Sunday, January 30, 2022

A quick reminder of what "shared security" means and why it's so important

When evaluating a smaller chain that is somehow "connected" to a larger chain, the most important question to ask is this:

If an attacker can 51% attack the smaller chain, how much damage can they do?

This is a very realistic and important question to ask, because the smaller chain is very often much smaller (in terms of market cap) than the larger chain, and it's often quite feasible for an attacker to actually buy up 51% of the tokens (or at least 51% of the staking tokens), especially if there's a large amount of bridged assets parked inside the chain that they could steal.

  • If the smaller chain is an "independent L1", they can steal everything. They can make a block that illegally edits the state to give them all the coins, and then withdraw the coins through the bridge, and there's no verification happening on the larger chain.
  • If the smaller chain is a "sidechain", they can steal everything, for the same reason. However, security can be slightly better than fully independent L1s, because sidechains whose block headers are published to Ethereum are guaranteed to revert if Ethereum reverts, preventing thefts involving 51% attacks on Ethereum but not the sidechain.
  • If the smaller chain is a "rollup", they can delay transactions and perhaps even force users to pay L1 fees, but they can't steal anything. This is because there is an on-chain mechanism (whether fraud proofs or data availability proofs) that can actually check that the events on the smaller chain leading up to the attacker's withdrawal are all valid.

A couple more niche examples:

  • If the smaller chain is a "plasma", they can delay transactions and force users to pay L1 fees, but they can't steal anything.
  • If the smaller chain is a "validium", they can permanently lock up all the users' money but they can't steal anything. Validiums (eg. Starkware's ImmutableX) are thus an interesting middle ground. They are not quite "true L2s" to the same extent as rollups are, because someone who takes over the validium can still deny users access to their funds and extort them, but they are nevertheless significantly more secure than sidechains, and importantly they can be as scalable as sidechains.

This is what we mean by "shared security". If you are hodling assets and doing stuff on the smaller chain, are you as secure as if you were doing it on the larger chain, or are you less secure? On a rollup or a plasma, you are just as secure. On an independent L1 or a sidechain, you are much less secure. On a validium, you're somewhere in the middle.

| Platform type | Security compared to base chain |
|---|---|
| Independent L1 | very much less secure |
| Sidechain | much less secure |
| Validium | somewhat less secure |
| Rollup | just as secure |
| Plasma | just as secure |

Note also that for reasons I described in this earlier post, a lot of this is actually symmetric: if you are holding ETC, you are better off holding it on a ZK rollup rooted in ETC than you are holding it wrapped on Ethereum (even if the bridge is a perfect ZK-SNARK verifier of Ethereum's consensus). It's not really about being on the biggest chain you can be. It's about the domain your activity is on being part of the same shared security zone as the domain where the assets you're using were originally issued, where a shared security zone is defined as "a chain, and all other chains [eg. rollups] whose security is ultimately dependent only on that chain".

But this doesn't change the above categorization; it only makes it stronger, as these differences in security persist even if Ethereum itself gets 51% attacked.

Some more specific examples:

| Asset is issued on | You are using that asset on | Security level |
|---|---|---|
| Ethereum | Ethereum | High |
| Ethereum Classic | Ethereum Classic | Medium-high |
| Bitcoin SV | Bitcoin SV | Low |
| Ethereum | Avalanche | Low |
| Avalanche | Ethereum | Low |
| Ethereum | StarkEx (rollup mode) | High |
| Ethereum | Arbitrum | High |
| Optimism | Ethereum | High |
| Arbitrum | ZkSync | High |

This is because (Ethereum, Optimism, Arbitrum, ZkSync, StarkEx rollup mode) are in the same shared security zone (as the latter four are all ultimately secured by Ethereum, or at least soon will be when the fraud proof mechanism is fully enabled with all temporary backdoors removed), but Avalanche and Ethereum Classic are not and likely never will be.

BSV is insecure on BSV despite being in the same shared security zone as itself, because BSV is a weak PoW chain that is easily attackable by bored BTC and/or BCH miners and has blocks that are too large for users to verify (with no plans to add sharding/ZK-SNARK/DAS technology to fix this), so someone who 51% attacks BSV can just push invalid blocks through and users would probably have no choice but to accept them.
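
The shared-security-zone rule applied mechanically to the rows of the examples table, as an added example that is not part of the original post. The registry is constructed from the post's tables and takes the rollups at the end state the post describes (fraud proofs fully enabled); `ExampleSidechain` is a hypothetical name, and rating every cross-zone pair "Low" is an assumption that generalises the two Ethereum/Avalanche rows.

```python
# Added illustration: the registry is constructed from the post's tables.
INHERITING_TYPES = {"rollup", "plasma"}  # "just as secure" as the base chain

# chain -> (platform type, chain it settles to; None for a base chain)
CHAINS = {n: ("L1", None) for n in
          ("Ethereum", "Ethereum Classic", "Bitcoin SV", "Avalanche")}
CHAINS.update({n: ("rollup", "Ethereum") for n in
               ("StarkEx (rollup mode)", "Arbitrum", "Optimism", "ZkSync")})
CHAINS["ExampleSidechain"] = ("sidechain", "Ethereum")  # hypothetical name

# Ratings the post gives for an asset used on its own issuing chain.
ROOT_RATING = {"Ethereum": "High", "Ethereum Classic": "Medium-high",
               "Bitcoin SV": "Low"}

def zone_root(chain):
    """Follow settlement links while the chain inherits its parent's security."""
    seen = set()
    while chain not in seen:
        seen.add(chain)
        kind, parent = CHAINS[chain]
        if parent is None or kind not in INHERITING_TYPES:
            return chain  # base chain, or a chain that is its own security zone
        chain = parent
    raise ValueError("cycle in chain registry")

def security_level(issued_on, used_on):
    root = zone_root(issued_on)
    if zone_root(used_on) != root:
        return "Low"  # assumption: generalises the Ethereum/Avalanche rows
    return ROOT_RATING.get(root, "not rated in the post")

# The nine rows of the post's table: (issued on, used on, security level).
POST_TABLE = [
    ("Ethereum", "Ethereum", "High"),
    ("Ethereum Classic", "Ethereum Classic", "Medium-high"),
    ("Bitcoin SV", "Bitcoin SV", "Low"),
    ("Ethereum", "Avalanche", "Low"),
    ("Avalanche", "Ethereum", "Low"),
    ("Ethereum", "StarkEx (rollup mode)", "High"),
    ("Ethereum", "Arbitrum", "High"),
    ("Optimism", "Ethereum", "High"),
    ("Arbitrum", "ZkSync", "High"),
]

def mismatches():
    """Rows where the zone rule disagrees with the post's table."""
    return [r for r in POST_TABLE if security_level(r[0], r[1]) != r[2]]

if __name__ == "__main__":
    print("rows the rule fails to reproduce:", mismatches())
```

A sidechain settles to Ethereum in the registry but does not inherit its security, so `zone_root` stops at the sidechain itself and any Ethereum-issued asset used there falls outside Ethereum's zone.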

