not include any MEV (outside of regular transaction fees). In reality, rollup tokens are able to accrue significant value from MEV (more on this shortly).
ORUs post compressed full L2 transaction data (with signatures), L2 state roots, and fraud proofs (only in the event of dispute) back to L1. While the full transaction data is stored in Ethereum’s history, the hash of the transaction data is added to its state. If a fraud proof is delivered, then it can check the inclusion proof against the previously stored hash as part of the fraud proof.
ZKRs don’t need to post the full transaction data to L1. It suffices to post the state differences (they choose this because it’s cheaper). Imagine Alice and Bob trade 1 ETH back and forth within the batch – ZKRs only need to post the state change at the end (who has that 1 ETH, and who doesn’t) whereas ORUs would need to post each trade. State diffs are enough to reconstruct the state. ORUs must include all transactions in the event they’re needed for fraud proofs. ZKR provers must also include a validity proof with every batching proving that the associated state root is valid. (For more on ZKRs, you can read our previous Pro report on it here.)
SCRs have fixed costs regardless of transaction activity they must pay to Ethereum:
And they also have variable costs which scale with the transaction activity:
On top of these fees paid to L1, rollups charge surge pricing for L2 gas fees as needed and costs to cover rollup operator expenses. A more detailed analysis can be found here.
Note the timing/cost tradeoff here. Settling frequently means the L1 gives true finality sooner. However, waiting longer to settle amortizes those fixed costs over more transactions = cheaper transactions for rollup users. Rollups balance settling often enough for safety vs. giving rollup users cheaper fees with lower assurances (pre-confirmations).
Let’s look at Optimism as an example. For background, Optimism has two smart contracts that sequencers and proposers post to:
Optimism’s cost breakdown looks like this:
Posting transaction batches to the Canonical Transaction Chain (CTC) incurs two costs:
The gas used by posting state roots to the State Commitment Chain (SCC) is pure overhead cost (though note part of this cost uses L1 calldata as well). Splitting them up by variable/overhead you get this:
These overhead costs may be higher than you expected – there are still many inefficiencies to be ironed out in coming months. Optimizations such as Bedrock will significantly improve data compression, and it will drop fixed costs to near negligible. Gas costs per batch could drop from ~280k per batch excluding calldata to ~21k gas per batch. The SCC will be replaced by the L2OutputOracle, and the CTC will be removed. L2 blocks will instead be saved to Ethereum using a non-contract address, greatly reducing the on-chain footprint and minimizing gas costs. (For more on Optimism, you can read our previous Pro report on it here.)
He also recently spoke on the topic here.
Ethereum fees are derived from:
Fees for isolated monolithic chains are capped at:
Fees = Throughput x $ users will pay for individual transactions
Modular DA and settlement layers (such as Ethereum) have a higher ceiling as they’re capped at:
Fees = Throughput x $ users will pay for aggregated transactions
A rollup can pay Ethereum a larger single fee to settle many transactions (e.g., a proof securing many blocks, settling many aggregated DeFi pooling transactions, etc.) compared to what a single user can pay for an L1 transaction taking up the same block space. Introducing new fee payers to Ethereum (rollups) with a higher marginal utility per transaction adds value in the long-run assuming sufficient demand.
However, note that Ethereum’s revenue kinda looks like this today:
Ethereum is a long way from being primarily a settlement or DA layer for rollups. The vast majority of fees paid to the L1 come from native L1 execution:
So while modular base layers are capable of extracting meaningful revenue should the demand arise from rollups, we need vastly more demand before they do so. It’s critical that Ethereum’s rollup fee capture is in addition to its native L1 execution, not reliant solely on it.
Where that value capture goes from here is a point of debate. Many in the Ethereum and Celestia communities believe DA will eventually be incredibly valuable. Dankrad recently gave his views in a podcast I hosted between him and John Adler:
“Asset… needs to derive its security from some… means of generating yield. And so I see for now only two of these, which are the settlement layer and the data availability layer. I think short-term, we will probably see that the settlement layer still generates much more value.
We’ve seen it already that we have had significant fees on Ethereum in the past, and also some on other settlement layers. But long-term, I believe that the most valuable asset will just be in the data availability, that the block space will become the most valuable asset in the decentralized economy.”
What rollups should be willing to pay for premium DA is an interesting argument. However, the reality is that DA will soon be massively oversupplied between Ethereum scaling and alternative DA solutions. For some context on scale:
Ethereum blocks currently average ~90 KB with calldata ~10 KB of this. The DA supply shock is looming, and rollups will continue to significantly improve data compression. When data blobs get their own fee market and supply < demand, DA fees hit the floor.
Rollup users will pay higher fees, but the primary bottleneck will likely be the rollups’ own native execution environments (based on current order of magnitude activity and DA bandwidth in EIP-4844). DA will no longer be your primary cost when you go to swap on your favorite rollup. Super cheap fees will drive incremental activity, more rollups pop up, etc. Only when DA is saturated up to the target will the EIP-1559 mechanism kick in, pulling fees off the lower bound. However, rollups have many upcoming optimizations which will increase their currently constrained native execution. If this is used up, that could eventually shift the goalposts closer toward DA becoming a larger cost again.
For Ethereum to start charging anything meaningful for DA, you need more than 1.3 MB/s (assuming the current danksharding spec) of actual valuable data that demands the highest security. Even if you hit 1.3 MB/s, the overflow can just go elsewhere. Alternatives such as Celestia, DataLayr, DACs, Adamantiums, Polygon Avail and others will offer massive amounts of cheap DA. Only the most secure transactions require full Ethereum security. Also, DA throughput can be safely increased (with more validators), so 1.3 MB/s is not a fundamental limit.
I’m confident that for at least several years, DA fee revenue will be negligible compared to robust settlement layers such as Ethereum’s.
Lastly, native smart contract execution can also provide ETH stakers with more value than Celestia – ETH can be used to earn additional yield as a productive asset. In particular, EigenLayer is an innovative solution which will allow for “re-staking” of ETH. ETH stakers will be able to subject their stake to additional slashing conditions. They would secure new applications looking to leverage ETH’s economic security, and their fee revenue would accrue to ETH (very similar to Cosmos’ concept of interchain security accruing value to ATOM).
This is where Celestia comes in – the only cost is DA. Rollups handle settlement. In that same podcast, John made an interesting point regarding dYdX’s decision to move from StarkEx to Cosmos. Base layers should accrue as much value as possible for economic security, but economically rational apps want to accrue as much value as possible for themselves. All else equal, they prefer not to pay rent to a settlement layer. DA is the minimum cost of shared security. This accrues less value to Celestia, but it could incentivize more rollups to stay because it’s cheaper.
I tend to disagree with this argument for the reasons I highlighted earlier. The costs paid to the settlement layer are actually relatively low. For ZKRs, costs approach 0 as the fixed cost is amortized over many transactions except for transactions that are settled, which users can pay for (so the rollup isn’t paying this). For ORUs, there are no real settlement costs. I therefore view this cost portion of this equation as negligible – teams will choose between SRs or using a settlement layer based on their particular needs. Both have interesting technical and social arguments which I’ll dig into later.
If Celestia’s business model of taking a smaller cut on a bigger pie is successful, note the percentage value capture can also matter. If the base layer only captures a miniscule amount of value relative to the value it secures, security leverage could get uncomfortable. Maybe you’re comfortable with $1 billion staked securing $20 billion of value (Ethereum’s security ratio is currently ~20x), but are you comfortable with $100 billion? $200 billion? There’s no correct answer. A base layer which is economically self-sufficient even without rollup revenue does not have this concern.
It remains to be seen if relying on DA alone provides sufficient value capture to build economic security. DA is valuable, but it’s a resource we know how to scale incredibly well. A paradigm shift would be required for this to change. Looking at something like 5+ years out though, I don’t think anyone can reasonably predict.
So that’s exactly what I’ll do now anyway. Back of the envelope DA giga-bull case math could look like this years down the line:
Not bad, $30 bn!
13 bytes per transaction would be a meaningful optimization from where we sit today, but it’s possible. For example, Polygon Hermez expects that they’ll eventually need only 14 bytes per transaction. At the current danksharding spec of 1.3 MB/s, you get the nice round 100k TPS. Note most rollups are currently nowhere near 13 bytes per transaction, and you can only get this low by posting state diffs as ZKRs are able to. If you post full transaction data as ORUs do it’s much higher, and even some ZKRs will choose to post full transaction data. It’s quite optimistic that every rollup will run near the lower bound of DA efficiency.
Note the $0.01/tx I assume here is only for DA. This does not include other L2 transaction fee considerations. Valuable real estate (e.g., a DeFi hub rollup) could certainly charge a premium, but cheaper state charges lower execution fees. This could even be enough buffer to clear Vitalik’s $0.05 test.
It’ll be important to consider how those margins stack up for L2 fees in the long run (i.e., what % is paying for DA). If it becomes easy to spin up many chains, and bridging gets so good that app-specific rollups finally make sense, execution could become relatively inexpensive. This leaves some room for DA to get its penny. Significant bridging development will also matter a lot for whether SRs ever make sense over sharing a settlement layer, and the general stickiness of DA.
For reference, Ethereum captured ~$10bn fees in 2021, and its peak months had an annualized run rate >$20bn (note this does not include other forms of MEV). Something like $30bn/year could imply a market cap of a few hundred billion maybe? Is that enough? I don’t know. Personally, I’d want far higher security for nation-state level security, so this gets into a bit of a philosophical debate. At this scale, you’d be securing many trillions of dollars of economic activity, so I’d want more.
Note the difference between Ethereum and Celestia here as well. Being “meaningful” for each one means different things. Maybe 10% of total Ethereum revenue is meaningful, maybe it’s 20%, pick a number. It’s got a cash cow settlement layer paying the bills anyway. For Celestia it’s simple – it has to be enough to fund its entire security budget to protect everything built on top of it.
The reality is those numbers shouldn’t be taken with a grain of salt, they should be taken with the whole shaker. They’re completely made up in a hyper-optimized rollup world to give you a sense of orders of magnitude over a very long time horizon.
Celestia faces a hurdle in bootstrapping economic security with little value capture. We’re used to startup valuations being a bet on future growth, but it’s an admittedly risky proposition when the entire business model (DA) hinges on a paradigm shift to accrue enough value for economic security.
MEV is a deeeeep rabbit hole, so I’ll keep it short here.
Let’s start with the basics. MEV still isn’t quite formally defined, but I’ll oversimplify it here to all potential value that block producers can extract (including regular transaction fees, arbitrage, liquidations etc.).
Simplified L1 Ethereum MEV will look like this with in-protocol PBS (or MEV-Boost in the interim):
Searchers bundle transactions and bid for their inclusion to builders. Builders aggregate searcher bids and bid for the full block to be included by validators. In an efficient market, searchers bid most of their revenue to builders who then bid most of their revenue to validators. As a result, ETH captures the majority of MEV.
Rollups look a bit different, but similar concepts apply. This simplified example shows Optimism running an MEV auction (MEVA) for sequencing rights:
Again, searchers bundle transactions and bid for their inclusion to sequencers. Sequencers aggregate searcher bids and bid for the full block to be included in the MEVA. In an efficient market, searchers bid most of their revenue to sequencers who then bid most of their revenue to the MEVA. You could also insert validators in place of the MEVA if the rollup uses staking for leader-selection. In either case, the rollup captures the majority of MEV. This can accrue to the token, or it can fund something like public goods (as Optimism does).
All else equal, shifting a transaction from L1 to a rollup doesn’t change the amount of MEV. It just shifts how it’s captured and who gets it. In this simplified model, the MEV capture has now been pushed from the L1 asset to the L2 asset.
But is it that simple? Honestly…
And neither does anyone else yet. So if you’re a curious fellow this is a great area of research. How much MEV will leak down to shared DA and/or settlement layers? Will rollup operators start paying the L1 for their MEV executed on L2? If something like a cross-domain Flashbots arises we could gather more concrete data. Let’s look at some hypotheticals for now.
The simplest idea is that it will always accrue to the bottom of the stack. For example, look at a stack with Celestia DA + settlement rollup + recursive rollups. Recursive rollups may be dependent on the settlement rollup for cross-chain MEV, but the DA layer may be able to censor and delay the settlement rollup’s blocks, demanding a piece of that MEV being captured. This kind of negotiation is contingent on social norms and could be a tricky line to cross (similar to time bandit attacks in PoW). The power is there, but will that negotiation happen? Maybe the L1 wants to eat the rollup’s lunch, maybe not.
Then there’s the fancier cross-chain MEV. In the following example:
R1 and R2 have coordinated sequencers and they share the same DA layer. This allows for atomic cross-chain MEV. Each rollup could submit blocks whose acceptance is contingent upon the other. For example, only accept R1 B1 (which includes S1) if R2 B2 (which includes S2) is completed, and vice versa for R2’s conditions. Similarly, a rollup could submit two blocks to its DA layer, one which is the base case, and another which is only to be included if some condition on another rollup is met. The atomicity introduced here could be quite powerful, and it will be interesting to see how it impacts the dynamics of MEV value accrual.
Importantly, this is a wild card for value accrual. If more MEV leaks down than we’re currently aware of, this could accrue significant value to Celestia. This would help subsidize the security budget.
Let’s take a look now at why we even care about DA layer economic security.
This one is pretty simple – halt the chain. Tendermint cannot progress (liveness failure) if it does not have the requisite votes to finalize (⅔). Rollups dependent on Celestia wouldn’t love this.
Ethereum runs Gasper for consensus. So even if >⅓ of stake is faulty, Ethereum keeps chugging along retaining liveness. However, this ledger cannot finalize without the requisite votes. If the faulty >⅓ simply fails to vote, they will be inactivity leaked out until the protocol is eventually able to finalize again.
First off – validity conditions are a part of consensus. So even if you control 100% stake you can’t start printing a bunch of Celestia tokens/Ether out of thin air, steal funds, etc. Honest nodes will reject this as invalid. You could try these though:
The data withholding and censorship attacks do not directly affect the DA layer itself, but they are attack vectors for the rollups reliant on the DA layer.
TLDR here – DA layers need economic security. With varying levels of stake taken over, you can do bad stuff. A key point here that I have seen many confuse – just because something is relied upon for security, does not make it valuable. You must first build a valuable asset, and only then it can be relied upon for meaningful economic security. The asset securing the system needs some way to accrue value and/or monetary premium.
If you want to witness the Great Modular War of our times, please read this thread. Pop it open on Treeverse, and spend a whole day sifting through it. The vast majority of this report (and honestly most of my crypto knowledge) is sourced from me taking notes watching Twitter mayhem.
Revenue generation is a key component of building economic security, so understanding value flows in the modular stack is critical to design. Base layer native assets need to be designed for value capture (fees and other MEV) and/or being good money.
As it stands today, DA captures negligible value. This will remain the case for the foreseeable future. Rollup execution layers capture a relatively small amount of value currently. As certain ones become incredibly popular and potentially contain high value financial transactions, they could see meaningful revenue. Premium general-purpose settlement layers with high value transactions dominate (potentially even L2 settlement layers as StarkNet plans to be with many L3s on top), and likely will for the foreseeable future.
This is Russ. Russ put radio on the internet. Don’t be like Russ.
Mustafa recently offered the most concise definition of rollups which I’ll use for this report. Rollups are blockchains that post their blocks to another blockchain, and inherit the consensus and DA of that blockchain.
Rollups have various actors such as sequencers, proposers, provers, and challengers depending on the implementation. I collectively refer to them as “operators.” Operators combine user transactions and periodically post data to the base layer. They also submit commitments to the updated rollup state (e.g., Merkle roots).
Anyone can use the compressed transaction data (as long as it was made available) to recreate the state and check if a state transition is valid. Rollup light clients do not download and execute the full transaction data though, so they rely on fraud/validity proofs for assurances that the state transition is valid.
We see these on Ethereum today (e.g, Arbitrum, Optimism, StarkNet, zkSync, etc.). They look like this:
Smart contract rollups (SCRs) effectively live in a series of L1 smart contracts. Rollup execution is handled off-chain, and operators periodically post back to the L1. The smart contracts verify proofs/arbitrate disputes as needed. They also track all rollup state roots and transaction data so they can recompute the state:
Fraud (ORUs) or validity (ZKRs) proofs then confirm the validity of the state transitions. Operators post a bond in the L1 smart contract to publish blocks. If the block or proof was invalid, their bond can be slashed and the transactions will not be finalized. This can take over a week for ORUs, but validity proofs finalize instantly.
Submitting and arbitrating a fraud proof is actually quite fast. ORUs need such a long timeout period primarily because the L1 smart contract needs to receive the proof, and this can be censored. In the event that the L1 censors the proof, we need time to coordinate via social consensus.
These smart contracts also serve as trust-minimized two-way bridges between the rollups and L1. This is one of their key advantages. It’s trust-minimized because rollups implicitly fully validate Ethereum, and the smart contract on the L1 acts as a light client (receiving block headers protected by fraud/validity proofs) of the rollup.
Now for the FUD.
These are still smart contracts. You don’t have to look far to see scary bridge hacks (which have largely been bugs, not compromised keys or economic attacks). Rollups aren’t immune. The contract is a very special trust-minimized two-way bridge, but it’s still a bridge. You slip a typo in your code and ya boy here rugs your bridge, oops.
That’s why many rollup teams are holding tight to their upgrade keys for now. There’s often a multisig committee with an upgrade notice period, and in others the code can even be changed arbitrarily by the team without notice.
There’s a balancing act on upgrade timing between safety and trustlessness. If you discover a bug, you probably don’t want to blast it out on your governance forum and wait a month. You want to fix it.
One idea is to have delayed upgradeability, but add a halt button which could stop the rollup immediately. It’s not pretty if you need to halt, but it reduces the trust placed in whoever holds the upgrade keys.
Here’s a related fun take to get everyone mad at me:
I understand it takes time for the training wheels to come off here. My point is just to be realistic about what stage much of this is still at. As with the centralized sequencers and fraud proofs (if any), the teams here intend to progressively decentralize.
There are two options for handing over upgrade keys:
Great conversation here from the major rollup teams on their thoughts around decentralizing.
Back to that last point – rollup exits. An L1 execution layer to safely exit to is a nice fallback. Ethereum has this option, but Celestia will not. They’re practical in isolated cases, but quickly forcing thousands of users back onto L1 with small amounts of money in a future where L1 gas fees are $1000/tx doesn’t seem great. One area that should be explored more is designing the ability to exit to another rollup.
Trust-minimized two-way bridging is incredibly valuable – you have a giant ecosystem of rollups all tapping into shared liquidity and interoperability. Mostly condensing security assumptions into one ultra-secure base layer is great.
But smart contract bugs and upgradeability are kinda scary for now. Immutable rollups alleviate many concerns, but for an unworthy tradeoff.
Eventually, battle hardened contracts with well crafted governance (with upgrade delays) will be a great solution approaching the security of the L1 itself.
StarkNet has some pretty cool fractal scaling plans as a tangible example here:
Today you have the following relationship between L2 and L1:
And it would look like this with an L3 on top:
Recursive proofs are a pretty mind blowing path to scaling. A verifier contract on L2 can accept many L3 validity proofs, create one validity proof that it verified those proofs, and post that one proof to Ethereum. This efficiency matters in a gas-constrained environment like Ethereum. L3s will likely also experiment with off-chain DA solutions for even further cost reduction (though with stronger security assumptions).
These L3s are a natural fit for app-specific ZKRs. Much of the L3 appeal is controlling your own environment away from “noisy neighbors” while retaining network effects via the L2 settlement layer. As bridging and interoperability continue to improve, I expect to see more app-specific ZKRs deploy. They’ll retain most of the advantages of shared execution environments but shed the downsides.
Additionally – show me the incentives, and I’ll show you the outcome. App-specific rollups capture more value than being deployed as a smart contract, as your token now captures execution fees and other MEV. This isn’t worth the tradeoff though if leaving a shared execution environment isolates you. Which is why as I mentioned, better bridging, liquidity sharing, etc. will be critical for this trend to unfold.
Recursive rollups present an attractive value proposition, particularly for app-specific use cases. You get increased scale in a flexible environment while retaining network effects. The L2 can act as a more scalable settlement layer than Ethereum is currently capable of. As long as their data gets pushed back to L1, they’ll have similar security assurances as L2s – they’ll be able to recreate state and exit.
This is the crazy stuff – enshrined rollups (ERs) are a bit futuristic. Some of it’s also controversial, which makes them even more fun.
You’ve probably heard ERs tossed around on Twitter, but don’t actually know what they are because nobody’s ever written about them extensively (except for Justin Drake here, who helped me a ton for this section). I got you.
ERs are built directly into the L1 spec rather than deployed as a smart contract. This removes the risks of malicious governance/multisig upgrades or bug risk (external to Ethereum itself). They’re aligned with the social consensus of the base layer within the scope of hard forks.
At the merge, the execution layer (f.k.a. Eth1) will be merged with the consensus layer (f.k.a. Eth2). The execution layer (which settles to the consensus layer) is what could upgrade to an enshrined rollup.
Transitioning to an ER is likely quickest as an ORU. With weak statelessness already in Ethereum’s roadmap, you can easily add fraud proofs. The simplest fraud proof is distributing the block itself in isolation to re-execute (which will now include witnesses along with the pre/post-state roots, transactions, etc.). However, fraud proofs and finality aren’t exactly friends, so this isn’t ideal.
The ambitious “plan” is instead to shoot directly for enshrined ZKRs. There’s already a team at the Ethereum Foundation led by Barry Whitehat building a zkEVM. Note this is a massive undertaking that will take several years.
Whether ORU or ZKR, the point is that full nodes no longer need to execute transactions (unless there’s a fraud proof). This applies to consensus nodes as well – neither the proposer nor anyone in the committee executes.
“The settlement layer is upgraded to an enshrined zkEVM rollup. The entire Ethereum ecosystem – potentially thousands of rollups/volitions and millions TPS – will be verified by a single succinct ZKP. Hallelujah.”
This is the pretty non-controversial step (once the tech is safe, well understood, etc.). The single instance EVM we know today gets upgraded to a state root equivalent zkEVM. This means each L1 block comes with a SNARK proving the state root is valid.
There are some open implementation details, as this is still years away. Regarding proof distribution, you now have two options:
Ultimately, there are two layers to consensus – social and code. The sidecar approach would lean toward social reliance, and the on-chain approach would lean toward code.
As mentioned, ERs remove the need for full nodes to re-execute transactions. This makes syncing to the chain easier, and it also removes compute as a bottleneck for validators. Several consensus bottlenecks exist for validators today:
Weak statelessness already knocks off storage and disk I/O – clearing the primary bottleneck we have today. But full nodes would still need to execute every transaction at this stage. Getting a SNARK for every block’s validity would knock compute off as well. Statelessness and zkEVM each represent opportunities to raise gas limits as you remove more bottlenecks. Bandwidth is then the only major resource requirement left (which also scales with Nielsen’s law).
Oh, you thought execution shards were gone, did you? Well get ready for the sequel – ERs. (Despite the meme, these are gonna be like Part II not Part III, so even better than the first one).
Once the single-instance EVM has been upgraded, it’s not too hard to deploy many (e.g., 64) parallel zkEVM ERs. This is a form of homogenous L1 execution sharding. It’s also a question whether this sharding will even be needed any time soon. As a zkEVM ER, the single instance throughput could be increased by orders of magnitude over current capacity.
The distinction can seem blurry for typical execution shards vs. ERs, and there’s been plenty of messy Twitter debates over it. The key point again is that full nodes do not need to execute ER blocks. So execution shards with zk-proven state roots can be ERs. You get the same scalability and functionality as a regular SCR (proposers just need to accept a proof and check DA), but you get the advantages of the rollup being enshrined in consensus (will elaborate on these shortly).
The old execution sharding assigned subsets of the Ethereum validator set to each shard. Each monolithic shard would handle its own execution, consensus, and DA then checkpoint back to the Beacon Chain.
zkEVM ERs only handle execution (making them far more efficient), similar to the rollups we see today. They rely on the Beacon Chain for consensus, settlement (posting proofs), and DA (they would consume data blobs).
Another implementation detail regards committees. It’s possible to have a committee of proposers at each rollup verifying a SNARK and then sending it along to the main settlement rollup. Alternatively, you could just skip the committees and have rollup block producers send the SNARKs directly to the main chain where all proposers operate.
Either way, proposers are just accepting the highest bid, checking DA, and verifying a SNARK which comes with each rollup block as an extra field. You can think of it all as one big block. It looks something like this:
Upgrading the current settlement layer seemed obvious, but what’s so great about enshrining all these other zkEVMs vs. just being zkEVM SCRs?
They’re not perfect though:
Builders operating across multiple ERs (or potentially building all rollup blocks, settlement, and data) could offer synchronous interoperability between ZKRs.
For example, builders could put down collateral and promise to include your synchronous transactions. If they accept your bid but fail to execute the transactions, they would stand to lose their bond. crLists could also assist in providing pre-confirmations, as proposers (who can also optionally be bonded with collateral) would be able to force inclusion of transactions.
The economic incentives lead to builders operating across rollups – we already see this centralizing force with cross-chain MEV today. These soft confirmations for synchronous interoperability are something that users will want, and they’ll pay for it. If you’re able to offer this service, you can make more money. If you can make more money than everyone else, you become the best builder.
Note that similar dynamics are at play with ZKRs making synchronous calls to the L1 even prior to any of this. This possibility is retained by the new danksharding design as everything is confirmed in one block. For example, you could bridge down funds to L1 and then execute a swap with those funds all in the same block. To offer this service though, you would need to control L1 and L2 block production to ensure both legs will execute (i.e., only bridge these funds if this swap gets executed right behind it). This is a centralizing force for block builders across rollups and the L1.
Upgrading the single instance EVM to a zkEVM seems like a no-brainer (if and when we get comfortable with the technology). That next step of 64 enshrined rollups is the more controversial part.
“Most of the stuff in the blockchain is opinion things as it turns out and less about technical stuff.” No exception here for the case against ERs. Here’s a fun thread of Ethereum devs, Celestia devs, and Ethereum shitposters making good cases on both sides. There’s plenty of disagreement here. Some worry that ERs do this to SCRs:
The argument posits that ERs would inherently compete with the SCRs that Ethereum is trying to foster, hurting its credible neutrality. SCRs would feel like “second-class citizens.” It could “limit the credible neutrality of the Ethereum settlement layer, weakening its socio-economic guarantees to non-ERs.” This is a similar line of thinking as the debate over Cosmos Hub minimalism. This interesting balance of base layer functionality/minimalism is something that Vitalik has discussed before as well.
Conversely, some argue that ERs could protect Ethereum’s credible neutrality by preventing any commercial rollup team from becoming too dominant. Say “Rollup Labs A” becomes too successful, and their rollups crowd out everyone else. Having such a reliance on one private team could be a serious concern to Ethereum’s credible neutrality and network effects. A neutral balance from ERs could alleviate this.
Going a step further, a successful rollup ecosystem could even break away from their Ethereum alliance.
This is the argument Ali Atiia has made in the past:
The current Ethereum scaling plan is primarily to be a DA layer for SCRs with a constrained settlement layer. Ethereum relies on rollups for scalable computation. However, SCRs could cut off the “aging middleman” and bring in their own rollup-native assets.
The hypothetical example cited was that Optimism, Circle (USDC), MakerDAO (DAI) all share the same investors. Investors promote cross-pollination of portcos, and natively deployed assets are cheaper with better UX. It thus makes economic sense for Circle and MakerDAO to deploy USDC and DAI respectively on Optimism natively. Once a rollup has built up sufficient native assets, DeFi, and security they may decide Ethereum is no longer providing them sufficient value.
To build stickiness, Ethereum needs a better settlement layer. DA alone may not be sticky enough. To build the best settlement layer, you need scalability and shared liquidity. ERs make communication between SCRs vastly more efficient. The “hyper-scale” L3s we hear about today could become more feasible just one layer above Ethereum’s ERs. ERs become the go-to place for sovereign and institutional settlement using the highest value dApps = massive liquidity.
ERs do not threaten Ethereum’s credible neutrality. Yes, activity will occur on ERs that may have in theory gone to SCRs. But this is exactly the same argument that was made against Ethereum SCRs, and continues to be spread by many monolithic alt-L1 proponents. SCRs are not parasitic to Ethereum – they are synergistic. ERs are not parasitic to SCRs – they are synergistic. Ethereum is better off with SCRs, and SCRs are better off with ERs.
ERs grow the pie by far more than they capture for themselves. 50% of a watermelon is better than 100% of a grape.
SCRs will always be the home of innovation and higher scale, and they’ll continue to host the vast majority of rollup activity as a result. ERs are about making sure that Ethereum lives up to its end of the bargain of remaining the best settlement layer around:
I don’t go quite so far as Ali’s concern that Ethereum rollups will break away, though others share a similar sentiment:
If rollups are economically rational actors, they have a simple equation to weigh:
ERs tip this scale even more favorably in both directions – they make Ethereum a better settlement layer and they provide lower cost to SCRs on top.
Spinning off a rollup to become an isolated L1 (with an insecure pairwise bridge) shrinks your pie massively, and all you get in return are ever so slightly improved profit margins (saving on cheap settlement fees). Additionally, you’d need to subsidize your own security now, likely by issuing inflationary block rewards. This makes no economic sense.
The one potentially economically rational argument for why a rollup would leave Ethereum is if they can make a better settlement layer. Then maybe you could capture a bigger pie in theory. The only way I think anyone has any shot is with the following:
However, you sacrifice massively on that latter half of network effects, decentralization, and credible neutrality. It makes far more sense to build a settlement layer *on top of* Ethereum, exactly as StarkNet is doing with their L2. You get the best of both worlds – a high value financial settlement layer that retains the massive upsides of Ethereum, all for a very small price.
Vitalik hit on a very important topic in his recent EthCC speech. Ethereum is entering its most rapid period of innovation. Lots of goodies planned in the next few years. However, layering on complexity means more risk, and it’s getting tougher even for Ethereum devs to keep up with the rate of innovation (tryna do my part here!). While Ethereum doesn’t need to ossify completely, it will eventually pump the brakes a bit:
It’s fair to note that adding zkEVM ERs isn’t exactly a walk in the park. However, they appear to me as the final major step in Ethereum’s ambitious roadmap, somewhere around the top of that graph as the curve is plateauing. We’ll slow down one day, but not quite yet.
My favorite analogy here is that ERs are the public sector and SCRs are the private sector. SCRs remain the home of innovation and most rollup activity. ERs are the slow and steady predictable base layer for them to operate on top of, providing the utmost security. Both coexist harmoniously. ERs add far more value to SCRs than any marginal activity they cannibalize.
Ethereum already has a convincing plan for scaling DA. But that doesn’t mean it should be content with its settlement layer. Ethereum can and should compete here as well. zkEVM ERs offer the best route to scaling L1 Ethereum, positioning it as the dominant settlement layer.
ERs’ economic and social alignment with Ethereum retains their credible neutrality, creating an incredibly cohesive system. Ultrasound money2 yields next level economic security, subsidizing security for the entire ecosystem.
The only argument against ERs is a “social” one around neutrality and competition. While I understand these concerns, I believe they are generally overstated and are vastly outweighed by the upside. Ethereum should certainly pursue one zkEVM ER when the tech is ready, then evaluate parallel instances later on.
You didn’t think that Ethereum’s base layer would be weak and low throughput forever did you, anon?
Now that we have a better understanding of how these rollups work, let’s turn back to what they actually need out of their base layer.
DA is obvious – make it super cheap, offer a lot of it, make it easily verifiable with DAS. Ethereum and Celestia both aim to do this in one way or another.
My general thesis regarding settlement – I do not believe the best settlement layers will be restricted to the core functions of just verifying/arbitrating proofs and bridging tokens. Ethereum should retain a rich general-purpose native execution environment. This will be home to the likes of large scale DeFi which is not price-sensitive on a per-transaction basis. This provides massive network effects, liquidity, and built up security for SCRs to tap into.
Ethereum should have a long-term focus on scaling the settlement layer (statelessness, zkEVM).
Maybe some of you have a private jet, but most of us fly commercial. I need to split the bill with everyone else on board. That’s kinda what DeFi pooling is.
If I want to deposit $100,000 USDC into Yearn, paying $10 is fine. But paying 10% on a $100 deposit makes no sense. Instead, an L2 can take 1000 people who want to deposit $100 into Yearn, bundle them all together, and just make one L1 deposit! All without the user ever paying an L1 gas fee – you just pay your $0.01 share of the fee. In fact, this is exactly what Argent is already offering from zkSync.
Aave is also exploring this as part of its deployment on StarkNet. They would develop a smart contract to aggregate L2 user deposits, then deposit them on L1. The contract would distribute aTokens from Aave L1 to StarkNet users according to their proportion in the pool. The contract would aggregate users’ aTokens and deposit them to L1 Aave when redeeming their collateral.
Here’s an oversimplified version of what it looks like:
dAMMs were first proposed by StarkWare last year in collaboration with Loopring. I’ll summarize their design here. However, note this is an area of active research with open design questions. There are no live implementations, and future designs could look quite different from this one.
dAMM is an L2 AMM that aggregates liquidity in a single L1 pool enforced by an L1 contract. Execution happens across multiple ZKRs asynchronously sharing liquidity. LPs serve the L1 AMM while partaking in L2 trading, exposing them to more trades. (Higher trading volume) / (same liquidity) = higher fee % → better capital efficiency.
Asynchronicity = L2s can process transactions without mandatory communication with other L2s using the same dAMM L1 liquidity pool. This is key to making shared AMMs possible.
This is achieved by separating the liquidity pool from the pricing state. Because the funds and state are decoupled, you can have multiple states (for multiple ZKRs) utilizing the same liquidity pool. Each ZKR gets its own dAMM state.
The contract agrees to provide whatever price is offered by the L2 state as long as the L1 contract has enough liquidity to fulfill the quote. All states should return to an equilibrium ratio due to arbitrage.
This solves the main hurdle in sharing an AMM between L2s – concurrency risk if users can trade at the same time. This could otherwise make it impossible for each L2 to know if it can settle safely.
Impermanent Loss (IL)
LPs are at a greater risk of IL in dAMMs – the risk grows linearly with the number of markets the LPs are exposed to. So the worst case subjects LPs to n times the IL they would have suffered under a regular UniswapV2 AMM. This isn’t concerning for stable pairs (e.g., in Curve), but it could be high for other pools. This can be mitigated using a parameter in the smart contract known as the dAMM “Health Factor” which limits the max IL LPs can suffer. This Health Factor can guarantee that the dAMM liquidity ratio does not fall too low.
This design can support multiple independent markets on L1 and L2 all sharing the same liquidity. L1 liquidity (e.g., trading on Uniswap) can be used as dAMM liquidity by allowing L1 LP tokens (e.g., from UniSwap ETH/DAI) to be deposited directly to the corresponding pool on the dAMM (e.g., ETH/DAI).
dAMM can support L1 trading, but the Health Factor can no longer be easily mitigated. LPs can choose to take on this additional risk and expose themselves to L1 trading though.
Vitalik has made his thoughts clear on the other side of Ali that sharing a DA layer along with settlement is indeed quite sticky:
Much of this comes back to Vitalik’s famous post about why the future is multi-chain but not cross-chain. TLDR here, trusted pairwise bridges mean a 51% attack on the connected chain = your bridge gets rugged (and many bridges are actually far worse). Similar principles apply if you settle to Ethereum but post data elsewhere (e.g., in a Celestium). If Celestia gets majority attacked here, you’re out of luck again.
Rollups sharing a DA and settlement layer avoid these issues because they get trust-minimized bridges with each other (it’s also possible to get trust-minimized bridging with only DA and no shared settlement layer, will touch on this later). If Ethereum doesn’t get 51% attacked, you can’t 51% attack the rollups separately. Even if Ethereum were to get 51% attacked and reverted, then its rollups would revert as well, remaining consistent. As a result, you can safely hold assets that were issued on one rollup and wrapped on another.
So sharing a DA and settlement layer gives the best security. But what’s the benefit/tradeoff if you decide to use Ethereum as a settlement layer, but then offer another DA source (e.g., volition like zkPorter, validium, celestium, etc.)? You still can use the same bridge and connection to the L1 as any rollup – you share liquidity, DeFi pooling, etc. For volitions, both off-chain (e.g., zkPorter) and on-chain (e.g., zkSync) DA modes share the same state and are fully composable. You just choose at a user level when you want your data stored on or off-chain.
Settlement alone then largely provides network effects, while DA adds on full security. These network effects are safely optimized by sharing DA. For example, you can more comfortably implement a burn and mint mechanism across rollups, allowing you to natively deploy a token across chains. However, you wouldn’t be quite as comfortable doing this with very different trust zones.
Ultimately, we can see there’s a security spectrum here. Many Ethereum rollups, validiums, etc. will use Ethereum for settlement – but not all of them will use its DA. DA is at least somewhat more commoditizable, and it will be an abundant resource.
This is the biggest wild card here in how strong network effects will be for different layers. The reality is we’re incredibly early days in understanding how rollups will communicate with each other in the future, and this can have a meaningful difference in how these stacks play out. There’s a lot that’s theoretically possible, a lot of unanswered questions, and a lot of tough engineering problems. For example, Slush is working on some of the most exciting bridging possibilities for ZKRs. We may see atomic composability between ZKRs in the future.
If ERs are one end of the rollup spectrum, sovereign rollups (SRs) are all the way on the other end. Some people think they’re both just made up words, but I think they’re cool.
SRs still post transaction data to a base layer for DA and consensus (just agreement over transaction ordering, not validity), but they handle settlement client side within the rollup. Full and light nodes download the blocks from their P2P network, and they also check for DA on Celestia. Fraud proofs are sent around the SR’s P2P layer for light nodes to see. Validity proofs can also be sent around the P2P layer.
Alternatively, ZKRs can post their validity proofs along with the rollup blocks directly to Celestia. Celestia will not be able to verify the proof, but rollup light clients tracking Celestia will be able to do so easily. (For more on Celestia, you can read our previous Pro report on it here.)
Celestia refers to Ethereum SCRs as “baby chains” because the correct rollup chain is decided by an L1 smart contract. SR nodes instead decide the correct chain for themselves. They check for DA on Celestia, then they locally verify the fork-choice rule.
Note that this is only a trust-minimized one-way bridge now. That smart contract verifying the rollup’s validity is what gives you a trust-minimized bridge back. You could in theory send the Celestia token up to a rollup, but it could never go back (not a great idea). Celestia’s token will be confined. More on this later.
“Sovereignty” refers to the right to fork permissionlessly, whenever you want, without losing security. Your DEX got hacked? Some whale gamed your airdrop?
“To not enshrine a settlement layer is primarily a social distinction rather than a technical one, which means that there is a social contract between the rollup’s community that the rollup’s transaction validity rules are defined by the community rather than an immutable L1 contract. In practice, this means that bridges to the rollup, which are not enshrined, must be mutable so that there is an upgrade path which acknowledges hard forks on the sovereign rollup.”
SCRs are still able to fork, but the decision over what is the canonical chain is delegated to an L1 smart contract. This relies on multisigs/centralized teams (today), majority governance of the rollup (as they decentralize), or they become immutable and forfeit this right (or the L1 could fork, unlikely). Note this upgrade process is subject to majority rule via on-chain governance. Off-chain coordination could deploy a new instance of a SCR, but then you’re starting from scratch drawing users with no history to the chain. SRs are able to fork permissionlessly, even as a minority, via off-chain governance. However, this fork may not be very useful depending on your bridging situation (more on this shortly).
You can always fork a SR in theory, but in practice there are plenty of scenarios where this wouldn’t work so well. So let’s understand where this sovereignty is particularly useful, and where it isn’t.
One mitigant to sovereignty would be a SR’s (or any chain’s) reliance on meaningful centralized assets. A perps exchange heavily reliant on USDC would have a useless fork if USDC doesn’t support it.
Smart contracts deployed on general-purpose SRs have a similar situation. Large communities have murkier socioeconomic alignment. Let’s say your DEX on Ethereum gets hacked. You’re free to fork the chain and revert it, but if every other user and dApp stays on the original chain it’s quite pointless. The SR as a whole certainly has the sovereignty to fork and make changes, but you won’t have much power as an individual contract on a shared chain. App-specific SRs thus most likely derive the greatest benefits of sovereignty.
Sovereignty could be valuable to a project with a strong community, but I argue that most projects lack this today. It’s hard to predict what the future of crypto looks like, but most of it is currently DeFi. Applications driven by purely financial and transactional relationships are likely to value other technical benefits of a given rollup stack over sovereignty, so SRs will need to compete on features vs. SCRs. This is highly dependent on how SR bridging plays out, which is still unclear at this stage (more on this shortly).
Forking rollups with trust-minimized bridges would get very tricky if they were enshrined (e.g., if the bridge logic of SRA is part of SRB’s consensus rules). This would mean that all linked rollups need to hard fork in lockstep. This would make rollup uses such as DeFi (which would connect to many other chains) very difficult.
But if the bridges are not enshrined, SRB does not have to fork when SRA forks, even if they have a trust-minimized bridge. The rollups can instead simply run a smart contract which interprets the state of each bridged rollup and verifies a validity proof for them. You bake everything (including the fork choice rule) into the proof, so that there can only be one canonical version of the chain. This is analogous to SCRs on Ethereum today. If they upgrade via governance, smart contracts interacting with them may need to upgrade as well.
Another benefit of SRs – they grant developers more flexibility over their execution environments. Ethereum SCRs are bound by the settlement layer’s ability to process their fraud or validity proofs, which can present challenges in some instances.
SRs aren’t bound by having fraud or validity proofs interpretable by any particular VM (such as the EVM, as Ethereum SCRs are). This execution agnosticism could foster higher innovation in designing VMs, as we see with new L1s.
This isn’t without some difficulties though. Trust-minimized bridging to other SRs requires them to interpret your execution environment and verify proofs. So you may create interoperability challenges for getting too creative. Uniform standards avoid this.
First, fraud proofs come in two flavors:
For reference, Arbitrum uses an IVG. Optimism’s initial plan was to run single-round fraud proofs, but they’ve since decided to pursue an IVG as well. You can see a recent overview of their new design here.
Now we’ll focus on how these relate to SRs. One benefit of distributing fraud proofs via P2P is faster light client finality. The synchrony delay here in normal cases would likely be lower than getting it included on-chain, and you no longer have to worry about L1 miners/validators censoring your fraud proof. You avoid SCR ORUs’ long timeout period.
The Stanford research team recently proposed a method for playing IVGs over a “dirty ledger” like Celestia. You can watch an overview here. Remember Celestia accepts any raw information, it doesn’t check for “invalid” transactions. It’s a “dirty” ledger. Rollups themselves determine the validity of their chain. But there are some issues here which have since been discovered.
Let’s say a challenger wants to prove that transaction T3 is a double spend. They submit as evidence that the money was already spent in T2. That seems reasonable to prove fraud, but what if there exists some T1 that proves T2 was actually invalid? If T2 was invalid, then maybe T3 is perfectly valid. With a dirty ledger you’ll never know the true state unless you go back to the chain’s genesis and replay every transaction. This means challengers and responders would both have to be archival nodes – this is incredibly burdensome.
This differs from a “clean” ledger like Ethereum, where the smart contract will reject any invalid transactions. You know the latest confirmed tip of the chain was valid before the new proposed state.
To reduce archival nodes’ requirements, you could introduce a new weak subjectivity assumption. Say you only require challengers and responders to hold onto 3 weeks of data. But even this would drastically increase node requirements compared to challengers and responders for SCR ORUs:
This increases their requirements significantly which makes the SR less scalable. Block space would need to be limited in order to bound challenger/responder requirements.
There’s also a stronger synchrony assumption in SRs for the IVG game:
SRs are likely to use single round fraud proofs (this is what Cevmos plans to use). These operate on a much weaker assumption because light clients can receive the fraud proof from an honest challenger and keep passing it along. Light clients no longer sit between the challenger and responder while maintaining a connection. You just need to receive the fraud proof from anyone, then you can check it yourself. Note that single round fraud proofs can introduce higher latency though, as they’re slower to execute. They can also have a larger attack surface than IVGs.
SRs add additional bridge design considerations, but trust-minimized or trusted bridges are still possible with other Celestia rollups. You can read more details about some of the specific design possibilities in Mustafa’s recent blog post, much of which I will summarize here.
Peer-to-peer Settlement vs. On-chain Settlement
There are two options here for proof-based bridges:
Static bridging – Bridges must be explicitly added by chain upgrades or hard forks. SRA and SRB must support each others’ execution environments to interpret their fraud/validity proofs.
Example – SRA is an ORU that wants to bridge to SRB. SRA’s state machine is written directly in Golang (e.g., using the Cosmos SDK). SRB is an EVM chain that doesn’t understand this. SRB must upgrade their node software to include SRA’s state machine as a library in order to validate SRA’s fraud proofs. SRB can’t just automatically add SRA’s state machine code because it could pose a security risk. This similarly applies to validity proofs which otherwise would not be understood by the connected chain. In either case, social consensus or governance is needed to add this bridge by a chain upgrade.
Dynamic bridging – If the ORU SRA was instead written in a sandboxed smart contract environment (e.g., EVM or CosmWasm), then SRB could allow SRA’s state machine code to be added directly into its own. This could be done without any social consensus or governance, for example using a smart contract. This similarly applies to ZKRs who are able to understand each others’ validity proofs.
Upgradeable Bridges vs. Non-upgradeable Bridges
SCRs enshrine Ethereum as a settlement layer which determines its validity. SR bridges are not enshrined, and as such they must be mutable with an upgrade path. SRB must acknowledge that the validity of SRA is determined by its community. SRA could fork via social consensus at any time without requiring on-chain governance or hard fork a settlement layer.
Let’s play this example out where SRA is hard forking, and SRB needs to upgrade its light client for SRA. There are several approaches, and they impact whether or not the bridge is trust-minimized:
Pairwise Bridging vs. Hub-and-spoke Bridging
Rollups on a shared settlement layer only require N bridges to the settlement layer. However, pairwise SR bridging would result in N2 bridges for N rollups to connect to each other. They also lack the shared liquidity and DeFi of a settlement layer.
There’s another issue with the path dependency of assets. If I transfer an asset from chain A → B → C, that asset is not fungible with one transferred from chain A → D → C (unless it’s natively deployed on all chains, and you’re using a burn-and-mint mechanism). This again fragments liquidity, in a manner that is solved by bridging through a shared settlement layer.
A hub-and-spoke model mitigates many of these complexities – many SRs connect to a central hub SR. This reduces bridging overhead back to N. The central hub can be the focal point of shared liquidity and cross-chain communication. It serves a very similar functional role as a shared settlement layer would in this regard.
This is similar to the debate over how the Cosmos ecosystem should unfold. The initial “plan” was for the Cosmos Hub to serve as the focal point with all zones communicating through it via IBC. In reality though, entirely pairwise bridging has come about. Every zone just creates an IBC connection with whatever chains they want to interact with.
A hub would serve many of the valuable roles that Ethereum’s settlement layer does today. It would host valuable DeFi and liquidity while coordinating cross-chain messaging. This likely captures very significant value. However, unlike Ethereum’s settlement layer, it provides no economic security to the Celestia ecosystem. It is not enshrined in the Celestia protocol.
Aggregated ZK Bridging
I saved the best for last. All-to-all bridging with linear complexity using validity proof aggregation. If this works out, the following idea may be a game-changer for rollup topologies which completely flips the appeal of SRs. Credit to Preston Evans and Cem Özer from Sovereign Labs who only very recently pulled this idea together.
Let’s run through an example – SR1 wants to bridge with SR2 through SRN.
Naive solution – As described earlier, the obvious option is for SR1 to run N-1 light clients, 1 for each chain, and verify a proof for each. N2 bridging complexity – very tricky, hence the hub-and-spoke model described above. Can we do better? Yes (I think).
The on-chain verifier contract would contain a mapping from chainId to state root for SR2 – SRN. Whenever it verifies a new aggregated proof, it would update the state roots for SR2 – SRN. The only remaining N2 complexity is now in the state roots – each chain is tracking every other chain’s state roots (but the constant here is tiny). SR1 has removed the N2 complexity of running N-1 light clients and verifying N-1 proofs. Each rollup would likely run its own prover, though in theory you could also have one prover aggregate and send the proof to all N SRs.
There are some assumptions about the interpretability of the other SR’s state machines, but those problems are solvable. Each type of alternative VM that you’re bridged to would require its own interpreter smart contract. Say that SR1 is an EVM chain connected to 3 EVM, 3 Move, and 3 Sealevel SRs. It would need to run two interpreter contracts – one for Move and one for Sealevel.
It’s likely still beneficial to have a DeFi “hub” (e.g., as in the hub-and-spoke model or a shared settlement layer). There’s value in concentrated liquidity. But this hub is no longer relied upon for settlement and two-hop bridging. This eliminates the latency of L3s using something like StarkNet as a scalable settlement layer with high liquidity. You’ve flattened the stack and created shorter paths between all rollups.
Additionally, there’s no longer a locked-in settlement layer. This hub which is a DeFi focal point can evolve over time and progressively shift to be other chains as tech improves. You’re no longer locked into legacy tech of your settlement layer.
Final note – this is still an extremely new idea, and will need continued vetting. This will likely take years to build.
Ethereum Sovereign Rollups
SRs are certainly the brainchild of Celestia, but note you could just as easily use Ethereum’s DA layer and simply ignore the settlement layer. It’ll be efficient once data blobs get their own cheap fee market post EIP-4844. You get the same benefits and tradeoffs, with a few exceptions:
Sovereignty can be quite useful for communities with clear social alignment that don’t want to bootstrap their own L1 validator set. However, complexities may arise during forks if these SRs are bridging to many other chains in a trust-minimized way. Relatively isolated non-financial applications may be a more niche market – they at least don’t exist broadly at the moment.
Purely financial applications are likely to value other technical benefits of a rollup stack over sovereignty, so SRs need to compete on features vs. SCRs here. The hub-and-spoke model mitigates many of the downsides of not sharing a settlement layer, but introduces a number of complexities. By far the most compelling bridging vision is the aggregated ZK-bridging I described above. If it works out, this presents a very interesting route.
Many Celestia rollups won’t be willing to forfeit a shared settlement layer. You see just how powerful it is in the Ethereum rollup ecosystem, and you want that too.
Enter settlement rollups. These are specialized SRs designed for non-sovereign recursive rollups to live on top of. Recursive rollups place smart contracts on the settlement rollup, providing them with a trust-minimized two-way bridge. These recursive rollups post proofs, state updates, and transaction data to the settlement rollup. The settlement rollup batches the recursive rollups’ data and posts it to Celestia.
Now you avoid all those bridging tradeoffs we just discussed for SRs, and you avoid the complexities surrounding P2P proof settlement. N trust-minimized bridges to a shared settlement layer allowing for easy bridging of tokens.
Verifying the validity of the settlement rollup is overhead-minimized for the recursive rollups on top if the settlement rollup is fraud/validity provable. For example, Cevmos intends to be a settlement rollup which is a simplified single-round fraud-provable EVM.
Now, should your settlement rollup be a restricted environment optimized solely for posting proofs and token transfers? Recursive rollups would then get cheaper fees – they no longer compete in an expensive general execution environment against DeFi, NFTs, etc.
There’s a couple of ways to do this potentially:
If you go this route, you lose out on all the rich DeFi use cases (e.g., DeFi pooling, dAMMs, etc.) and make it more difficult to build up liquidity. StarkNet is of course going the opposite route of Cevmos here. StarkNet will be a general-purpose settlement rollup for recursive StarkEx rollups. The other difference is that StarkNet is a SCR, so it ultimately settles back to Ethereum and retains a trust-minimized two-way bridge (vs. Cevmos is a SR without a trust-minimized two-way bridge to the base layer).
The other argument is that the routine operating costs of a rollup at scale paid to a settlement layer are low anyway. Even SCRs today pay very little to Ethereum’s settlement layer, and this will reduce further with upcoming optimizations. Any other settlement layer would be far cheaper and less constrained (particularly a settlement rollup). These costs will drop further with more efficient proofs and amortization of them over more transactions. Ethereum will also scale its settlement layer (though years down the road) potentially with statelessness, state expiry, and zkEVM.
Still, nothing is stopping you from deploying a general-purpose settlement rollup (L3) on top of Cevmos (L2), with recursive rollups (L4) sitting atop that yet another layer up. It’s possible, but now you’re stretching all the way to L3 to get any kind of rich trust-minimized shared liquidity and DeFi (which you would normally just get at L1 Ethereum). You’re potentially relying on additional layers for censorship resistance.
Positive of a four layered approach:
Negatives of a four layered approach:
SCR forced transaction inclusion is pretty well-understood. Generally you can allow any L2 user to submit a transaction directly to the L1 contract. If it’s not submitted by the sequencer after some predetermined window (say one day), then the sequencer will no longer be able to submit blocks without it. Submitting blocks will become permissionless, and you’ll be able to force withdrawal to the L1 individually. This is more expensive to the user than getting batched with other L2 withdrawals, but it works.
Now for recursive rollups on top of sovereign settlement rollups. If the settlement rollup is censoring you, there needs to be a way to force inclusion within your own rollup. You can still inherit censorship guarantees from the L1 DA layer though. You can enforce a rule within your recursive rollup such that transactions posted to your namespace on Celestia must be processed for the rollup block to be valid. Users can force transactions into the DA layer individually which would be ordered by execution layer fees. This places no reliance on the settlement rollup, but would need to be built into the rollup’s state transition rule. This becomes 1 of N honesty – if the sequencer doesn’t include your transaction, a fraud proof can be submitted showing they must submit this transaction.
Regarding liveness – if the sequencers for the recursive rollup itself fail, then you could still exit to the settlement rollup (as you can on Ethereum today). In the event of a settlement rollup liveness failure though, your recursive rollup is out of luck. You won’t be able to progress.
You tradeoff the benefits of sovereignty to regain those practical benefits of a shared settlement layer. Adding more and more layers to the stack can start to feel uncomfortable though.
If the Ethereum ERs were speculative, this is a mile further. There are no current plans for this. This is just one left side of the bell curver offering an opinion. I think enshrining a general-purpose rollup into Celestia is a potentially attractive option. Let me explain.
We’ve discussed how valuable settlement layers are for shared liquidity, trust-minimized two-way bridging etc. But enshrining it in the base layer itself is also particularly important for two reasons in my view:
You have a few remaining options here to represent Celestia’s token elsewhere.
Getting a trust-minimized bridge requires verification of DA and fraud/validity proofs for the state transition of the connected chain. Ethereum SCRs get this because their smart contracts verify the rollup’s state transitions. Celestia is not capable of supporting smart contracts for this bridge, so it would have to enshrine the rollup into the core protocol to make this work.
Celestia rollups could then all have a trust-minimized two-way bridge with this settlement rollup. This provides easier communication between all of them and allows the Celestia token to flow throughout the ecosystem.
The downside is that this increases the complexity of Celestia. Validators must now ensure its validity, and non-consensus nodes would verify its state transitions. It would somewhat increase their bandwidth requirements to download the ER’s data. However, because it’s an enshrined rollup with fraud/validity proofs, this verification is overhead-minimized – no execution is required by any validators or non-consensus nodes.
Ultimately, I view this as a bit of a free option. I think the downside is incredibly limited with potentially very high upside:
Maybe SRs eat the world, and DA accrues a ton of value securing everything. The DA value accrual bull case would be that even with massive amounts of DA supply, the network effects on one ecosystem are massive. As a result, SRs pay up for prime real estate to get trust-minimized bridging in that ecosystem.
Even still, we know how to scale DA to pretty extreme lengths, and artificial pricing may need to be imposed to generate revenue. Or maybe it happens naturally because there’s an obscene amount of demand. In either case, there will be many other DA layers offering far higher throughput at far lower cost, and things are likely to load balance. For example, Ethereum’s security budget is subsidized by its settlement layer (at least currently) – it wouldn’t need to artificially raise DA prices. Other, far cheaper alternatives will also exist.
The other argument against enshrining a rollup is for “credible neutrality.” I.e., other rollups will be scared to deploy on Celestia because the base layer is competing with them, so it can’t be neutral. I generally disagree with this argument. If we think the future of France is a 5x on what we see around us today, we seriously need to think bigger. There’s room for a heck of a lot more than for one rollup out there. Rollups would continue to happily deploy on Celestia.
Alternatively, this enshrined rollup could become the settlement layer that every Celestia rollup decides to use. This becomes quite sticky, and makes it difficult to replace. Even if a better settlement layer becomes available technologically, it may be too late to make the move.
In the event that DA does accrue a ton of value and SRs eat the world, great. But there is a very significant risk that this does not happen in my view. It’s incredibly hard to predict what most future applications will need exactly, and how technology such as ZK-aggregated bridging unfolds from here. ERs seem to present upside in any of these uncertain scenarios.
A lot of the decision-making here is understandably socially driven. In my opinion though, the practical benefits tip the scale towards enshrining a rollup in Celestia. And of course, SRs can still deploy on Celestia as they wish! In the same way SRs could use Ethereum and ignore the settlement layer, they could ignore Celstia’s enshrined rollup. To not enshrine a rollup appears to be a very expensive form of virtue signaling.
TLDR – I believe enshrining a general-purpose ER is far better from a tech PoV, and arguably unfavorable from a social PoV. I favor the tech in this scenario, but remember “most of the stuff in blockchain is opinion things as it turns out and less about technical stuff.”
Sorry just one more podcast quote I liked, back to John on the different rollup stacks:
“Whether or not I expect one to be more prevalent than the other, I wouldn’t say I expect anything, except expect the unexpected. The world is full of surprises and I can’t really predict which one will be used more.”
There’s truth here. I have opinions, and other people have other opinions. But that’s the point – they’re opinions. No stack I described here is strictly better than the others. There are tradeoffs. I expect really smart people to build on everything I described here, and only time will tell what they value most or what accrues value.
And if you still don’t think rollups are cool yet, well honestly it’s not my problem anymore.