pith. sign in

arxiv: 2504.14965 · v2 · pith:YG42GT35new · submitted 2025-04-21 · 💻 cs.CR

A Security Framework for General Blockchain Layer 2 Protocols

Zeta Avarikioti , Matteo Maffei , Yuheng Wang This is my paper

Pith reviewed 2026-05-22 18:33 UTC · model grok-4.3

classification 💻 cs.CR
keywords blockchainlayer 2 protocolssecurity frameworkuniversal composabilitypayment channelssidechainsrollupsdata availability
0
0 comments X

The pith

A modular ideal functionality in the iUC model abstracts common L2 mechanisms into subroutines that yield uniform definitions of safety, liveness, and data availability for payment channels, sidechains, and rollups.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper constructs a general security framework for Layer 2 blockchain protocols inside the IITM-style universal composability model. Its core is a single ideal functionality that factors out protocol-specific details through composable subroutines for joining, submission, updating, reading, and settlement. This structure produces consistent security notions that apply across payment channels, sidechains, and rollups instead of requiring separate models for each. The authors then derive protocol-specific ideal functionalities, prove their security by simulation, expose trade-offs among the three properties, and obtain lower bounds that limit what each design class can achieve.

Core claim

The modular ideal functionality F_layer2 captures the essential structure of L2 systems by abstracting mechanism-specific details into composable subroutines for joining, submission, updating, reading, and settlement under adversarial conditions. This yields uniform definitions of safety, liveness, and data availability across a broad class of L2 protocols. Instantiations for the Brick payment channel, Liquid sidechain, and Arbitrum Nitro rollup each produce a tailored ideal functionality whose security is established by simulation-based proofs, while the same framework exposes inherent trade-offs and derives lower bounds on the fundamental limitations of each design class.

What carries the argument

The modular ideal functionality F_layer2 with composable subroutines for joining, submission, updating, reading, and settlement under adversarial conditions.

If this is right

  • Uniform definitions of safety, liveness, and data availability apply to payment channels, sidechains, and rollups.
  • Simulation-based proofs establish security for the three representative instantiations.
  • Trade-offs among safety, liveness, and data availability are made explicit for each protocol class.
  • Lower bounds characterize the inherent limitations of payment-channel, sidechain, and rollup designs.
  • The framework supports requirement-driven design of new protocols such as an optimistic rollup with fast finality.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • The same modular structure could be extended to compare security assumptions across additional L2 variants that appear after the three case studies.
  • Compositional reasoning becomes possible when multiple L2 protocols interact or when an L2 is stacked on another blockchain component.
  • The lower bounds could guide construction of hybrid designs that deliberately trade one property for gains in another.
  • Future work might incorporate additional properties such as privacy guarantees into the same ideal functionality.

Load-bearing premise

The iUC model and the five chosen subroutines together capture every security-relevant adversarial behavior that can arise in real L2 deployments.

What would settle it

Discovery of an attack on an Arbitrum Nitro deployment that satisfies the modeled assumptions yet violates the claimed safety or liveness property would falsify the framework.

Figures

Figures reproduced from arXiv: 2504.14965 by Matteo Maffei, Yuheng Wang, Zeta Avarikioti.

Figure 1
Figure 1. Figure 1: Structure of the ideal functionality F Λ layer2 for a secure L2 protocol Λ. E refer to the environment, S refer to the simulator and A refer to the adversary. Design Rationale. The ideal functionality Flayer2 is designed to capture the core phases of interaction in a broad class of L2 protocols, from payment channels to rollups and sidechains. Its structure reflects a minimal and modular decomposition of p… view at source ↗
Figure 2
Figure 2. Figure 2: The ideal functionality Flayer2’s main logic for han￾dling the requests. pidcur is the current party and sidcur the L2 protocol’s current session. During the execution of Flayer2, there may exist multiple in￾stances of the ideal functionality, each representing a distinct L2 protocol running concurrently and uniquely identified by a session ID (𝑠𝑖𝑑). In this paper, we focus on a single instance. Within a s… view at source ↗
Figure 3
Figure 3. Figure 3: The Brick payment channel protocol Channel Opening. The two clients communicate to agree on the initial state and select the wardens. Once the wardens are no￾tified, all participants deposit collateral on the L1 ledger. After verifying that the collateral has been committed on the L1 ledger, the channel is considered open. Channel Update. After the channel is opened, the two clients can update the channel … view at source ↗
Figure 4
Figure 4. Figure 4: The Liquid Network sidechain protocol 4.2.2 The Ideal Functionality F Liquid layer2 . After showing the real-world protocol of the Liquid Network sidechain, we then propose the for￾mal definition for the ideal functionalityF Liquid layer2 = (Flayer2 |FLiquid submit, F Liquid open , F Liquid update , F Liquid read , F Liquid settelment, F Liquid updRnd, F Liquid leak ). While the in￾terface Flayer2 remains … view at source ↗
Figure 5
Figure 5. Figure 5: The Arbitrum protocol Once published, validators can re-execute and verify the state up￾date’s correctness based on the published transactions. If the pub￾lished result is incorrect, fraud-proof can be submitted to invalidate the incorrect update. If no fraud proof is submitted within the des￾ignated challenge period, the state is considered valid. If a client notices its transaction has not been executed … view at source ↗
Figure 6
Figure 6. Figure 6: To start with, the direct connection, represented by the I/O connec￾tion, is more apparent. The rollup protocol is distinct from the other two types of L2 protocols in that its subroutines Fupdate and Fread require direct interaction with the underlying L1 ledger Fledger. Recall that Fupdate specifies the requirements for generating a new valid state in the protocol. Unlike PCFs or sidechains, the executed… view at source ↗
Figure 6
Figure 6. Figure 6: Connection among main parameter subroutines. The solid line represents the direct I/O connection. The dotted line [PITH_FULL_IMAGE:figures/full_fig_p011_6.png] view at source ↗
read the original abstract

Layer 2 (L2) protocols, payment channels, sidechains, and rollups, are central to blockchain scalability, enabling off-chain execution while preserving on-chain security. Despite growing deployment, existing security models remain protocol-specific and monolithic, hindering compositional reasoning and principled comparison of assumptions and requirements. We present a general security framework for L2 protocols in the IITM-style Universal Composability (iUC) model. At its core is a modular ideal functionality F_layer2 that abstracts mechanism-specific details while capturing the essential structure of L2 systems through composable subroutines for joining, submission, updating, reading, and settlement under adversarial conditions. This yields uniform definitions of safety, liveness, and data availability across a broad class of L2 protocols. We demonstrate generality by instantiating the framework for three representative constructions: the Brick payment channel, the Liquid sidechain, and the Arbitrum Nitro rollup. Each case study yields a protocol-specific ideal functionality derived from F_layer2 and tailored to its assumptions. Our analysis (i) establishes security via simulation-based proofs, (ii) exposes inherent trade-offs among safety, liveness, and data availability, and (iii) derives lower bounds characterizing fundamental limitations of each design class. Finally, we illustrate the framework as a design tool by presenting FRoll, the first optimistic rollup protocol with fast-finality guarantees, together with a security analysis in our model, showing how the framework supports requirement-driven design of L2 protocols.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

2 major / 2 minor

Summary. The manuscript introduces a modular security framework for general Layer 2 blockchain protocols in the IITM-style iUC model. Its core is the ideal functionality F_layer2, which abstracts mechanism-specific details via composable subroutines for joining, submission, updating, reading, and settlement. This yields uniform definitions of safety, liveness, and data availability. The framework is instantiated for three protocols (Brick payment channel, Liquid sidechain, Arbitrum Nitro rollup), each with a derived ideal functionality and simulation-based security proof; the paper also derives lower bounds on trade-offs and presents FRoll, a new optimistic rollup with fast finality, as a design example.

Significance. If the simulation-based proofs and lower-bound derivations hold, the work provides a significant advance by supplying a unified, composable model that supports principled comparison and requirement-driven design across L2 classes. The explicit instantiations for three representative constructions and the concrete FRoll example strengthen the generality claim; the use of standard iUC subroutines is a clear methodological strength.

major comments (2)
  1. [§4] §4 (F_layer2 definition): the claim that the five subroutines suffice to capture all security-relevant adversarial behaviors for uniformity across L2 classes is load-bearing for the central contribution, yet the manuscript does not explicitly reduce the safety/liveness/DA definitions to a concrete adversarial model that includes cross-layer or mechanism-specific attacks (e.g., sequencer withholding in rollups or channel closure races).
  2. [§5.2–5.3] §5.2–5.3 (Arbitrum Nitro and lower bounds): the simulation proof for the rollup instantiation and the derived lower bounds on DA vs. liveness trade-offs rely on specific assumptions about on-chain settlement and data posting; these assumptions must be stated formally (including the exact ideal functionality for the DA oracle) to confirm that the bounds are not artifacts of the modeling choices.
minor comments (2)
  1. [§3] The notation for the subroutines (e.g., Join, Submit) is introduced without a consolidated table; adding one would improve readability when comparing the three instantiations.
  2. [§6] In the FRoll presentation, the fast-finality guarantee is described informally; a short pseudocode or state-transition diagram would clarify how it differs from standard optimistic rollups while remaining within the F_layer2 interface.

Simulated Author's Rebuttal

2 responses · 0 unresolved

We thank the referee for the positive assessment, the recommendation of minor revision, and the constructive comments. We address each major comment below.

read point-by-point responses

  1. Referee: [§4] §4 (F_layer2 definition): the claim that the five subroutines suffice to capture all security-relevant adversarial behaviors for uniformity across L2 classes is load-bearing for the central contribution, yet the manuscript does not explicitly reduce the safety/liveness/DA definitions to a concrete adversarial model that includes cross-layer or mechanism-specific attacks (e.g., sequencer withholding in rollups or channel closure races).

    Authors: We agree that an explicit reduction would strengthen the presentation of the central claim. Although the subroutines are defined to interact with the standard iUC adversarial interface and thereby capture the listed attacks, the manuscript does not provide a direct mapping. In the revision we will add a short subsection to §4 that explicitly shows, for each subroutine, the corresponding adversarial actions (including sequencer withholding and channel-closure races) and how they are reflected in the uniform safety, liveness, and data-availability definitions. revision: yes

  2. Referee: [§5.2–5.3] §5.2–5.3 (Arbitrum Nitro and lower bounds): the simulation proof for the rollup instantiation and the derived lower bounds on DA vs. liveness trade-offs rely on specific assumptions about on-chain settlement and data posting; these assumptions must be stated formally (including the exact ideal functionality for the DA oracle) to confirm that the bounds are not artifacts of the modeling choices.

    Authors: We thank the referee for this observation. The proofs and lower bounds do rely on concrete modeling choices for on-chain settlement and data posting that are currently stated only informally. We will revise §§5.2–5.3 to state these assumptions formally and to include the precise ideal functionality for the DA oracle used in the simulation proofs and trade-off derivations. revision: yes

Circularity Check

0 steps flagged

No significant circularity in framework definitions and proofs

full rationale

The paper's derivation begins with the introduction of the modular ideal functionality F_layer2 in the established iUC model, along with composable subroutines for joining, submission, updating, reading, and settlement. These serve as the foundational definitions rather than being derived from later results. Instantiations for Brick, Liquid, and Arbitrum Nitro involve deriving protocol-specific functionalities and establishing security through simulation-based proofs, which are standard and non-circular in UC frameworks. The exposure of trade-offs and derivation of lower bounds follow logically from the model without reducing to self-referential inputs or self-citations. The framework is self-contained, building on external iUC foundations without load-bearing self-references that would create circularity.

Axiom & Free-Parameter Ledger

0 free parameters · 1 axioms · 0 invented entities

The central claim rests on the adequacy of the iUC model for L2 interactions and the completeness of the listed subroutines; no free parameters or new physical entities are introduced.

axioms (1)
  • domain assumption The iUC model is an appropriate foundation for defining security of blockchain L2 protocols under realistic adversarial conditions.
    Invoked when the paper states that the framework is built in the IITM-style Universal Composability model.

pith-pipeline@v0.9.0 · 5798 in / 1230 out tokens · 48950 ms · 2026-05-22T18:33:43.123640+00:00 · methodology

discussion (0)

Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.

Lean theorems connected to this paper

Citations machine-checked in the Pith Canon. Every link opens the source theorem in the public Lean library.

What do these tags mean?
matches
The paper's claim is directly supported by a theorem in the formal canon.
supports
The theorem supports part of the paper's argument, but the paper may add assumptions or extra steps.
extends
The paper goes beyond the formal theorem; the theorem is a base layer rather than the whole result.
uses
The paper appears to rely on the theorem as machinery.
contradicts
The paper's claim conflicts with a theorem or certificate in the canon.
unclear
Pith found a possible connection, but the passage is too broad, indirect, or ambiguous to say the theorem truly supports the claim.

Reference graph

Works this paper leans on

28 extracted references · 28 canonical work pages

  1. [1]

    Lukas Aumayr, Oguzhan Ersoy, Andreas Erwig, Sebastian Faust, Kristina Hostáková, Matteo Maffei, Pedro Moreno-Sanchez, and Siavash Riahi. 2021. Generalized channels from limited blockchain scripts and adaptor signatures. In International Conference on the Theory and Application of Cryptology and Information Security. Springer, 635–664

    work page 2021

  2. [2]

    Lukas Aumayr, Pedro Moreno-Sanchez, Aniket Kate, and Matteo Maffei. 2021. Blitz: Secure {Multi-Hop} payments without {Two-Phase} commits. In 30th USENIX Security Symposium (USENIX Security 21) . 4043–4060

    work page 2021

  3. [3]

    Lukas Aumayr, Sri AravindaKrishnan Thyagarajan, Giulio Malavolta, Pedro Moreno-Sanchez, and Matteo Maffei. 2022. Sleepy channels: Bi-directional payment channels without watchtowers. In Proceedings of the 2022 ACM SIGSAC A Security Framework for General Blockchain Layer 2 Protocols Conference on Computer and Communications Security . 179–192

    work page 2022

  4. [4]

    Zeta Avarikioti, Makis Arsenis, Dimitris Karakostas, and Orfeas Stefanos Thyfronitis Litos. 2022. Milkomeda Rollup. https://milkomeda.com/Milkomeda% 20Rollup.pdf

    work page 2022

  5. [5]

    Zeta Avarikioti, Eleftherios Kokoris-Kogias, Roger Wattenhofer, and Dionysis Zindros. 2021. Brick: Asynchronous incentive-compatible payment channels. In Financial Cryptography and Data Security: 25th International Conference, FC 2021, Virtual Event, March 1–5, 2021, Revised Selected Papers, Part II 25 . Springer, 209–230

    work page 2021

  6. [6]

    Zeta Avarikioti, Orfeas Stefanos Thyfronitis Litos, and Roger Wattenhofer. 2020. Cerberus channels: Incentivizing watchtowers for bitcoin. In Financial Cryptog- raphy and Data Security: 24th International Conference, FC 2020, Kota Kinabalu, Malaysia, February 10–14, 2020 Revised Selected Papers 24 . Springer, 346–366

    work page 2020

  7. [7]

    Mihailo Bjelic, Sandeep Nailwal, Amit Chaudhary, and Wenxuan Deng. [n. d.]. POL: One token for all Polygon chains. https://polygon.technology/papers/pol- whitepaper Accessed: 2025-04-14

    work page 2025

  8. [8]

    Lee Bousfield, Rachel Bousfield, Chris Buckland, Ben Burgess, Joshua Colvin, Edward W Felten, Steven Goldfeder, Daniel Goldman, Braden Huddleston, H Kalonder, et al. 2022. Arbitrum nitro: A second-generation optimistic rollup

    work page 2022

  9. [9]

    Conrad Burchert, Christian Decker, and Roger Wattenhofer. 2018. Scalable funding of bitcoin micropayment channel networks. Royal Society open science 5, 8 (2018), 180089

    work page 2018

  10. [10]

    Jan Camenisch, Stephan Krenn, Ralf Küsters, and Daniel Rausch. 2019. iUC: Flexible universal composability made simple. In International Conference on the Theory and Application of Cryptology and Information Security . Springer, 191–221

    work page 2019

  11. [11]

    Ran Canetti. 2001. Universally composable security: A new paradigm for cryp- tographic protocols. In Proceedings 42nd IEEE Symposium on Foundations of Computer Science. IEEE, 136–145

    work page 2001

  12. [12]

    Margarita Capretto, Martín Ceresa, Antonio Fernández Anta, Pedro Moreno- Sánchez, and César Sánchez. 2024. Fast and Secure Decentralized Optimistic Rollups Using Setchain. arXiv preprint arXiv:2406.02316 (2024)

    work page arXiv 2024

  13. [13]

    Stefanos Chaliasos, Denis Firsov, and Benjamin Livshits. 2024. Towards a formal foundation for blockchain rollups. arXiv preprint arXiv:2406.16219 (2024)

    work page arXiv 2024

  14. [14]

    Christian Decker and Roger Wattenhofer. 2015. A fast and scalable payment network with bitcoin duplex micropayment channels. InStabilization, Safety, and Security of Distributed Systems: 17th International Symposium, SSS 2015, Edmonton, AB, Canada, August 18-21, 2015, Proceedings 17 . Springer, 3–18

    work page 2015

  15. [15]

    Ben Fisch, Arthur Lazzaretti, Zeyu Liu, and Lei Yang. 2024. Permissionless verifiable information dispersal (data availability for bitcoin rollups). Cryptology ePrint Archive (2024)

    work page 2024

  16. [16]

    Juan Garay, Jonathan Katz, Ueli Maurer, Björn Tackmann, and Vassilis Zikas. 2013. Rational protocol design: Cryptography against incentive-driven adversaries. In 2013 IEEE 54th Annual Symposium on Foundations of Computer Science . IEEE, 648–657

    work page 2013

  17. [17]

    Juan Garay, Aggelos Kiayias, and Nikos Leonardos. 2017. The bitcoin backbone protocol with chains of variable difficulty. In Annual International Cryptology Conference. Springer, 291–323

    work page 2017

  18. [18]

    Peter Gaži, Aggelos Kiayias, and Dionysis Zindros. 2019. Proof-of-stake sidechains. In 2019 IEEE Symposium on Security and Privacy (SP) . IEEE, 139– 156

    work page 2019

  19. [19]

    Mike Graf, Daniel Rausch, Viktoria Ronge, Christoph Egger, Ralf Küsters, and Dominique Schröder. 2021. A security framework for distributed ledgers. In Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security. 1043–1064

    work page 2021

  20. [20]

    Lewis Gudgeon, Pedro Moreno-Sanchez, Stefanie Roos, Patrick McCorry, and Arthur Gervais. 2020. Sok: Layer-two blockchain protocols. In Financial Cryptog- raphy and Data Security: 24th International Conference, FC 2020, Kota Kinabalu, Malaysia, February 10–14, 2020 Revised Selected Papers 24 . Springer, 201–226

    work page 2020

  21. [21]

    Anurag Jain, Sanidhay Arora, Sankarshan Damle, and Sujit Gujar. 2022. Tiramisu: Layering consensus protocols for scalable and secure blockchains. In 2022 IEEE International Conference on Blockchain and Cryptocurrency (ICBC) . IEEE, 1–3

    work page 2022

  22. [22]

    Aggelos Kiayias and Orfeas Stefanos Thyfronitis Litos. 2020. A composable security treatment of the lightning network. In 2020 IEEE 33rd Computer Security Foundations Symposium (CSF). IEEE, 334–349

    work page 2020

  23. [23]

    Matter Labs. 2025. zkSync Documentation. https://docs.zksync.io/ Accessed: 2025-03-06

    work page 2025

  24. [24]

    Andrew Miller, Iddo Bentov, Surya Bakshi, Ranjit Kumaresan, and Patrick Mc- Corry. 2019. Sprites and state channels: Payment networks that go faster than lightning. In International conference on financial cryptography and data security . Springer, 508–526

    work page 2019

  25. [25]

    Jonas Nick, Andrew Poelstra, and Gregory Sanders. 2020. Liquid: A bitcoin sidechain. Liquid white paper. URL https://blockstream. com/assets/downloads/pdf/liquid-whitepaper. pdf (2020)

    work page 2020

  26. [26]

    Optimism Collective. 2024. Optimism Rollup Stack: Overview. https://docs. optimism.io/stack/rollup/overview Accessed: 2025-04-09

    work page 2024

  27. [27]

    Joseph Poon and Thaddeus Dryja. 2016. The bitcoin lightning network: Scalable off-chain instant payments

    work page 2016

  28. [28]

    (pubrole1, ..., pubrole𝑛 | privrole1, ..., privrole𝑚)

    Erkan Tairi, Pedro Moreno-Sanchez, and Matteo Maffei. 2021. A 2 l: Anonymous atomic locks for scalability in payment channel hubs. In 2021 IEEE symposium on security and privacy (SP) . IEEE, 1834–1851. A The iUC Framework In this section, we provide a brief introduction to the Interactive Universal Composability (iUC) framework, which underpins our propos...

    work page 2021