Kroma
$72.22 K
48.27%
...
Can't find a token?
Request it hereChoose a token
Can't find a token?
Request it hereMilestones
Description
Kroma aims to develop an universal ZK Rollup based on the Optimism Bedrock architecture. Currently, Kroma operates as an Optimistic Rollup with ZK fault proofs, utilizing a zkEVM based on Scroll. Kroma’s goal is to eventually transition to a ZK Rollup once the generation of ZK proofs becomes more cost-efficient and faster.
If you find something wrong on this page you can submit an issue or edit the information.
Risk Analysis
State validation
Fraud proofs (INT, ZK)Fraud proofs allow actors watching the chain to prove that the state is incorrect. Interactive proofs (INT) require multiple transactions over time to resolve. ZK proofs are used to adjudicate the correctness of the last step. The challenge protocol can be subject to delay attacks and can fail under certain conditions.
Data availability
On chainAll of the data needed for proof construction is published on chain.
Upgradeability
YesThe code that secures the system can be changed arbitrarily and without notice.
Sequencer failure
Self sequenceIn the event of a sequencer failure, users can force transactions to be included in the project’s chain by sending them to L1. There is a 12h delay on this operation.
Proposer failure
Self proposeAnyone can be a Proposer and propose new roots to the L1 bridge.
Rollup stage
Kroma is aStage 0Optimistic Rollup.Technology
Fraud Proofs ensure state correctness
Kroma uses an interactive fraud proof system to find a single block of disagreement, which is then zk proven. The zkEVM used is based on Scroll. Once the single block of disagreement is found, CHALLENGER is required to present zkProof of the fraud. When the proof is validated, the incorrect state output is deleted. The Security Council can always override the result of the challenge, it can also delete any L2 state root at any time. If the malicious ATTESTER and CHALLENGER collude and are willing to spend bonds, they can perform a delay attack by engaging in continuous challenge resulting in lack of finalization of the L2 state root on L1. The protocol can also fail under certain conditions.
Withdrawals can be delayed if the fraud proof system is under a delay attack.
Funds can be lost if the cryptography is broken or implemented incorrectly.
All transaction data is recorded on chain
All executed transactions are submitted to an on chain smart contract. The execution of the rollup is based entirely on the submitted transactions, so anyone monitoring the contract can know the correct state of the rollup chain.
Operator
The system has a centralized sequencer
While proposing blocks is open to anyone the system employs a privileged sequencer that has priority for submitting transaction batches and ordering transactions.
MEV can be extracted if the operator exploits their centralized position and frontruns user transactions.
Users can force any transaction
Because the state of the system is based on transactions submitted on-chain and anyone can submit their transactions there it allows the users to circumvent censorship by interacting with the smart contract directly.
Withdrawals
Regular exit
The user initiates the withdrawal by submitting a regular transaction on this chain. When the block containing that transaction is finalized the funds become available for withdrawal on L1. The process of block finalization usually takes several days to complete. Finally the user submits an L1 transaction to claim the funds. This transaction requires a merkle proof.
Other considerations
EVM compatible smart contracts are supported
OP stack chains are pursuing the EVM Equivalence model. No changes to smart contracts are required regardless of the language they are written in, i.e. anything deployed on L1 can be deployed on L2.
Permissions
The system uses the following set of permissioned addresses:
Only member of the UpgradeGovernor, which owns the Timelock and therefore controls the ProxyAdmin. Can instantly upgrade the system.
MultiSig (currently 1/1) that is a guardian of KromaPortal, priviliged Validator that does not need a bond and priviliged actor in Colosseum contract that can remove any L2Output state root regardless of the outcome of the challenge.
Can add, remove and replace members of the SecurityCouncil multisig, and can also add addresses to the Governor whitelist. Currently EOA.
Central actor allowed to commit L2 transactions on L1.
Actor allowed to pause withdrawals. Currently set to the Security Council.
Smart Contracts
The system consists of the following smart contracts:
The L2OutputOracle contract contains a list of proposed state roots which Proposers assert to be a result of block execution. Anyone can participate as a Proposer by depositing in the ValidatorPool. A root can be proposed every 1h.
Can be upgraded by: KromaAdmin
Upgrade delay: No delay
The OptimismPortal contract is the main entry point to deposit funds from L1 to L2. It also allows to prove and finalize withdrawals. This contract stores the following tokens: ETH.
Can be upgraded by: KromaAdmin
Upgrade delay: No delay
It contains configuration parameters such as the Sequencer address, the L2 gas limit and the unsafe block signer address.
Can be upgraded by: KromaAdmin
Upgrade delay: No delay
The L1ERC721Bridge contract is the main entry point to deposit ERC721 tokens from L1 to L2.
Can be upgraded by: KromaAdmin
Upgrade delay: No delay
The L1 Cross Domain Messenger contract sends messages from L1 to L2, and relays messages from L2 onto L1. In the event that a message sent from L1 to L2 is rejected for exceeding the L2 epoch gas limit, it can be resubmitted via this contract’s replay function.
Can be upgraded by: KromaAdmin
Upgrade delay: No delay
Timelock contract behind which the ProxyAdmin is. There is a 30d delay, but it can be bypassed by the KromaAdmin without conditions.
Contract designated as a guardian, meaning it can pause withdrawals. Managed by the SecurityCouncilAdmin.
Can be upgraded by: KromaAdmin
Upgrade delay: No delay
Controls the Timelock. It is governed using a Soulbound NFT. It can bypass the Timelock delay without conditions.
Admin of the L2OutputOracle, Timelock, KromaPortal, SystemConfig, SecurityCouncil, L1CrossDomainMessenger, L1ERC721Bridge, ZKVerifier, Colosseum, L1StandardBridge, UpgradeGovernor, SecurityCouncilToken, ValidatorPool proxies. It’s effectively controlled by the KromaAdmin. The proxy is behind a Timelock, but the delay can always be bypassed.
Contract used to challenge state roots and prove fraud. The SecurityCouncil can interfere by deleting challenges and roots.
Can be upgraded by: KromaAdmin
Upgrade delay: No delay
Contract used to manage the Proposers. Anyone can submit a deposit and bond to a state root, or create a challenge. It also manages the Proposer rotation for each submittable block using a random selection. If the selected proposer fails to publish a root within 30m, then the submission becomes open to everyone.
Can be upgraded by: KromaAdmin
Upgrade delay: No delay
Trie contract used to prove withdrawals.
ZK verifier used to verify the last step of a fraud proof, which corresponds to a block.
Can be upgraded by: KromaAdmin
Upgrade delay: No delay
Contract used to compute hashes. It is used by the ZKMerkeTrie. The contract has been generated using the circomlibjs library.
Value Locked is calculated based on these smart contracts and tokens:
Main entry point for users depositing ERC20 token that do not require custom gateway.
Main entry point for users depositing ETH.
The current deployment carries some associated risks:
Funds can be stolen if a contract receives a malicious code upgrade. There is no delay on code upgrades (CRITICAL).