The Security Implications of Using Rollups in Blockchain

Rollups are a scaling solution for blockchain networks that bundle or “roll up” transactions off-chain and generate a cryptographic proof that is verified on-chain. This allows the computation and storage to be moved off the main blockchain while still maintaining the security guarantees of the blockchain. Some of the most popular rollup solutions include Optimistic Rollups and Zero-Knowledge Rollups.

While rollups provide substantial improvements to transaction throughput and fees on blockchain networks, they also introduce new potential attack vectors and security considerations. In this post, we will dive into some of the security implications of using rollups and how protocol designers and developers should think about mitigating risks.

Background on Rollups

Before diving into security, it’s helpful to understand at a high level how rollups work. There are two main types of rollups:

Optimistic Rollups

Optimistic Rollups bundle transactions off-chain and only submit transaction data to the main blockchain. They operate under the assumption that transactions are valid by default and only run computation and validation off-chain. The off-chain provider posts a cryptographic proof that the bundle of transactions is valid. If there is an invalid transaction, users can submit a fraud proof to the main chain that challenges the state transition.

Zero-Knowledge Rollups (ZK Rollups)

ZK Rollups also bundle transactions off-chain, but use zero-knowledge proofs to validate the correctness of state transitions. ZK proofs allow the off-chain provider to generate a succinct cryptographic proof that the bundled transactions correctly update the state, without revealing any information about the transactions themselves. This proof is posted to the main chain for verification.

The key difference is that Optimistic Rollups only run transaction execution off-chain, while ZK Rollups also validate the transactions in zero-knowledge before posting to layer-1.

Security Implications and Risks

Now let’s discuss some of the unique security risks and attack vectors that rollups introduce:

Increased reliance on validator availability

Since computation and storage happen off-chain, rollup security relies heavily on validators being online to verify proofs and submit fraud proofs if necessary. If a significant percentage of validators go offline, it could delay proof verification and dispute resolution.

This is particularly problematic for Optimistic Rollups. Since state correctness is assumed by default, having insufficient validators online means incorrect or malicious state transitions could go unchallenged. ZK Rollups provide better guarantees since correctness is proven before posting to layer-1, but liveness is still dependent on validator availability.
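
The model below is an added example, not code from the original post or from any rollup project. It shows the optimistic challenge window in miniature: a validator that is online in time re-executes a forged batch and gets it reverted, while the same batch finalizes if no validator acts before the window closes. The function names, the hash used as a state root, and the 5-block window are assumptions; production fraud proofs use Merkle roots and an interactive dispute game.

```python
import hashlib

CHALLENGE_WINDOW = 5  # layer-1 blocks; constructed value for this model

def state_root(balances):
    """Hash commitment to the rollup state (stand-in for a Merkle root)."""
    blob = ",".join(f"{k}:{v}" for k, v in sorted(balances.items()))
    return hashlib.sha256(blob.encode()).hexdigest()

def execute(balances, txs):
    """Deterministic state transition: apply transfers, skip overdrafts."""
    state = dict(balances)
    for sender, recipient, amount in txs:
        if amount <= 0 or state.get(sender, 0) < amount:
            continue
        state[sender] -= amount
        state[recipient] = state.get(recipient, 0) + amount
    return state

def post_batch(txs, pre_state, claimed_root, posted_at):
    """What the sequencer publishes on layer-1; every batch starts as pending."""
    return {"txs": txs, "pre": pre_state, "root": claimed_root,
            "at": posted_at, "status": "pending"}

def challenge(batch, now):
    """Fraud proof: re-execute and compare roots; only accepted inside the window."""
    if batch["status"] != "pending" or now > batch["at"] + CHALLENGE_WINDOW:
        return False
    if state_root(execute(batch["pre"], batch["txs"])) != batch["root"]:
        batch["status"] = "reverted"
        return True
    return False

def finalize(batch, now):
    """An unchallenged batch becomes final once the window has passed."""
    if batch["status"] == "pending" and now > batch["at"] + CHALLENGE_WINDOW:
        batch["status"] = "finalized"
    return batch["status"]

def simulate(validator_online_blocks):
    """Forged batch posted at block 100; the validator acts only when online."""
    genesis = {"alice": 10, "bob": 0, "mallory": 0}
    forged = state_root({"alice": 6, "bob": 4, "mallory": 100})  # constructed
    batch = post_batch([("alice", "bob", 4)], genesis, forged, posted_at=100)
    for block in range(101, 110):
        if block in validator_online_blocks:
            challenge(batch, block)
        finalize(batch, block)
    return batch["status"]
```

Calling `simulate` with different sets of online blocks shows how the length of the challenge window bounds the validator downtime the rollup can tolerate.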

Potential for validator collusion

In Optimistic Rollups, validators are responsible for submitting fraud proofs if they detect invalid state transitions. However, there is potential for groups of malicious validators to collude and intentionally ignore invalid state changes. This could allow illegal transactions or double spends to occur without dispute.

ZK Rollups are less susceptible to this issue since validity proofs are generated before posting to layer-1. But validator collusion could still disrupt liveness and dispute resolution for both rollup types.

Monopoly power of the sequencer

For both optimistic and ZK rollups, transactions are sequenced and bundled off-chain by a separate entity called the sequencer. This introduces some centralization, since the sequencer has sole responsibility for ordering transactions.

A malicious sequencer could censor certain transactions, reorder transactions to benefit certain users, or attempt to include invalid state transitions that go unnoticed. They also wield monopolistic power over transaction throughput and could potentially extract excessive fees from users.

Decentralizing the sequencer role across multiple entities helps mitigate these risks. There are also initiatives like validator-run sequencer pools that aim to decentralize this function.

Legal and regulatory uncertainty

Since rollups handle computation and storage off the main blockchain, there is uncertainty around how they fit into existing regulations and legal frameworks. Issues like data privacy, censorship resistance, and compliance with financial regulations are still being worked out.

For example, if a malicious sequencer violates laws by laundering money via a rollup, it’s unclear whether the main chain would also be liable. And if a rollup is required to censor transactions or monitor user activity to comply with regulations, it could undermine privacy and self-custody. More regulatory clarity is still needed to understand how rollups fit into existing legal structures.

Weaker guarantees around data availability

Compared to layer-1 blockchains like Ethereum, which have strong guarantees around data availability for on-chain data, rollups make tradeoffs around data availability for off-chain transaction data.

Since compressed and aggregated transaction data is posted on-chain, individual transaction details are not directly available on layer-1. Users must rely on availability of the off-chain data to reconstruct full transaction details. If the off-chain data is censored or withheld by a malicious sequencer, it could prevent users from being able to reconstruct true transaction history.

Mitigating Security Risks

Given these risks, here are some ways protocol designers and developers should think about mitigating security issues with rollups:

  • Strive for greater validator decentralization – Having a diverse, decentralized set of validators for dispute resolution and proof verification improves resilience against collusion and liveness issues.
  • Implement better validator redundancy mechanisms – Techniques like sharding verification across validator sets and minimum validator thresholds help ensure availability even if some validators go offline.
  • Build in economic incentives – Penalizing malicious sequencers or validators via slashing, fees, or deposits incentivizes honest behavior.
  • Formal verification – Mathematically verifying the cryptographic proofs and other core components provides stronger assurances against flaws in the core protocol logic.
  • Encourage multiple sequencers – Supporting a more competitive market of multiple sequencers reduces centralization and monopoly power.
  • Handle disputes judiciously – Carefully structuring the dispute resolution process keeps frivolous disputes from harming performance.
  • Legal/regulatory analysis – Proactively collaborating with lawmakers and policymakers to clarify legal status and compliance requirements.
  • Develop data availability solutions – Using techniques like erasure coding, data blobs, and interoperability with Filecoin to provide stronger guarantees around off-chain data availability.
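
As an added illustration of the data availability point (not code from the original post), the sketch below splits a batch into chunks, commits to each chunk's hash as if posted on layer-1, and rebuilds the batch when one chunk is withheld or tampered with. It uses a single XOR parity chunk as a simplified stand-in for the Reed-Solomon codes used in practice; all function names and the sample batch are constructed.

```python
import hashlib

def digest(chunk):
    return hashlib.sha256(chunk).hexdigest()

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def encode(data, k):
    """Split into k zero-padded chunks and append one XOR parity chunk."""
    size = -(-len(data) // k)  # ceiling division
    padded = data.ljust(size * k, b"\x00")
    chunks = [padded[i * size:(i + 1) * size] for i in range(k)]
    parity = chunks[0]
    for c in chunks[1:]:
        parity = xor(parity, c)
    return chunks + [parity]

def commit(chunks):
    """Per-chunk hashes, standing in for the commitment posted on layer-1."""
    return [digest(c) for c in chunks]

def recover(received, commitment, length):
    """Rebuild the batch from chunks served off-chain (None = withheld)."""
    if len(received) != len(commitment):
        return None
    # A chunk that fails its hash check is treated the same as a withheld one.
    good = [c if c is not None and digest(c) == h else None
            for c, h in zip(received, commitment)]
    missing = [i for i, c in enumerate(good) if c is None]
    if len(missing) > 1:
        return None  # one parity chunk can repair only one loss
    if missing:
        present = [c for c in good if c is not None]
        rebuilt = present[0]
        for c in present[1:]:
            rebuilt = xor(rebuilt, c)
        if digest(rebuilt) != commitment[missing[0]]:
            return None
        good[missing[0]] = rebuilt
    return b"".join(good[:-1])[:length]
```

With one parity chunk the batch survives a single withheld chunk; tolerating more losses requires a code with more redundancy.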

Conclusion

Rollups introduce significant scalability improvements to blockchain networks, allowing more transactions with lower fees. But their off-chain nature also creates new potential risks around validation availability, centralization, collusion, and legal uncertainty.

By utilizing protocol techniques like decentralization, incentives, formal verification, and data availability schemes, rollup designers can help mitigate these risks. With proper engineering and governance, rollups have the potential to improve scalability while still leveraging the security guarantees of underlying blockchains. As rollup adoption increases, developing solutions to their unique security challenges will be an active area of research and development.

Table summarizing key risks and mitigations:

| Security Risk | Mitigation Strategies |
| --- | --- |
| Validator Availability | Greater decentralization, redundancy mechanisms |
| Validator Collusion | Incentives, formal verification |
| Sequencer Centralization | Support multiple sequencers |
| Legal/Regulatory Uncertainty | Proactive collaboration with policymakers |
| Weaker Data Availability | Erasure coding, data blobs |

This summarizes the key security risks introduced by blockchain rollups such as Optimistic Rollups and ZK Rollups, and strategies to help mitigate those risks. With careful protocol design and engineering, rollups can improve blockchain scalability while still leveraging the security of the underlying consensus layer.