Layer 2 security under the hood: proof systems, upgrade keys, and what actually protects your funds

How rollups derive security from L1

• Optimistic rollups (Arbitrum, Optimism): Assume state transitions are valid. If a validator spots an invalid state root, they submit a fraud proof within a challenge window. Security holds as long as one honest validator exists and has access to the data needed to construct a proof.
• ZK rollups (Polygon zkEVM): Every batch includes a cryptographic validity proof verified on-chain. No challenge window, no honest-watcher assumption for state correctness. The trade-off: circuit complexity becomes the attack surface.

Fraud proofs: BoLD vs. Cannon

Arbitrum's multi-round interactive proofs

• A disputed state assertion triggers an interactive bisection game
• The protocol narrows disagreement through three phases: block-level → a range of 2²⁰ WASM instructions → a single instruction
• That single WASM instruction executes on Ethereum L1 for deterministic adjudication
• The losing party's bond is slashed

• Permissionless validation — anyone can post and challenge assertions (previously limited to ~14 allowlisted validators)
• All-vs-all dispute model — one honest defender can simultaneously resist an arbitrary number of malicious challengers, eliminating sequential delay attacks
• Fixed confirmation bound — disputes resolve within ~12.8 days (two 6.4-day challenge periods plus a 2-day Security Council grace period)
• Trustless bonding pools — defending the network requires substantial capital (e.g., 200 WETH per assertion on Arbitrum One), but pools allow collective funding without mutual trust
• Defender capital exposure: ~15% of the attacker's total deployed capital

Optimism's single-round fault proofs

• The state transition function compiles to a MIPS virtual machine
• The op-challenger monitors the DisputeGameFactory contract for invalid output proposals
• Disputes use a bisection game with a maximum depth of 73 levels
• An airgap window adds delay after game resolution before withdrawals execute
• The Guardian role (held by the Security Council) can pause withdrawals or blacklist specific dispute games

• Cannon historically required patches to disable Go's garbage collector for deterministic execution
• Multi-Threaded Cannon (MT-Cannon) introduced 64-bit MIPS emulation to address memory constraints, but added concurrency risks — deadlocks or thread starvation could theoretically prevent proof generation
• Defender capital exposure: ~109% of the attacker's deployed capital at maximum game depth (~691 ETH cumulative bond)

Proof system comparison

ZK validity proofs: Polygon zkEVM's architecture

1. eSTARK as the primary backend — extended STARK over the Goldilocks field (p = 2⁶⁴ − 2³² + 1), using FRI for polynomial commitments
2. Recursive aggregation — STARK proofs aggregate to reduce verification costs
3. STARK-to-SNARK conversion — the final step converts to a Groth16 SNARK (FFLONK scheme) for constant-size on-chain verification via BN254 pairing curves, reducing L1 verification gas from ~5M to ~350K

ZK circuit vulnerability classes

• Underconstrained free inputs: zkASM patterns where free inputs lacked sufficient polynomial constraints. Attackers could manipulate execution paths while still generating valid proofs.
• Dual execution path attacks: Different paths consuming different ZK counters could both produce valid proofs. The FreeVer tool (academic research, 2025) found 6 soundness issues and 1 completeness issue, all confirmed high-impact by Polygon.
• STARK↔SNARK field incompatibility: The Goldilocks field (64-bit) and the BN254 field (254-bit) have different arithmetic properties. Verichains discovered in late 2023 that the Merkle root computation in this conversion layer could be exploited to forge proofs entirely. Patched December 2023.
• ecrecover discrepancy: Implementation differences between zkASM's ecrecover and standard EVM could have allowed proof generation for non-compliant transactions.
• Integer overflow in storage state machine: Pre-launch audits by Spearbit found overflow vulnerabilities that could grant unauthorized state manipulation to dishonest provers.

Upgrade keys override proof systems

Arbitrum: DAO-controlled with timelocks

• DAO governance controls all upgrades (4.5% quorum threshold)
• Regular upgrade path: L2 Timelock (8 days) → L2→L1 message (6.4-day challenge period, extendable by 2 days) → L1 Timelock (3 days). Total: ~17+ days
• Security Council: 12 members, DAO-elected in semi-annual cohort elections, publicly named
• Emergency path: 9/12 multisig can upgrade instantly (no delay)
• Non-emergency path: 7/12 threshold, subject to timelocks
• The 8-day L2 timelock is deliberate — it exceeds the 6.4-day BoLD challenge period, preventing the Council from altering contract rules mid-dispute
• Exit window: Users can withdraw before any DAO-initiated upgrade executes

Optimism: no exit window

• All contracts upgradable via SuperchainProxyAdmin, controlled by a 2/2 multisig (Optimism Foundation + Security Council)
• No timelock on regular upgrades — changes can execute instantly
• No exit window — users cannot withdraw before an upgrade takes effect
• Guardian role (held by Security Council) can pause withdrawals across the entire Superchain for up to 3 months
• Deputy Guardian (held by Foundation) enables rapid incident response; removable by Council
• DAO governance signals intent via votes but has no direct on-chain upgrade authority

Polygon zkEVM: no-timelock emergency powers

• Regular upgrades: 2/3 developer multisig with a 10-day timelock
• Emergency state: 6/8 Security Council can activate activateEmergencyState, which halts sequencing, blocks the bridge, and disables forceBatch
• No DAO governance mechanism for zkEVM specifically
• Both sequencer and aggregator were centralized under Polygon Labs

Upgrade governance summary

Sequencer centralization and censorship resistance

• Arbitrum: Sequencer operated by the Arbitrum Foundation. Users can force-include transactions via the L1 DelayedInbox. Sequencer decentralization planned but still in progress.
• Optimism: Sequencer operated by the Optimism Foundation. Users can force transactions on L1 with up to a 12-hour delay. If the sequencer goes offline beyond a 30-minute drift threshold, it enters a catch-up phase producing blocks at a 1:1 ratio with L1 until resynchronized.
• Polygon zkEVM: Sequencer and aggregator operated by Polygon Labs. forceBatch was only enabled late in the chain's lifecycle, ahead of the deprecation announcement.

Liveness failures: what broke and why

• Arbitrum (December 2023): Inscription-related traffic consumed ~90% of network load, causing a ~1.5-hour sequencer outage. Secondary nodes failed to take over due to a concurrent software upgrade conflict.
• Optimism: Multiple minor RPC-related incidents during early operation. No prolonged outages documented at the sequencer level.
• Polygon zkEVM (March 2024): A 10–14 hour outage triggered by an L1 block reorganization. The L2 synchronizer failed to detect a dropped global state update transaction, causing the sequencer to produce batches with corrupted timestamps and an invalid Global Exit Root. L1 rejected the batches, halting proof generation entirely. Recovery required declaring Emergency State, manually rewriting the ROM architecture, force-upgrading L1 verifiers, and re-executing thousands of orphaned transactions. Users had no general-purpose mechanism to force-exit assets during the outage.

Audit history and critical incidents

Arbitrum

• Audits: Trail of Bits (BoLD, Nitro v3.9.3), Code4rena competitive audit ($300.5K pool), ChainSecurity
• Bug bounty: Immunefi, up to $2M for critical vulnerabilities
• Notable incident: 2024 Security Council bug fix protecting ~$100M in TVL across Arbitrum dApps. No known exploits resulting in user fund losses on core protocol.

Optimism

• Audits: Core dev teams (OP Labs, Base, Succinct Labs) plus external auditors
• Bug bounty: Immunefi. $2M payout in February 2022 for the infinite mint vulnerability
• Notable incident: A flaw in the OVM's SELFDESTRUCT opcode handling allowed unlimited synthetic ETH minting on L2 through contract reuse loops. The L2 token was returned but the liability record was not purged, enabling balance triplication. Discovered by a whitehat before exploitation.

Polygon zkEVM

• Audits: 35 components audited 3 times by 26 researchers (~4 months). Hexens found 9 vulnerabilities (4 critical). Spearbit found 10 critical, 1 high, 4 medium. Dedicated ZK circuit/cryptography audit by Spearbit.
• Bug bounty: Immunefi
• Notable incidents: STARK↔SNARK proof forgery (Verichains, patched December 2023); FreeVer research uncovering 6 soundness + 1 completeness issue in zkASM circuits (2025, confirmed high-impact)

Polygon zkEVM deprecation: lessons for ZK rollup evaluation

• TVL below $50M; annual operating losses exceeding$1M
• Never integrated EIP-4844 blob support, losing cost competitiveness against optimistic rollups
• ZK counter limits blocked integration with complex DeFi protocols
• Circuit complexity created vulnerability classes requiring deep cryptographic expertise to audit
• Prover remained centralized throughout the chain's lifetime

Using this data for risk modeling

• Evaluate the upgrade path, not the proof system. A 9/12 emergency multisig (Arbitrum) or a 2/2 instant-upgrade multisig (Optimism) defines your actual trust boundary. Model scenarios where these keys are compromised.
• Quantify your exit window. Arbitrum's ~17-day DAO upgrade pipeline gives users time to withdraw. Optimism's zero-delay regular upgrades do not. If your protocol holds significant TVL on an L2, this gap directly affects your users' risk exposure.
• Assess capital requirements for honest validation. If you plan to run a validator or watchdog, Arbitrum's BoLD requires ~15% of an attacker's capital to defend. Optimism's Cannon requires ~109%. This determines whether independent validation is economically viable for your team.
• For ZK rollup integrations: Audit the circuit constraints, not just the smart contracts. Underconstrained free inputs, field incompatibilities in proof conversions, and ZK counter limits are categories your auditors need to specifically target.
• Monitor data availability. Both Arbitrum and Optimism post full DA to Ethereum L1. If you're evaluating alternative DA layers (e.g., Arbitrum Nova's AnyTrust DAC), understand that weaker DA = weaker fraud proof guarantees.
• Track governance changes. Security Council compositions, multisig thresholds, and timelock durations change through governance proposals. Subscribe to governance forums for any L2 where you hold meaningful exposure.

Partner with Zealynx

FAQ: Layer 2 security

Glossary