- TrueBit: off-chain interactive verification of execution and
- Raiden: which is another organisation working on state channels
Instead of putting all activity on the blockchain directly, users perform the bulk of their activity off-chain in a “layer 2” protocol. There is a smart contract on-chain, which only has two tasks: processing deposits and withdrawals, and verifying proofs that everything happening off-chain is following the rules. There are multiple ways to do these proofs, but they all share the property that verifying the proofs on-chain is much cheaper than doing the original computation off-chain. ~An Incomplete Guide to Rollups
Three Major Types:
- State Channels (built atop [sidechain])
Rollups are fully general-purpose; one can even run an EVM inside a rollup, allowing existing Ethereum applications to migrate to rollups with almost no need to write any new code.
How It Works:
- On-chain smart contract that maintains the state root: the merkle root of the roll-up (only the root is stored on chain, not the whole tree)
- Anyone can publish a batch: a transaction collection with the previous state route and new state route. The contract checks that the prev state root matches the current and if so will switch to the new root
- To support depositing / withdrawing, transactions whose input or output can be “outside” the rollup state. If a batch has inputs from the outside, the transaction submitting the batch needs to also transfer these assets to the rollup contract. If a batch has outputs to the outside, then upon processing the batch the smart contract initiates those withdrawals.
Two Flavours of Roll-ups (to address someone submitting a batch that just takes all the assets):
- Optimistic Rollups - uses “fraud proofs”. If anyone discovers one batch had an incorrect post-state root, they can publish a proof. Contract verifies proof and reverses the batch and all batches after it.
- Issues: 1 week withdrawal period to handle proof publishing. Higher pre-transaction on-chain gas costs.
- ZK Rollups - uses “validity proofs”. Every batch includes a proof called [zk-snarks] (e.g. using the PLONK protocol) to prove that the post-state root is the correct result of executing the batch.
- Issues: 10x more computationally expensive = high gas cost per batch. Complex technology. 1000x more computationally expensive running off-chain.
In general, my own view is that in the short term, optimistic rollups are likely to win out for general-purpose EVM computation and ZK rollups are likely to win out for simple payments, exchange and other application-specific use cases, but in the medium to long term ZK rollups will win out in all use cases as ZK-SNARK technology improves.
Problems with Rollups:
- Not yet used by wallets/merchants, etc.
- Cross-rollup transactions
- Fraud-proof nodes
- Hybrid between plasma and roll-ups
- Better security around pre-confirmations
- Recover from absent sequencer
- Efficient ZK-VM