zkEVMs Reach Milestones, But More Work Lies Ahead
March has been a big month for zkEVM development, with several new zkEVM projects being announced and existing ones reaching major development milestones. Matter Labs, the development team behind zkSync, a Layer-2 rollup, announced the launch of their zkEVM in a public and open-source mode on March 24. Polygon delivered on its March 27 target launch date for the Polygon zkEVM mainnet beta. Then on that same day, ConsenSys announced Linea—its own zkEVM solution—and opened its testnet to developers and users. Alongside these announcements, Taiko, another zkEVM project, announced the launch of their second alpha testnet on March 22. The list of significant zkEVM-related developments that made headlines in March include:
3/20: Immutable Layer-2 rollup announces new zkEVM project in partnership with Polygon
3/27: Say Hello to Linea, a Developer Friendly zk-Rollup, Powered by ConsenSys
The concentration of zkEVM related news in March has renewed excitement around zkEVMs as a promising scaling solution for Ethereum. As background, ZK-rollups (“ZKRUs”) are widely considered to be the “holy grail” of scaling, offering benefits over their optimistic counterparts including higher scaling potential, faster finality (no 7-day waiting period for withdrawals), and privacy/security benefits via zero-knowledge proofs. However, there is still much technical development that needs to be done before ZKRUs achieve that vision and become a viable solution to onboard the masses. Several ZKRUs have been live in production for years (e.g., Loopring, zkSync, Starknet, Immutable), but applications on ZKRUs have been limited to simple functions such as payments and trading as the Ethereum Virtual Machine (EVM), which enables more robust general computation, was not designed to support zk-circuits.
To overcome these limitations, researchers have proposed the zkEVM as a solution for general purpose ZKRUs. The goal of the zkEVM is to make ZKRUs capable of executing any Ethereum-based smart contract compatible using zk-based cryptographic proofs – or in other words, to make ZKRUs EVM-compatible and provide builders and users much of the same functionality in addition to the benefits of zk-technology. There are several different zkEVM approaches pursued by the different ZKRU teams that each have slight nuances in their implementations and level of EVM compatibility. For a more detailed background on zkEVMs, read this Galaxy Research report.
Following several months of testing and guarded access, ZK-rollups reached a major technical milestone with the zkSync Era Mainnet launch, which is the first public zkEVM that is permissionless for everyone to use. While the race between the teams to launch the first zkEVM may be largely inconsequential (serving only as bragging rights between teams), these zkEVM launches are particularly significant for the adoption of ZKRUs to maintain mindshare for developers and users that have grown impatient with the practical limitations of using ZKRUs despite their promising potential.
This report offers a comprehensive update on the competitive landscape between different zkEVM projects and the outlook for zkEVMs going into Q2 2023 and beyond.
Background Info
What are ZKRUs?
A rollup is a scaling solution that processes transactions outside of the main Ethereum network and publishes the record of the transaction data on the Ethereum mainnet (i.e., the Layer 1 or L1). Rollups rely on the Ethereum mainnet for its consensus mechanism, data availability, and settlement. The main value proposition of rollups is to move computation and storage off the L1 while ensuring data availability – in other words, the goal of rollups is to minimize their data footprint by modularizing core functions and offloading data to Ethereum, both of which ultimately allows for greater scalability and cheaper fees for end-users.
Rollup transactions are typically sent through an aggregator (known as a “sequencer” or “prover”) that executes the transactions off-chain, batches them up, and publishes a compressed blog of the data (called “calldata”), ensuring data availability so anyone can reconstruct the state of the rollup using public information and determine/verify its correct state, or so if a sequencer goes offline, a new sequencer can be launched to continue where things left off.
Rollups typically come in two forms: (i) optimistic rollups (“ORUs”), and (ii) zero-knowledge rollups (“zk-rollups” or “ZKRUs”). The primary difference between the two is their security models, which differ in when the cost of proof generation or validation is paid. Optimistic rollups derive their name because submitted transaction batches are optimistically assumed to be valid by default; the cost of validation (i.e., generating a fraud/(fault) proof) is only paid if the posted data is disputed. In contrast, zero-knowledge rollups pay the cost of validation upfront by publishing a succinct validity proof for every state transition that is posted to the base layer.
What are zkEVMs?
zkEVMs are a type of ZK rollup that tries to achieve equivalence with the Ethereum Virtual Machine (EVM). The EVM is the execution environment of Ethereum which dictates the rules around how transactions and smart contracts are deployed on-chain and calculates the computational cost associated with each operation. There are nuances to the level of EVM equivalence that ZKRUs can achieve, as explained by Vitalik’s post on the different types of zkEVMs and summarized in the following diagram:
Aside from zkEVM equivalence, zkEVMs can differ by data availability strategy, proving algorithms, as well as development process. The following is an updated table of the various zkEVM projects on Ethereum as of March 2023:
Given recent developments from the zkSync and Polygon teams, the next section of this report will go into deeper detail about the zkEVM projects being developed by each.
zkSync Background
zkSync is developed by Matter Labs, which launched zkSync v1 (now known as zkSync Lite), its first version of its ZKRU for simple payments in December 2020. Matter Labs also developed zkPorter, a Validium network similar to a ZKRU except that it moves data availability off-chain for more scale at the cost of greater trust assumptions.
In November, Matter Labs closed a $200m Series C funding round co-led by Blockchain Capital and Dragonfly, bringing total funding for zkSync to $458m, which includes a separate $200m dedicated ecosystem fund.
Last year, Matter Labs had introduced the term “zkEVM” and shared its plans to launch zkSync 2.0 to mainnet in October 2022, but later pushed back its planned roadmap for ongoing security audits. Since then, zkSync 2.0 was rebranded to zkSync Era and opened its mainnet to developers to deploy registered projects in February 2023 before publicly launching last week.
Polygon Background
Polygon, known for its popular Proof-of-Stake sidechain, acknowledged shortcomings in its design and has been working towards developing a more performant zk-based blockchain. In August 2021, Polygon announced a $1bn strategic fund to spend on development of zk-related technology. That same month, Polygon announced the acquisition of the Hermez Network for $250m to jointly develop the zkEVM product (later rebranded to the current Polygon zkEVM product).
In addition to Hermez, Polygon made the announcement of several other additions to its zk product suite including Polygon Miden, a STARK-based rollup, and Polygon Nightfall, a privacy-focused hybrid rollup built in collaboration with E&Y, and Polygon Zero, a ZKRU with recursive proof generation developed alongside the Mir team (acquired by Polygon in a $400m deal in December 2021). In March 2022, Polygon announced Polygon ID, an identity solution using zk-proofs. Polygon also introduced Polygon Avail as a data availability platform in June 2021, but spun off the modular blockchain project earlier this month, which also saw co-founder Anurag Arjun depart from Polygon Labs and acquire Avail.
The Polygon team launched the Polygon zkEVM beta on Mainnet on March 27, opening up access to all builders and users and successfully meeting its targeted launch date of 1Q23. During the livestream of the launch party, Vitalik Buterin performed the first transaction on the chain, which sent 0.005 ETH, costing a transaction fee of ~$0.61 and included the message: "A few million constraints for man, unconstrained scalability for mankind."
zkSync Era & Polygon zkEVM
Key features and differences of each zkEVM include:
Level of compatibility with Ethereum.
zkSync Era. According to Vitalik’s taxonomy of zkEVMs based on the level of EVM-equivalence, Era falls in the Type 4 category (high-level-language equivalent). Despite not having bytecode-level equivalence as with Type 2 and Type 3 zkEVMs, Matter Labs invested heavily in its LLVM Compiler specific for EVM languages (Solidity, Vyper, Yul) to compile Solidity code into a custom, circuit-compatible bytecode set for its custom zkSync EVM. The LLVM Compiler was also built to preserve DevEx – developers do not need to rewrite code in new languages or use different tooling. Eventually, the LLVM-based compiler will enable developers to write smart contracts in C++, Rust and other languages. Matter Labs is also working on a separate product with higher levels of compatibility with Ethereum toolkits—a L3 prototype called zkSync Opportunity.
Polygon zkEVM. Compared to Era’s language-level compatibility, Polygon zkEVM is more bytecode-equivalent, which is more EVM-equivalent, placing it under the Type 3 zkEVM category (bytecode-equivalence). It does not require a compiler so Nearly all existing smart contracts, developer tooling, and wallets on Ethereum may be re-used on Polygon zkEVM, providing developers and users with an EVM-like experience. Polygon intends to move from Type 3 to Type 2 zkEVM once all pre-compiled contracts are supported.
Prover efficiency & performance.
zkSync Era. Without the constraints of higher levels of compatibility with Ethereum, Matter Labs optimized Era’s internal VM for prover performance. Era is also unique among other existing zkEVM projects as it publishes state diffs instead of transaction inputs, providing greater compression, more frequent oracle updates, cheaper fees, and seamless off-chain storage extension using zkPorter.
Polygon zkEVM. For prover efficiency, Polygon zkEVM’s leverages a novel Proof of Efficiency consensus algorithm, which uses the State Machine approach in contrast to an arithmetic circuit approach used many other projects. PoE can also support permissionless participation to produce L2 batches.
Account Abstraction
zkSync Era. Using its custom internal VM allows Era to offer users native account abstraction, providing core benefits such as payment for transaction fees using any token or even enabling zero fee transactions for protocols willing to subsidize costs.
Polygon zkEVM. Polygon zkEVM’s closer equivalence to the EVM prohibits the protocol from offering account abstraction natively – instead, it will support account abstraction via EIP-4337.
Prioritizing Security over Trustlessness at Launch
Prior to their public mainnet launches, both zkSync Era and Polygon zkEVM went through rigorous security testing:
zkSync Era. Matter Labs noted that they spent $3.8m in testing and auditing zkSync Era prior to its public launch. This included several security audits (including tworeports from OpenZeppelin), security contests, open-sourcing zkSync Era code under an Apache 2.0 license, and establishing bug bounty program with maximum bounty of $1.1m for critical vulnerabilities.
Polygon zkEVM. Polygon similarly passed several third-party audits (including a recently completed audit report by Hexens), and open-sourced its code under an AGPL v3 license, and has an active bug bounty program paying up to $1m bounty for critical vulnerabilities.
Despite the stringent security testing completed so far, both teams are still urging users to exert caution and deploy small amounts of capital when porting over to the new zkEVM networks, which the Matter Labs team currently considers to be “test flight mode”. The Polygon team shared similar thoughts as Polygon co-founder and COO Sandeep Nailwal told Blockworks that he does not wish users to bridge millions of dollars to its zkEVM, saying, “Zk is new technology…so we [want] people [to be] as cautious as possible.”
Guardrails
On top of the active security audits and bug bounty programs, both teams have several risk mitigating mechanisms in place, at least initially at launch. They emphasize the longer-term goal for trustless cryptography but given the novelty of the technology, both teams introduce some trust assumptions as additional lines of defense as they prioritize safety.
zkSync Era
The “alpha” label attached to the zkSync launch is to inspire confidence in the state of the system while still implying that Era is still in a trusted system.
At launch, Matter Labs is implementing an execution delay or a timelock of 24 hours before committed L2 blocks committed to L1 are executed and finalized. The timelock is intended to provide the team with sufficient time to monitor for anomalies in withdrawals transactions and prevent a quick drain of the protocol should a critical bug be discovered. The length of the timelock will eventually be reduced as the system matures.
Matter Labs is also introducing instant upgradability for zkSync Era for emergency protocol upgrades. Eventually as the protocol stabilizes and matures, the team plans to transition approval for accelerated emergency upgrades to the zkSync Security Council (requiring 9/15 multisig) comprised on well-known and trusted Ethereum community members (as is currently the case for zkSync Lite). From there, Matter Labs intends to continue lowering trust assumptions gradually by limiting the influence of the Security Council in favor of broader protocol governance.
Polygon zkEVM
Similarly, Polygon also employs a dedicated Security Council capable of immediate upgrades to the protocol (requiring 4/7 multisig) with no timelocks during the initial launch phase (Stage I) of its Mainnet Beta. In addition, users will not have the ability to force transactions to the L1 in case of Sequencer downtime or censorship.
To progress on the path towards decentralizing, Polygon is following Vitalik’s proposed rollup milestones for “taking off training wheels”. Stage II of Polygon zkEVM involves removing the Emergency Halt Switch (Security Council can no longer upgrade the protocol without a timelock) and enabling users to force their transactions to L1 in case of sequencer failure to provide censorship resistance. To go from Stage I to Stage II will take at least 3-6 months to reach an adequate level of network maturity, requiring zero critical bugs to have been reported within the time period. Polygon still intends to operate with a single prover once reaching Stage II (contrasting with Vitalik’s recommendation to have at least two distinct provers), citing concerns such as interoperability obstacles between two provers.
Exploring Ecosystem Data
As of March 30, zkSync’s ecosystem page shows 23 live projects including several wallets (e.g, Argent), bridges (e.g., Celer, Multichain), infrastructure (e.g., Pyth), DeFi (e.g., rhino.fi), and NFTs. Including projects that have committed to launch brings the total ecosystem to 259 projects including many of the familiar Ethereum major DeFi protocols that have yet to go live.
Polygon does not have a page tracking live ecosystem projects and planned launches, but it has listed several prominent projects as launch partners on its website. In addition, Polygon announced a new partnership with Immutable just prior to its mainnet beta launch that will see the creation of the Immutable zkEVM rollup that is powered by Polygon’s technology.
Network Usage
While both networks just very recently launched, each is experiencing initial growth in usage.
Bridge activity shows users have already moved ~$65m in funds to zkSync Era in 250k transactions.
Users have bridged slightly more than $1.5m to Polygon zkEVM in just over 5k transactions.
Transaction Costs
While data sources on aggregate L2 fees aren’t readily available at launch, several users have complained about higher-than-expected fees on zkEVMs despite the low blockspace utilization. For example, Vitalik’s initial simple transfer transaction on Polygon zkEVM cost ~$0.61 while another user noted that their bridging transaction cost nearly $2 – providing minimal cost savings compared to Ethereum Mainnet.
However, ZKRUs provide greater cost efficiencies with higher network adoption in contrast with Ethereum and other networks. This is because proof generation and posting transaction batches comes with high fixed costs, which can be amortized across more transactions as network activity increases. So as more transactions are included in each proof batch, ZKRUs offer greater scaling potential compared to other networks as long as they cross a certain adoption threshold. In addition, zkEVM teams continue progressing on driving greater efficiencies in proof generation to lower transaction costs. EIP-4844 is also expected to result in significant cost improvements.
Data Snapshot
Key Takeaways & Outlook
Key takeaways from the first public launches of zkEVM chains and other recent developments in the zkEVM landscape:
The first zkEVM public launches represent a huge milestone for ZKRUs. For several years now, the Ethereum community has largely bought in to the belief that ZKRUs are the optimal scaling solution – yet a general purpose ZKRU capable of running all the familiar applications existing on Ethereum had yet to launch. With the public launches of the first zkEVMs, users can now access their preferred applications in a ZKRU environment, which not only provides scaling benefits but also privacy and security.
But the tech is still immature and requires significant trust assumptions as teams prioritize safety for now. As previously stated, representatives from Matter Labs and Polygon have told eager zkEVM users to exert caution when using the new technology and not to deploy excessive amounts of capital. Despite rigorous security testing and audits, the risk of unexpected bugs and technical failures in new zkEVMs remain high and the development teams have opted to introduce new trust assumptions. At launch, they have installed security fallbacks or “training wheels” such as instant upgradability or timelocks on withdrawals until they have greater assurances in the security of the protocol to remove some of the guardrails.
The path towards decentralization may be long and challenging. Decentralizing the sequencer is the long-term goal for all rollups, yet all rollup teams have a long technical roadmap before will happen. Given the frequent and rapid upgrades expected with novel rollup technology, especially on the zkEVM side, expect teams to maintain centralized control over the sequencers and network upgradability at least until they have greater confidence in performance and security of the protocols. Decentralization will be a slow progressive movement that will slowly relinquish control decisions to trusted security councils at first before granting more decision-making to broader governance structures. On the sequencer side, the steps involved for opening up the sequencer role will include token launches, enabling staking, and permissioning ZK proof generation before removing all whitelists.
Even though ZKRUs have greater scaling potential, costs will be uncompetitive until there is more usage. Transaction costs on ZKRUs remain high and uncompetitive with ORUs for now but, ZKRUs provide greater cost efficiencies with higher network adoption in contrast with Ethereum and other networks. This is because proof generation and posting transaction batches comes with high fixed costs, which can be amortized across more transactions as network activity increases. So as more transactions are included in each proof batch, ZKRUs offer greater scaling potential compared to other networks as long as they cross a certain adoption threshold. In addition, zkEVM teams continue progressing on driving greater efficiencies in proof generation to lower transaction costs. EIP-4844 is also expected to result in significant cost improvements. Still, ZKRUs have a long way to go before they become more economical than ORUs, which will likely remain Ethereum’s primary scaling solution for the near to medium term.
Competition will increase over the course of the year as more zkEVM and ZKRUs launch. zkEVM teams will continue striving for higher levels of equivalence with Ethereum. So far, the first zkEVMs to launch publicly have had lower levels of EVM equivalence (Type 3 and Type 4, according to Vitalik’s taxonomy). However, other zkEVM teams that have yet to launch are trying to achieve deeper EVM equivalence than zkSync Era and Polygon zkEVM, including Scroll and recent emergent projects Taiko and Linea. As highlighted in Galaxy’s zkEVM report, the EVM is not optimized for ZK systems and for a zkEVM to achieve higher levels of equivalence with Ethereum comes with tradeoffs such as longer and costlier proof generation. However, given that the EVM itself is likely to undergo upgrade in the future, zkEVMs with more native compatibility to the EVM are best poised to easily adopt future code changes. zkEVMs that rely on several layers of translation and re-compiling to achieve EVM equivalence will likely have a more difficult time adopting new changes to the EVM and require more engineering efforts to maintain full EVM coverage.
That said, Ethereum-level equivalence may not be the ultimate standard. zkSync intentionally launched Era as a Type-4 zkEVM (less equivalent than Polygon’s Type-3 zkEVM) using an LLVM-IR Compiler for prover performance and allowing for non-EVM features like native account abstraction without reliance on ERC-4337 support (like in the case of Polygon). Matter Labs is also working on a separate product with higher levels of compatibility called zkSync Opportunity. Polygon intends to upgrade its zkEVM from Type 3 to Type 2 once all pre-compiles are supported. While many projects strive for greater levels of Ethereum equivalence from the language-level (Type-4) to bytecode-level (Type 2 and 3) and eventually towards consensus-level (Type 1), these higher levels of equivalence may not be optimal for all projects and applications. The most complex and difficult route may not always be the most rewarding and it will be important for ZKRU teams to explore alternative approaches especially as the tech is still nascent.
Legal Disclosure:
This document, and the information contained herein, has been provided to you by Galaxy Digital Holdings LP and its affiliates (“Galaxy Digital”) solely for informational purposes. This document may not be reproduced or redistributed in whole or in part, in any format, without the express written approval of Galaxy Digital. Neither the information, nor any opinion contained in this document, constitutes an offer to buy or sell, or a solicitation of an offer to buy or sell, any advisory services, securities, futures, options or other financial instruments or to participate in any advisory services or trading strategy. Nothing contained in this document constitutes investment, legal or tax advice or is an endorsementof any of the digital assets or companies mentioned herein. You should make your own investigations and evaluations of the information herein. Any decisions based on information contained in this document are the sole responsibility of the reader. Certain statements in this document reflect Galaxy Digital’s views, estimates, opinions or predictions (which may be based on proprietary models and assumptions, including, in particular, Galaxy Digital’s views on the current and future market for certain digital assets), and there is no guarantee that these views, estimates, opinions or predictions are currently accurate or that they will be ultimately realized. To the extent these assumptions or models are not correct or circumstances change, the actual performance may vary substantially from, and be less than, the estimates included herein. None of Galaxy Digital nor any of its affiliates, shareholders, partners, members, directors, officers, management, employees or representatives makes any representation or warranty, express or implied, as to the accuracy or completeness of any of the information or any other information (whether communicated in written or oral form) transmitted or made available to you. Each of the aforementioned parties expressly disclaims any and all liability relating to or resulting from the use of this information. Certain information contained herein (including financial information) has been obtained from published and non-published sources. Such information has not been independently verified by Galaxy Digital and, Galaxy Digital, does not assume responsibility for the accuracy of such information. Affiliates of Galaxy Digital may have owned or may own investments in some of the digital assets and protocols discussed in this document. Except where otherwise indicated, the information in this document is based on matters as they exist as of the date of preparation and not as of any future date, and will not be updated or otherwise revised to reflect information that subsequently becomes available, or circumstances existing or changes occurring after the date hereof. This document provides links to other Websites that we think might be of interest to you. Please note that when you click on one of these links, you may be moving to a provider’s website that is not associated with Galaxy Digital. These linked sites and their providers are not controlled by us, and we are not responsible for the contents or the proper operation of any linked site. The inclusion of any link does not imply our endorsement or our adoption of the statements therein. We encourage you to read the terms of use and privacy statements of these linked sites as their policies may differ from ours. The foregoing does not constitute a “research report” as defined by FINRA Rule 2241 or a “debt research report” as defined by FINRA Rule 2242 and was not prepared by Galaxy Digital Partners LLC. For all inquiries, please email [email protected]. ©Copyright Galaxy Digital Holdings LP 2023. All rights reserved.