Each update to the system state must be accompanied by a ZK proof that ensures that the new state was derived by correctly applying a series of valid user transactions to the previous state. These proofs are then verified on Ethereum by a smart contract.

What is Starknet

Zero knowledge STARK cryptography is used

Despite their production use zkSTARKs proof systems are still relatively new, complex and they rely on the proper implementation of the polynomial constraints used to check validity of the Execution Trace.

Funds can be lost if the proof system is implemented incorrectly.

STARK Core Engine Deep Dive

All data required to reconstruct rollup state is published on chain

State diffs are publish onchain as blob or calldata on every state update. The state diffs contain information on every contact whose storage was updated, and additional information on contract deployments. From diffs full system state can be recovered. Contracts’ code is not published on L1, but can be trustlessly verified if available elsewhere.

On-Chain Data - Starknet documentation

Learn more about the DA layer here:

Ethereum

State derivation

Node software

The Juno node software can be used to reconstruct the L2 state entirely from L1. The feature has not been released yet, but can be found in this PR.

Compression scheme

Starknet doesn’t use any compression scheme.

Genesis state

There is no non-empty genesis state.

Data format

The data format has been updated with different versions, and the full specification can be found here.

State validation

Proven Program

The source code of the Starknet OS can be found here. The source code of the bootloader can be found here.

Operator

The system has a centralized operator

The operator is the only entity that can propose blocks. A live and trustworthy operator is vital to the health of the system. Typically, the Operator is the hot wallet of the Starknet service submitting state updates for which proofs have been already submitted and verified.

MEV can be extracted if the operator exploits their centralized position and frontruns user transactions.

Users can't force any transaction

There is no general mechanism to force the sequencer to include the transaction.

Users can be censored if the operator refuses to include their transactions.

Censorship resistance of Starknet - Forum Discussion

Withdrawals

Regular messaging

The user initiates L2->L1 messages by submitting a regular transaction on this chain. When the block containing that transaction is settled, the message becomes available for processing on L1. ZK proofs are required to settle blocks. Note that the message request can be censored by the Sequencer.

Funds can be frozen if the operator censors withdrawal transaction.

Withdrawing is based on l2 to l1 messages - Starknet documentation

Emergency exit

There is no generic escape hatch mechanism as Starknet cannot be forced by users into a frozen state. Note that a freezing mechanism on L2, to be secure, requires anti-censorship protection.

Permissions

Ethereum

Actors:

StarknetSecurityCouncil 0x15e8…C361

A Multisig with 9 / 12 threshold. Can upgrade the central Starknet constract, potentially potentially allowing fraudulent state to be posted and gaining access to all funds stored in the bridge. Can also appoint operators, change the programHash, configHash, or message cancellation delay without upgrading the contract.Currently there is 0s delay before the upgrade.

Participants (12):

0xfaEC…33B0 0x68c6…18f0 0x16aB…57CD 0x1027…8cac 0x7383…E560 0x590C…430C 0x7A3a…982E 0xFf71…0D90 0x81C1…5874 0xc196…53E7 0x033b…45e2 0xe810…4645

SHARP Verifier Governors 0x21F9…AEc4

Can upgrade implementation of SHARP Verifier, potentially with code approving fraudulent state. Currently there is 0s delay before the upgrade.

Used in:

SHARPVerifierAdminMultisig 0x21F9…AEc4

A Multisig with 2 / 4 threshold. SHARP Verifier Governor.

Participants (4):

0x0405…8488 0x5923…8558 0xebc8…fD7F 0x955B…2Fec

Used in:

StarkgateBridgeMultisig 0x0152…C6Ec

A Multisig with 2 / 4 threshold. Can upgrade most of the Starkgate bridge escrows including the Starkgate Multibridge. Can also configure the flowlimits of the existing Starkgate escrows or add new deployments.

Participants (4):

0xd388…d3F8 0x5923…8558 0xCe95…23a0 0x64F4…5770

Operators (2) 0x2C16…0CA7 0xF6b0…bC6B

Allowed to post state updates. When all operators are down the state cannot be updated.

StarknetSCMinorityMultisig 0xF6b0…bC6B

A Multisig with 3 / 12 threshold. An Operator. Allowed to post state updates. This minority multisig with the SecurityCouncil members is the only fallback in case of censorship by other operators.

Participants (12):

0xfaEC…33B0 0x68c6…18f0 0x16aB…57CD 0x1027…8cac 0x7383…E560 0x590C…430C 0x7A3a…982E 0xFf71…0D90 0x81C1…5874 0xc196…53E7 0x033b…45e2 0xe810…4645

StarkgateSecurityAgentMultisig 0x77Dd…88c5

A Multisig with 1 / 3 threshold. Can enable withdrawal limits for tokens in some Starkgate bridge Escrows.

Participants (3):

0x030c…5755 0x5923…8558 0x35FD…4a7b

StarkGate LUSD owner 0x5751…f21A

Can upgrade implementation of the LUSD escrow, potentially gaining access to all funds stored in the bridge. Currently there is 0s delay before the upgrade.

StarkGate token blacklister EOA 0xF689…e86b

Can remove and blacklist tokens from the Starkgate bridge.

Smart contracts

A diagram of the smart contract architecture

Ethereum

Starknet 0xc662…C8c4 Implementation (Upgradable)Admin

Starknet contract receives (verified) state roots from the Sequencer, allows users to read L2 -> L1 messages and send L1 -> L2 message.

Can be upgraded by:

StarknetSecurityCouncil with No delay delay

Implementation used in:

SHARPVerifierProxy 0x4731…Db60 Implementation (Upgradable)Admin

CallProxy for GpsStatementVerifier.

Proxy used in:

SHARPVerifier 0x9fb7…1942

Starkware SHARP verifier used collectively by Starknet, Sorare, ImmutableX, Apex, Myria, rhino.fi and Canvas Connect. It receives STARK proofs from the Prover attesting to the integrity of the Execution Trace of these Programs including correctly computed state root which is part of the Program Output.

Implementation used in:

FriStatementContract 0x30Ef…d400

Part of STARK Verifier.

Implementation used in:

MerkleStatementContract 0x32a9…FdAd

Part of STARK Verifier.

Implementation used in:

CairoBootloaderProgram 0x5860…c515

Part of STARK Verifier.

Implementation used in:

MemoryPageFactRegistry 0xe583…C460

MemoryPageFactRegistry is one of the many contracts used by SHARP verifier. This one is important as it registers all necessary onchain data.

Implementation used in:

OldMemoryPageFactRegistry 0xFD14…D1b4

Same as MemoryPageFactRegistry but stores facts proved by the old SHARP Verifier, used as a fallback.

Implementation used in:

L1DaiGateway 0x9F96…388d

Custom DAI Gateway, main entry point for users depositing DAI to L2 where “canonical” L2 DAI token managed by MakerDAO will be minted. Managed by MakerDAO.

StarkgateManager 0x0c5a…5B60 Implementation (Upgradable)Admin

This contract allows the permissionless creation and configuration of StarkGate token escrows. Tokens can also be blacklisted for creation, and already actively bridged tokens can be deactivated from depositing by a designated TokenAdmin.

Can be upgraded by:

StarkgateBridgeMultisig with 0s delay

StarkgateRegistry 0x1268…6812 Implementation (Upgradable)Admin

A central registry contract to map token addresses to their StarkGate bridge contract.

Can be upgraded by:

StarkgateBridgeMultisig with 0s delay