
Re-evaluating Layer2 and Rollup through L2BEAT's Risk Rating Metrics
TechFlow Selected TechFlow Selected

Re-evaluating Layer2 and Rollup through L2BEAT's Risk Rating Metrics
Most rollups won't give up on the multisig security council, and L2 contracts will remain "immediately upgradeable" for a long time.
Author: Faust
When it comes to the name L2BEAT, most people may have heard of it but don't fully understand what it does. For a long time before 2023, L2BEAT was generally perceived merely as a "data visualization platform for Ethereum Layer2," and beyond displaying TVL data and categorizing technical solutions within the L2 space, few were aware of its broader functionalities. However, with the launch of its Layer2 risk rating metrics in June this year, L2BEAT—functioning like a niche "Ethereum L2 rating agency"—has gradually gained wider recognition.

When referring to the term "rating agency," there's a vivid metaphor from the book *The World Is Flat*: "We live in a world dominated by two superpowers: one is the United States, and the other is the credit rating agencies. The U.S. can destroy a country with bombs; rating agencies can ruin a country by downgrading its bonds. Sometimes, it’s hard to say which power is greater."
From the 1997 Asian financial crisis to the 2007 subprime mortgage crisis, Wall Street rating agencies played pivotal roles—often acting as key drivers behind these disasters. In Web3—a world that outwardly champions "trustlessness" yet fundamentally relies on "social consensus"—"risk ratings" remain an unavoidable cornerstone. Whether it's smart contract audits or on-chain anomaly detection, their importance rivals (if not surpasses) that of zero-knowledge proofs and consensus algorithms.
For the emerging field of modular blockchains, having an objective, comprehensive risk assessment framework capable of differentiating between various Layer2 solutions is especially critical. With Layer2 ecosystems now safeguarding close to tens of billions of dollars in assets, identifying potential risks and effectively warning users has become an urgent real-world challenge.

In a forum post from 2022, Vitalik noted that nearly all current Rollups are immature, relying heavily on what he called “Training Wheels” to maintain normal operations. These "training wheels" reflect how much a Rollup depends on "manual intervention" and "social consensus." The less reliance a Rollup has on such mechanisms, the more "trustless" and secure it becomes; conversely, higher dependence implies greater risk.

For example, optimistic Rollups like Optimism generally lack fraud proof systems, significantly increasing their risk level. Other Layer2s, such as Immutable X, implement data availability (DA) off-chain relative to Ethereum, while others like Starknet lack immediately accessible forced withdrawal or forced transaction functions. For Layer2s, these features are essential prerequisites to achieving security "equivalent to Ethereum." Beyond these issues, nearly all current L2 teams retain a "backdoor"—a set of multi-signature wallets controlling the L2 contracts on Ethereum, allowing them to alter state hashes at will, representing another major vulnerability.

To better distinguish and define Rollups, Vitalik and others proposed classifying Rollups into three levels—Stage 0, Stage 1, and Stage 2—based on their degree of reliance on training wheels or human intervention. Later, L2beat refined this classification through community feedback, leading to the following general framework:
Stage 0 — Fully reliant on training wheels; the minimum standard for any Rollup:
· The project claims to be a Rollup.
· Transactions processed by the Rollup must be “on-chain”—meaning data related to L2 state transitions must be disclosed on L1, along with the hash of the L2 state (Stateroot).
· A set of permissionless, open-source full Rollup nodes should exist, enabling users to verify the complete state of all accounts (including balances, transaction counts, etc.) on L2.


Only L2 projects meeting all the above criteria are labeled as Stage 0 by L2beat—representing the bare minimum for being considered a Rollup. Otherwise, they are not classified as Rollups (e.g., Arbitrum Nova).

Stage 1 — Partially reliant on training wheels, characterized by the following:
· Must have implemented a fraud proof or validity proof system to ensure the correctness of L2 state transitions.
· For optimistic Rollups, at least five non-official entities must be able to run L2 nodes and submit fraud proofs (i.e., the challenger whitelist must include at least five parties outside the Rollup team).
For example, as of November 2022, Arbitrum One’s challenger whitelist included nine entities: Consensys, Ethereum Foundation, L2BEAT, Mycelium, Offchain Labs, P2P, Quicknode, DLRC, and Unit410.

· Users must always have the ability to bypass the Sequencer (Operator), enabling forced withdrawals of assets from L2 back to L1 to prevent fund freezing; if the sequencer launches a censorship attack by refusing certain transactions, users can force-submit those transactions directly onto the L1 Rollup transaction queue. Aside from publishing incorrect Stateroots, the sequencer would have no other viable way to act maliciously.
· A security council composed of a multi-sig group may exist, authorized to perform emergency upgrades to the Rollup contract or override the L2 state hash recorded on-chain. However, the private keys of this multi-sig must be sufficiently decentralized, with a high threshold. Vitalik himself suggests a minimum of 6 out of 8 signers—meaning more than eight individuals control the keys, with a 75% approval threshold required for execution.

· Any Rollup contract upgrade not authorized by the security council must be subject to a timelock delay of at least seven days. This provides users with a minimum of seven days to safely withdraw funds in case of a malicious governance proposal (such as the Tornado Cash governance attack incident).


Currently, only mainstream Rollups such as Arbitrum One, dYdX, and zkSync Lite meet Stage 1 requirements. All other major Rollups remain at Stage 0.
Stage 2 — Fully eliminating training wheels, becoming a truly trustless Rollup:
· Fraud proof submission in optimistic Rollup networks must be permissionless, removing any whitelist restrictions (Arbitrum One recently introduced a protocol called BOLD toward this goal).
· All Rollup contract upgrades must be delayed by at least 30 days via timelock, or the contracts must be entirely immutable. This ensures users have at least 30 days to safely withdraw funds in the event of a malicious upgrade.
To better understand the risk rating metrics outlined by L2BEAT, let’s examine three Rollup examples across different security tiers.
Stage 0 – Base, Stage 1 – Arbitrum One, Stage 2 – Fuel:
Base is one of the leading projects among optimistic Rollups. It uses an L1 contract to record the L2 state root (Stateroot), manage deposits and withdrawals, leverages Ethereum for data availability (DA), and maintains a bridge connection with L1.

The Base sequencer discloses L2 transaction data to L1. Specifically, every few minutes, the sequencer sends a transaction to a designated address on Ethereum, embedding compressed transaction data within the calldata field. Since L2 full nodes automatically sync L1 blocks, they can detect this transaction, parse the calldata to extract L2 transaction data, determine the latest sequencer state, compute the correct Stateroot, and compare it against the one submitted on L1.

Currently, Base lacks a fraud proof system, meaning there's no guarantee that the L2 Stateroot recorded on the L1 contract is accurate. However, users running full L2 nodes can quickly identify discrepancies. Additionally, Base lacks forced withdrawal mechanisms to resist censorship attacks—if the sequencer goes down for an extended period or deliberately ignores user requests, L2 users cannot securely withdraw to L1, creating significant security vulnerabilities.
Clearly, such a Rollup is insecure at the mechanism design level. However, users and community members can issue warnings via social media when necessary, alerting bodies such as the Ethereum Foundation or even regulators like the SEC. This is known as "social consensus"—leveraging high data transparency and community-driven oversight to deter malicious behavior through public scrutiny, manual intervention, and potential legal accountability. This represents the lowest tier of security, as it cannot prevent wrongdoing upfront, only respond after the fact.
Yet, "social consensus" remains a foundational element of blockchain security (for instance, if someone attempts a malicious Ethereum fork, the community determines which chain to follow). Moreover, wrongdoers often refrain from taking risks due to fear of exposure—though exceptions exist (e.g., FTX, ZT, Mt. Gox).

Switching our focus to Arbitrum One reveals clear differences. For example, it has implemented a functional fraud proof system with a challenger whitelist—including nodes operated by nine distinct entities such as the Ethereum Foundation and L2BEAT. If the sequencer submits an incorrect Stateroot on L1, challenger nodes can submit fraud proofs, ensuring the accuracy of the L2 state recorded in the Rollup contract.
Furthermore, Arbitrum One features a forced transaction mechanism to counter sequencer censorship attacks, allowing users to call the forceInclusion function of the Sequencer Inbox contract on L1 to directly submit transaction instructions. If the sequencer fails to process a forced inclusion request within 24 hours, the transaction or withdrawal is automatically added to the Rollup transaction sequence, providing users with a "safe exit" to forcibly withdraw from L2.
It should be emphasized that in Stage 1 Rollups, users who can obtain the full state of L2 accounts and construct Merkle Proofs corresponding to their own balances can initiate forced withdrawals via designated functions in the Rollup contract (commonly referred to as an "escape hatch"). How users access account states depends on whether the Rollup network offers publicly accessible full nodes (which nearly all L2s do).
Additionally, contract upgrades on Arbitrum One are constrained by multiple safeguards: standard upgrade proposals require on-chain governance voting, followed by a 12-day timelock delay before automatic execution. If a proposed upgrade contains malicious logic, it can be vetoed by the Security Council via multi-sig approval.

However, the Arbitrum One Security Council itself can bypass the timelock restriction—for example, if 9 out of 12 multi-sig signers approve, the council can immediately upgrade the contract code or forcibly modify the L2 Stateroot recorded in the Rollup contract.
As for why the Security Council holds such power, Vitalik once explained:
“Some Rollups may employ multiple independent state transition functions—for instance, two disputing fraud proof submitters, multiple provers submitting conflicting validity proofs, a sequencer attempting to fork the L2 ledger on L1, or failure to submit validity proofs within seven days—all of which could lead to systemic collapse. In such dangerous scenarios, the Security Council can intervene manually to guide the system toward the correct outcome.”
Of course, Vitalik only cited a few simple "dangerous situations." Given that Rollup contracts may face hacking attempts and sequencers could be compromised (or have insider threats), emergency response measures are clearly necessary.
According to Vitalik, a mature Rollup may allow contract upgrades, but only with a timelock delay exceeding 30 days—to give users and the community ample time to react.

Clearly, since Arbitrum’s Security Council can instantly upgrade contracts upon multi-sig approval, malicious code in a new version could theoretically steal user funds on L2. Therefore, Arbitrum One does not meet Vitalik’s definition of a fully mature Rollup—it simply operates at a relatively lower risk level.

When examining "fully mature Rollups," only two projects listed on L2BEAT qualify: Fuel V1 and DeGate. Among them, Fuel V1 was the first optimistic Rollup to implement a fraud proof system, with permissionless fraud proof submission—anyone can operate a node and submit proofs when needed. Additionally, Fuel V1’s contracts are immutable—no upgrades are possible, and the Security Council cannot alter the L2 Stateroot recorded on the Rollup contract, eliminating any council-related risks.
Fuel V1 achieves the lowest possible risk level, but each update requires redeploying the entire contract and manual asset migration by users—effectively launching a new project each time. This leads to liquidity fragmentation and severely limits flexibility. Due to factors such as its UTXO-based programming model (incompatible with EVM) and the founder later joining Celestia, Fuel’s development has stalled, and its ecosystem growth has been disappointing.
In summary, pursuing absolute security comes at the cost of inflexible updates. Given that fraud proof and validity proof technologies are still evolving, maintaining some degree of contract upgradability may be a necessary feature for Rollups today.
For the foreseeable future, we can expect the following: Most Rollups will retain their Security Council multi-sigs, and L2 contracts will maintain "immediate upgradability" (one ZK Rollup project kept its council multi-sig for years before abandoning it to launch a new project entirely). Considering the complexity of developing fraud proof systems, many non-top-tier optimistic Rollups likely won’t deploy them in the near term (probably not even by end of 2023). As a result, Arbitrum One will likely maintain its leadership in the Rollup space—not because it offers the highest security, but because it combines a relatively robust fraud proof system, a well-distributed Security Council multi-sig (9 out of 12 signers, including both core team and community members), and the largest DApp ecosystem, hosting over 440 applications. Whether Base, despite its poor security and heavy marketing focus, can sustain its recent growth momentum remains to be seen. If Base overtakes Arbitrum One in TVL, it might signal a collapse of the "trustlessness" ethos itself.
Above all, the most important takeaway is that we will always need institutions like L2BEAT. In this volatile and chaotic era, a clear, comprehensive risk rating framework remains essential to the healthy development of the Ethereum ecosystem—and Web3 as a whole.

Join TechFlow official community to stay tuned
Telegram:https://t.me/TechFlowDaily
X (Twitter):https://x.com/TechFlowPost
X (Twitter) EN:https://x.com/BlockFlow_News














