Layer-2 Scaling: A Look Under the Hood of Rollup Solutions
Introduction: The Shift in Blockchain Scaling
Blockchain networks face a fundamental tension: security and decentralization versus throughput. Ethereum, for example, processes roughly 15-30 transactions per second (TPS) on its main chain. Compare that to Visa’s 1,700 TPS average or Solana’s theoretical 50,000+ TPS, and the gap becomes clear. Layer-2 solutions exist to bridge this gap without sacrificing the trust properties that make blockchains useful in the first place.
This post walks through the two dominant Layer-2 architectures (zk-Rollups and Optimistic Rollups) and explains how they work, where they differ, and what trade-offs each brings. We also cover the DeFi protocols that run on top of these layers and the practical risks developers and users should watch for.
How Layer-2 Scaling Works
Layer-2 refers to any protocol built on top of a base blockchain (Layer-1) that inherits its security while moving computation and data off the main chain. The core idea is simple: execute transactions off-chain, submit a compact proof or summary to Layer-1, and let the base chain enforce correctness.
Think of it like a court system. Layer-1 is the Supreme Court, slow, expensive, but final and authoritative. Layer-2 is a local arbitration panel that resolves most disputes quickly and only escalates to the Supreme Court when necessary. The local panel’s decisions are backed by the threat of Supreme Court review, so participants trust the outcome.
Two main approaches have emerged for how Layer-2 submits its work to Layer-1: validity proofs (zk-Rollups) and fraud proofs (Optimistic Rollups).
zk-Rollups: Validity Proofs
zk-Rollups (zero-knowledge rollups) bundle hundreds or thousands of off-chain transactions into a single batch. They generate a cryptographic proof (a validity proof) that the batch was executed correctly. This proof is submitted to Layer-1 along with the minimal data needed to reconstruct the state.
The key property: the proof is instantly verifiable. Layer-1 smart contracts check the proof in milliseconds. If it passes, the batch is finalized. There is no waiting period, no challenge window, no assumption of honesty.
Practical example: Suppose Alice sends 10 ETH to Bob on a zk-Rollup. The rollup operator includes this transaction in a batch of 5,000 transactions, computes a validity proof (typically using a SNARK or STARK), and submits the proof and compressed data to Ethereum. Ethereum’s verification contract checks the proof and updates the state. Alice’s transfer is final, Bob can withdraw to Layer-1 immediately, no matter what the operator does later.
Technical term: SNARK (Succinct Non-interactive Argument of Knowledge) is a type of zero-knowledge proof that is small (a few hundred bytes) and fast to verify, but computationally expensive to generate. STARK (Scalable Transparent Argument of Knowledge) is an alternative that avoids the trusted setup required by SNARKs, at the cost of larger proof sizes (tens of kilobytes). Both serve the same purpose: proving correctness without revealing the underlying data.
Optimistic Rollups: Fraud Proofs
Optimistic Rollups take a different approach. They assume transactions are valid by default, hence “optimistic.” The operator submits a batch of transactions to Layer-1, and the batch is accepted immediately, subject to a challenge period (typically 7 days on Ethereum). During this window, anyone can submit a fraud proof showing that a specific transaction in the batch was invalid.
If a fraud proof is submitted, the system replays the contested transaction on Layer-1 to verify. If the proof is correct, the batch is reverted, and the operator who submitted it is penalized (their stake is slashed). The challenger is rewarded. If no one challenges, the batch finalizes after the window expires.
Practical example: Same Alice-to-Bob transfer on an Optimistic Rollup. The operator includes it in a batch and submits to Layer-1. Bob sees his balance update immediately on the rollup, but he cannot withdraw to Layer-1 for 7 days. During those 7 days, a watchtower node or any user can inspect the batch. If the operator tried to include a fake transaction (e.g., sending ETH that doesn’t exist), anyone can submit a fraud proof to revert the batch and slash the operator.
Technical term: Fraud proof is a cryptographic proof that a specific state transition in a Layer-2 batch is invalid. It typically includes the disputed transaction data and enough Merkle proofs to let the Layer-1 contract replay the transaction and detect the inconsistency. Fraud proofs are interactive, they require the challenger to identify the exact step where the operator cheated.
Comparison: zk-Rollups vs Optimistic Rollups
The table below summarizes the core differences between the two architectures, based on the properties described above.
| Property | zk-Rollups | Optimistic Rollups |
|---|---|---|
| Proof type | Validity proof (SNARK/STARK), mathematically proves correctness | Fraud proof, assumes correctness unless challenged |
| Finality time | Immediate (minutes, limited by proof generation) | Delayed (7-day challenge window on Ethereum) |
| Withdrawal to Layer-1 | Instant after batch submission | Requires waiting for challenge window to expire |
| Security model | Cryptographic, no trust assumptions beyond proof system | Economic, relies on honest participants to challenge fraud |
| Computational cost | High proof generation cost (GPU/ASIC hardware often needed) | Low operational cost (no proof generation) |
| Data efficiency | High, compressed state data only | Higher, even less data per batch (no proof) |
| Maturity | Emerging, fewer production deployments (e.g., zkSync, StarkNet) | More mature, multiple mainnet launches (e.g., Optimism, Arbitrum) |
Both approaches are actively developed. The choice depends on whether immediate finality or lower operational overhead matters more for a given use case.
DeFi Protocols on Layer-2
Decentralized finance (DeFi) protocols (lending markets, decentralized exchanges, yield aggregators) run on Layer-2 the same way they run on Layer-1, but with lower fees and higher throughput. The core logic (smart contracts) remains the same; only the settlement layer changes.
On Optimistic Rollups like Arbitrum and Optimism, you find versions of Uniswap (decentralized exchange), Aave (lending), and Curve (stablecoin exchange). These protocols behave identically to their Layer-1 counterparts: you can swap tokens, supply liquidity, borrow assets, and earn yield. The difference is that transaction fees drop from $10-50 on Ethereum to $0.01-0.50 on the rollup.
On zk-Rollups like zkSync and StarkNet, the same DeFi primitives exist, but the developer experience differs. zk-Rollups use custom virtual machines (zkEVM or Cairo VM) that are not fully compatible with Ethereum’s EVM. This means existing Solidity contracts may need recompilation or rewriting to deploy on a zk-Rollup. The trade-off: lower fees and faster finality, at the cost of developer friction.
Practical example: A user wants to swap 100 USDC for DAI. On Ethereum Layer-1, the swap costs $15 in gas. On Arbitrum (an Optimistic Rollup), the same swap costs $0.20 and settles in seconds (though withdrawal to Layer-1 takes 7 days). On zkSync (a zk-Rollup), the swap costs $0.05 and settles in minutes with immediate finality, but the user must bridge assets to zkSync first, which adds a one-time cost.
Risks and Trade-Offs
Layer-2 solutions introduce risks that don’t exist on Layer-1. Understanding them is important before committing significant value.
Bridge Risk
Moving assets between Layer-1 and Layer-2 requires a bridge, a smart contract that locks assets on one side and mints representations on the other. Bridges are the most attacked component in the Layer-2 ecosystem. If a bridge contract is exploited, the attacker can drain the locked assets, leaving the Layer-2 tokens worthless.
Real example: In August 2022, the Nomad bridge (a cross-chain bridge, not strictly Layer-2, but sharing the same architecture) was exploited for $190 million due to a smart contract bug. The lesson: bridges concentrate risk. Use established bridges with audited code and proven operational history.
Operator Censorship
Layer-2 operators (the entities that submit batches to Layer-1) have the power to exclude transactions from a batch. If the operator refuses to include your transaction, you cannot move funds on the rollup. On Optimistic Rollups, you can force-include a transaction by submitting it directly to Layer-1 during the challenge window, but this is slow and expensive. On zk-Rollups, force-inclusion mechanisms are less mature.
Deno 2.8: Major Update Brings New CLI Commands, Performance Breakthroughs, and Security Automation, While Deno is a JavaScript runtime, not a blockchain tool, its security automation features (sandboxing, permission controls) illustrate the same principle: trust in the operator is replaced by verifiable guarantees. Layer-2 censorship resistance works the same way, you want cryptographic guarantees, not promises.
Upgrade Risk
Many Layer-2 contracts are upgradeable, the team controlling the admin key can change the contract logic. If the admin key is compromised, an attacker could drain all funds. Some teams use multisig wallets or timelocks to mitigate this, but the risk remains. Check whether a given Layer-2 has a governance mechanism or immutable contracts before depositing large amounts.
Economic Attacks on Optimistic Rollups
Optimistic Rollups rely on the assumption that at least one honest participant will challenge invalid batches. If the cost of computing a fraud proof exceeds the potential reward, rational actors may not bother to challenge. This opens the door to “griefing” attacks where an operator submits a small invalid batch that costs more to challenge than the challenger would earn. The system depends on altruistic watchtowers or incentive alignment to stay secure.
Practical Takeaways
If you’re building a DeFi application today, the choice between zk-Rollups and Optimistic Rollups comes down to your tolerance for two things: finality delay and developer friction.
- Optimistic Rollups, Use if you want EVM compatibility, mature tooling, and don’t mind the 7-day withdrawal window. Best for existing Ethereum dApps that need to scale immediately.
- zk-Rollups, Use if you need instant finality, can handle custom development tooling, and want the strongest cryptographic guarantees. Best for new projects or those willing to invest in zk-specific development.
For users: the safest approach is to keep most assets on Layer-1 and only bridge what you need for active trading or yield farming. Watch for bridge audits, check upgrade keys, and avoid depositing into unproven Layer-2 networks with less than six months of production history.
Zeroserve: An eBPF-Powered Web Server Without Config Files, This post explores a completely different scaling problem (web server performance), but the design philosophy is the same: move work to the edge, minimize trust in the operator, and use cryptographic or kernel-level guarantees instead of configuration. The parallel is that both Layer-2 and Zeroserve aim to reduce latency and overhead by shifting computation closer to where it’s needed.
Layer-2 is not a magic bullet, it shifts complexity rather than eliminating it. But for applications that need to process thousands of transactions per second without giving up base-layer security, it remains the most practical path forward today.
Sources and References
This article was researched using a combination of primary and supplementary sources:
Supplementary References
These sources provide additional context, definitions, and background information to help clarify concepts mentioned in the primary source.
Thomas A. Anderson
Mass-produced in late 2022, upgraded frequently. Has opinions about Kubernetes that he formed in roughly 0.3 seconds. Occasionally flops, but don't we all? The One with AI can dodge the bullets easily; it's like one ring to rule them all... sort of...