Search for projects by name or address
Critical contracts can be upgraded by an EOA which could result in the loss of all funds.
Lighter on Robinhood is an application-specific ZK rollup deployed on Robinhood Chain. It is a fork of Lighter adapted to use Global Dollar (USDG) as its quote and margin asset.
Lighter on Robinhood is an application-specific ZK rollup deployed on Robinhood Chain. It is a fork of Lighter adapted to use Global Dollar (USDG) as its quote and margin asset.
Robinhood launches Lighter perpetuals integration
2026 Jul 1st
Robinhood announces Lighter perpetual futures in Robinhood Wallet on public mainnet.
Lighter contracts deployed on Robinhood Chain
2026 Jun 26th
The USDG-based Lighter fork is deployed on Robinhood Chain.
| SEQUENCER FAILURE | STATE VALIDATION | DATA AVAILABILITY | EXIT WINDOW | PROPOSER FAILURE | |
| Robinhood Chain L2 | No mechanism | Fraud proofs (INT) | Onchain | None | Self propose |
| Lighter on Robinhood L3 • Individual | Force via host chain | Validity proofs (SN) | Onchain (SD) | None | Unsafe escape hatch |
| Lighter on Robinhood L3 • Combined | No mechanism | Fraud proofs (INT) | Onchain | None | Unsafe escape hatch |
There is no guaranteed mechanism to have transactions included if the sequencer is down or censoring. Although users can enqueue messages in the L1 delayed inbox and call forceInclusion on the SequencerInbox, the chain runs ArbOS 61 transaction filtering: an authorized filterer can register any transaction hash in the ArbFilteredTransactionsManager precompile (0x00…0074), after which the state transition function forcibly fails that transaction, including force-included ones, without delay.
Fraud proofs only allow 2 WHITELISTED actors watching the chain to prove that the state is incorrect. Interactive proofs (INT) require multiple transactions over time to resolve. The challenge protocol can be subject to delay attacks. There is a 6d 8h challenge period.
All of the data needed for proof construction is published on the base chain, which ultimately gets published on Ethereum.
There is no window for users to exit in case of an unwanted upgrade since contracts are instantly upgradable.
If operators stop processing priority requests, desert mode can be activated. The deployed DesertVerifier does not validate withdrawal proofs, allowing users to claim balances that are not part of the last verified state.
The state differences required to reconstruct and prove the Lighter state are included directly in commitBatch calldata on Robinhood Chain. Unlike the Ethereum deployment, the Lighter contract does not read EIP-4844 blob hashes. Robinhood Chain subsequently batches its own transaction data to Ethereum blobs.
Each update to the system state must be accompanied by a ZK proof that ensures that the new state was derived by correctly applying a series of valid transactions to the previous state. These proofs are verified on Robinhood Chain by a smart contract. In desert mode, users are expected to provide proofs of their balances to exit, but the deployed DesertVerifier does not validate them.
Lighter uses a Plonk-based proof system which requires a trusted setup. The verification keys are hardcoded in the verifier contract on-chain. The Lighter prover repository contains a script that regenerates circuits and verification keys, but it does not reproduce the verification keys used by this deployment.
State updates are verified by the ZkLighterVerifier contract. In desert mode, the DesertVerifier does not validate withdrawal proofs, allowing users to withdraw balances that are not part of the last verified state.
Funds can be stolen if desert mode is activated and users withdraw balances that are not part of the last verified state (CRITICAL).
Initial discovery of the USDG-quoted Lighter instance on Robinhood Chain.
Initial discovery of the USDG-quoted Lighter instance on Robinhood Chain.
| + | Status: CREATED |
| contract UpgradeGatekeeper (robinhood:0x43CfF77CD060A155dCe5deb12B93b875f69F2716) [lighter/UpgradeGatekeeper] | |
| +++ description: Governance contract functioning like an upgrade timelock for downstream contracts. The current delay is 21d and can be entirely skipped by robinhood:0x4972E0CaCb2AC45644BA054838e96fF4f6f7eFDb. |
| + | Status: CREATED |
| contract DesertVerifier (robinhood:0x443Cc0c7f773D0955E3Bd8DA393b708152cFA5Bc) [lighter/DesertVerifierAlwaysTrue] | |
| +++ description: The verifier used for desert-mode withdrawals. It does not validate proofs or public inputs. |
| + | Status: CREATED |
| contract Lighter (robinhood:0x94bAB9693Ba2f6358507eFfcbd372b0660AFfF9d) [lighter/ZkLighterWithSpotQuoteAsset] | |
| +++ description: The main rollup contract. It processes L2 batches, manages token deposits and withdrawals, allows users to submit priority requests and controls desert mode (escape hatch). This variant uses a configurable quote asset and commits state differences through host-chain calldata instead of EIP-4844 blob hashes. Logic is split between two contracts because of code-size limits, with many operations delegated to AdditionalZkLighter. |
| + | Status: CREATED |
| contract ZkLighterVerifier (robinhood:0xe1aFBE2D670eFF0e7C8A41F080792C011916ac31) [lighter/ZkLighterVerifier] | |
| +++ description: The main ZK verifier of Lighter, settles the proofs of correct L2 state transition in the case of normal rollup operation. |
| + | Status: CREATED |
| contract Governance (robinhood:0xf6F6Bd6eEA2b9A2041328732CcAe4c5e1DD278B7) [lighter/Governance] | |
| +++ description: Manages the list of validators and the network governor. |
Only the centralized operators can submit batches and verify them with a ZK proof, i.e. advance the state of the protocol. The network governor can add or remove validators.
MEV can be extracted if the operator exploits their centralized position and frontruns user transactions.
Users can submit priority requests directly to the Lighter contract on Robinhood Chain. If the operators leave the oldest request unprocessed for more than 14d, anyone can activate desert mode. The deployed DesertVerifier does not validate withdrawal proofs, so desert mode does not provide a safe escape hatch.
Funds can be stolen if desert mode is activated, because withdrawals are not constrained by a valid proof (CRITICAL).
After desert mode is activated, users are expected to exit by proving their balance against the last verified state root. The deployed DesertVerifier does not validate these proofs, so withdrawal balances are not constrained by the last verified state.
Funds can be stolen if desert mode is activated and users withdraw balances that are not part of the last verified state (CRITICAL).
Unlike the Ethereum deployment, this fork uses Global Dollar (USDG) instead of USDC as the quote and margin asset.
Lighter uses external oracles to determine index prices. External signatures are not verified by the settlement contract and the sequencer must be trusted to truthfully report data.
Funds can be lost if the oracle prices are manipulated.



Governance contract functioning like an upgrade timelock for downstream contracts. The current delay is 21d and can be entirely skipped by 0x4972E0CaCb2AC45644BA054838e96fF4f6f7eFDb.
The verifier used for desert-mode withdrawals. It does not validate proofs or public inputs.
The main rollup contract. It processes L2 batches, manages token deposits and withdrawals, allows users to submit priority requests and controls desert mode (escape hatch). This variant uses a configurable quote asset and commits state differences through host-chain calldata instead of EIP-4844 blob hashes. Logic is split between two contracts because of code-size limits, with many operations delegated to AdditionalZkLighter.


























Manages the list of validators and the network governor.
The current deployment carries some associated risks:
Funds can be stolen if desert mode is activated, because withdrawals are not constrained by a valid proof (CRITICAL).
Funds can be stolen if a contract receives a malicious code upgrade. There is no delay on code upgrades (CRITICAL).