Search

Search for projects by name or address

Lighter on Robinhood logo
Lighter on Robinhood

Critical contracts can be upgraded by an EOA which could result in the loss of all funds.

Badges

About

Lighter on Robinhood is an application-specific ZK rollup deployed on Robinhood Chain. It is a fork of Lighter adapted to use Global Dollar (USDG) as its quote and margin asset.


  • Total Value SecuredTVS
    $6.19 M7.02%
  • Past day UOPSDaily UOPS
    No data
  • Stage
  • Type
    ZK Rollup

  • Purpose
    Exchange
  • Host chain
    Robinhood Chain

  • Tokens breakdown

    Sequencer failureState validationData availabilityExit windowProposer failure

    Badges

    About

    Lighter on Robinhood is an application-specific ZK rollup deployed on Robinhood Chain. It is a fork of Lighter adapted to use Global Dollar (USDG) as its quote and margin asset.


    Total
    Canonically BridgedCanonically Bridged ValueCanonical
    Natively MintedNatively Minted TokensNative
    Externally BridgedExternally Bridged ValueExternal

    ETH & derivatives
    Stablecoins
    BTC & derivatives
    Other

    Robinhood launches Lighter perpetuals integration

    2026 Jul 1st

    Robinhood announces Lighter perpetual futures in Robinhood Wallet on public mainnet.

    Learn more

    Lighter contracts deployed on Robinhood Chain

    2026 Jun 26th

    The USDG-based Lighter fork is deployed on Robinhood Chain.

    Learn more
    There are 5 additional risks coming from the host chain Robinhood Chain logoRobinhood Chain
    The L3 risks depend on the individual properties of L3 and those of the host chain combined.
    Critical contracts can be upgraded by an EOA which could result in the loss of all funds.
    SEQUENCER
    FAILURE
    STATE
    VALIDATION
    DATA
    AVAILABILITY
    EXIT WINDOWPROPOSER
    FAILURE
    Robinhood Chain
    L2
    No mechanismFraud proofs (INT)OnchainNoneSelf propose
    Lighter on Robinhood
    L3 • Individual
    Force via host chainValidity proofs (SN)Onchain (SD)NoneUnsafe escape hatch
    Lighter on Robinhood
    L3 • Combined
    No mechanismFraud proofs (INT)OnchainNoneUnsafe escape hatch
    L2 & L3 individual risks
    Sequencer failureState validationData availabilityExit windowProposer failure
    L3 combined risks
    Sequencer failureState validationData availabilityExit windowProposer failure

    L3 combined risks
    The information below reflects combined L2 & L3 risks.
    Sequencer failure
    No mechanism

    There is no guaranteed mechanism to have transactions included if the sequencer is down or censoring. Although users can enqueue messages in the L1 delayed inbox and call forceInclusion on the SequencerInbox, the chain runs ArbOS 61 transaction filtering: an authorized filterer can register any transaction hash in the ArbFilteredTransactionsManager precompile (0x00…0074), after which the state transition function forcibly fails that transaction, including force-included ones, without delay.

    State validation
    Fraud proofs (INT)

    Fraud proofs only allow 2 WHITELISTED actors watching the chain to prove that the state is incorrect. Interactive proofs (INT) require multiple transactions over time to resolve. The challenge protocol can be subject to delay attacks. There is a 6d 8h challenge period.

    Data availability
    Onchain

    All of the data needed for proof construction is published on the base chain, which ultimately gets published on Ethereum.

    Exit window
    None

    There is no window for users to exit in case of an unwanted upgrade since contracts are instantly upgradable.

    Proposer failure
    Unsafe escape hatch

    If operators stop processing priority requests, desert mode can be activated. The deployed DesertVerifier does not validate withdrawal proofs, allowing users to claim balances that are not part of the last verified state.

    Lighter on Robinhood
    Lighter on Robinhood is a
    Stage 0
    Appchain
    ZK Rollup.
    There is no available node software that can reconstruct the state from L1 data, hence there is no way to verify that this system is a rollup.

    Learn more about Stages
    Please keep in mind that these stages do not reflect project security, this is an opinionated assessment of project maturity based on subjective criteria, created with a goal of incentivizing projects to push toward better decentralization. Each team may have taken different paths to achieve this goal.

    State differences posted on Robinhood Chain

    The state differences required to reconstruct and prove the Lighter state are included directly in commitBatch calldata on Robinhood Chain. Unlike the Ethereum deployment, the Lighter contract does not read EIP-4844 blob hashes. Robinhood Chain subsequently batches its own transaction data to Ethereum blobs.

    1. Example commitBatch transaction on Robinhood Chain
    2. Robinhood Chain architecture documentation
    Learn more about the DA layer here: Robinhood Chain logoRobinhood Chain

    Each update to the system state must be accompanied by a ZK proof that ensures that the new state was derived by correctly applying a series of valid transactions to the previous state. These proofs are verified on Robinhood Chain by a smart contract. In desert mode, users are expected to provide proofs of their balances to exit, but the deployed DesertVerifier does not validate them.


    Verification Keys Generation

    Lighter uses a Plonk-based proof system which requires a trusted setup. The verification keys are hardcoded in the verifier contract on-chain. The Lighter prover repository contains a script that regenerates circuits and verification keys, but it does not reproduce the verification keys used by this deployment.

    1. ZK Lighter verifier verification keys
    Validity proofs

    State updates are verified by the ZkLighterVerifier contract. In desert mode, the DesertVerifier does not validate withdrawal proofs, allowing users to withdraw balances that are not part of the last verified state.

    • Funds can be stolen if desert mode is activated and users withdraw balances that are not part of the last verified state (CRITICAL).

    1. Deployed DesertVerifier implementation
    PROVER

    Trusted Setups

    Onchain verifier

    Used in

    Lighter on Robinhood logo

    Onchain verifier

    Used in

    Lighter on Robinhood logo
    2026 July 13, 15:02 UTC
    5changes

    Initial discovery of the USDG-quoted Lighter instance on Robinhood Chain.

    Initial discovery

    + Status: CREATED
    contract UpgradeGatekeeper (robinhood:0x43CfF77CD060A155dCe5deb12B93b875f69F2716) [lighter/UpgradeGatekeeper]
    +++ description: Governance contract functioning like an upgrade timelock for downstream contracts. The current delay is 21d and can be entirely skipped by robinhood:0x4972E0CaCb2AC45644BA054838e96fF4f6f7eFDb.
    + Status: CREATED
    contract DesertVerifier (robinhood:0x443Cc0c7f773D0955E3Bd8DA393b708152cFA5Bc) [lighter/DesertVerifierAlwaysTrue]
    +++ description: The verifier used for desert-mode withdrawals. It does not validate proofs or public inputs.
    + Status: CREATED
    contract Lighter (robinhood:0x94bAB9693Ba2f6358507eFfcbd372b0660AFfF9d) [lighter/ZkLighterWithSpotQuoteAsset]
    +++ description: The main rollup contract. It processes L2 batches, manages token deposits and withdrawals, allows users to submit priority requests and controls desert mode (escape hatch). This variant uses a configurable quote asset and commits state differences through host-chain calldata instead of EIP-4844 blob hashes. Logic is split between two contracts because of code-size limits, with many operations delegated to AdditionalZkLighter.
    + Status: CREATED
    contract ZkLighterVerifier (robinhood:0xe1aFBE2D670eFF0e7C8A41F080792C011916ac31) [lighter/ZkLighterVerifier]
    +++ description: The main ZK verifier of Lighter, settles the proofs of correct L2 state transition in the case of normal rollup operation.
    + Status: CREATED
    contract Governance (robinhood:0xf6F6Bd6eEA2b9A2041328732CcAe4c5e1DD278B7) [lighter/Governance]
    +++ description: Manages the list of validators and the network governor.
    The section considers only the L3 properties. For more details please refer to Robinhood Chain logoRobinhood Chain

    Centralized operators

    Only the centralized operators can submit batches and verify them with a ZK proof, i.e. advance the state of the protocol. The network governor can add or remove validators.

    • MEV can be extracted if the operator exploits their centralized position and frontruns user transactions.

    Priority requests can be submitted on Robinhood Chain

    Users can submit priority requests directly to the Lighter contract on Robinhood Chain. If the operators leave the oldest request unprocessed for more than 14d, anyone can activate desert mode. The deployed DesertVerifier does not validate withdrawal proofs, so desert mode does not provide a safe escape hatch.

    • Funds can be stolen if desert mode is activated, because withdrawals are not constrained by a valid proof (CRITICAL).

    1. Lighter contract on Robinhood Chain
    The section considers only the L3 properties. For more details please refer to Robinhood Chain logoRobinhood Chain

    Regular exit

    The user initiates the withdrawal by submitting a regular transaction on this chain. When the block containing that transaction is settled the funds become available for withdrawal on L1. ZK proofs are required to settle blocks. Finally the user submits an L1 transaction to claim the funds.

    Unsafe desert-mode escape hatch

    After desert mode is activated, users are expected to exit by proving their balance against the last verified state root. The deployed DesertVerifier does not validate these proofs, so withdrawal balances are not constrained by the last verified state.

    • Funds can be stolen if desert mode is activated and users withdraw balances that are not part of the last verified state (CRITICAL).

    1. Deployed DesertVerifier on Robinhood Chain

    USDG is the quote and margin asset

    Unlike the Ethereum deployment, this fork uses Global Dollar (USDG) instead of USDC as the quote and margin asset.

    1. Robinhood Chain token contracts
    2. Robinhood Wallet perpetual futures documentation

    External oracles used for index prices

    Lighter uses external oracles to determine index prices. External signatures are not verified by the settlement contract and the sequencer must be trusted to truthfully report data.

    • Funds can be lost if the oracle prices are manipulated.

    1. Lighter docs - Fair Price Marking
    A dashboard to explore contracts and permissions
    Go to Disco
    Disco UI Banner

    Robinhood Chain

    Actors:

    • Can interact with Governance
      • can commit, verify, execute batches, and revert committed but not yet executed batches
    Lighter Governor0x42cD…6213
    • Can upgrade with 21d delay
      • Lighter
      • ZkLighterVerifier
      • Governance
    • Can interact with Governance
      • manage validators, update the address that manages the insurance fund, update the treasury address that collects fees from markets, add and update markets and assets
    Lighter Security Council0x4972…eFDb
    • Can interact with UpgradeGatekeeper
      • can reduce the upgrade delay to zero seconds
    A dashboard to explore contracts and permissions
    Go to Disco
    Disco UI Banner
    A diagram of the smart contract architecture
    A diagram of the smart contract architecture

    Robinhood Chain

    UpgradeGatekeeper0x43Cf…2716

    Governance contract functioning like an upgrade timelock for downstream contracts. The current delay is 21d and can be entirely skipped by 0x4972E0CaCb2AC45644BA054838e96fF4f6f7eFDb.

    • Roles:
    DesertVerifier0x443C…A5Bc

    The verifier used for desert-mode withdrawals. It does not validate proofs or public inputs.

    The main rollup contract. It processes L2 batches, manages token deposits and withdrawals, allows users to submit priority requests and controls desert mode (escape hatch). This variant uses a configurable quote asset and commits state differences through host-chain calldata instead of EIP-4844 blob hashes. Logic is split between two contracts because of code-size limits, with many operations delegated to AdditionalZkLighter.

    • Roles:
      • admin: UpgradeGatekeeper; ultimately Lighter Governor
    The following tokens are included in the value secured calculation:
    ETH token logoUSDG token logoAAPL token logoAMZN token logoGOOGL token logoMETA token logoMSFT token logoNVDA token logoTSLA token logoORCL token logoSPCX token logoBABA token logoUSAR token logoUSO token logoCOIN token logoCRCL token logoQQQ token logoSPY token logoSGOV token logoSLV token logoAMD token logoINTC token logoMU token logoSNDK token logoCRWV token logoPLTR token logo

    The main ZK verifier of Lighter, settles the proofs of correct L2 state transition in the case of normal rollup operation.

    • Roles:
      • admin: UpgradeGatekeeper; ultimately Lighter Governor

    Manages the list of validators and the network governor.

    The current deployment carries some associated risks:

    • Funds can be stolen if desert mode is activated, because withdrawals are not constrained by a valid proof (CRITICAL).

    • Funds can be stolen if a contract receives a malicious code upgrade. There is no delay on code upgrades (CRITICAL).