Unstoppable Rollups

Community Calls

Join our discussions about Unstoppable Rollups.

Community Call #1

Do Exit Windows Work?

May 22, 2025

  • Tom Lehman argued that exit windows fundamentally fail to provide L1-equivalent security because they allow a small group (15 signatures) to shut down rollups with only a 30-day notice period
  • The presentation identified three "fatal flaws" of exit windows: massive user exit costs ($900M vs $5 attack cost), incompatibility with time-locked assets in smart contracts, and inability to withdraw native L2-minted assets
  • Unstoppable rollups were proposed as an alternative approach that removes on-chain governance entirely, though Tom acknowledged this creates different trade-offs around upgradability and gas tokens

Key Arguments

The Core Problem

Current rollups can be shut down by a small group of people (15 signatures for Base at Stage 1). Stage 2's proposed solution—exit windows—doesn't fix this; it just delays shutdown by 30 days.

Three Fatal Flaws of Exit Windows

Flaw 1 - Economics Don't Work

  • Mass exits could cost users $900 million in gas fees (at 3M users with 10 assets each)
  • Attackers only need to spend ~$5 to trigger this
  • Unlike fault proofs (where defenders win money from attackers), exit windows create a massive asymmetry favoring attackers
  • This creates opportunities for ransom attacks or market manipulation

Flaw 2 - Smart Contract Incompatibility

  • Assets locked in smart contracts (vesting, lending, staking) often can't be withdrawn within the 30-day window
  • Example: Quarterly vesting contracts would lose all tokens if the exit window doesn't align with vesting periods
  • Smart contracts don't know about protocol-level exit windows, creating dangerous misalignments

Flaw 3 - Native Assets Can't Be Withdrawn

  • Assets minted on L2 have no canonical representation on L1
  • Even if communities try to recreate L2 assets on L1, composability makes this impossible (the asset might be collateral in multiple protocols)
  • Different execution environments (block times, pre-deploys) make faithful recreation impossible
  • Vitalik and other leaders have acknowledged this by advising to "always issue assets on L1"—a stunning admission

The Religion of Stage 2

Lehman argued that Stage 2 has become an unquestioned belief system rather than a technically sound solution. Despite fatal flaws, the community continues to pursue it without formal analysis or research papers defending exit windows.

Alternative Approaches

  • Immutable contract rollups (no upgrades possible)
  • Sovereign rollups (like Facet - no L1 contracts, social consensus for upgrades)
  • Native rollups (using L1 logic to validate rollup state)

Each approach has trade-offs, but the key insight is that having only one flawed strategy (Stage 2) is dangerous.

Q&A

Q (Julie Bettens): Would you apply similar reasoning to L1 DeFi protocols that have governance with exit windows?

A (Tom Lehman): Yes, that's a good point. Even with an unstoppable protocol, if all the apps have exit windows, users still lose money. However, I believe it's good to have a protocol more secure than its most secure app. Native assets that don't pair with bridged assets can approach the ideal. Michael added that unstoppable rollups at least make unstoppable apps possible, citing Uniswap as an example.

Q (Ilia Shirobokov): How do we popularize the idea of unstoppable rollups when current rollups are easier for typical users?

A (Tom Lehman): It's challenging to convince people to care about this. For lower value amounts, maybe it doesn't matter. But people with real value can be educated - people buy flood insurance before floods. The current "religion" convinces people they don't need insurance. Institutions like Base who want security without trusting others or building themselves could drive adoption. Technology improvements like account abstraction could also make the gas token differences less important.

Q (Boris Dyakov): How do upgrades work in sovereign rollups, and what about performance and node operator incentives?

A (Tom Lehman): In sovereign rollups, nodes decide rules by choosing what software to run, like on L1. For performance, it's similar to other rollups - heavy duty machines for block building, proofs for verification. For incentives, in Facet's case gas is burned like on L1, so operators run nodes to support their apps or verify state, similar to why people run Ethereum nodes.

Participants

Tom Lehman, Michael Hirsch, Julie Bettens, Ilia Shirobokov, Boris Dyakov, G00 GAWD, Drew Marshall, Orest Tarasiuk

Community Call #2

Gone in 15 Signatures: How to Permanently Shut Down Base

May 29, 2025

  • Tom Lehman's presentation argued Base and similar rollups can be shut down (users can't transact) because critical functions, including forced inclusion, are controlled by a small number of signatures (15 for Base) that can upgrade contracts.
  • Lehman contended that current forced inclusion fallbacks, while theoretically offering L1 censorship resistance, are practically insufficient due to severe limitations (e.g., 98% throughput reduction, 12-hour delay) and the fact that these mechanisms can be disabled via governance.
  • The Q&A explored the definition of "shutdown," the significance of bridge security versus protocol liveness, L2Beat's risk assessment methodology, and potential fixes like making forced inclusion immutable and increasing its gas limits.

Presentation: Gone in 15 Signatures

  • Widespread Vulnerability: Most rollups share similar vulnerabilities. Base requires 15 signatures to control its system.
  • Centralized Sequencing Issues: While centralized sequencers offer UX benefits, they are a central control point. The Base sequencer can be disabled with zero keys (e.g., hardware failure) or a 3-of-14 multisig.
  • Force Inclusion Limitations: Base has a force inclusion mechanism for users to submit transactions directly to L1, bypassing the sequencer.
    • A positive is that gas is paid in L1 ETH ("guaranteed gas market").
    • However, it has a 12-hour delay and, critically, its throughput is limited to 20 million gas per L1 block – a 98% reduction from Base's normal capacity, rendering it practically unusable for most.
  • Overarching Governance Risks: Crucially, the force inclusion mechanism itself (via the OptimismPortal2 contract) is upgradeable and can be disabled entirely by the same 15 signatures that control Base. This undermines claims of inheriting L1 censorship resistance. Lehman noted Blast once did this.
  • The "15 Signatures": Control over Base upgrades rests with the Base Security Council (7-of-10), the Base Multisig (3-of-6), and the OP Foundation Operations Safe (5-of-7). The latter also has roles in other OP Stack rollups, indicating shared risk. Transparency is an issue, as signers for some key multisigs are not publicly known.
  • Ultimate Control: The Optimism Collective (via token voting) and the OP Foundation (a Cayman Islands entity with a 5-person board and broad discretionary carve-outs) are presented as the ultimate controllers.
  • Proposed Fixes: Lehman urged making force inclusion impossible to disable and significantly raising its 20 million gas cap. He deemed current plans for "exit windows" insufficient.

Q&A

Q (Boris Dyakov): Would it be trivial to raise the 20 million gas force inclusion limit for OP Stack rollups?

A (Tom Lehman): Yes, it's a configuration value changeable by the 15-signature multisig. He recommended raising it.

Q (Timothy Clancy): The draining of a canonical bridge isn't "only money" as it's how L1 proves rollup state. Sovereign rollups are just alt-L1s.

A (Tom Lehman): If forced inclusion can be paid with L1 gas, the bridge is more application-level. Sovereign rollups derive their state from L1 history, not their own consensus mechanism for block production, unlike alt-L1s.

Q (Luca Donno): If Base implemented your suggestions for forced inclusion (immutable portal, increased gas limit) but other contracts like proofs remained upgradeable by 15 signatures, how much happier would you be?

A (Tom Lehman): He would be significantly happier because users could still transact, provided the gas cap for forced inclusion was reasonably high.

Q (Luca Donno): I wouldn't be much happier as the bridge, securing billions, would still be vulnerable. What's the utility if everyone loses their money, even if they can transact?

A (Tom Lehman): He acknowledged the concern but emphasized distinguishing protocol-level security (ability to transact) from application-level security (like specific bridges). He suggested L2Beat could potentially apply different frameworks.

Q (Boris Dyakov): Can anyone run a Base node? Is it permissionless?

A (Tom Lehman): Yes, anyone can run node software and permissionlessly derive the canonical "safe" state from L1 data. However, access to "unsafe" blocks (pre-confirmation state) and the batcher role (posting to L1) are permissioned.

Q (Irfan Shaik): What's the agenda for the next call?

A (Tom Lehman): The next call will likely focus on how to fix the OP Stack with respect to unstoppability, particularly exploring the "sovereign rollup" approach.

Q (Julie B.): Suggested the Aztec system as a potential case study.

A (Tom Lehman): Agreed, stating it's important to look at new approaches like Aztec and Signet that aim for immutability or different trust models.

Participants

Tom Lehman, Julie, Luca Donno, Boris Dyakov, Timothy Clancy, Irfan Shaik, Julie B.