Author: Ishita
Translation: TechFlow
The past decade of Ethereum’s development has revolved around a simple promise: scaling the network without sacrificing decentralization. According to its roadmap, the answer is a future centered on rollups. In this architecture, Layer 2 networks (L2s or “rollups”) execute transactions off-chain, achieving lower costs and higher throughput, while still deriving core security guarantees from Ethereum as the base layer (Layer 1).
Almost all major rollup projects, including Arbitrum, Optimism, Base, zkSync, and Scroll, have “secured by Ethereum” as a core brand message. This slogan is powerful and central to their marketing narrative—but does it really hold true? A deeper look into how these rollups actually operate and how assets flow within them reveals that this claim is ambiguous.
This article will dissect the gap between the slogan and reality, starting from bridges (where user funds reside), to sequencers (the entities responsible for transaction ordering), and finally to governance (the rule-makers), discussing each aspect in turn.
The Reality of Rollup Bridges
Rollups claim to be “secured by Ethereum,” but this statement obscures how users actually interact with these systems.
To use a rollup—whether for DeFi, payments, or applications—you first need to move assets onto the rollup. However, Ethereum does not have built-in functionality for direct deposits or withdrawals—you can’t simply “teleport” ETH to a rollup. This is where bridges come in. Bridges are the entry and exit points between Ethereum and rollups, and they determine the actual security users experience.
How Bridges Work
Deposits
When you deposit ETH into a rollup, you are actually sending it to a bridge contract on Ethereum. This contract locks your ETH and instructs the rollup to credit your L2 wallet with the same amount of ETH. For example, if you deposit 1 ETH, the bridge contract securely holds that 1 ETH on Ethereum, and your rollup account shows 1 ETH as well. Since the ETH is locked on Ethereum, this deposit is trust-minimized.
Withdrawals
Withdrawals are much more complex. The process is the reverse of deposits:
- You burn (or lock) tokens on the rollup.
- You send a message to the Ethereum bridge contract: "I have burned tokens on L2, please release my locked ETH."
- The problem: Ethereum cannot see what happens inside the rollup; it is blind to L2 computations.
Therefore, Ethereum will only release your funds if the bridge provides proof that the withdrawal is legitimate. This proof may include:
- Fraud Proofs (Optimistic schemes): Transactions are assumed valid by default unless challenged within a dispute window.
- Validity Proofs (Zero-Knowledge schemes): Cryptographic proofs are provided in advance to show all transactions follow the rules, allowing Ethereum to immediately trust the results.
- Multisigs or Committees: Relying on trusted parties for certification.
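The optimistic (fraud-proof) release path described above, as an added Python example that is not code from the article or from any rollup: the L1 bridge releases locked ETH only against a posted withdrawal root that has aged past the dispute window unchallenged, plus a Merkle proof of the burn. The 7-day window, the leaf encoding, all class and function names, and the one-call `challenge` standing in for a full fraud-proof game are assumptions.

```python
import hashlib

CHALLENGE_WINDOW = 7 * 24 * 3600  # assumed dispute window, in seconds

def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def leaf(user, amount, nonce):
    # One burned-on-L2 withdrawal claim; 0x00 tags leaves, 0x01 tags inner nodes.
    return h(b"\x00" + f"{user}:{amount}:{nonce}".encode())

def build(leaves, index):
    """Root and inclusion proof for leaves[index]; len(leaves) must be a power of two."""
    level, proof = list(leaves), []
    while len(level) > 1:
        proof.append((level[index ^ 1], index & 1))  # (sibling, sibling_is_left)
        level = [h(b"\x01" + level[i] + level[i + 1]) for i in range(0, len(level), 2)]
        index //= 2
    return level[0], proof

def verify(root, item, proof):
    for sibling, sibling_is_left in proof:
        item = h(b"\x01" + (sibling + item if sibling_is_left else item + sibling))
    return item == root

class OptimisticBridge:
    """L1 side: releases locked ETH only against an aged, unchallenged root."""
    def __init__(self):
        self.locked, self.roots, self.spent = 0, {}, set()
    def deposit(self, amount):
        self.locked += amount
    def propose_root(self, root, now):
        self.roots[root] = {"at": now, "challenged": False}
    def challenge(self, root, now):
        # Assumed stand-in for a fraud-proof game: a timely challenge voids the root.
        if now < self.roots[root]["at"] + CHALLENGE_WINDOW:
            self.roots[root]["challenged"] = True
    def withdraw(self, root, user, amount, nonce, proof, now):
        claim, state = leaf(user, amount, nonce), self.roots.get(root)
        if state is None or state["challenged"]:
            return "rejected: root unknown or challenged"
        if now < state["at"] + CHALLENGE_WINDOW:
            return "rejected: dispute window still open"
        if claim in self.spent or not verify(root, claim, proof):
            return "rejected: replayed or unproven claim"
        if amount > self.locked:
            return "rejected: bridge underfunded"
        self.spent.add(claim)
        self.locked -= amount
        return "released"
```

A multisig or committee bridge replaces the window and proof checks with a signature-threshold check, which is why its security rests on the signers rather than on Ethereum.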
The bridge is the key for users to access rollups. You can think of it as a window into a house. Even if the window (bridge) breaks, the house (rollup) still stands. But if the window shatters, you can no longer safely enter or exit. Similarly, a bridge failure cuts off user access, even if the rollup’s core mechanisms are still running.
Therefore, the bridge layer is the right lens for judging rollup security. Whether assets are truly “secured by Ethereum” depends on the bridge you use and its trust model, not the rollup itself.
Bridge Models and Their Assumptions
- Canonical Bridges: These are the “official bridges” directly tied to Ethereum for each rollup. When users lock assets here, Ethereum validators guarantee that even if the L2 stops operating, users can eventually withdraw back to Layer 1. This is the only bridge type that directly inherits Ethereum’s security properties.
- External Bridges: Bridges like Wormhole, LayerZero, and Axelar optimize user experience with fast chain-to-chain transfers, but rely on their own validator committees or multisig mechanisms. These bridges are not enforced by Ethereum consensus. If these off-chain operators are hacked or collude maliciously, users can lose funds even if Ethereum itself is functioning properly.
- Native Issuance: Refers to tokens minted directly on the rollup, such as USDC on Base or OP on Optimism. These assets never pass through canonical bridges and cannot be redeemed on Layer 1. Their security comes from the rollup’s governance and infrastructure, not Ethereum.
The Actual Distribution of Rollup Assets
As of August 29, 2025, Ethereum rollups collectively secure approximately $43.96 billion in assets, distributed as follows:
- External Bridges: $16.95 billion (39%)—the largest share
- Canonical Bridges: $14.81 billion (34%)—assets secured by Ethereum
- Native Issuance: $12.20 billion (27%)—rollup-native assets
Historical Trend Analysis
Looking back at 2019–2022, canonical bridges were the main driver of rollup adoption. Almost all early growth was achieved through canonical bridges, keeping Ethereum at the core.
However, starting from the end of 2023, things began to change:
- Canonical bridges continued to grow, but their market share began to decline, peaking in 2024.
- Native issuance gradually expanded, especially between 2024 and 2025.
- External bridges grew sharply from late 2023, surpassing canonical bridges by early 2025, marking Ethereum’s loss of the majority share of rollup assets.
- Today, two-thirds of rollup assets (external + native) are no longer directly secured by Ethereum.
Breakdown of the Rollup Ecosystem
The market is highly concentrated: the top six rollups account for 93.3% of total value locked (TVL). Asset distribution across ecosystems is as follows:
- Canonical Bridges: 32.0%
- Native Issuance: 28.8%
- External Bridges: 39.2%
Pie Chart Overall Pattern Analysis
- External Bridges Dominate: For rollups like Arbitrum and Unichain, users seek fast exits and liquidity, preferring third-party bridges.
- Canonical Bridges Dominate: For rollups like Linea (and to a lesser extent OP Mainnet), more collateral from L1 sources flows through canonical bridges.
- Native Issuance Dominates: For rollups like zkSync Era and Base, assets are minted directly on L2 (such as native USDC on Base) and flow in through direct entry points.
Key Point: The majority of assets on major rollups are now outside the direct security guarantees of Ethereum. The actual security users receive depends on the trust mechanisms behind each bridge model, not the rollup itself.
Beyond Bridges: What Other Risks Exist?
The bridge model determines asset custody, but even if all assets use canonical bridges, users still face other trust and security vulnerabilities. The following three areas are especially important: transaction ordering mechanisms, governance structures, and the impact of composability on user experience.
1. Sequencers: Centralized Points of Control
Sequencers are responsible for deciding the order and packaging of transactions. Currently, the vast majority of rollups use centralized sequencers—a design that is efficient and profitable, but also introduces the following risks:
- Transaction Censorship: Sequencers can refuse to include certain transactions, enabling censorship.
- Withdrawal Blocking: Sequencers decide when to batch exit transactions to Ethereum, so they can indefinitely block withdrawals.
- Complete Downtime: If a sequencer goes offline, rollup activity pauses until it comes back online. (For example, Arbitrum once experienced 78 minutes of downtime.)
Ethereum provides a “force inclusion” mechanism, allowing users to submit transactions directly to Layer 1 to bypass the sequencer. However, this mechanism does not guarantee fairness, as the sequencer still controls block ordering, which can be enough to undermine user experience. For example:
- Suppose you try to withdraw funds from Aave on L2.
- You submit a force-inclusion withdrawal request via Ethereum, meaning the sequencer cannot ignore your transaction.
- However, the sequencer can insert its own transactions before yours—for example, borrowing more from the same liquidity pool.
- By the time your withdrawal executes, the pool has insufficient liquidity, causing your withdrawal to fail.
- Although your transaction was “included,” the outcome was sabotaged.
Additionally, force inclusion has practical issues: wait times can be hours (sometimes over 12 hours), throughput is limited, and even after submission, transactions can be reordered. Thus, this mechanism is more of a slow safety valve than a guarantee of fair execution.
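The Aave scenario above as an added Python example (not from the article): a toy pool in which the same two transactions are both included, yet the forced withdrawal succeeds or reverts depending only on their order, plus a check that flags forced transactions which reverted but would have succeeded at the head of the block. The pool model, amounts, and all names are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Tx:
    sender: str
    kind: str             # "withdraw" or "borrow"
    amount: int
    forced: bool = False  # arrived through the L1 force-inclusion path

class Pool:
    """Toy lending pool (constructed): no interest, no collateral checks."""
    def __init__(self, liquidity, deposits):
        self.liquidity, self.deposits = liquidity, dict(deposits)

    def apply(self, tx):
        """Execute one tx; True on success, False on revert (state unchanged)."""
        if tx.amount > self.liquidity:
            return False
        if tx.kind == "withdraw":
            if tx.amount > self.deposits.get(tx.sender, 0):
                return False
            self.deposits[tx.sender] -= tx.amount
        self.liquidity -= tx.amount
        return True

def execute(block, liquidity, deposits):
    pool = Pool(liquidity, deposits)
    return [pool.apply(tx) for tx in block]

def ordering_victims(block, liquidity, deposits):
    """Forced txs that reverted in this order but succeed at the head of the block."""
    victims = []
    for pos, ok in enumerate(execute(block, liquidity, deposits)):
        tx = block[pos]
        if tx.forced and not ok and Pool(liquidity, deposits).apply(tx):
            victims.append((tx.sender, [t.sender for t in block[:pos] if not t.forced]))
    return victims

# Constructed scenario: 100 ETH of pool liquidity, of which alice deposited 80.
LIQUIDITY, DEPOSITS = 100, {"alice": 80}
forced_exit = Tx("alice", "withdraw", 80, forced=True)
front = Tx("sequencer", "borrow", 50)
SEQUENCER_FIRST = [front, forced_exit]  # included, but liquidity is already gone
L1_ORDER = [forced_exit, front]         # same txs, forced tx keeps its place
```

Running `ordering_victims` over finalized blocks is a monitoring check: it separates "included" from "executed as intended", which the inclusion guarantee alone does not cover.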
Decentralized sequencers are gradually gaining attention. Projects like Espresso and Astria are building shared sequencer networks to improve resilience and interoperability.
One core concept is “pre-confirmations”: sequencers or shared networks can promise in advance that a transaction will be included, even if it has not yet been finalized on Ethereum. This reduces the latency introduced by decentralization, providing users with faster assurances while maintaining neutrality.
Nevertheless, centralized sequencers remain dominant because they are simple, profitable, and more attractive to institutions—at least until competition or user demand forces a change.
2. Governance and Incentive Risks: The Corporate L2
Who operates the rollup is crucial. Many leading rollups are run by companies or VC-backed teams, such as Coinbase’s Base, Offchain Labs’ Arbitrum, and OP Labs’ Optimism.
The primary obligation of these teams is to their shareholders and investors, not to Ethereum’s social contract.
- Shareholder Responsibility → Profit Pressure: Initially low fees to attract users, followed by fee increases as liquidity and applications become locked in (the classic “platform tax” model). In the future, we may see higher sequencer fees, preferential integrations, or rules that favor the operator’s overall business.
- Lock-in Effect → Leverage: As billions of dollars in TVL and users accumulate, the cost of exit rises, allowing operators to change economics or policies with limited risk of migration.
- Cultural Misalignment: Ethereum relies on open development meetings, multi-client diversity, and open governance (such as EIPs). Corporate rollups, on the other hand, tend toward top-down management, often holding admin keys or multisig permissions to pause, upgrade, or freeze the system—prioritizing compliance or profitability over neutrality. Over time, these rollups may resemble “walled gardens” rather than Ethereum’s open ecosystem.
The result is a growing gap between Ethereum’s open ethos and the incentive structures shaping corporate rollups. This gap not only affects governance, but also spreads to how applications interact and how users experience the system.
3. Composability and User Experience
The “magic” of Ethereum lies in atomic composability: smart contracts can synchronously read and write in a single transaction (e.g., swapping assets on Uniswap, repaying Aave debt, and triggering Maker operations all at once). However, L2s break this composability:
- Asynchronicity: Cross-rollup messaging is delayed, canonical withdrawals can take days, and third-party bridges add trust assumptions.
- Fragmentation: Liquidity and state are scattered across different L2s, weakening Ethereum’s seamless DeFi user experience.
What’s the solution?
Ethereum-native rollups (designed and governed to Layer-1 standards) can enable synchronous L2→L1 reads, L1→L2 writes, and atomic cross-rollup writes, thus restoring much of Layer-1 composability while scaling blockspace. Without these features, user experience (UX) will continue to gravitate toward convenience layers that lack Ethereum security.
The Future of Rollups
If “secured by Ethereum” is to be more than a slogan, its core security must be anchored in Layer 1, not in off-chain committees or a single company’s sequencer. The following three design philosophies illustrate possible trends:
Native Rollups: Moving Verification Fully On-Chain to Ethereum
- Instead of requiring users to trust independent fraud proof systems, unauditable zk provers, or security committees, rollups can provide a transaction trace that Ethereum can independently re-execute.
- In practice, this makes withdrawals and state correctness a Layer 1 right, not a promise: if a rollup claims your balance is X, Ethereum can directly verify this claim.
- This design narrows the attack surface of bridges, reduces the need for pause keys, and keeps rollups aligned with Ethereum’s future upgrades.
- The trade-off is higher Layer 1 costs, but the payoff is simple: in case of disputes, Layer 1 decides.
- No native rollups are live yet.
Ethereum Validator-Based Sequencing Rollups
- Today, a single sequencer can reorder or delay transactions, which is enough to undermine “force inclusion” in practice.
- With sequencing-based designs, the canonical order of transactions is determined by Layer 1 consensus, making censorship and last-minute reordering much harder.
- Force inclusion becomes a normal path, not just a slow safety valve. Projects can add “pre-confirmations” to maintain smooth UX while letting Layer 1 be the final arbiter of ordering.
- This design sacrifices some Layer 2 revenue and flexibility, but eliminates the biggest single point of control in current architectures.
- Core teams currently researching sequencing-based rollup designs include Taiko, Spire, and Puffer.
Key Storage Rollups: Addressing Key and Upgrade Risks
- Instead of each rollup and app independently handling account recovery, session keys, and key rotation, a minimal “key storage” rollup standardizes this logic and synchronizes it everywhere.
- Users can rotate or recover keys in one place, with changes propagating to all Layer 2s. Operators need fewer emergency keys, and admins need fewer “god-mode” switches.
- The end result is fewer compromised wallets, fewer emergency upgrades after incidents, and a clearer separation between account security and application logic.
- Key storage rollup designs are currently only theoretical and not yet live.
In summary, these design philosophies collectively address the real issues users face: trust-dependent withdrawal mechanisms, transaction ordering controlled by a single company, and fragile key and upgrade paths.
Bringing verification, sequencing, and account security into Ethereum’s domain is how rollups can truly be “secured by Ethereum”—not just as a marketing slogan.