Shared security creates systemic risk. A single vulnerability in a shared sequencer or bridge, like the Wormhole or Nomad exploits, compromises every connected rollup. This centralizes the attack surface, contradicting the modular scaling thesis.
the-modular-blockchain-thesis-explained
Blog
Why Shared Security Models Fail for Cross-Rollup Communication
Shared security models like those from EigenLayer or Celestia are being misapplied to cross-rollup messaging. This analysis argues that interoperability security is non-transferable and must be independently verified at the destination, exposing the critical flaw in 'borrowed' security for bridges.
introduction
THE FLAWED PREMISE
The Shared Security Mirage
Shared security models fail for cross-rollup communication because they create systemic risk and misaligned incentives.
Economic incentives are misaligned. A rollup's security budget funds its own state validation, not the security of a shared messaging layer like LayerZero or Hyperlane. This forces a subsidy model that is unsustainable at scale.
The liveness-leverage tradeoff is fatal. Shared security systems, such as EigenLayer's restaking for AVS, increase liveness assumptions. This creates leverage where a failure in the base layer, like Ethereum consensus, cascades across all dependent rollups.
Evidence: The 2022 Nomad bridge hack drained $190M across multiple chains in a single exploit, demonstrating the catastrophic failure mode of shared security for cross-chain messaging.
key-insights
WHY SHARED SECURITY BREAKS AT THE BORDER
Executive Summary: The Core Flaw
Current cross-rollup bridges rely on shared security models that are fundamentally misaligned with the sovereign nature of rollups, creating systemic risk.
01
The Trust Fallacy of Validator-Based Bridges
Models like LayerZero's Oracle/Relayer or Axelar's validator set impose a new, centralized trust layer. Rollups already have their own security (e.g., Ethereum L1). Forcing them to trust a separate, smaller validator set for cross-chain messages is a security downgrade.\n- Creates a new attack vector outside the rollup's native security model.\n- Introduces liveness dependencies on external, often permissioned, entities.
~10-100
External Validators
1M+
Ethereum Validators
02
The Economic Misalignment of Staked Bridges
Bridges like Across and Synapse use bonded security, where slashable stake protects the system. This fails at scale because the stake must cover all bridged value across all chains. A catastrophic exploit on one chain can drain the entire shared pool, creating a systemic contagion risk. The economic model does not scale linearly with interconnected rollup count.\n- Stake is fragmented across many competing applications.\n- TVL-to-Stake ratio becomes a critical, unstable vulnerability.
$10B+
Bridged Value at Risk
<$1B
Typical Bridge Stake
03
The Sovereignty Violation
Rollups are sovereign execution environments. A shared security bridge forces them to cede finality authority to an external committee. This breaks the core rollup premise: deriving security directly from L1. The bridge becomes a meta-consensus layer, creating a fragmented, insecure mesh of interdependencies rather than a clean hub-and-spoke model to Ethereum.\n- Undermines the rollup's security guarantees.\n- Creates complex, unpredictable failure modes during chain reorganizations.
1
Intended Security Source (L1)
N
Additional Trusted Parties
04
The Latency & Cost Imposition
Shared security requires consensus overhead for every message, adding latency and cost. This is antithetical to the high-throughput, low-cost promise of rollups. Bridges like Celer's State Guardian Network or Multichain (pre-exploit) introduced ~1-5 minute delays and high fees, making fast, cheap cross-rollup DeFi (e.g., UniswapX flows) impossible. The model optimizes for security theater over user experience.\n- Adds unnecessary consensus rounds for data already finalized on L1.\n- Fees compound, eroding small transaction value.
60-300s
Added Latency
2-10x
Cost Multiplier
thesis-statement
THE FLAW IN SHARED SECURITY
The Destination Chain Sovereignty Principle
Cross-rollup communication must respect the finality and security model of the receiving chain, a requirement that shared security bridges structurally violate.
Shared security is a liability. Protocols like LayerZero and Wormhole inject a third-party consensus layer (e.g., a validator set) between two sovereign rollups. This creates a trusted third-party that neither rollup's native security model governs, introducing a new, unaccountable attack vector.
Sovereignty defines finality. A rollup's security is its sequencer's L2 state commitment and the underlying L1's data availability. A shared security bridge must convince the destination chain to accept a foreign attestation, violating its sovereign validation rules and creating legal ambiguity during disputes.
The failure is architectural. This model forces a destination chain to outsource its most critical function: verifying incoming state. It's why native verification bridges, like the IBC protocol or Arbitrum's Nitro, succeed—they make the destination chain the sole arbiter of truth, preserving its security model.
CROSS-ROLLUP MESSAGE PASSING
Security Model Comparison: Borrowed vs. Verified
Compares the security assumptions and failure modes of shared (borrowed) security models against locally verified models for cross-rollup communication, explaining why the former fails for sovereign environments.
| Security Dimension | Borrowed Security (e.g., LayerZero, CCTP) | Locally Verified (e.g., IBC, Polymer, Hyperlane w/ISM) | Native L1 Bridge (Baseline) |
|---|---|---|---|
Underlying Security Source | External Validator Set / Guardian Network | Light Client + Fraud/Validity Proofs on destination chain | L1 Consensus & Execution (e.g., Ethereum PoS) |
Trust Assumption | Honest Majority of 3rd-party attesters | Cryptographic verification of source chain state | Full security of the underlying L1 |
Liveness Dependency | External network liveness | Only source & destination chain liveness | Only L1 liveness |
Failure Mode on Source Chain Halt | Uncertainty; attestations may stop | Provably frozen at last proven state | Provably frozen at last L1 state |
Sovereignty Violation | Yes - introduces external governance | No - verification is permissionless & local | No - uses neutral base layer |
Time to Finality (Optimistic) | ~3-5 minutes (off-chain attestation delay) | ~12-20 minutes (Ethereum light client sync) | ~12 minutes (Ethereum finality) |
Capital Efficiency for Security | Low (security not backed by slashable stake) | High (security derived from source chain's stake) | Maximum (security = L1 stake) |
Protocol Examples | LayerZero, Circle CCTP, Wormhole (Guardian) | IBC, Polymer, Hyperlane (ISM), Succinct | Arbitrum Nitro, Optimism Bedrock, zkSync Era |
deep-dive
THE FLAW IN FEDERATION
The Cascading Failure Problem
Shared security models for cross-rollup communication create systemic risk by linking the failure of one rollup to the liveness of all others.
Shared sequencers create a single point of failure. A single sequencer network like Espresso or Astria processes transactions for multiple rollups. If this sequencer fails or is censored, every rollup in its federation halts, creating a cascading liveness failure across the ecosystem.
Economic security is not shared, only liveness risk is. Models like Optimism's Superchain or Arbitrum's BOLD share a sequencer but maintain separate fraud-proof systems. This means a security failure is isolated, but a liveness failure is universal, inverting the intended safety guarantees.
The failure domain expands with adoption. Each new rollup added to a shared sequencer network, like another chain joining a Cosmos SDK appchain, increases the blast radius of a sequencer outage. This creates negative network effects for reliability.
Evidence: The Base <> Optimism Bedrock outage. When OP Stack's fault proof system had a bug, it didn't affect Base's sequencer. Under a fully shared sequencer model, that bug would have halted both chains, demonstrating the liveness coupling risk.
case-study
WHY SHARED SECURITY BREAKS AT THE BORDER
Case Studies in (Mis)Applied Security
Shared security models like restaking are powerful for single chains, but their guarantees shatter when stretched across sovereign rollup boundaries.
01
The Liveness-Security Tradeoff
Shared security pools like EigenLayer treat liveness and security as a single product. For cross-rollup messaging, this creates a critical failure mode. A liveness fault (e.g., a sequencer halting) on Rollup A can be misinterpreted as a security fault, triggering unnecessary and costly slashing of assets staked for Rollup B.
- Sovereign Fault Isolation is Impossible: A fault in one appchain shouldn't slash validators for an unrelated chain.
- Creates Systemic Risk: Correlated slashing across the ecosystem during localized outages.
0%
Fault Isolation
100%
Correlated Risk
02
The Oracle Problem Reborn
Bridges built on shared security (e.g., some LayerZero Omnichain Fungible Token configurations) must resolve a fundamental oracle problem: proving state on a foreign chain. A committee of restaked nodes voting on the "truth" reintroduces the very trust assumptions bridges should eliminate.
- Security ≠Data Availability: Restaking secures the voting process, not the validity of external chain data.
- Threshold Trust Model: Still requires honest majority assumption, unlike light-client bridges.
1/N
Honest Assumption
~2-5s
Voting Latency
03
Economic Abstraction Leak
Shared security abstracts the cost of capital. For a dedicated rollup bridge validator, slashing is a direct penalty for a protocol-specific failure. In a pooled model, the economic penalty is detached from the specific service, leading to misaligned incentives and underpriced risk.
- Security is Not Commoditized: The risk profile of securing a $10B bridge is not the same as a $10M NFT marketplace.
- Free-Rider Problem: Low-value services piggyback on security subsidized by high-value ones.
>90%
Cost Subsidy
Undefined
Risk Premium
04
Interoperability Trilemma: Pick Two
The Interoperability Trilemma posits you can only have two of: Trustlessness, Generalizability, and Capital Efficiency. Shared security models for cross-rollup comms (e.g., Cosmos IBC with shared security) optimize for the latter two at the expense of trustlessness.
- IBC with Interchain Security: Requires a central Coordinator Hub, a single point of liveness failure.
- Generalizability via Compromise: A 'general' messaging layer cannot provide the same trust-minimization as a dedicated, verifiable light client.
2/3
Trilemma Solved
1
Trust Assumptions
counter-argument
THE FLAWED PREMISE
Steelman: The Economic Security Argument
Shared security models fragment capital and create systemic risk, making them unsuitable for securing cross-rollup state.
Shared security is capital-inefficient. Protocols like Polygon Avail or EigenLayer require validators to secure multiple, unrelated chains. This dilutes the economic stake securing any single bridge or rollup, creating a weaker security floor than a dedicated validator set.
The slashing dilemma is unsolved. A validator's stake is slashed across all secured services for a fault on one. This creates perverse incentives where validators prioritize high-value chains, leaving cross-rollup messaging layers like Hyperlane or LayerZero under-protected.
Security becomes a commodity. When validators rent security to the highest bidder, the system's resilience depends on continuous subsidy. This model fails during black swan events where correlated failures across chains trigger mass, unstoppable slashing.
Evidence: Celestia's data availability security is decoupled from execution. A rollup built on it must still bootstrap its own validator set for bridging, proving shared security solves only half the problem.
FREQUENTLY ASKED QUESTIONS
FAQ: Unpacking the Technical Nuances
Common questions about why shared security models, like those from EigenLayer or Cosmos, fail to secure cross-rollup communication.
The biggest flaw is the lack of a unified, canonical data source for finality. Shared security models like EigenLayer secure individual chains, but cross-rollup messaging requires a single source of truth for state proofs. Without it, you face the verifier's dilemma and data availability gaps, which protocols like LayerZero and Across must solve externally.
future-outlook
THE FLAW
The Path Forward: Verified, Not Borrowed
Shared security models for cross-rollup communication are a fundamental architectural mismatch that creates systemic risk.
Shared security is a liability. It attempts to borrow finality from a parent chain (like Ethereum) for inter-rollup messages, but this creates a false equivalence. The security of a message's origin on Rollup A is not the same as the security of its execution on Rollup B, introducing a critical trust gap.
The validator problem is unsolved. Models like EigenLayer's restaking or Cosmos' Interchain Security require a unified validator set to attest to events across disparate systems. This forces validators to run light clients for every connected chain, a scaling and incentive nightmare that centralizes risk.
Intent solves for users, not states. Protocols like UniswapX and Across use intents for better UX, but they delegate verification to third-party solvers and relayers. This creates a new layer of intermediation and trust, contradicting the cryptographic verification principle of rollups themselves.
Evidence: The Polygon Avail team explicitly rejected shared security for data availability, stating it creates 'fragile dependencies.' Their analysis shows that sovereign verification—where each chain validates the others' proofs directly—is the only model that preserves modular independence.
takeaways
WHY SHARED SECURITY FAILS FOR CROSS-ROLLUP
TL;DR: Builder Mandates
Shared security models, while elegant for single chains, create critical vulnerabilities and inefficiencies when applied to cross-rollup communication.
01
The Sovereign Finality Problem
Rollups have independent state finality (e.g., Optimism's 12s, Arbitrum's ~1 block). A shared security layer must either delay until the slowest chain finalizes or accept reorg risk, creating a ~30s+ latency floor for cross-chain messages.
- Forces worst-case latency on all connected chains.
- Introduces liveness dependency on unrelated sequencers.
30s+
Latency Floor
1
Weakest Link
02
Economic Capture by Validator Cartels
A unified validator set for all rollups (e.g., Ethereum's L1) becomes a single point of economic failure. Cartels can censor or reorder transactions across the entire ecosystem, violating the sovereignty that rollups were designed to achieve.
- Centralizes economic power across all connected chains.
- Enables cross-chain MEV extraction at protocol level.
>33%
Attack Threshold
All Chains
Attack Surface
03
The Interoperability Trilemma
You cannot simultaneously have trust-minimization, general message passing, and low latency. Shared security (e.g., Cosmos IBC) optimizes for trust-minimization, sacrificing latency and flexibility. For DeFi, this is fatal; a UniswapX order expires before a secure attestation arrives.
- Forces a trade-off that kills UX.
- Makes fast, secure bridges like Across impossible.
Pick 2
Of 3
0
Optimal Solutions
04
Solution: Asynchronous Attestation Networks
Decouple security from latency. Use an optimistic or ZK-Proof attestation network (e.g., LayerZero's Oracle/Relayer, Succinct's Telepathy) that provides fast liquidity upfront and settles disputes later. This mirrors the rollup security model itself.
- Enables sub-second pre-confirmations for UX.
- Preserves crypto-economic security for finality.
<1s
Initial Confirm
ZK/OP
Security Layer
05
Solution: Specialized, Competing Bridges
Let the market decide security vs. speed trade-offs per asset and use case. A high-value NFT bridge can use a slow, ultra-secure validator set. A DEX aggregator like CowSwap can use a fast, economically secured bridge like Across. Shared security is a monopoly; competing bridges are a market.
- Drives innovation in security models.
- User/App selects their risk profile.
$10B+
Bridge TVL
Niche Opt.
Security
06
Solution: Intents & Solver Networks
Bypass the bridging problem entirely. Users submit intent-based orders (e.g., UniswapX, CowSwap). A decentralized solver network competes to fulfill them across domains using any liquidity source, internalizing bridging complexity. The security model shifts to solver bond slashing rather than cross-chain consensus.
- Abstracts complexity from end-user.
- Aligns incentives for efficient execution.
Solver
Risk Holder
Intent
New Primitive
ENQUIRY
Get In Touch
today.
Our experts will offer a free quote and a 30min call to discuss your project.
NDA Protected
Confidentiality24h Response
Time to ValueDirectly to Engineering Team
No Sales Fluff10+
Protocols Shipped
$20M+
TVL Overall