Ethereum layer 2 rollups tackle a huge problem for the blockchain by cutting transaction fees, but the potential for trouble hasn't gotten a close enough look. skesslr reports
As they’ve grown in popularity – more than $3 billion in Ethereum user funds have been locked up on Arbitrum and Optimism, the largest rollup networks – what has been underappreciated is that they’re riskier and more centralized than most users recognize.
“We should get to the point where technology is mature enough that it's completely trustless and we don't need to trust any external third party,” Bartek Kiepuszewski, the founder of layer 2 watchdog site L2BEAT, said in an interview. But, he added, “we still have a long way to get there.” Without fully baked, fraud-proof systems, Arbitrum and Optimism cannot claim they “share” Ethereum’s security. Instead, centralized actors – the chains’ builders – technically have the ability to alter how transactions are processed.
As with other rollups, another security risk when using Optimism and Arbitrum is that their core codebases – the Ethereum-based smart contracts that allow them to operate – are vulnerable to hacks like any other blockchain-based programs. Today, Optimism and Arbitrum have systems that grant their teams the ability to quickly upgrade their software to fix unforeseen issues. “On the one hand, you'd like your contracts to be immutable,” said Kiepuszewski, because updates can be used to “upgrade the contract to something that is either outright malicious or is buggy.”, where a buggy upgrade enabled the theft of nearly $200 million.