Special thanks to various EF, Optimism, Taiko, Flashbots, Surge and other researchers who helped form my thoughts on this.
Today, the state of L2 security and L2 finality guarantees is improving: we now have three rollups at Stage 1, we are on the cusp of rollups getting more blob space with Pectra and then even more with Fusaka, and we have more and more high-quality ZK-EVM options that would allow much shorter finality times. Where can we go from here?
1. More blobs
This has already been discussed in other places; a target of 6 for Pectra, and 72 for Fusaka in Q4 (or, alternatively, 12-24 in Fusaka in Q3, if it is followed up with rapid further increases) feels like it is adequate to L2s’ needs.
2. Pragmatic fast finality via 2-of-3 OP + ZK + TEE
I argue that the best short-term proof system architecture for EVM rollups to get to stage 2 is a 2-of-3 between optimistic, ZK and TEE-based provers. Specifically:
- If a state root is approved by both a ZK prover and a TEE prover, then it is finalized immediately.
- If a state root is approved by either the ZK prover or the TEE prover but not both, then it is finalized after 7 days only if the optimistic proof game also unambiguously favors the state root.
- There is (optionally) a security council, which has the right to update the TEE prover logic with zero delay, and the ZK or optimistic prover logic after 30 days of delay.
- Potentially, we can give the security council upgrade rights in other specific contexts, eg. if a proof system provably disagrees with itself, we could allow the security council to upgrade it instantly.
This specific architecture is designed to simultaneously satisfy three goals:
- Provide instant finality in the normal case
- Satisfy the core stage 2 criteria, particularly (i) the requirement that if the “trustless” proof systems work, then nothing “semi-trusted” (either TEE or security council) is able to override them, (ii) the 30-day upgrade delay
- Avoid short-term over-reliance on ZK. Today, ZK proof systems still have a high enough rate of bugs, and shared code, that it is very plausible that either (i) there is a bug in shared code that affects multiple proof systems, or (ii) an attacker finds and holds on to a bug in one proof system for long enough that they discover a bug in the other.
In fact, the above architecture is arguably the only way to do this. Specifically, if for simplicity, you want a 2-of-3 proof system architecture, and ZK, OP, TEE and SC (security council) are the four “proof system” options, then:
- (1) implies
zk + tee >= 2
(OP and SC are both too slow) - (2) implies
tee + sc < 2
(non-trustless things cannot finalize on their own) - (3) implies
zk < 2
zk = 1
, tee = 1
, op = 1
is the only solution to this system of constraints.
The risk that a ZK system and an OP system will both have bugs (that are found by the same party) is much lower than the same risk for two ZK systems, because ZK and OP are so fundamentally different. In fact, it’s acceptable for the OP system to be ZK-OP (ie. one-round fraud proof via a different ZK-EVM), because the risk that one ZK-EVM has a soundness failure while the other ZK-EVM has a completeness (ie. liveness failure) is much lower than the risk of two soundness failures.
This gets us to a pragmatic higher level of fast finality and security while getting us to the key stage 2 milestone of full trustlessness in the case where proof systems (OP and ZK) work correctly. This will reduce round-trip times for market makers to 1 hour or even much lower, allowing fees for intent-based cross-L2 bridging to be very low.
3. Work on aggregation layers
Realistically, we are already on a trajectory to get ZK-EVMs generating proofs in one slot. This is because this is necessary for L1 use of ZK-EVMs. In fact, a very strong version of this, where we get single-slot proofs even in the worst case, is necessary for L1 use. This also creates a pressure for the rapid discovery and removal for the main class of completeness bugs in ZK-EVM: situations where a block has too many instances of some particular type of ZK-unfriendly computation. The verified ZK-EVM effort will also work to reduce soundness bugs, allowing us to hopefully phase out TEEs and go full-trustless in a few years.
The thing where we are currently relatively behind is Ethereum-ecosystem-wide standardized proof aggregation layers. There should be a neutral ecosystem-wide mechanism by which a prover in any application that uses zero knowledge proof systems (L2s, privacy protocols and zkemail-like wallet recoveries are the most natural initial use cases) can submit their proof, and have one aggregator combine the proofs into a single aggregate proof. This allows N applications to pay the ~500,000 gas cost of proving once, instead of N times.