Dispute Resolution Comparison for Optimistic Rollups (ARDC Research Deliverable)

As part of the ARDC, Delphi Creative (part of Delphi Digital) has put together a summary of the dispute resolution mechanisms employed by ORUs. This research aims to shed light on the different methods used by today’s ORUs to implement fraud/fault proofs.

We have published this as a public report on our platform for better readability.

Key Takeaways

  • Optimistic rollups accept L2 state outputs, unless challenged, with a typical 7-day challenge period for disputes. New permissionless dispute resolution methods aim to lower participation barriers and enhance security.

  • Arbitrum’s BoLD resolves disputes through an interactive bisection process, narrowing down disputes to single execution steps; similar mechanisms are used by Optimism and Cartesi. Fuel uses a single-round mechanism.

  • With over $30 billion in TVL, optimistic rollups risk significant losses if disputes by malicious actors are not resolved effectively, facing delay, economic, and censorship attacks.

  • Delay attacks aim to disrupt transaction confirmations and chain liveness, but mechanisms like Arbitrum’s BoLD use fixed timers and staged processes to ensure timely resolution.

  • Dispute resolution protocols require economic resources, such as bonds and gas costs; high bonding requirements may deter malicious actors and defend against resource exhaustion attacks. Challengers can trustlessly pool capital together to avoid high individual bonding costs.

  • Mechanisms like BoLD’s Merkle tree commitments and Cartesi’s multi-level refinement allow trustless collaboration among honest parties, incentivizing honest participation.

  • Bad actors may try to censor assertions by honest parties to delay or manipulate dispute resolution, incurring costs that grow with the extent and duration of censorship. BoLD introduces parameters like Nominal Delay and Censorship Budget to mitigate such attacks by pausing timers during censorship.

A Look At Dispute Resolution Protocols in Optimistic Rollups

In an ideal world, everything works as intended and there are no disputes. But that is not a realistic world view to hold, especially for optimistic rollups.

In centralized institutions, a single entity holds all the decision-making power, determining what is right and which direction to take. This concentration of authority leaves little room for other users or stakeholders to present their interests or versions of the truth.

Conversely, in decentralized systems like blockchains, there is no single source of truth. Instead, the truth emerges from the consensus of multiple entities within a system that is permissionless to participate in. This structure allows for diverse perspectives but can also lead to disputes when different entities have varying versions of the truth. And this necessitates dispute resolution mechanisms.

Arbitrum’s BoLD

Bounded Liquidity Delay, or BoLD, is Arbitrum’s new dispute resolution mechanism. This protocol is designed to be resistant to attack vectors such as delay attacks, resource exhaustion attacks, and censorship attacks. BoLD is permissionless compared to Arbitrum’s currently deployed dispute resolution protocol. Other optimistic rollups, such as Optimism, Cartesi, and Fuel, are also developing their own dispute-resolution methods.

The Dispute

Before we dive into the different dispute resolution mechanisms, let’s clarify a few things, starting with where and when a dispute resolution mechanism enters the picture in an optimistic rollup. When funds are withdrawn from an optimistic rollup back to Ethereum using a rollup bridge, they are not immediately credited to your account. Why is this the case?

Optimistic rollups exist so that the L1, Ethereum, does not have to do the compute-heavy job of executing transactions. The L1 optimistically accepts L2 state outputs unless those outputs are challenged. Claims are assertions about the state of the L2 given a set of inputs.

Now, the claims aren’t considered valid immediately. They must first pass through a challenge period, which usually lasts 7 days. During this challenge period, any claim can be contested by a challenger who asserts that the claim is invalid. What we have then is a dispute between those who consider a particular claim valid and those who consider it invalid.

The Resolution - How Are Disputes Resolved?

With Arbitrum’s currently deployed dispute resolution mechanism, proposers post assertions about Arbitrum’s state to Ethereum. These assertions can be challenged by “challengers” during the 7-day period. During this period, the proposers and challengers engage in an interactive, step-by-step bisection process in which they narrow the exact point of dispute down from the global state to single blocks, as shown in the diagram below.

After isolating the dispute to a single block, the process further bisects down to the individual execution steps within that block. This involves providing competing state transitions and proving the correctness of each step. Once the dispute is narrowed down to a single execution step, whichever party’s turn it is to respond, proposer or challenger, has to provide the proof data needed to execute that single step. If executing this step results in a different state than the one previously asserted, the current responder wins the challenge.

The purpose of this bisection mechanism is to minimize the computation required to verify a fraud proof. If the entire rollup block had to be verified on the L1, the L2’s throughput would be limited by the L1’s throughput.

Optimism initially used a single-round mechanism that re-executed the transactions in question in the EVM, but its newly proposed mechanism uses a multi-round dispute game similar to Arbitrum’s. Cartesi’s DAVE also uses a similar multi-round dispute resolution mechanism. Fuel, on the other hand, uses a single-round hybrid proving mechanism.

Hybrid Proving does not involve a bisection process to narrow down the exact execution step. In a dispute where an invalid block is submitted and challenged, the block is run through several ZK provers, and the resulting ZK proof is submitted as the fraud proof.

The dispute resolution period on Arbitrum and Optimism lasts 7 days. This is for various reasons, but mainly to give the Arbitrum and Ethereum communities enough time to coordinate a recovery in case of censorship attacks by malicious actors. This works well as long as the censorship attack does not last more than a week. Given that Hybrid Proving has fewer interactive rounds, in the happy case the dispute resolution window could potentially be reduced to one day. However, it only takes one validator failing to check in for the 7-day period to kick in, and that validator would be slashed. Validators may fail to check in either due to honest inactivity or maliciousness. To account for honest inactivity, validators could be run with an MPC setup, so that even if some nodes go down, they collectively continue to check in.

Who takes part in disputes?

Generally speaking, there are two main types of actors: the proposers and the challengers. The role of the proposer is to post assertions to the L1, and the challenger can raise a dispute. Operating both these roles requires a stake. This stake can be slashed if the party is found guilty of raising false flags or misbehaving. The stake is also required to post claims or assertions during each step of a challenge. Some protocols may also use another party whose role is only to verify assertions being posted by the proposer. This role does not require a stake to operate.

Extent of Maliciousness

As of now, Optimistic rollups collectively hold over $30 Bn in TVL. All of this value would be at risk if malicious actors could win disputes by posting false assertions. Without robust dispute resolution protocols in place, Optimistic rollups potentially stand to lose hundreds of millions or even billions to these actors.

There are several attack vectors that malicious actors can use to disrupt the chain. These can mainly be classified into delay attacks, economic attacks, and censorship attacks. The dispute resolution mechanisms that are currently live operate on a permissioned and trusted model consisting of entities with high reputations. If any of them were to behave maliciously, they can be punished or kicked off the network. But now, optimistic rollup teams have been coming up with more permissionless dispute resolution methods that would lower the barriers to raising and participating in a dispute. We will look at how Arbitrum’s BoLD, Cartesi’s DAVE, Optimism, and Fuel’s Hybrid Proving mechanism fare against these attack vectors.

Delay Attacks

The idea with delay attacks is to affect the protocol’s liveness. An attacker’s goal is to prevent or delay the confirmation of withdrawals on the L1. A successful delay attack can halt the chain’s progress and cause honest parties to expend resources unnecessarily.

An attacker may also try to delay a dispute from being resolved by keeping the interactive bisection process going for a much longer duration. If an honest actor cannot respond in time, the challenge could be lost due to a timeout, resulting in the attacker winning the dispute.

Unlike the currently deployed dispute protocol on Arbitrum, BoLD is designed to resolve disputes within a bounded duration regardless of the number of participants or assertions being made. The currently deployed dispute protocol on Arbitrum has a “chess clock”, or local timer, system that gives each responder a fixed time period to respond. Once a party makes a move, their timer pauses and the opposing party’s timer starts ticking. Whichever party’s timer reaches 0 first loses, and the other party wins. This way, causing delays by not responding is not a working strategy for a bad actor.

With BoLD, there is a concept of “parent” and “child” assertions. The original assertion made by a proposer is the parent, and the assertion that results from challenging it is the “child”. Each party has a fixed timer to make their moves, and each assertion inherits the timer from its parent assertion. For example, if the first assertion had a challenge period of 7 days and it was challenged on the 2nd day, the time remaining is 5 days, so the child assertion would now have a timer of 5 days.

Optimism also uses a local timer mechanism. Additionally, any bad actor who tries to delay dispute resolution by posting “freeloader” claims, i.e., claims that do not contribute to the resolution, will be slashed. Similar to the inheritance of timers from parent to child assertions, with Optimism, if a “grandchild” assertion has less than X amount of time remaining, its timer is extended to exactly X. While this is designed to ensure that the assertion has enough time to be resolved or challenged, it may allow adversaries to cause more delay.

Cartesi uses a tournament-style refereed mechanism to manage disputes. It splits the dispute into smaller stages and uses binary search to narrow down the exact point of dispute. Each step must be resolved within a predefined time frame. This mechanism is similar to those of BoLD and Optimism, but each round has a separate timer and its own timing rules. Missing the timer limit in a round leads to elimination. But with a separate timer for each round, a bad actor can choose not to respond and run out the full duration of each round. Even though the bad actor would get slashed, this would lead to significant delays.

With Fuel, there are no local-timer-based bisection games in which parties take turns to respond. When there is a dispute, the whole block in question is run through several ZK provers, and the resulting ZK proof is submitted as the fraud proof. This makes it more resilient to the delay attacks a malicious actor could use at this stage. There remains the possibility of an attacker controlling some of the ZK provers and verifiers in order to delay the proof generation process.

Economics of Dispute Resolution Protocols

Participating in dispute resolution protocols requires different types of economic resources, such as:

  • A bond, to be eligible to post assertions and participate in dispute games
  • Gas costs associated with posting assertions or moves to the L1
  • Computation resources used as part of participating in a dispute

The goal of an economic attack for an attacker would be to have the honest party expend significantly higher resources than what it would cost the attacker to perform the attack.

Even a delay attack can be a type of economic attack given that participating in extended disputes requires more resources. So, the attacker may try to exhaust honest parties’ resources so they can no longer afford to participate.

Alternatively, the attacker may try to order transactions being posted to the L1 by placing their own transactions ahead of the honest actor’s transactions. This is possible by either bribing validators or running their own.

Cost of Participation

Dispute resolution protocols require a bond to be placed in order to function as a proposer/validator to post assertions or challenge assertions. It also helps deter delays by preventing just anyone from participating in the validation process.

Arbitrum requires a bond of 3600 ETH to post assertions, which can be withdrawn after the assertion has been confirmed. This amount is roughly $13.4 Mn at current prices. Though this is a high sum, it can also be trustlessly pooled. A challenge bond is required to open challenges against assertions posted to Ethereum. These have a 555/79 ETH bond requirement based on the level or granularity of the interactive bisection game: the higher the level, the greater the requirement. BoLD has a maximum depth of 3 with a base fee assumption of 500 Gwei per gas. For reference, the gas price today is 12 Gwei per gas.

Source: Ethereum Average Gas Price Daily Insights: Ethereum Statistics | YCharts

High bonding requirements may lead to centralizing forces, but high costs also mean that it would not be trivial for a bad actor to cause delays. BoLD’s bond requirements are set based on resource exhaustion ratios. The ratio calculates the cost ratio between an honest and malicious party, e.g., a ratio of 5 means defending a $5 attack costs $1. A higher ratio increases security but also bond sizes. BoLD’s ratio has been set to optimize for the tradeoffs between the cost of participation and the security of the chain during challenges. A resource exhaustion ratio >1 means that the defender is always economically advantaged.

Having a higher bond requirement also prevents a bad actor from performing resource exhaustion attacks by making it financially unviable to set up several bonds and cause multiple disputes. Additionally, challenging an assertion is trustless, given that challenge bonds can be set up permissionlessly.

Optimism’s FDG’s bond requirements are similar in that the size of the bond depends on the depth of the move, or the level of the dispute. There is a base fee assumption of 200 Gwei per gas, and the first depth of the game has a baseline cost of 400,000 gas. Games have a maximum depth of 73. A scaling factor of 1.09493 is used to calculate the required bond at each level of depth. At the maximum depth, the required bond would cover about 300,000,000 gas, which amounts to about 60 ETH. Bond requirements at this level are designed to cover double the cost of a max Preimage Proposal. Preimage Proposals are used to submit and verify large data inputs required to verify claims. The docs do not explicitly mention a bond required to join the network and post assertions. Given that it is not costly to open challenges, an attacker could open multiple challenges and delay the protocol. Having an initial bond requirement to start posting assertions would deter an attacker from performing such attacks.
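To make the FDG bond schedule concrete, the following script rebuilds it from the figures quoted above (400,000 gas base, 1.09493 scaling factor, depth 73, 200 Gwei base fee). This is an added example, not Optimism’s contract code; it assumes the 400,000 gas baseline applies at depth 0, which is what makes depth 73 land at roughly 300,000,000 gas.

```python
"""Bond schedule for Optimism's Fault Dispute Game, rebuilt from the numbers above.

Added example (not Optimism's contract code). Assumption: the 400,000 gas
baseline applies to depth 0, so depth 73 works out to ~300,000,000 gas.
"""
BASE_FEE_GWEI = 200.0      # assumed base fee per gas used to price bonds
BASE_GAS = 400_000         # gas charged for the shallowest move
SCALE = 1.09493            # per-depth scaling factor
MAX_DEPTH = 73             # deepest move allowed in a game
GWEI_PER_ETH = 1_000_000_000


def required_bond_gas(depth: int) -> float:
    """Gas the bond at `depth` must cover: BASE_GAS * SCALE ** depth."""
    if not 0 <= depth <= MAX_DEPTH:
        raise ValueError(f"depth {depth} is outside 0..{MAX_DEPTH}")
    return BASE_GAS * SCALE ** depth


def required_bond_eth(depth: int, base_fee_gwei: float = BASE_FEE_GWEI) -> float:
    """The same bond priced in ETH at the assumed (or a supplied) base fee."""
    return required_bond_gas(depth) * base_fee_gwei / GWEI_PER_ETH


def bond_schedule(step: int = 10) -> list:
    """(depth, gas, eth) rows every `step` levels, always ending at MAX_DEPTH."""
    depths = list(range(0, MAX_DEPTH, step)) + [MAX_DEPTH]
    return [(d, round(required_bond_gas(d)), round(required_bond_eth(d), 4))
            for d in depths]


def first_depth_costing_at_least(eth: float) -> int:
    """Shallowest depth whose bond is at least `eth` ETH; illustrates how cheap
    early moves are compared with the ~60 ETH needed at the bottom of the game."""
    for d in range(MAX_DEPTH + 1):
        if required_bond_eth(d) >= eth:
            return d
    return -1   # no depth reaches that bond size


if __name__ == "__main__":
    for depth, gas, eth in bond_schedule():
        print(f"depth {depth:2d}: {gas:>12,} gas  ~ {eth:8.4f} ETH")
    print("first depth with a 1 ETH bond:", first_depth_costing_at_least(1.0))
```

Under these assumptions the opening move is bonded at only 0.08 ETH, which is the point the paragraph makes about cheap challenges.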

Fuel’s fast finality mechanism describes a dynamic stake that would influence how long a validator could delay withdrawals in the event of a challenge. If an honest validator with a high bond fails to check in, it could delay the protocol by 7 days; a validator with a lower bond could delay withdrawals by 3 days. Withdrawal delays give the protocol and the remaining honest parties enough time to respond to attacks. If multiple honest minorities do not respond or go offline, all of their stakes can be weighted together to extend the window further. Fuel has not yet published exact bond sizes.

Incentives to Defend

Given that honest participants in a dispute use these resources to contest against malicious actors, they stand to win a portion of the slashed stake from the malicious actor.

BoLD tries to ensure that it is economically unviable for an attacker to increase an honest party’s cost of participation. Dishonest parties stand to be slashed and lose all of their bond. On the other hand, honest parties are compensated for all their costs and rewarded with 1% of the slashed funds. When there are no challenges, active honest parties are paid a service fee by the Arbitrum Foundation.

BoLD uses a bisection game where parties are required to commit to the entire execution history using a Merkle tree. In this approach, each step’s assertion and its previous step’s assertions are committed to the Merkle tree. This ensures that if one honest party has used their stake to calculate and commit to an assertion, other honest parties do not need to spend their resources repeating the same step. It allows honest parties to collaborate trustlessly against bad actors without having to know each other: if Alice and Bob are both honest, Bob can help Alice defend the correct assertion against a bad actor even though they have never met.

The currently deployed dispute protocol for Arbitrum runs challenges sequentially, which allows bad actors to start multiple disputes and delay withdrawals. BoLD enables an honest party to fend off multiple challenges simultaneously, and even then the attacker is at a disadvantage, since the attacker’s costs always exceed the defender’s by the end of the challenge. BoLD resists such attacks through fixed challenge periods with a local timer and the stake required to make moves.

Cartesi’s DAVE also uses the same approach of multi-level refinement and committing to execution histories. This way, honest parties can collaborate trustlessly against bad actors and avoid incurring additional costs. Additionally, with DAVE, the cost of participation for an honest party grows logarithmically with the number of bad actors. This helps honest parties defend against an increasing number of bad actors while their cost of participation does not rise exponentially. But this would lead to delays with an increase in bad actors.

Given that Fuel uses a check-in-based model, validators have to check in periodically to attest to the validity of state transitions. Depending on the frequency of the check-ins, validators could incur higher or lower costs. To lower these costs, Fuel plans on using a ZK aggregator, or batching all check-ins over a period of time. Validators here are incentivized to check in by random stake-weighted rewards.

With Optimism, the bond/stake required depends on the level or position of the move that a party is about to make in a dispute. Honest responses/moves are incentivized in Optimism’s FDG (Fault Dispute Game) such that honest moves that successfully counter invalid moves will be rewarded with the bond of the invalid moves.

Self-Disputes

This is where “self-disputes” become a problem. Here, a single malicious actor could cause delays by putting up both an honest and a dishonest move, having the invalid move slashed only for its bond to be rewarded to the honest move, effectively making it a zero-cost delay. Additionally, there is a delay before the slashed bonds are paid out, so that the protocol can verify that the dispute game played out correctly and the slashed funds are being rewarded to the right party.

To model against self-disputes, in Arbitrum all bonds are held in an escrow contract by the dispute protocol. If an assertion is confirmed, the bonds are returned automatically. If the assertion is rejected, the bonds are confiscated and sent to the Arbitrum DAO treasury. 1% of the confiscated bonds is rewarded to honest actors who defend against bad actors; the remainder could be used to reimburse the cost of participation for honest parties. This way, it is not economically feasible for a bad actor to self-dispute to cause delays, as they would only be rewarded with 1% of the slashed bonds and may never get their hands on the other 99%.

Optimism’s FDG docs do not mention whether 100% of the slashed bonds is rewarded to the other party or only a specific portion. A “DelayedWETH” contract holds the bonds for each game. This contract has an “owner” address parameter that can act as the last line of defense in case bonds from a game are incorrectly distributed. It is unclear how the protocol would notice two or more colluding addresses self-disputing in order to determine whether funds were incorrectly distributed.

Fuel’s post does not explicitly mention how self-disputes are managed, but whenever there is a dispute, the whole block in question is ZK proven and the resulting proof is submitted as the fraud proof. Cartesi’s paper has not explicitly modeled self-disputes.

Quest Against Censorship

It is possible for a bad actor to try to censor assertions made by honest parties to the L1 and post their own false assertion instead to win or delay the dispute. The attacker bears the cost of censoring transactions, which grows based on the severity and duration of censorship. For example, it will cost the attacker more to gain control of 2/3 of Ethereum validators for 1 week than to gain control of 1/3 of validators for 3 days.

Alternatively, an attacker can fill up Ethereum blocks with frivolous transactions and bribe block builders to include those transactions, effectively pushing out honest parties’ transactions from being included in the current block to the subsequent blocks. This, too, can be considered as a form of a delay attack.

To kick a bad actor off the network, a transaction must be submitted to Ethereum. If Ethereum is being censored, it will be difficult to carry out this operation. Full censorship is possible if we assume an attacker could spend billions to carry out the attack. But if Ethereum is only partially censored, the transaction would be validated by the remaining honest validators on Ethereum. As for the set of L2 validators, they can be governed by a DAO or a security council, but censorship would still be possible on Ethereum.

In BoLD’s case, as there is a local timer mechanism that eliminates a party when their timer runs out, an attacker could potentially censor an honest party, preventing it from responding until its timer runs out and the attacker wins. To account for such situations, a buffer is added to the timer in case an honest party is being censored. It is safe to assume that an attacker will not be able to censor indefinitely, as that would consume unbounded resources.

BoLD has two parameters called Nominal Delay and Censorship Budget (Cmax). Nominal Delay accounts for the regular, expected delays that may occur. Cmax is the maximum amount of time an attacker can censor an honest party before Ethereum’s social layer takes action. During this period, the honest parties’ timers are paused, which allows the honest party to respond once the censorship attack stops.
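To make the timer rules concrete, here is a small simulation of the chess-clock behaviour described in the Delay Attacks section (per-party local timers, child assertions inheriting their parent’s remaining time) together with the censorship pause just described. This is an added model, not Arbitrum’s BoLD code; the party names “honest” and “adversary”, hour-based units and a single “censored” flag capped by Cmax are simplifications assumed here.

```python
"""Chess-clock model of BoLD-style dispute timers (added example, not Arbitrum code).

Assumptions made here: time is measured in hours, the two parties are called
"honest" and "adversary", and censorship is a flag that pauses the honest
party's clock for at most cmax hours (the Censorship Budget).
"""
from dataclasses import dataclass, field
from typing import Optional

HOURS_PER_DAY = 24.0


@dataclass
class Assertion:
    """An assertion together with the time left on its challenge clock."""
    name: str
    remaining: float                      # hours left in the challenge window
    parent: Optional["Assertion"] = None

    def challenge(self, child_name: str, after_hours: float) -> "Assertion":
        """Open a child assertion; it inherits whatever time the parent has left."""
        if not 0 <= after_hours <= self.remaining:
            raise ValueError("challenge must fall inside the parent's window")
        return Assertion(child_name, self.remaining - after_hours, parent=self)


@dataclass
class ChessClock:
    """Per-party local timers: only the party to move has a running clock."""
    budget: float                         # hours each party starts with
    cmax: float = 0.0                     # censorship budget in hours (0 = none)
    clocks: dict = field(default_factory=dict)
    to_move: str = "honest"
    censorship_used: float = 0.0
    loser: Optional[str] = None

    def __post_init__(self) -> None:
        self.clocks = {"honest": self.budget, "adversary": self.budget}

    def elapse(self, hours: float, honest_censored: bool = False) -> None:
        """Advance wall-clock time and charge it to the party to move."""
        if self.loser is not None:
            return
        charged = hours
        if self.to_move == "honest" and honest_censored:
            # Censored time is not charged until the budget Cmax is used up.
            paused = min(hours, self.cmax - self.censorship_used)
            self.censorship_used += paused
            charged -= paused
        self.clocks[self.to_move] -= charged
        if self.clocks[self.to_move] <= 0:
            self.loser = self.to_move       # timer hit zero: this party loses

    def move(self, party: str) -> None:
        """A move pauses the mover's clock and starts the opponent's."""
        if self.loser is not None or party != self.to_move:
            raise ValueError(f"it is not {party}'s turn")
        self.to_move = "adversary" if party == "honest" else "honest"


def inherited_window_days() -> float:
    """Example from the text: 7-day parent challenged on day 2 -> 5-day child."""
    parent = Assertion("root", 7 * HOURS_PER_DAY)
    child = parent.challenge("child", 2 * HOURS_PER_DAY)
    return child.remaining / HOURS_PER_DAY


def stalling_adversary(window_days: float) -> Optional[str]:
    """Adversary never responds: its own clock, not the honest one, runs out."""
    clock = ChessClock(budget=window_days * HOURS_PER_DAY)
    clock.move("honest")                    # honest party moves first
    clock.elapse(window_days * HOURS_PER_DAY + 1)
    return clock.loser


def censored_honest_party(window_days: float, censored_days: float,
                          cmax_days: float) -> Optional[str]:
    """Honest party is censored while it is to move; who (if anyone) loses?"""
    clock = ChessClock(budget=window_days * HOURS_PER_DAY,
                       cmax=cmax_days * HOURS_PER_DAY)
    clock.elapse(censored_days * HOURS_PER_DAY, honest_censored=True)
    if clock.loser is None:
        clock.move("honest")                # censorship lifted, honest responds
    return clock.loser
```

With a zero censorship budget an 8-day censorship of a 7-day window eliminates the honest party; with a 2-day Cmax the same censorship is survived, while a 10-day censorship exceeds the budget and still wins for the attacker.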

Optimism does not have a parameter similar to a Censorship Budget, but the FDG protocol accounts for a nominal delay that an actor could face while operating a validator (time required to coordinate a multi-sig). Optimism uses an off-chain monitoring system that will keep track of all root assertions made by validators and make sure they align with the correct state.

As previously mentioned, Fuel’s mechanism operates on a check-in model where validators must periodically check in, signaling either that everything is correct (true) or that there is a problem (false). Fuel has modeled for a mass censorship situation in which honest parties are unable to respond or check in: even if they spot an invalid block, they would not be able to check in as “false”. A missed check-in is treated as censorship or inactivity and extends the challenge window up to a maximum of 7 days. Once the censorship attack has concluded, honest parties can check in again to keep the state finalization process going. Validators may fail to check in either due to honest inactivity or maliciousness, in which case they would get slashed; as noted above, running validators with an MPC setup lets them collectively continue to check in even if some nodes go down.

Role of Security Councils and Guardians

Security councils play a role in monitoring whether or not the protocol is functioning as intended and also step in when corrections or reversions are required. They are especially useful when new protocol designs are deployed that secure millions, if not billions, in value. Dispute resolution protocols rely on security councils or other entities that have the power to govern the protocol in dire situations. The level of involvement of such an entity directly reflects how thorough or decentralized the dispute resolution protocol is.

With BoLD, the challenge period lasts 6.4 days. While BoLD does not require proactive monitoring, it has an additional 2-day delay for its security council to step in if there are any major bugs in the protocol in extreme situations. Under normal conditions, BoLD will function without any intervention from the security council.

Optimism’s FDG uses a Guardian contract coupled with a security council that takes a more proactive approach and has the final say over the protocol and can disable fault proofs in an emergency. This failsafe mechanism would be at risk if Ethereum is being censored.

The level of involvement of Fuel’s security council in the fast finality mechanism is unclear but they will be able to step in and take charge of the final state transition in case of attacks or bugs.

Conclusion

All of the proposed dispute resolution protocols are yet to go live on the mainnet. BoLD has had private and public audits and is expected to go live in July/August once the BoLD proposal is voted on successfully. If the vote is successful, Arbitrum will get closer to being a stage 2 rollup.

Optimism’s FDG will likely be audited in June-July, and Optimism’s fault-proof proposal was voted on successfully. There is no official date as to when this would go live, but protocol upgrade #7 mentioned it would be shortly after the proposal had been voted on successfully.

Cartesi’s DAVE is under development, as depicted here. Fuel’s hybrid proving and fast finality mechanism are also under development.

Each dispute mechanism is modeled based on the respective Optimistic rollup’s fraud-proving design. As Arbitrum, Optimism, and Cartesi use interactive verification games, their protocols are more prone to delay and economic attacks, and hence, their dispute mechanism protocols are modeled to handle them better. On the other hand, Fuel’s mechanism is less vulnerable to delay attacks given that there are no interactive verification games but is more prone to censorship attacks as it is reliant on a set of provers and verifiers computing a ZK proof. All the different fraud-proving systems and dispute-resolution protocols can still be vulnerable to a number of attack vectors and internal bugs. Teams are actively working on research and development of these protocols.

We’ve seen a handful of L2s and L3s emerge based on Optimistic rollup frameworks: XAI, Syndr, and Degen on Arbitrum; Zora and Farcaster on Optimism. With Arbitrum L3s, assertions about L3 state can be posted either by an L3 sequencer or by an L2 sequencer through a delayed inbox queue. If the L3 sequencer is censored or offline, assertions can be posted to the L2 sequencer, and if the L2 sequencer is also censored or offline, a “forceinclusion” mechanism bypasses the sequencer after 24 hours. This is the happy path without any disputes. If there are disputes, challenge resolution could take well beyond 7 days, depending on the number of moves in the dispute. For this case, Arbitrum has a “DelayBuffer” mechanism that allows parties to make moves without being limited by the 24-hour-per-move limit, by reducing the “forceinclusion” window below 24 hours.

Shared sequencers will also require faster withdrawal periods to be atomically interoperable. Current fraud-proving delays introduce other possible attack vectors, such as delay attacks, economic attacks, and censorship attacks, that can hinder and extend dispute resolution periods that may not be optimal for shared sequencers.

Resources

  • Incentive Schemes for Rollup Validators
  • BoLD: Fast and Cheap Dispute Resolution
  • Optimism Upgrade Proposal: Fault Proofs
  • Why wait a week? Fast Finality Optimistic Rollups
  • Introducing Dave — an interactive fraud-proof system
  • Optimism Fault Dispute Game
  • AIP: BOLD - permissionless validation for Arbitrum
  • Economics of Disputes in Arbitrum
  • Arbitrum BOLD FAQ
