L2 Network Security Phase Division: From Theory to Practice

The security of L2 networks has always been a focus of attention in the industry regarding Ethereum's scaling solutions. Recently, the community has had in-depth discussions on the three phases of L2 network security, which not only relates to the stable operation of the Ethereum mainnet and L2 networks but is also closely tied to the actual development status of L2 networks.

Community members proposed the naming label #BattleTested for the L2 network Stage 2, believing that only L2 networks that meet the following conditions can earn this title:

1. Code and configuration have been live on the Ethereum mainnet for over 6 months.
2. Total locked value ( TVL ) continues to maintain above 100 million USD.
3. At least 50 million USD worth of ETH and major stablecoins.

The title adopts a dynamic evaluation mechanism to avoid the phenomenon of "on-chain ghosting."

In this regard, one of the founders of Ethereum provided a detailed explanation and shared his views. He divides the security of L2 networks into three stages, mainly based on the extent to which the security committee covers the trustless components:

• Stage 0: The Security Committee has full control. The proof system is only advisory in nature.
• Stage 1: Approval from more than 75% of the security committee members is required to override the operating system.
• Phase 2: The Security Committee can only take action in cases of provable errors.

These three stages can be represented by the "voting shares" of the security committee. The key issue is the best timing for the L2 network to transition from one stage to the next.

The only reasonable reason not to immediately enter Stage 2 is a lack of complete trust in the proof system. The more confidence there is in the proof system ( or the less confidence there is in the security committee ), the more inclined one is to push the network to progress to the next stage.

Through a simplified mathematical model, we can quantify this. The assumptions include:

• Each member of the security committee has a 10% individual failure probability.
• The probability of active failures and security failures is equal.
• The security committee judgment criteria for Phase 0 and Phase 1 are 4/7 and 6/8 respectively.
• There is a single unified proof system

Under these assumptions, considering the specific probability of the proof system crashing, we aim to minimize the likelihood of the L2 network crashing.

Calculated using the binomial distribution:

• Phase 0 integration system has a fixed failure probability of 0.2728%
• The failure probability of Stage 1 depends on the failure rate of the proof system and the failure situation of the security committee.
• The failure probability of Stage 2 is consistent with the failure probability of the proof system.

The results show that as the quality of the proof system improves, the optimal stage shifts from 0 to 1, and then from 1 to 2. Using a proof system of stage 0 quality for stage 2 network operation yields the worst results.

However, this simplified model has limitations:

1. Members of the safety committee in reality are not completely independent and may have "common mode failures."
2. The proof system may be composed of multiple independent systems.

These two points indicate that Phase 1 and Phase 2 are actually more attractive than what the model shows.

From a mathematical perspective, the existence of Stage 1 seems difficult to justify, and we should directly move to Stage 2. However, considering the potential critical errors that may arise, it is recommended to grant any member of the security committee the authority to delay withdrawals for 1-2 weeks, so that other members have sufficient time to take remedial action.

At the same time, jumping to phase 2 too early can also be a mistake, especially at the expense of strengthening the underlying proof system. Ideally, data providers should demonstrate audit and maturity indicators of the proof system, along with displaying the current phase.

In summary, the division and transition of the security phases of L2 networks require weighing multiple factors, considering both theoretical models and practical situations, to ensure the stable and secure operation of the network.