The math of when stage 1 and stage 2 make sense

2025 May 06 See all posts


The math of when stage 1 and stage 2 make sense

Expanded on from this earlier draft: https://x.com/VitalikButerin/status/1919263869308191017

The three "stages" of Ethereum rollup security can be described in terms of when a security council is allowed to override trustless (ie. pure cryptographic or game-theoretic) components:

We can model this with a chart showing "what share of the vote" the security council has at each stage:



One important question to ask is: when is it optimal for an L2 to move from stage 0 to stage 1, and from stage 1 to stage 2?

The only valid reason to not go to stage 2 immediately is that you do not fully trust the proof system - which is an understandable fear: it's a lot of code, and if the code if broken, then an attacker could potentially steal all of the users' assets. The more confidence you have in your proof system (or, conversely, the less confidence you have in security councils), the more you want to move towards the right.

It turns out that we can quantify this with a simplified mathematical model. First, let's list the assumptions:

Given these assumptions, and given a particular probability of the proof system breaking, we want to minimize the probability of the L2 breaking.

We can do this with binomial distributions:

Here it is in graph form:



As conjectured, as proof system quality increases, the optimal stage shifts from stage 0 to stage 1, then stage 1 to stage 2. Doing stage 2 with a stage-0-quality proof system is worst of all.

Now, note that the assumptions in the above simplified model are very imperfect:

These two arguments both imply stage 1 and stage 2 are both even more attractive than the chart shows. If you take the math seriously, stage 0 is pretty much never justified: you should launch at least straight into stage 1. The main argument that I hear against is: if a critical bug happens, it may be too hard to get 6 of 8 security council members to sign fast enough to fix it. But there is an easy way around this: give any single security council member the permission to delay withdrawals by 1 or 2 weeks, giving everyone else enough time to act.

At the same time, however, it is a mistake to jump to stage 2 too quickly, especially if work to move to stage 2 happens at the expense of work to harden the underlying proof system. Ideally, data providers like l2beat should show proof system audits and maturity metrics (ideally of the proof system implementation, not the rollup as a whole, so we can reuse) along with the stage.