Phala
Badges
About
Phala is cloud computing protocol which aims at offering developers a secure and efficient platform for deploying and managing AI-ready applications in a trusted environment (TEE). Phala rollup on Ethereum leverages the Op-Succinct stack, a... combination of OP stack contracts and Zero-Knowledge Proofs (ZK) using the SP1 zkVM.
Badges
About
Phala is cloud computing protocol which aims at offering developers a secure and efficient platform for deploying and managing AI-ready applications in a trusted environment (TEE). Phala rollup on Ethereum leverages the Op-Succinct stack, a... combination of OP stack contracts and Zero-Knowledge Proofs (ZK) using the SP1 zkVM.
The section shows the operating costs that L2s pay to Ethereum.
Funds can be stolen if
- in non-optimistic mode, the validity proof cryptography is broken or implemented incorrectly,
- optimistic mode is enabled and no challenger checks the published state,
- the proposer routes proof verification through a malicious or faulty verifier by specifying an unsafe route id,
- the contracts or their dependencies (e.g. SuccinctGateway) receive a malicious code upgrade. There is no delay on upgrades.
Funds can be frozen if
MEV can be extracted if
Sequencer failure
Self sequenceState validation
ZK proofs (SN)SNARKs are zero knowledge proofs that ensure state correctness, but require trusted setup.
Exit window
NoneThere is no window for users to exit in case of an unwanted regular upgrade since contracts are instantly upgradable.
Proposer failure
Cannot withdrawOnly the whitelisted proposers can publish state roots on L1, so in the event of failure the withdrawals are frozen.
Phala is a Validity proofs ensure state correctness
Each update to the system state must be accompanied by a ZK proof that ensures that the new state was derived by correctly applying a series of valid user transactions to the previous state. These proofs are then verified on Ethereum by a smart contract. Through the SuccinctL2OutputOracle, the system also allows to switch to an optimistic mode, in which no proofs are required and a challenger can challenge the proposed output state root within the finalization period.
Funds can be stolen if in non-optimistic mode, the validity proof cryptography is broken or implemented incorrectly.
Funds can be stolen if optimistic mode is enabled and no challenger checks the published state.
Funds can be stolen if the proposer routes proof verification through a malicious or faulty verifier by specifying an unsafe route id.
Funds can be frozen if the permissioned proposer fails to publish state roots to the L1.
Funds can be frozen if in non-optimistic mode, the SuccinctGateway is unable to route proof verification to a valid verifier.
Zero knowledge SNARK cryptography is used
Despite their production use zkSNARKs are still new and experimental cryptography. Cryptography has made a lot of advancements in the recent years but all cryptographic solutions rely on time to prove their security. In addition zkSNARKs require a trusted setup to operate.
All data required for proofs is published on chain
All the data that is used to construct the system state is published on chain in the form of cheap blobs or calldata. This ensures that it will be available for enough time.
EthereumThe system has a centralized operator
The operator is the only entity that can propose blocks. A live and trustworthy operator is vital to the health of the system.
MEV can be extracted if the operator exploits their centralized position and frontruns user transactions.
Regular exit
The user initiates the withdrawal by submitting a regular transaction on this chain. When the block containing that transaction is settled the funds become available for withdrawal on L1. Once funds are added to the withdrawal queue, operator must ensure there is enough liquidity for withdrawals. If not, they need to reclaim tokens from Yield Providers.
Ethereum
Actors:
- A Multisig with 4 / 9 threshold.
- Can act on behalf of ProxyAdmin.
- Is allowed to interact with AddressManager - set and change address mappings - acting via ProxyAdmin.
- Is allowed to interact with OPSuccinctL2OutputOracle - can toggle between the optimistic mode and not optimistic (ZK) mode.
- Is allowed to interact with SystemConfig - it can update the preconfer address, the batch submitter (Sequencer) address and the gas configuration of the system.
- Can upgrade the implementation of L1StandardBridge - upgrading the bridge implementation can give access to all funds escrowed therein - acting via ProxyAdmin.
- Can upgrade the implementation of OptimismPortal, L1ERC721Bridge, OPSuccinctL2OutputOracle, SystemConfig, SuperchainConfig, OptimismMintableERC20Factory - acting via ProxyAdmin.
Participants (9):
0x5093…66280xA073…bda20xF331…647D0xF0B7…A4f00xa400…e6e40x3840…Fd5f0xa0C6…90380xefCf…dD5C0x4D80…5BAeUsed in:
Is allowed to interact with SP1VerifierGateway - can verify proofs for the header range [latestBlock, targetBlock] proof.
- A Multisig with 2 / 2 threshold.
- Member of OpFoundationOperationsSafe.
Used in:
Ethereum
Sends messages from host chain to this chain, and relays messages back onto host chain. In the event that a message sent from host chain to this chain is rejected for exceeding this chain’s epoch gas limit, it can be resubmitted via this contract’s replay function.
- Can be used to interact with AddressManager - set and change address mappings.
- Can be used to upgrade implementation of L1StandardBridge - upgrading the bridge implementation can give access to all funds escrowed therein.
- Can be used to upgrade implementation of OptimismPortal, L1ERC721Bridge, OPSuccinctL2OutputOracle, SystemConfig, SuperchainConfig, OptimismMintableERC20Factory.
This contract is the router for zk proof verification. It stores the mapping between identifiers and the address of onchain verifier contracts, routing each identifier to the corresponding verifier contract.
Implementation used in:
Legacy contract used to manage a mapping of string names to addresses. Modern OP stack uses a different standard proxy system instead, but this contract is still necessary for backwards compatibility with several older contracts.
The main entry point to deposit ERC20 tokens from host chain to this chain. This contract can store any token.
The main entry point to deposit funds from host chain to this chain. It also allows to prove and finalize withdrawals. This contract stores the following tokens: ETH.
Used to bridge ERC-721 tokens from host chain to this chain.
Contains a list of proposed state roots which Proposers assert to be a result of block execution. The SuccinctL2OutputOracle modifies the L2OutputOracle to support whenNotOptimistic mode, in which a validity proof can be passed as input argument to the proposeL2Output function.
Implementation used in:
This is NOT the shared SuperchainConfig contract of the OP stack Superchain but rather a local fork. It manages the PAUSED_SLOT, a boolean value indicating whether the local chain is paused, and GUARDIAN_SLOT, the address of the guardian which can pause and unpause the system.
A helper contract that generates OptimismMintableERC20 contracts on the network it’s deployed to. OptimismMintableERC20 is a standard extension of the base ERC20 token contract designed to allow the L1StandardBridge contracts to mint and burn tokens. This makes it possible to use an OptimismMintablERC20 as this chain’s representation of a token on the host chain, or vice-versa.
Value Secured is calculated based on these smart contracts and tokens:
The current deployment carries some associated risks:
Funds can be stolen if the contracts or their dependencies (e.g. SuccinctGateway) receive a malicious code upgrade. There is no delay on upgrades.