Watchtowers require altruism. These off-chain services monitor for fraud in systems like the Lightning Network or optimistic rollups, but their operators have no direct financial stake in the outcome.
Why Watchtower Models Are Fundamentally Flawed
An analysis of why watchtower-based security, used by bridges like Across and optimistic rollups, is a critical design flaw. It relies on altruistic vigilance, lacks economic guarantees, and creates systemic risk in cross-chain infrastructure.
The Altruism Assumption: Crypto's Fatal Flaw
Watchtower models fail because they rely on altruistic actors to perform critical security functions without sufficient economic reward.
Economic incentives are misaligned. A watchtower earns fees for submitting fraud proofs, but the cost of constant monitoring often exceeds the reward, creating a classic public goods problem.
Real-world failure is inevitable. The Lightning Network's reliance on user-run watchtowers has led to widespread fund loss, proving the model is not scalable for mass adoption.
Contrast with bonded systems. Protocols like Across Protocol and Optimism's fault proofs use bonded validators whose stake is slashed for inaction, creating a direct penalty for failure.
Executive Summary: The Core Flaws
Watchtowers are a security crutch for state channels and rollups, but their economic and technical model is fundamentally broken.
The Liveness Trap
Watchtowers require users to be perpetually online or delegate to a third party, reintroducing the custodial risk they aim to solve. This creates a security vs. convenience trade-off that users consistently fail at.
- User Liveness is a Fantasy: Expecting users to monitor 24/7 is a UX failure.
- Delegated Custody: Shifts trust from the protocol to a watchtower operator, a single point of failure.
The Economic Misalignment
Watchtowers have no sustainable revenue model. Their service is a public good with near-zero marginal cost, leading to a race to the bottom on fees and eventual centralization or collapse.
- Free-to-Start, Expensive-to-Sustain: Initial subsidies mask the long-term cost of secure, decentralized liveness.
- Prisoner's Dilemma: Operators are incentivized to cut corners (e.g., lower uptime) to remain profitable, degrading network security.
The Data Availability Blind Spot
Watchtowers are useless if they can't access the data needed to construct fraud proofs. This makes them entirely dependent on the underlying chain's data availability, which is the actual hard problem.
- Garbage In, Garbage Out: A watchtower with censored or unavailable data is a paper tiger.
- Architectural Redundancy: Solutions like EigenDA, Celestia, and validiums solve the root cause, making the watchtower layer obsolete.
Thesis: Watchtowers Invert Crypto's Security Premise
Watchtower models reintroduce centralized trust assumptions that directly contradict the self-custody ethos of blockchain.
Watchtowers reintroduce trusted third parties. The core promise of crypto is user-controlled security. Watchtowers, like those in the Lightning Network or for optimistic rollups, require users to delegate monitoring and enforcement to a third-party server.
This creates a liveness dependency. The user's security model now depends on the watchtower's uptime and honesty. If the watchtower fails, the user's funds are at risk from old-state attacks, a problem solved by self-custody.
The economic model is broken. Running a watchtower is a public good with no sustainable revenue. This leads to under-provisioning or forces protocols like Arbitrum to temporarily centralize fraud proofs, creating a systemic risk.
Evidence: The Lightning Network's watchtower ecosystem remains negligible. Most users rely on their own node's liveness, proving the model's failure to solve the custodial trade-off.
Current Landscape: Where Watchtowers Hide
Existing watchtower models fail because they misalign economic incentives with network security.
Watchtowers are free riders. They provide a public good—monitoring for fraud—but capture no direct value from preventing it. This creates a classic tragedy of the commons where rational actors under-invest in security.
The staking model is insufficient. Protocols like Optimism and Arbitrum rely on bonded operators, but the cost of honest monitoring often exceeds slashing penalties. Attackers can economically outspend defenders.
Evidence: In 2023, over $1.8B was lost to bridge hacks (Chainalysis). Systems like Polygon PoS and Gnosis Chain use external watchtowers, yet catastrophic withdrawals still occur, proving reactive monitoring is flawed.
Security Model Comparison: Guarantees vs. Hope
A first-principles breakdown of security guarantees in cross-chain bridging, contrasting economic finality with optimistic watchtower models.
| Security Feature / Metric | Economic Finality (e.g., Across, LayerZero) | Optimistic Watchtower (e.g., Nomad, early Hop) | Native Mint/Burn (e.g., Canonical Bridges) |
|---|---|---|---|
| Liveness Assumption | None (Relayer can't censor) | 1+ Honest Watchtower | Validator Set Liveness |
| Time to Finality | ~3-5 min (Optimism) / ~12 min (Arbitrum) | 30 min - 24 hr Challenge Window | Native Chain Finality (~15 min ETH) |
| Capital Efficiency | | <50% (Locked in escrow) | 0% (Minted on-demand) |
| Slashing Condition | Bond forfeiture for fraud | Watchtower bond slashing | Validator slashing (if PoS) |
| User Recovery Path | Instant via fallback relayers | Manual claim after window | Redeem on source chain |
| Max Extractable Value (MEV) Risk | Low (Fixed relayer fee) | High (Watchers can front-run claims) | None (Deterministic mint) |
| Protocol Attack Surface | Relayer bond size & fraud proof verifier | Watchtower collusion & speed race | Validator set compromise (51%) |
| Post-Exploit Recovery | LPs bear loss; bridge pauses | Escrowed funds are lost; game theory failure | Chain halts; governance fork |
First-Principles Breakdown: The Three Failure Modes
Watchtower models fail because they misalign economic incentives, centralize trust, and create systemic fragility.
Economic Misalignment: Watchtowers are paid to monitor, not to act. A rational operator minimizes cost by running minimal infrastructure, creating a principal-agent problem where their profit conflicts with network security. This is why Lightning Network watchtowers remain a niche, user-managed service.
Trust Centralization: The model reintroduces a trusted third party, the exact problem decentralized systems solve. Users must trust watchtower honesty and liveness, creating a single point of failure more fragile than the underlying chain. This is the core flaw in early optimistic rollup designs.
Systemic Fragility: Watchtower failure is correlated and silent. A bug or coordinated attack disables protection for all clients simultaneously, unlike distributed validator networks where faults are isolated. The Flashbots SUAVE design avoids this by making the execution path itself decentralized.
Evidence: The 2022 Lightning watchtower study by River Financial showed over 60% of towers exhibited unreliable uptime, proving the incentive model is broken. Modern systems like Arbitrum Nitro and zkSync use cryptographic proofs, not watchmen, for this reason.
Steelman: The Case for Watchtowers
Watchtowers introduce systemic risks and economic inefficiencies that undermine their security guarantees.
Watchtowers centralize security. The model outsources a user's liveness requirement to a third-party service, creating a single point of failure. This reintroduces the trusted intermediary that layer-2s like Arbitrum and Optimism were designed to eliminate.
The economic model is broken. Watchtowers earn fees for inactivity, creating a perverse incentive to not perform their duty. This misalignment is a core vulnerability absent in cryptographic solutions like validity proofs used by zkSync and Starknet.
They create a meta-game. Attackers target the watchtower, not the chain. A successful DDoS or bribe against services like Helix or Themis renders all protected channels insecure simultaneously, a systemic risk.
Evidence: No major L2 (Arbitrum, Optimism, Base) integrates native watchtowers. The reliance is on social consensus and fraud proofs, proving the industry rejects this layer of delegated trust.
Case Studies: Flaws in Practice
The watchtower model, a common security abstraction, suffers from inherent economic and operational failures that compromise its guarantees.
The Economic Misalignment
Watchtowers are paid to watch, not to act. This creates a principal-agent problem where the watcher's profit is decoupled from the user's security outcome.
- No Skin in the Game: Watchtowers risk no capital, only their service fee.
- Free-Rider Problem: A single successful watchtower action secures all users, disincentivizing others from maintaining vigilance.
- Race to the Bottom: Competition drives fees to zero, eliminating margins needed for robust infrastructure.
The Liveness Trap
Security guarantees evaporate if the watchtower goes offline. This reintroduces the very custodial risk the model aims to solve.
- Centralized SPOF: User funds are only as secure as their chosen watchtower's uptime.
- Monitoring Gaps: ~99.9% uptime still implies ~8.76 hours of annual vulnerability per user.
- State Bloat: Scaling requires watching an exponentially growing set of on-chain states, increasing costs and failure points.
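An added example, not part of the original article: a small Python model of the liveness assumption discussed here. It takes per-tower outage logs and a challenge window and returns the post times at which a claim would meet no online tower for the whole window. The outage logs, the function names, and the assumption that any tower online during the window challenges successfully are constructed for illustration.

```python
# Added example: exposure under a 1-of-N watchtower liveness assumption.
# Model assumption: a tower that is online at any moment inside the challenge
# window submits the challenge; times are integer minutes.
from typing import List, Tuple

Interval = Tuple[int, int]  # [start, end) in minutes


def merge(intervals: List[Interval]) -> List[Interval]:
    """Sort and coalesce overlapping or touching outage intervals."""
    out: List[Interval] = []
    for s, e in sorted(intervals):
        if out and s <= out[-1][1]:
            out[-1] = (out[-1][0], max(out[-1][1], e))
        else:
            out.append((s, e))
    return out


def intersect(a: List[Interval], b: List[Interval]) -> List[Interval]:
    """Two-pointer intersection of two merged interval lists."""
    i = j = 0
    out: List[Interval] = []
    while i < len(a) and j < len(b):
        s, e = max(a[i][0], b[j][0]), min(a[i][1], b[j][1])
        if s < e:
            out.append((s, e))
        if a[i][1] < b[j][1]:
            i += 1
        else:
            j += 1
    return out


def exposed_post_times(outages: List[List[Interval]], window: int) -> List[Interval]:
    """Post times t for which every tower is offline throughout [t, t + window]."""
    if not outages:
        raise ValueError("need at least one tower's outage log")
    common = merge(outages[0])
    for tower in outages[1:]:
        common = intersect(common, merge(tower))
    return [(s, e - window) for s, e in common if e - window > s]


# Constructed outage logs (minutes since start of year); tower A is ~99.9% up.
TOWER_A = [(6000, 6240), (120000, 120285)]
TOWER_B = [(6060, 6180), (300000, 300400)]

if __name__ == "__main__":
    for towers, w in [([TOWER_A], 30), ([TOWER_A, TOWER_B], 30), ([TOWER_A, TOWER_B], 1440)]:
        spans = exposed_post_times(towers, w)
        print(len(towers), "tower(s), window", w, "min ->", sum(e - s for s, e in spans), "exposed min")
```

In this model the exposed time depends on how long the towers' outages overlap relative to the challenge window, so an operator feeding in real uptime logs can see the effect of adding a tower or lengthening the window.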
The Lightning Network Precedent
Lightning's watchtower ecosystem demonstrates the model's practical failure. Despite ~$200M+ in capacity, adoption is negligible.
- Market Failure: Few profitable, public watchtower services exist; users run their own.
- Complexity Burden: Shifts operational overhead from the protocol back to the user.
- Proven Inefficacy: Contrast with intent-based systems like UniswapX or CowSwap which solve coordination without passive watchers.
The Cryptographic Alternative
Modern architectures like zk-proofs and threshold signatures make watchtowers obsolete by enforcing rules cryptographically.
- Trust Minimization: Security derived from math, not a third-party's vigilance.
- Passive Enforcement: Invalid state transitions are impossible, not just punishable.
- Protocol-Level Guarantees: Seen in zkRollups (Starknet, zkSync) and MPC bridges (like Across), eliminating the watchtower role entirely.
The Path Forward: Models That Actually Work
Watchtower-based security models for optimistic bridges and rollups are economically unsustainable and architecturally fragile.
Watchtowers are economically unviable. Their revenue is a public good, but their costs are private. This creates a classic free-rider problem where no rational actor runs a watchtower, leaving the system's security to altruists.
The liveness assumption is fatal. Systems like Arbitrum's classic rollup or early optimistic bridges require at least one honest, always-online watchtower to catch fraud. This is a single point of failure that degrades to a permissioned security model.
Proof-of-Stake slashing solves this. Modern designs like Arbitrum Nitro and Optimism Bedrock replace watchtowers with cryptoeconomic security. Validators post bonds that are slashed for fraud, aligning incentives directly. The network's security budget scales with its staked value.
Evidence: The migration from Arbitrum Classic to Nitro eliminated the watchtower requirement, shifting security to a permissionless validator set. Similarly, Across Protocol uses bonded relayers with on-chain fraud proofs, not passive observers.
TL;DR for Architects
Watchtowers are a brittle security patch for off-chain protocols, creating systemic risk and misaligned incentives.
The Liveness Assumption is a Systemic Risk
Watchtowers assume a trusted third party is always online to monitor and act. This reintroduces a single point of failure that decentralized systems aim to eliminate.
- Failure means loss: If the watchtower is offline during a malicious challenge, user funds are forfeited.
- Creates attack vectors: DDoS or regulatory takedowns on watchtower infrastructure can cripple the entire protocol.
Economic Incentives Are Perversely Aligned
Watchtower models often rely on slashing bonds or service fees, which do not scale with the value they protect. This leads to chronic under-securing.
- Capital inefficiency: A $1M bond might be tasked with securing $100M+ in TVL.
- Race to the bottom: Competition on service fees disincentivizes robust, costly infrastructure, creating a market for lemons.
A Bridge to Nowhere for User Experience
Watchtowers offload security responsibility from users to an opaque service, creating a worse UX than custodial solutions. Users gain no real sovereignty.
- False sense of security: Users think they're 'decentralized' but are reliant on a black-box service.
- Protocols like UniswapX and Across solve similar finality problems with intents and atomicity, not liveness-dependent watchers.
The Solution: Cryptographic Proofs, Not Promises
The endgame is validity proofs and light clients, not liveness-based monitoring. zk-SNARKs and zk-STARKs provide cryptographic certainty without active watchdogs.
- State is verified, not watched: A proof of fraud is incontrovertible and can be verified by anyone, anytime.
- Eliminates liveness race: Security becomes a function of cryptographic assumptions, not network uptime.