Your Guide to Rollup Taxonomy, Design, and Tradeoffs

By Michael @ CryptoEQ | CryptoEQ | 22 Jun 2023


You are reading an excerpt from our free but shortened abridged report! While still packed with incredible research and data, for just $20/month you can upgrade to our FULL library of 50+ reports (including this one) and complete industry-leading analysis on the top crypto assets. 

67cbbf4723857b85c151585aa280e6d940346c501cef75bafd7dea02b44b24c9.png

Becoming a Premium member means enjoying all the perks of a Basic membership PLUS:

  • Full-length CORE Reports: More technical, in-depth research, actionable insights, and potential market alpha for serious crypto users
  • Early access to future CORE ratings: Being early is sometimes just as important as being right!
  • Premium Member CORE+ Reports: Coverage on the top issues pertaining to crypto users like bridge security, layer two solutions, DeFi plays, and more
  • CORE report Audio playback: Don’t want to read? No problem! Listen on the go.

“Typical” Rollups

Rollups are essentially blockchains that post their blocks to an alternate blockchain, thus leveraging the consensus and data availability of that particular blockchain, often denoted as a "consensus and data availability layer".

rollup diagram Source

A typical rollup mechanism is sustained by three principal components: sequencers, rollup full nodes, and rollup light clients. All rollups embody a state, which is the account addresses and token balances of rollup users at a specific point in time.

Sequencers in a rollup ecosystem are nodes that receive new rollup transactions from users. They bundle these transactions into a block and post it onto the consensus and data availability layer. A block is bifurcated into two parts: a block header and the actual transaction data. The block header, apart from other data, contains a cryptographic commitment to the chain's state, commonly expressed as a Merkle root.

rollup sequencer diagram Source

Rollup full nodes represent a crucial element in the rollup process. These nodes download all rollup block headers and transaction data. They process and verify all transactions to calculate the state of the rollup and ensure the transactions are valid. If a full node encounters an invalid transaction within a rollup block, the node dismisses and ignores that block. This effectively curtails sequencers from creating valid blocks with invalid transactions, as these would be rejected by the nodes.

Conversely, rollup light clients download only the rollup block headers, steering clear of downloading and processing any transaction data. This means they cannot calculate the latest state or verify the state validity of the rollup independently. These clients learn about the latest state commitment from the most recent rollup block header and can request rollup full nodes for fragments of the state. They also indirectly assess the validity of the rollup transactions using methodologies like fraud proofs or validity proofs.

full vs light nod diagram Source

When rollup nodes synchronize the rollup chain, they employ the order imposed on the rollup blocks by the consensus and data availability layer. They finalize a rollup block if it is the first valid block at its height within the rollup to be published on the data availability layer—irrespective of whether the validity is checked directly (as with full nodes), or indirectly (as with light clients).

Rollups offer a revolutionary leap in the context of blockchain technology, bolstering efficiency and security while maintaining the decentralized ethos that underpins this disruptive technology. This advancement promises to revolutionize how transactions and blocks are handled, potentially altering the landscape of blockchain technology and its various applications.

The Spectrum of Sovereignty

While there exist myriad ways to deploy an execution layer, Layer 2 (L2) smart contract rollups on Ethereum have traditionally been the most prevalent. These layers span a spectrum of sovereignty, on one end of which we have enshrined rollups, and on the other, sovereign chains and rollups. Although definitions for these designs remain somewhat contentious, this discussion will employ the classification system proposed by the Ethereum community.

This figure depicts the various rollup kinds and the functions that are done on each layer.

delphi rollup architecture matrix Source

Enshrined Rollups: Embedded Security at the Expense of Flexibility

Nestled within the vast spectrum of rollup variants, enshrined rollups stand as a unique intersection of innovation and practicality. These rollups exhibit consensus integration at Layer 1 (L1), offering a distinctive contrast to their Layer 2 (L2) counterparts—smart contract rollups—that operate outside of consensus. The term "enshrined" speaks to the embedding of the rollup's logic into the protocol of the Layer 1 blockchain itself. This enshrining of the rollup into Layer 1 positions its operation under the governance of the L1 blockchain's consensus rules, veering away from a distinct set of rules or smart contract.

However, this model’s drawback is its sluggish upgrade capability, as any improvements necessitate the underlying blockchain's consensus process. At present, Tezos is the only protocol exploring this path.

The modus operandi of enshrined rollups is rooted in off-chain computational work, with the computation results posted onto the Layer 1 blockchain. A cadre of validators manages these off-chain computations, tasked with processing transactions and producing proofs that attest to the computation's correctness. These proofs are posted onto the L1 blockchain, where they undergo a validation process facilitated by the blockchain's consensus mechanism. The successful validation of these proofs culminates in their acceptance and subsequent incorporation into the blockchain's state.

This unique operational mechanism provides a significant boost to transaction throughput. By offloading the computational work, the Layer 1 blockchain is left with the less resource-intensive task of proof validation. This reallocation of computational responsibilities enables the L1 blockchain to process a larger volume of transactions, translating into greater efficiency and throughput.

Enshrined rollups open new avenues for enhancing blockchain systems, offering distinct advantages. An uptick in transaction throughput is arguably the most direct benefit, achieved by transitioning computations off-chain. Additionally, enshrined rollups inherit the security properties of the Layer 1 blockchain, reinforcing their security profile. In terms of decentralization, enshrined rollups maintain a balanced architecture by transitioning computations to a set of off-chain validators. This effectively minimizes resource requirements for node operation, thus encouraging greater network participation. Furthermore, enshrined rollups, when designed with compatibility in mind, can seamlessly interact with existing L1 blockchains and associated applications.

Like any technological innovation, enshrined rollups present a balanced palette of pros and cons. On the positive side, they promote scalability, bolster security, uphold decentralization, and facilitate interoperability with existing Layer 1 blockchains. However, they introduce a layer of complexity that could potentially hinder their understanding and adoption. The operation and security of enshrined rollups also rely heavily on Layer 1. Therefore, any security compromise within L1 could negatively impact the enshrined rollup. Additionally, the inflexible nature of enshrined rollups—stemming from their embedded logic in the L1 protocol—may pose challenges in terms of upgradability when compared to other rollup types.

Sovereign Rollups: Complete Control and Data Availability

A sovereign rollup operates independently from its settlement layer, which traditionally manages state updates and facilitates inter-communication within the blockchain. Instead, this form of rollup relies entirely on a Data Availability (DA) layer, effectively increasing its operational independence and functionality. A sovereign rollup doesn't depend on the base layer to validate its transactions. It can also fork without permission.

For blockchain novices, envisioning the process can prove challenging, particularly with DA layers incapable of processing smart contracts—such as Celestia. Nevertheless, such systems are surprisingly functional, with transactions posted directly to Celestia. The pivotal factor to consider here is that data, once posted, does not undergo computation on Celestia, but finds a home in the block headers—unique identifiers of distinct blocks on a blockchain.

sovereign vs enshrined diagram Source

This transfer of data is directed towards the rollup's namespace within Celestia, essentially serving as the rollup's smart contract. Merkle trees, which house the transaction data, are subsequently sorted by namespaces. The key advantage of this lies in the ability of any rollup on Celestia to download only data relevant to their respective chain. Consequently, full or light nodes present on the rollup form a peer-to-peer network, downloading blocks to ascertain and verify the sequence of block data on Celestia.

From this, it becomes clear that the canonical history of the chain is determined by local nodes confirming the validity of the rollup's transactions. This creates a reassuring security infrastructure, where full nodes acting as monitors of the rollup's namespace can provide security to light nodes. Interestingly, data availability sampling renders light nodes equivalent to full nodes, a characteristic highlighting the unique dynamism and versatility inherent to this form of blockchain technology.

Unquestionably, sovereign rollups present an intriguing proposition. Their independence enables the operation of specialized nodes and layers, optimized for a range of purposes—capabilities that are far from achievable on monolithic or semi-monolithic chains. A practical demonstration of this can be observed with Optimistic Rollups, where instead of verifying fraud proofs within a settlement layer contract, fraud proofs are distributed among nodes in the peer-to-peer network on the rollup. This approach could potentially expedite dispute resolution periods, offering a more efficient alternative to conventional, slower settlement layers.

At the crossroads of innovation and decentralization, sovereign rollups are redefining how blockchain technology is structured and implemented. From an investor or user perspective, these cutting-edge developments stand poised to enhance the versatility, efficiency, and security of blockchain-based platforms, marking a significant step forward in our collective blockchain journey.

Validium and Volitions

Validium’s mechanism is nearly identical to a ZK-rollup with the only difference being data availability in a ZK-rollup is on-chain, while Validium keeps it off-chain. This means ZK-rollups post data on the L1  blockchain itself while Validiums post validity proofs on-chain, but the data remain on a separate network. 

This benefit enables Validium to achieve considerably higher throughput than ZKR or ORs. By sending data off-chain rather than on-chain, it further reduces the cost of each transaction and increases the transactions per second (TPS). 

validium and starks Source

Validiums still use Zero-Knowledge Proofs for transaction validity, but store the transaction data off-chain with a central data provider. Validiums are the cheapest on a per-transaction basis in this spectrum.

Accessing the latest state in a Validium requires that off-chain data be available. This is fine except in cases where the data provider misbehaves or goes offline. As a result, there's no DA guarantee and security is lower. Current Validium designs use a Data Availability Committee (DAC) rather than a single provider due to these security concerns.

By keeping data off-chain, Validiums also offer privacy benefits as users’ transaction and balance information are stored with the Validium operator instead of publicly on the blockchain. However, because transaction data isn’t published on-chain, users are forced to trust an operator to make the data available when needed. This key difference makes Validiums more akin to a highly performant, custodial PoA system where Validium operators could freeze, but not steal, users' funds. 

The trade-off for storing data off-chain is that it requires trust in the third party who could prevent users from accessing their balances. Starkware aims to solve this with a Data Availability Committee (DAC), which in this case would include a committee of eight independent members that have their own copy of the transactions made. 

In the case of this DAC, it can be thought of as Validium functioning with multiple nodes. Nodes, or members of DACs, are trusted parties that keep copies of data off-chain and port them back into the public in case any operators act maliciously. The nodes, however, made an on-chain attestation that the data of the L2 is available by posting signatures on-chain. 

The committee members are also required to maintain this data by making it available at all times. If an operator prevents a user from accessing their funds, a committee member can override them to confirm their request if it’s valid. This has some security implications—a permissioned committee requires the end user to trust this fixed group of actors to store transaction data. If a threshold of committee members were to act maliciously, they could freeze (in the case of a ZK-rollup), or steal (in the case of an OR) all of the funds on the chain and kill the liveness of the chain.

Optimistic Chains: A Look Into Arbitrum's Nova

Optimistic chains, such as the Arbitrum Anytrust chains like Nova, function similarly to Validiums as they also utilize an external chain for data. However, they introduce a safety net wherein the chain reverts to a rollup if even one (or two) validators dissent. This introduces a 1/n trust assumption as opposed to the typical ⅔ of n assumption for standalone L1s or sidechains.

Nova is built using AnyTrust technology, making it suitable for gaming, social applications, and NFT ecosystems with high volume requirements or for projects that are open to using an off-chain data availability solution.

There are two key differences between the working of Arbitrum Nova and Arbitrum One:

  1. The sequencer sends transaction data to the data availability committee (DAC) instead of posting all calldata to layer 1. This is the reason that a minimal trust assumption is added to Nova. It assumes that at least two committee members are honest. 
  2. Since only data availability certificates are posted to layer 1 instead of full transaction data, the result is cost savings as the smaller amount of data needs to be posted on layer 1. Thus, transactions on Nova are significantly cheaper than on Arbitrum One.

Currently, there are six members in the data availability committee: Consensys, Google Cloud, Offchain Labs, P2P, Quicknode, and Reddit. Over time, more members will join the DAC.

AnyTrust

AnyTrust is a type of “honest minority” sidechain with rollup fallback and functions as a mode of Arbitrum that allows for ultra-low-cost transactions with strong security guarantees. These types of chains operate similarly to any alternative layer-1 or sidechain, but with significantly higher security due to a different consensus model, using a “1-of-N” consensus rather than “%-of-N” consensus. They also feature a “fallback” mode in the case of one or two validators' dissent, which makes the chain fall back into a rollup. 

AnyTrust chains are superior to alternative L1s and also to sovereign rollups since they can allow for much lower cost and faster withdrawals in exchange for a minimal extra trust assumption. Compared to sidechains, AnyTrust’s key advantage is it’s built on top of Ethereum, so it doesn’t require a separate set of validators and, therefore, less trust. However, the “gold standard” of rollups would be a secured Ethereum rollup, which will also be negligibly cheap post-EIP-4844 and danksharding.

AnyTrust works by using a chain that's operated by a committee of nodes with a minimal assumption about how many committee members are honest. For example, there might be 20 committee members and an assumption that at least two of them are honest. This is a much easier trust assumption compared to conventional BFT sidechains, which require more than two-thirds of the members (14 out of 20) to be honest. The trust requirement can be reduced from 14 to two because of AnyTrust’s unique “fallback to rollup” feature built on top of Ethereum.

Assuming the trust assumption holds and the committee members participate, users get two big advantages when using AnyTrust. First, there’s no need to record L2 transaction data on the L1 chain because nodes can rely on the committee to provide data if needed. Instead, with the committee’s promise to provide data, it’s safe to simply record the hash of a transaction batch on the L1, which saves the largest cost of running a rollup. Secondly, withdrawals to the L1 can be executed immediately as soon as the committee vouches for them.

Safety and Consensus

It’s safe to do either of these two actions described above as soon as 19 of the 20 committee members have promised (by signing) it’s acceptable. The logic is: if there are at least two honest members, and 19 of 20 have signed, then at least one honest member must have signed since the quorum must contain an honest member. 

If a quorum signs a promise to provide the data backing a batch of transactions, we know data will be available to anyone who wants it. Therefore, we know it’s safe to post the hash of the data, rather than the full data, on the L1 chain. Similarly, if a quorum signs a statement saying a particular state transition is correct, the state transition can be accepted without waiting for a challenge period. This relationship allows withdrawals to L1 to be processed immediately with AnyTrust.

In the case of lacking an active quorum willing to sign statements, neither of those things can happen. However, the chain can still operate and make progress by using the original Arbitrum rollup protocol as described below. 

Fallback to Rollup Mode

If the committee doesn’t sign anything or several committee members crash or refuse to cooperate, the chain can still operate, but by falling back to a standard rollup protocol. 

In this mode, transaction data will be posted on the L1 Ethereum chain, and withdrawals will have a delay period, just like on a standard rollup, until the committee resumes operation. Then the chain will switch seamlessly back to the cheaper, faster mode of operation.

While Arbitrum is off to a hot start, it’s not without issues. In January 2022, the Arbitrum rollup network came to a halt. Offchain Labs soon after released a post-mortem explaining the issue was due to the main sequencer experiencing a hardware failure during a software upgrade. This issue cascaded down the system, preventing even the redundancy measures in place from working. Eventually, the issue was corrected and has since been restored to full functionality. During the downtime, no funds were at risk (thank you, rollup!), but no transactions could be executed, including deposits and withdrawals.

In summary, if at least two members are honest, the chain operates correctly, and it follows that if there are 19 members available and cooperating, it operates at minimal cost. In fallback to rollup mode, the chain will operate at the cost of an Ethereum-based rollup and it will be evident who the non-cooperating or unavailable members are so they can eventually be replaced.

Therefore, AnyTrust can be best thought of not as an L2, but rather as a sidechain with a 19/20 liveliness assumption, a 2/20 safety assumption, and a 1/20 DA assumption, which falls back to an ORU during a liveliness failure, which would be a safety failure putting funds at risk. However, this security model is worse than Validium. In Validium, only the DA assumption is needed, whereas in AnyTrust, both the DA and the safety assumptions must hold.

Trade-offs: Security, Upgradeability, and Integration

These execution layer designs present a unique combination of security, upgradeability, and integration trade-offs with the underlying blockchain. Typically, more sovereignty implies fewer performance or autonomy limitations but poses potential risks surrounding upgradeability and security, and potentially introduces complexity in secure composability. Conversely, less sovereignty usually implies the opposite.

An essential trade-off to consider is economic in nature. It appears that the more sovereign the execution layer, the clearer the value flow to the respective token. The manner in which a regular rollup's token accrues value—or whether it's needed at all—remains more ambiguous. Considerations around Miner Extractable Value (MEV), resource pricing, among others, are complex and will be discussed in greater detail in a subsequent post.

Developers, considering the specific requirements of their project or application, will need to select the most suitable rollup type to achieve their desired equilibrium between security, decentralization, scalability, and economic preference. It's vital to remember that much of this remains theoretical; so far, only regular rollups have seen extensive production. Clarity on these options and their implications should materialize in the coming months and years.

How do you rate this article?

34


Michael @ CryptoEQ
Michael @ CryptoEQ

I am a Co-Founder and Lead Analyst at CryptoEQ. Gain the market insights you need to grow your cryptocurrency portfolio. Our team's supportive and interactive approach helps you refine your crypto investing and trading strategies.


CryptoEQ
CryptoEQ

Gain the market insights you need to grow your cryptocurrency portfolio. Our team's supportive and interactive approach helps you refine your crypto investing and trading strategies.

Send a $0.01 microtip in crypto to the author, and earn yourself as you read!

20% to author / 80% to me.
We pay the tips from our rewards pool.