On the inherent tension between multileader consensus and inclusion-time proving

Parallelized L1s (e.g., Kaspa’s 10bps block-DAG, advanced multileader designs) inherently offer sub-RTT block time and strong intra-round censorship resistance. A key byproduct of their parallelism is execution uncertainty at inclusion time: transactions are included prior to final global ordering and execution. This uncertainty is not a flaw but an enabler for features such as MEV-resistance strategies which operate by obscuring sequence predictability from block composers. At the same time, for universal synchronous composability across multiple based ZK rollups (often conceived as distinct logic zones, each managing independent state), inclusion-time proving represents a near-ideal: Achieving atomic cross-zone operations for composable txns necessitates complex off-chain coordination—related to our framework for proof stitching—before these operations culminate in L1 settlement. Inclusion-time proving would offer immediate, verifiable L1 commitment for the state transitions resulting from these coordinated efforts.

The inherent counter-duality

The conflict between inclusion-time proving and execution uncertainty is direct:

  • Inclusion-time proving mandates a known, unambiguous pre-state for proof generation at the moment of L1 inclusion.
  • Execution uncertainty (resulting from multileader, and conducive to MEV-resistance) implies an indefinite pre-state at L1 inclusion, dependent on eventual sequencing of concurrently processed, potentially contending transactions.

This basic conflict presents a choice. We opt for multileader consensus, embracing its natural execution uncertainty. Consequently, true inclusion-time proving for L1-visible L2 effects (like state commitments) cannot be achieved. Proofs for such effects must therefore be deferred, appearing on L1 only after parallel processing converges and transaction order is sufficiently established to define a clear state.

Proof availability requirement

This inherent gap introduces a critical challenge: L1 has already accepted the transaction data (achieved DA for it) and the system is, in a sense, committed to its potential effects. What if the required proof never materializes? This immediately necessitates a robust proof DA mechanism—the eventual availability of the proof itself must be guaranteed or its absence handled gracefully.

Furthermore, in an ecosystem of autonomous Logic Zones (LGs)—where each LG is responsible for generating proofs for its own operational segments but cannot compel others—atomic cross-LG operations create interdependencies. The successful L1 settlement of such a composite transaction thus becomes reliant on the timely L1 submission and verification of valid proofs from all participating LGs. This critical interdependency, particularly given the autonomy of each LG, naturally leads to an operational model we term “Timebound proof settlement”.

Timebound proof settlement

Under this model, transaction data first achieves L1 DA. Ultimate L1 settlement of its cross-domain effects, however, is explicitly dependent on subsequent L1 verification of ZK proofs, which must be submitted within a defined time window, T, post-L1 sequencing. Confirmation of an L2 operation’s L1 impact is thus its proof-verified settlement within T; failure by any party in a multi-segment operation to provide its proof within this bound means that segment (and potentially the entire atomic operation) fails to settle, with penalties ensuring accountability.

A key implication of timebound proof settlement is the viability of fast, user-side optimistic confirmation well before L1 proof settlement. Unlike inclusion-time proving where prover censorship directly blocks L1 inclusion, here L1 DA of a transaction already binds it to a based rollup’s L1-registered program. Any designated prover failing to subsequently prove such an L1-committed transaction compromises their rollup’s liveness. This incentive structure extends to multi-rollup atomic operations: users running composite execution nodes can optimistically confirm transactions, relying on each participating rollup’s self-interest in maintaining its own liveness by submitting its proof segment. While such “fat node” optimistic confirmation offers immediate feedback, the underlying L1 settlement latency itself—determined by L1 sequencing plus the cumulative L2 proving times—remains crucial. Importantly, as ZK proving technology continues its rapid advance towards near real-time performance (where real-time << 12 seconds…), this L1 settlement latency under timebound proof settlement is poised to significantly decrease, enhancing the model’s practicality.

This timebound proof settlement approach contrasts with embedding full witness DA within L1 transaction payloads, which, while ensuring eventual provability, imposes substantial and constant DA overhead.


The architectural path an L1 takes will profoundly shape its multileader/MEV characteristics and the efficiency of its rollup ecosystem’s composability. Future L1 designs might explore tiered DA/execution models, offering distinct contexts for “uncertain inclusion” and “certain inclusion” (perhaps with different fee structures or trust assumptions). Ultimately, while timebound proof settlement offers a pragmatic path, novel cryptographic approaches (e.g., proofs over partially indeterminate states) could eventually reshape these trade-offs.

5 Likes
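An added example, not part of the original post: a minimal model of the timebound proof settlement rule described above, as a verdict function every node could evaluate from L1-visible data alone. The names (`resolve`, `ProofSubmission`, `Status`), the abstract integer L1 time, the inclusive deadline and the all-or-nothing atomic failure are assumptions made for illustration.

```python
from dataclasses import dataclass
from enum import Enum


class Status(Enum):
    PENDING = "pending"   # window still open, proofs outstanding
    SETTLED = "settled"   # every segment proof verified on L1 within T
    FAILED = "failed"     # window closed with at least one segment unproven


@dataclass(frozen=True)
class ProofSubmission:    # hypothetical record of one L1 proof verification
    zone: str             # logic zone that produced the segment proof
    l1_time: int          # L1 time at which the proof was verified
    valid: bool           # result of L1 verification


def resolve(zones, sequenced_at, window_t, submissions, now):
    """Return (status, defaulting_zones) for one atomic cross-zone operation.

    Uses only L1-visible inputs, so all observers reach the same verdict.
    """
    deadline = sequenced_at + window_t          # assumption: inclusive bound
    cutoff = min(now, deadline)                 # ignore proofs not yet on L1
    proven = {
        s.zone
        for s in submissions
        if s.valid and s.zone in zones and sequenced_at <= s.l1_time <= cutoff
    }
    missing = sorted(set(zones) - proven)
    if not missing:
        return Status.SETTLED, []
    if now <= deadline:
        return Status.PENDING, []
    # Assumption: one missing segment fails the whole atomic operation;
    # only the zones that defaulted are reported for penalties.
    return Status.FAILED, missing


# Constructed sample: zones A, B, C; sequenced at t=100; window T=30.
ZONES = ("A", "B", "C")
SUBMISSIONS = [
    ProofSubmission("A", 110, True),
    ProofSubmission("B", 128, True),
    ProofSubmission("C", 131, True),   # valid, but one tick past the deadline
]

if __name__ == "__main__":
    for now in (120, 130, 131):
        print(now, resolve(ZONES, 100, 30, SUBMISSIONS, now))
```
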

Would it be possible to have a common default deadline (e.g. 5 min), but allow rollups to explicitly set a longer one when needed – for async interop or complex composition cases?
In the interop layer, we’d isolate state impact, so if a cross-rollup proof fails, only the affected zone is rejected, and the rest of the rollup proceeds unaffected.

1 Like
  1. Async interop should generally be discouraged, but the issue there is in my opinion similar only in cosmetics - it would resemble more a locking of outboxes and such, and off the top of my head as long as all parties know what they are into, it has no effect on others in the system and they can set their rules as they see fit. The difficulty with sync interop is that until the cross tx is settled all other tx of these logic zones cannot settle.

  2. For complex composition cases - I’d kind of say the opposite. The less the probability a tx is proven eventually, the less leeway I think it should get in terms of proving time. Allowing people to create complex transactions that could potentially fail to settle is an attack vector.

  3. Generally speaking, different logic zones can have different timeouts, or even different tx of the same logic zones can have different timeouts, but it’s still imperative that these be globally known - everyone involved directly or indirectly must agree on whether a tx succeeded or failed.

  4. The world I personally dream of is a permissionless world where anyone can participate and open a new zkapp (possibly constrained to standard code infras to maintain security), but their ability to interact with other zkapps is automatically in correlation to their credibility in supplying proofs. i.e. if your zkapp was unable to provide a proof for its part in a cross tx, you would get less and less leeway (and possibly higher fees) every time it happens henceforth - and the opposite.