TL;DR
- Babylon proposes using Bitcoin staking to achieve fast finality in rollups.
- The solution entails the sequencer locking up BTC stake that is slashable if they attempt forking attacks.
- It enables faster finality and economic security, unlocking high-value DeFi applications.
- The solution can also lead to a stronger design for decentralized sequencing.
Introduction
Bitcoin Staking introduced by the Babylon protocol is poised to be instrumental in enhancing the economic security of Proof-of-Stake (PoS) blockchains while simultaneously providing a way for BTC holders to use their coins. BTC holders contribute to security by staking and delegating to their preferred validator of compatible PoS chains, such as the Babylon chain. While many of these PoS blockchains are independently secured Layer 1s (L1s), not all transactions are suitable to be processed on L1s and there are fundamental limits to scaling blockchains directly without performing the bulk of transactions off-chain (on Layer 2).
Rollups have emerged as a promising solution to these scalability challenges faced by L1 blockchains like Ethereum. In theory, rollups inherit the security of the L1 by executing transactions off-chain on L2 and committing the resulting state to the main L1 chain for validation and finality. However, rather than waiting for L1 confirmation and validation, which can take minutes for ZK rollups or weeks for optimistic rollups, most users opt to trust transaction confirmations directly from the centralized L2 sequencer. This reliance on the sequencer for fast finality introduces centralization risks and opens the door to potential attacks that threaten the entire system’s integrity.
In this blog post, we will outline the problem with today’s rollup architectures while introducing the solution enabled through Bitcoin staking.
The Sequencer Problem
Rollups Recap
The key idea behind rollups is to execute transactions (computation) off-chain while still inheriting the security properties of L1 for data storage and settlement. Doing so reduces the burden on L1, reduces friction, and increases throughput/scalability. The rollup sequencer plays a key role in that, as it is responsible for submitting L2 blocks to L1. Existing rollups require that the sequencer stakes some coins, which are slashed if it submits an invalid block. However, increased throughput shouldn’t come at the expense of security…
The Threat of Forking Attacks
With current models, i.e., zero-knowledge (ZK) rollups and optimistic rollups, users who require fast finality must not only trust that the sequencer submits valid states to the L1 but also that the states it sends to users match the ones it submits, i.e., that it does not attempt a forking attack. The submission of invalid blocks and forks are all possible safety violations that the sequencer can commit.
Under a forking attack, the sequencer sends one block version (including a crucial transaction) directly to a specific user while committing a different version (without that transaction) to the L1. Imagine the sequencer including a transaction to pay for a car in the block sent to the user but omitting it in the block committed to the L1 chain. This enables double-spending attacks, as the user sees their transaction included, but the committed state does not reflect it.
Satoshi Nakamoto introduced Bitcoin as a payment system, the solution to the double-spend problem, stating in the introduction of the Bitcoin Whitepaper:
“Digital signatures provide part of the solution, but the main benefits are lost if a trusted third party is still required to prevent double-spending. We propose a solution to the double-spending problem using a peer-to-peer network.”
However, this exact problem persists with most rollup L2s, leaving us without any progress.
Existing mechanisms like ZK proofs and dispute periods cannot detect or prevent such attacks by the sequencer. A user’s only protection against forks is to wait for every L2 block to be confirmed on L1 before accepting it as final, which incurs unacceptable latencies of several minutes (e.g., around 12.5 minutes for Ethereum). These lengthy confirmation times preclude many applications.
The Centralization Bottleneck
For parties that require fast finality and cannot wait for full L1 confirmation, relying on a single, trusted sequencer reintroduces a centralized point of failure and bottleneck. They are exposed to the risks of theft, double-spending, and censorship if the sequencer is malicious, reducing the system’s security guarantees to that of a legacy centralized payment processor. This centralization bottleneck also restricts the types of applications that can be built on top of rollups. High-value applications (such as real-time gambling, high-frequency trading, and high-stakes sports) that require strong security guarantees and fast finality (sub-second latency) will find it risky to deploy on current rollup systems due to the inherent trust assumptions and vulnerabilities introduced by the sequencer model.
Addressing the problem is crucial for unlocking the full potential of rollups and enabling a wide range of decentralized applications while upholding the core principles of trustlessness and censorship resistance.
Reducing Latency with Bitcoin Staking
Our protocol aims to improve rollup latency by increasing security assurances for users who consider sequencer blocks final before they are settled on L1. By doing so, we help close the security gap for those who require fast finality (sub-second latency). With staking bitcoins as collateral, we address the sequencer problem and enhance the security of rollups. Slashing mechanisms punish the sequencer for all possible safety violations, namely forks (in the case of optimistic rollups), creating a financial penalty that should disincentivize any sequencer from ever committing such attacks.
The Solution in Action
Here’s how the proposed solution works, protecting against fork (and subsequent double-spend) attacks:
The sequencer locks up a predefined collateral on the Bitcoin chain. For each L2 block, the sequencer adds a finality signature. If the sequencer publishes two conflicting blocks for the same height, any party that sees both blocks can extract a secret from the two finality signatures and slash the sequencer. The rollup smart contract on L1 verifies the finality signature before accepting an L2 block, incentivizing the sequencer to publish only one L2 block.
The proposed solution establishes slashable safety guarantees against forks, introducing economic security and protecting against double-spending. Existing optimistic systems require a non-intrusive code update to the current sequencer and rollup, as the only change to the rollup smart contract on the L1 is adding a verification of the finality signature before accepting a new L2 block.
Bitcoin Staking allows BTC holders to delegate collateral to the sequencer to provide economic security against forks. Bitcoin holders have the opportunity to earn yield while contributing to the security and faster finality of the rollup instead of waiting weeks for the dispute period to conclude on the L1.
Because the sequencer is economically disincentivized from dishonest behavior, users achieve finality within seconds. Rollup users can enjoy the usability benefits of fast confirmations without having to fully trust the sequencer. In addition, honest sequencers and their delegators gain yield from providing the collateral.
A Path to a More Secure and Decentralized Ecosystem
The solution outlined paves the way for greater security and usability of rollup systems by mitigating the main threat posed by the sequencer, which remained up until now unaddressed. Introducing economic incentives and punishments aligns the interests of the sequencer with those of the users, reducing the need for blind trust. This solution introduces added collateral security with slashability guarantees. To continue in the path of sequencer innovation, rollups can also decentralize the sequencer, creating a set of nodes or finality providers competing with each other to validate information before submitting the data to the L1.
Decentralizing the Sequencer with Finality Providers
A committee of finality provider (FP) nodes collectively validate and sign off on each L2 block before it can be committed to the L1. If the sequencer proposes two competing blocks, the FPs that sign both will be slashed. Even if the original sequencer is malicious, the committee of FPs provides a holistic checkpoint, ensuring attempts at forking are rejected before being committed on-chain. Consequently, FPs provide the following extra security guarantees to L2:
- Safety: When there are at least 1/3 honest finality providers, there is no forking.
- Slashable safety: If a safety violation, such as a fork, occurs, at least ⅓ BTC stake can be irrefutably identified as adversarial and slashed.
- Protection against invalid blocks: Since FPs should connect to an honest L2 full node to retrieve and sign valid L2 blocks, our design offers extra protection against invalid blocks. When there are at least 1/3 honest FPs, no invalid L2 blocks will be finalized.
Unlike having FPs individually re-execute transactions (which would increase latency), this design boosts security guarantees with fast finality by making the FPs slashable, retaining better latency than waiting for full L1 confirmation. Distributing this critical responsibility across a decentralized set of economic actors aligns incentives toward consensus on a single canonical chain without putting any centralized party in control.
The Key Benefits of Bitcoin Staking for Rollups
- Fast Finality & Enhanced Security: The solution enables faster finality by introducing a slashing mechanism based on Bitcoin staking that disincentivizes malicious behavior, significantly improving security and protecting users from various attacks, including double-spend attempts. With faster finality, it also makes the rollup more suitable for high-stake applications that require rapid transaction confirmation, such as decentralized finance (DeFi) and gaming applications.
- Decentralization: With the possibility of distributing the responsibility of finality among multiple FPs, this proposed solution reduces the centralization risk associated with a single sequencer, fostering a more decentralized system. Requiring multiple FPs however, does come at the cost of increased latency.
- Democratization: The delegation feature of Bitcoin staking also introduces democratization. More specifically, it allows a broad spectrum of BTC holders to participate in the rollup’s consensus by delegating their voting power to finality providers. With Bitcoin staking for rollups, BTC holders can contribute to the security of rollups on other chains by delegating and increasing the collateral, earning yield in return. This allows for democratization of the sequencer role without incurring the latency costs associated with a fully decentralized sequencer solution. A decentralized committee of sequencer nodes would need to go through a more complex process to agree on each rollup block, inevitably increasing finality times.
Conclusion
With Bitcoin staking collateral used to enhance rollup security, fundamental issues in the current rollup ecosystem are addressed. By introducing slashing mechanisms and economic incentives, the risk of malicious behaviors can be mitigated, and strong security guarantees can be enabled.
For those requiring fast finality rather than waiting minutes or weeks, the solution unlocks a new realm of possibilities for high-value applications that demand rapid transaction confirmation and finality. This paves the way for decentralized finance (DeFi), gaming platforms, and other innovative use cases to flourish on top of secure, trustless rollup systems. Stay tuned as Babylon’s BTC Rollups Litepaper will be released, diving deeper into Forkless Rollups.