Starknet

Website	starknet.io starkware.co/starknet starkware.co/ecosystem community.starknet.io
App	www.dappland.com www.starknet-ecosystem.com
Documentation	starknet.io/learn/what-is-starknet
Explorer	voyager.online starkscan.co
Repository	github.com/starkware-libs
Social	discord.com/invite/qypnmzkhbc @StarkWareLtd starkware starkware.co youtube.com

Milestones

StarkGate Alpha

2022 May 9th

Bridge is live on mainnet, serving as gateway between Ethereum and Starknet.

Learn more

Starknet Alpha

2021 Nov 29th

Rollup is live on mainnet, enabling general computation using ZK Rollup technology.

Learn more

Starknet is a general purpose ZK Rollup built using STARK cryptographic proof system. Starknet uses the Cairo programming language both for its infrastructure and for writing Starknet contracts. L2 <–> L1 messaging infrastructure is available and contracts are fully composable. It is currently launched with a single Sequencer.

If you find something wrong on this page you can submit an issue or edit the information.

Risk analysis

Sequencer failureState validationData availabilityUpgradeabilityProposer failure

State validation

ZK proofs (ST)

zkSTARKS are zero knowledge proofs that ensure state correctness.

Data availability

On chain (SD)

All of the data (SD = state diffs) needed for proof construction is published on chain.

Upgradeability

Yes

The code that secures the system can be changed arbitrarily and without notice.

Sequencer failure

No mechanism

There is no mechanism to have transactions be included if the sequencer is down or censoring.

Proposer failure

Cannot withdraw

Only the whitelisted proposers can publish state roots on L1, so in the event of failure the withdrawals are frozen.

Rollup stage

Starknet is a

Stage 0

ZK Rollup.

Learn more about Rollup stages

Please keep in mind that these stages do not reflect rollup security, this is an opinionated assessment of rollup maturity based on subjective criteria, created with a goal of incentivizing projects to push toward better decentralization. Each team may have taken different paths to achieve this goal.

Technology

Validity proofs ensure state correctness

Each update to the system state must be accompanied by a ZK proof that ensures that the new state was derived by correctly applying a series of valid user transactions to the previous state. These proofs are then verified on Ethereum by a smart contract.

What is Starknet

Zero knowledge STARK cryptography is used

Despite their production use zkSTARKs proof systems are still relatively new, complex and they rely on the proper implementation of the polynomial constraints used to check validity of the Execution Trace.

Funds can be lost if the proof system is implemented incorrectly.

STARK Core Engine Deep Dive

All data required to reconstruct rollup state is published on chain

State diffs are publish on-chain as calldata on every state update. The state diffs contain information on every contact whose storage was updated, and additional information on contract deployments. From diffs full system state can be recovered. Contracts’ code is not published on L1, but can be trustlessly verified if available elsewhere.

On-Chain Data - Starknet documentation

State derivation

Node software

The Juno node software can be used to reconstruct the L2 state entirely from L1. The feature has not been released yet, but can be found in this PR.

Compression scheme

Starknet doesn’t use any compression scheme.

Genesis state

There is no non-empty genesis state.

Data format

The data format has been updated with different versions, and the full specification can be found here.

Operator

The system has a centralized operator

The operator is the only entity that can propose blocks. A live and trustworthy operator is vital to the health of the system. Typically, the Operator is the hot wallet of the Starknet service submitting state updates for which proofs have been already submitted and verified.

MEV can be extracted if the operator exploits their centralized position and frontruns user transactions.

Users can't force any transaction

There is no general mechanism to force the sequencer to include the transaction.

Users can be censored if the operator refuses to include their transactions.

Censorship resistance of Starknet - Forum Discussion

Withdrawals

Regular exit

The user initiates the withdrawal by submitting a regular transaction on this chain. When the block containing that transaction is proven the funds become available for withdrawal on L1. Finally the user submits an L1 transaction to claim the funds. This transaction does not require a merkle proof. Note that the withdrawal request can be censored by the Sequencer.

Funds can be frozen if the operator censors withdrawal transaction.

Withdrawing is based on l2 to l1 messages - Starknet documentation

Emergency exit

There is no generic escape hatch mechanism as Starknet cannot be forced by users into a frozen state. Note that a freezing mechanism on L2, to be secure, requires anti-censorship protection.

Permissions

The system uses the following set of permissioned addresses:

Starknet Proxy Governors 0xD5fB…B263 0x83C0…e988

Can upgrade implementation of the system, potentially gaining access to all funds stored in the bridge. Can also upgrade implementation of the StarknetCore contract, potentially allowing fraudulent state to be posted. Currently there is no delay before the upgrade, so the users will not have time to migrate.

Proxy Multisig 0x83C0…e988

One of Proxy Governors. This is a Gnosis Safe with 2 / 4 threshold.

Proxy Multisig participants 0x2871…B403 0x64F4…5770 0x5923…8558 0xCe95…23a0

Those are the participants of the Proxy Multisig.

Starknet Implementation Governors 0x16C8…eA3E 0x86fD…b1Bd

The governors are responsible for: appointing operators, changing program hash, changing config hash, changing message cancellation delay. There is no delay on governor actions.

SHARP Verifier Governors 0x3DE5…F5C6 0x21F9…AEc4

Can upgrade implementation of SHARP Verifier, potentially with code approving fraudulent state. Currently there is 28d delay before the upgrade.

SHARPVerifierGovernorMultisig 0x21F9…AEc4

SHARP Verifier Governor. This is a Gnosis Safe with 2 / 3 threshold.

SHARPVerifierGovernorMultisig participants 0x5923…8558 0xebc8…fD7F 0x955B…2Fec

Those are the participants of the SHARPVerifierGovernorMultisig.

Operators 0xFf6B…c591 0x2C16…0CA7

Allowed to post state updates. When the operator is down the state cannot be updated.

MakerDAO Governance 0x0a3f…dDC0

In DAI bridge it can set max deposit per bridge and per user. In DAI escrow it can approve token transfers.

StarkGate ETH owner 0xC91E…B2Ae 0x0152…C6Ec

Can upgrade implementation of the ETH escrow, potentially gaining access to all funds stored in the bridge. Currently there is 7d delay before the upgrade.

StarkGate WBTC owner 0xdc29…1D23 0x0152…C6Ec

Can upgrade implementation of the WBTC escrow, potentially gaining access to all funds stored in the bridge. Currently there is 7d delay before the upgrade.

StarkGate USDC owner 0xf5EF…30b4 0x0152…C6Ec

Can upgrade implementation of the USDC escrow, potentially gaining access to all funds stored in the bridge. Currently there is 7d delay before the upgrade.

StarkGate USDT owner 0x8dB2…2981 0x0152…C6Ec

Can upgrade implementation of the USDT escrow, potentially gaining access to all funds stored in the bridge. Currently there is 7d delay before the upgrade.

StarkGate wstETH owner 0x5751…f21A

Can upgrade implementation of the wstETH escrow, potentially gaining access to all funds stored in the bridge. Currently there is no delay before the upgrade, so the users will not have time to migrate.

StarkGate rETH owner 0x5751…f21A

Can upgrade implementation of the rETH escrow, potentially gaining access to all funds stored in the bridge. Currently there is no delay before the upgrade, so the users will not have time to migrate.

BridgeMultisig 0x0152…C6Ec

Can upgrade the following bridges: WBTC, ETH, USDT, USDC. This is a Gnosis Safe with 2 / 4 threshold.

BridgeMultisig participants 0xd388…d3F8 0x5923…8558 0xCe95…23a0 0x64F4…5770

Those are the participants of the BridgeMultisig.

Smart contracts

A diagram of the smart contract architecture

The system consists of the following smart contracts:

Starknet 0xc662…C8c4 Implementation (Upgradable)

Starknet contract receives (verified) state roots from the Sequencer, allows users to read L2 -> L1 messages and send L1 -> L2 message.

Can be upgraded by: Starknet Proxy Governors

Upgrade delay: No delay

SHARPVerifierProxy 0x4731…Db60 Implementation (Upgradable 28 days delay)

CallProxy for GpsStatementVerifier.

SHARPVerifier 0x6cB3…1BF6

Starkware SHARP verifier used collectively by Starknet, Sorare, ImmutableX, Apex, Myria, rhino.fi and Canvas Connect. It receives STARK proofs from the Prover attesting to the integrity of the Execution Trace of these Programs including correctly computed state root which is part of the Program Output.

FriStatementContract 0x3E61…d2DD

Part of STARK Verifier.

MerkleStatementContract 0x5899…5fa4

Part of STARK Verifier.

MemoryPageFactRegistry 0xFD14…D1b4

MemoryPageFactRegistry is one of the many contracts used by SHARP verifier. This one is important as it registers all necessary on-chain data.

CairoBootloaderProgram 0x5d07…9dDf

Part of STARK Verifier.

L1DaiGateway 0x9F96…388d

Custom DAI Gateway, main entry point for users depositing DAI to L2 where “canonical” L2 DAI token managed by MakerDAO will be minted. Managed by MakerDAO.