The Optimistic Rollup Dilemma

StarkWare
StarkWare
Oct 8 · 5 min read

Capital Efficiency vs. Security

Image for post
Image for post

TL;DR

  • We claim that Liquidity Providers will necessarily prefer a ZKR-Uniswap (Uniswap over a ZK-Rollup) to an OR-Uniswap (Uniswap over an Optimistic Rollup), as the ZKR-Uniswap will be *far* more capital efficient.

Background

The increase of gas price on Ethereum in recent months has generated plenty of interest in scaling solutions, and in particular in Layer-2 (L2) scaling solutions. These can be broadly divided into two families: Validity Proofs vs. Fraud Proofs. We’ve compared these previously here and here.

Validity Proofs include ZK-Rollups (on-chain data availability) and Validium (off-chain data availability). Several such systems are already deployed on Ethereum Mainnet, including our own StarkEx.

Fraud Proofs include Optimistic Rollups (OR), and some of these are approaching public testnets. OR are the latest generation of Fraud Proof designs, and they follow in the footsteps of Lightning and Plasma. OR are attractive to any dApp developer suffering from congestion on Ethereum, as they promise the ability to take Solidity code “as is”, and move the dApp to a scalable and inexpensive OR.

The basic concept behind OR: only tx data is sent to the main chain. Computations and storage are no longer done on the main chain; instead, they are moved to the Rollup, where block producers and validators perform this computational work. System integrity is ensured by assuming at least one user will both detect and report fraud to the main chain in a timely fashion i.e. within a block’s Dispute Time Delay (DTD). Once the DTD is over, the block is considered finalized.

Analysis

Below we will analyze OR from the perspective of Liquidity Providers (LPs) and users.

Assume that an application as big as Uniswap migrates to an OR seamlessly, by easily porting their existing Solidity code. Let us consider this OR from the perspective of LPs and users.

Liquidity Providers (LPs)

As mentioned above, ORs define a Dispute Time Delay (DTD), to allow for frauds to be detected and reported. Withdrawal times need to extend beyond the DTD, otherwise the system could easily become insolvent as a result of theft.

Security considerations motivate extending the DTD, in order to make attacks such as the following, more expensive:

  1. An OR Validator detects fraud, and sends a fraud_detected tx to the mempool. They’ve supposedly filled their role: the fraud was detected and “reported”. But in order to be truly reported, fraud_detected needs to be mined.

We claim that a tradeoff exists between capital efficiency and security. We will describe why it arises, and explain its implications. We will assume the duration of the DTD is 1 week (a proposal for a DTD of only 4.5 hours was proposed; some consider that dangerously short) — our analysis holds whether the DTD is 1 day or two weeks — it simply translates to a different point in the tradeoff curve between security and capital efficiency. Depending on the duration of the DTD, the attacker would have to spend anywhere between $Ms-$10Ms. The amount they would have to spend does not depend directly on the bounty the attacker is going after — if the OR holds $Bs, spending $Ms on an attack is a rational thing to do.

Opportunity cost dramatically impacts dApps, due to LPs actions — we’ve seen liquidity move from Uniswap to SushiSwap, and back again, in a matter of days. Compare OR-Uniswap, Uniswap on an OR, to ZKR-Uniswap, a Uniswap-fork on a neighboring ZK-Rollup. An LP now has the choice of locking their funds in OR-Uniswap for a week, or in ZKR-Uniswap for about 30 minutes (the proof generation cycle). ZKR-Uniswap has a fundamental advantage, one which tokenomics or other incentives will have a hard time beating in the long term.

We’re often asked: Wouldn’t Fast Withdrawals solve the problem? Doesn’t that level the playing field between OR and ZK-Rollups?

No. They would merely improve the UX by shortening the withdrawal time, without improving capital efficiency: sufficient funds would have to be locked in an L-1 smart contract to fund any withdrawal expected to occur during the entire DTD.

Furthermore, Fast Withdrawals can only be used for fungible assets, not NFTs. Even for fungible tokens, the opportunity cost of a token in demand could be prohibitively high. In fact, the opportunity cost is high exactly when many people want to trade a fungible asset in short supply: imagine the cost of provisioning enough YFI for a week’s worth of withdrawals, during that week when the entire DeFi space is hoping to trade them. If you were offered to lock your YFI for that peak-interest week, what return would you expect?

Some may claim LPs should not be concerned, as all of DeFi will simply gravitate to a single OR, allowing users to withdraw from it infrequently, and to transact there inexpensively.
Note this makes the strong assumption that no dApps would live outside this OR: not on L1, not on ZK-Rollups, etc.

We argue that even in this scenario, as the OR’s throughput increases, its security decreases. Why? Let’s consider the situation from the perspective of Alice, a user.

Users

  • Trust: Alice may trust the OR, or more specifically, that there is at least one party that validates the current state of the OR. This means that from Alice’s perspective, the OR is essentially a trusted system. Trusted systems work at astonishing scale, and are often the foundation of very valuable businesses (e.g. Coinbase, Binance, and conventional banks) — these businesses work hard not to betray trust, as their reputation is on the line.

Conclusion

ORs face a dilemma: They cannot match the capital efficiency of ZK-Rollups, as this will hurt the OR’s security. This is an inherent problem of OR, not a design detail. Because of this, any application faced with the choice of running on an OR or a ZK-Rollup, will prefer the latter, as that is where its Liquidity Providers will go.

Thanks to Dan Robinson for commenting on a draft of this post.

Avihu Levy & Uri Kolodny

StarkWare

Developing the Full Proof Stack for STARK

Medium is an open platform where 170 million readers come to find insightful and dynamic thinking. Here, expert and undiscovered voices alike dive into the heart of any topic and bring new ideas to the surface. Learn more

Follow the writers, publications, and topics that matter to you, and you’ll see them on your homepage and in your inbox. Explore

If you have a story to tell, knowledge to share, or a perspective to offer — welcome home. It’s easy and free to post your thinking on any topic. Write on Medium

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store