Zcash to sovereign rollup

Good writeup @januszgrze. Coincidentally, I have been thinking along similar lines recently. The topic has been on my mind because of my rollup research and because of the ongoing work to transition Zcash from PoW to PoS.

I am generally supportive of the idea of Zcash transitioning to be a rollup rather than an independent PoS chain. I think it’s going to be hard for Zcash to compete as an independent chain when we have shielded rollups like Aztec coming online that are much closer to a much larger ecosystem (Ethereum). Transitioning to a rollup would level the playing field, making the competition less about proximity to existing users, apps, and large pools of liquidity and more about features, performance, culture, vibes, etc. It’s like building an app and competing with other apps vs building a separate internet and trying to compete with the internet. I know which I’d rather do.

Taking the decision to transition to a rollup as a given, for me the key questions are: which rollup model, sovereign rollup or smart contract rollup? And rollup to which chain?

My preference would be for Zcash to transition to be a sovereign rollup on bitcoin with the long term goal of becoming a smart contract rollup on bitcoin once that capability exists. I’ll break each part of this down and explain my rationale for these choices.

The decision to do a sovereign vs smart contract rollup basically comes down to: do we want the Zcash rollup to have a trustless bridge to its parent chain? I say “yes”, which implies becoming a smart contract rollup. The benefits of trustless access to assets with much more liquidity and much larger user bases than what Zcash has today are hard to overstate. And the risk to Zcash sovereignty is not as great as one might initially think.

In your post, you state:

But this is not true! First, it should be noted that smart contract rollups can have immutable contracts. Uniswap, a popular DEX on Ethereum, uses immutable contracts. Every time there’s a new contract version, the Uniswap developers simply deploy the new contracts and let users know that they can move their liquidity over if they want to, or remain on the previous Uniswap version if that’s their preference. A smart contract rollup can do the same. This is not unlike the transition between shielded pool versions that Zcash has gone through several times.

Additionally, even when smart contract rollups have mutable smart contracts (which remain trustless in best case scenarios but degrade to less-than-trustless in worst case scenarios) users don’t necessarily lose all sovereignty. For example, a time delay could be added to updates to give users time to withdraw their funds from the rollup if they disagree with the new proposed smart contract version. This is similar to the way Zcash hard forks have been activated, where a hard fork full node client is published with a block height set to activate the new consensus rules some time in the future.

Going back to my question: do we want the Zcash rollup to have a trustless bridge to its parent chain? If we answer “no”, which implies a sovereign rollup, then we are deciding that any bridges between Zcash and other blockchains (aside from smart contract rollups built on Zcash) will be strictly less-than-trustless. Basically, all bridges would be at best secured by fancy k-of-n multisigs with a large N-sized signer set. I believe Zcash users deserve better; smart contract rollup it is!

Now we turn to the question of “rollup to which chain?” Earlier I said my preference is for Zcash to be a sovereign rollup on bitcoin, with the goal of becoming a smart contract rollup once that capability exists. First I’ll explain why bitcoin then discuss this transition from sovereign to smart contract rollup.

The decision about which chain to rollup to boils down to: which chain is most likely to be the foundational chain of the future economy? Here’s how I think through this question:

First, I think there’s a fundamental values question to answer. Do we have any strong opinions about what mechanism should be used for securing the chain against Sybil attacks? For reasons I have explained elsewhere, I believe PoW is the best basis for the security of the monetary system. I understand not everyone in the Zcash community agrees, hence the push for transitioning to PoS. In part I hope this discussion about transitioning to a rollup can help us reverse (or more accurately, augment) this decision which I see as a mistake. But I digress.

If we accept that PoW is the best basis for the security of the monetary system, then we can refine our earlier question: which PoW chain is most likely to be the foundational chain of the future economy? To answer this we should evaluate the different options on the basis of criteria such as history, current traction and network effects (users, liquidity, tooling etc), and inertia (potential and trajectory of future growth). This leads me to bitcoin.

Now to return to the idea of starting as a sovereign rollup on bitcoin and transitioning to a smart contract rollup on bitcoin. Currently, bitcoin cannot support smart contract rollups. Research is ongoing into how that could change to enable either optimistic rollups or validity (zk) rollups, or both. Based on conversations I’ve had with many devs, entrepreneurs, and users in the community, there seems to be wide support for this among those who understand it. The main questions seem to be around timing and implementation details – a matter of when, not if. That said, until we get the necessary opcodes to support smart contract rollups on bitcoin, the best we can do is a sovereign rollup.

But even as a sovereign rollup on bitcoin, Zcash gains a lot:

  • Double-spend resistance and DA guarantees equivalent to the bitcoin mainchain
  • Closer connection to bitcoin, which could help grow the Zcash userbase and developer community
  • Operational experience and understanding of what is required to run a rollup on bitcoin, which will ease the transition to a smart contract rollup if/when that becomes possible

So I think it would still be worth the effort to start as a sovereign rollup now, even though the long term goal is to become a smart contract rollup on bitcoin.

The elephant in the room

Regardless of whether we’re talking about sovereign rollups or smart contract rollups, a question that one might have when considering using bitcoin as the DA layer for a rollup is: what happens when we hit the bitcoin block size limit? Bitcoin blocks are already mostly full most of the time, so this question is not theoretical. Competition for block space will only become fiercer once rollups enter the picture. Here I see multiple options, and they’re not necessarily mutually exclusive:

  • Increase the bitcoin block size limit (this would require a bitcoin soft fork)
  • Add EIP-4844-like data blobs to bitcoin (this on its own would be less resource intensive than a block size limit increase, but still require a soft fork)
  • Use a zkPorter-like offchain DA protocol, with ZEC as the staking asset (this would not require a soft fork)

The other elephant in the room

So far I haven’t said anything about what the fee asset of the Zcash rollup should be. My preference would be for the fee asset to either be BTC or to be left undefined, so users can pay whatever the rollup block producers are willing to accept. Bitcoin users already use BTC to pay mining fees so it will make it easier for them to use a rollup built on bitcoin if they can also pay fees to the rollup block producers using BTC. But as I said, I am also supportive of leaving the option open for users and block producers to converge on whatever asset(s) they want for paying fees.