From dc663dae71660ec59ee8bae91e4bdd5a18423758 Mon Sep 17 00:00:00 2001 From: Othryades Date: Sun, 3 May 2026 17:11:27 +0300 Subject: [PATCH 1/7] docs(stack): add Trust model page New page under Stack > How it works covering trust assumptions per component, admin keys and upgrade authority, trust assumptions per deployment model, failure modes and recovery, and what participants can independently verify. Co-Authored-By: Claude Opus 4.7 (1M context) --- docs/stack/how-it-works/trust-model.mdx | 108 ++++++++++++++++++++++++ sidebars.js | 1 + 2 files changed, 109 insertions(+) create mode 100644 docs/stack/how-it-works/trust-model.mdx diff --git a/docs/stack/how-it-works/trust-model.mdx b/docs/stack/how-it-works/trust-model.mdx new file mode 100644 index 0000000000..f8afb943e8 --- /dev/null +++ b/docs/stack/how-it-works/trust-model.mdx @@ -0,0 +1,108 @@ +--- +title: Trust model +description: >- + Trust assumptions, control responsibilities, and failure modes for Linea stack + deployments +sidebar_position: 3 +image: /img/socialCards/trust-model.jpg +--- + +This page describes the trust assumptions, control responsibilities, and failure modes of a Linea Stack deployment. It is meant for architects and operators evaluating Linea Stack before deployment. + +What this page covers: who operates each component, what each component can do unilaterally, what participants can independently verify, what happens when something fails, and how trust assumptions change across deployment models. + +What this page does not cover: configuration flags, deployment topology, or component internals. For those, see [Core components](./core-components) and [Deployment models](./deployment-models). + +## Trust assumptions per component + +| Component | Operated by | Can do unilaterally | Cannot do | Independently verifiable by participants | +| --- | --- | --- | --- | --- | +| Sequencer | Operator | Order, delay, or omit transactions within a block | Forge state. Invalid blocks fail proof verification | Block contents and ordering, by running a full or archive node | +| Prover | Operator | Stall proof generation, halting finalization | Produce a valid proof for an invalid state transition | Proof verification by reading the verifier contract on the finalization layer | +| Coordinator | Operator | Stall the conflation, prover, submission pipeline | Modify state independently of the sequencer or prover | L1 submission events | +| Data availability (rollup) | Ethereum | (none) | Withhold data: DA is on L1 as EIP-4844 blobs | State reconstruction from L1 blobs | +| Data availability (validium) | DA committee chosen by operator | Withhold data, halting recovery | Forge state: proofs still verify on L1 | What participants observe via DA committee access | +| Canonical bridge (to Ethereum / Linea-anchored chain) | Operator (admin keys) + protocol (proofs) | Pause bridging via pause roles; upgrade contracts | Forge messages: both sides verify ZK proofs | Bridge events and proof verification on the finalization layer | +| Trusted bridge (to private or non-anchored chain) | Operator (admin keys) + trusted relayer | Pause bridging; relayer can withhold or delay messages | Forge messages: relayer signs over verified source-chain events | Bridge events on each side; no shared proof. Depends on trust in the relayer | +| System contracts | Operator (role holders) | Pause, upgrade, change verifier address, change rate limits | Bypass role gating: every privileged function is role-gated | Role assignments and contract state on the finalization layer | +| Participant nodes | Each participant | Read state visible to them, broadcast transactions | Modify network state | Their own observed state, by running a node | + +## Admin keys and upgrade authority + +The Stack contracts ship with a fixed set of roles. Holders are decided by the operator at deploy time. The most consequential decisions: + +| Role | What it can do | Recommended holder | +| --- | --- | --- | +| `DEFAULT_ADMIN_ROLE` | Grant or revoke any other role | Multisig or governance contract; assignable only at initialization | +| `OPERATOR_ROLE` | Submit blobs/calldata, finalize blocks | Day-to-day operator address | +| `SECURITY_COUNCIL_ROLE` | Reserved for governance pause/upgrade authority | Governance contract | +| `PAUSE_*_ROLE` / `UNPAUSE_*_ROLE` | Pause and unpause specific subsystems (L1↔L2, L2→L1, finalization, state submission, etc.) | Split between operator (pause) and governance (unpause) for fast incident containment | +| `VERIFIER_SETTER_ROLE` | Change the verifier contract for a given proof type | Governance contract | +| `RATE_LIMIT_SETTER_ROLE` | Change L2→L1 withdrawal rate limits | Governance contract | + +Contracts are upgradeable via the OpenZeppelin upgradeable proxy pattern. Upgrade authority is held by `DEFAULT_ADMIN_ROLE`. There is no protocol-enforced timelock: operators must implement timelocks via the governance contract holding the role. + +:::warning +`DEFAULT_ADMIN_ROLE` cannot be assigned through `__Permissions_init`. It is set only via the explicit `defaultAdmin` initializer field. Plan the holder before initialization. +::: + +For the full list of roles, see [LineaRollup contracts reference](/network/build/contracts). + +## Trust assumptions per deployment model + +| Trust dimension | Public rollup (L1=Ethereum) | Private validium (L2 on Ethereum) | Private validium (L3 on Linea Mainnet) | +| --- | --- | --- | --- | +| Data availability | Ethereum | Operator-run DA committee | Operator-run DA committee | +| Finality anchor | Ethereum | Ethereum | Linea Mainnet (which itself anchors to Ethereum) | +| Sequencer trust | Operator can reorder/delay; cannot forge state | Same | Same | +| Bridge trust | Cryptographic proof + admin key for upgrades/pauses | Same | Adds Linea Mainnet bridge trust on top | +| Inherited trust assumptions | Ethereum L1 only | Ethereum L1 only | Ethereum L1 + Linea Mainnet (sequencer, prover, Security Council, admin keys) | +| State reconstruction without operator | Yes, from L1 blobs | No: depends on DA committee | No: depends on DA committee | + +A private validium deployed as L3 on Linea Mainnet inherits Linea Mainnet's trust assumptions in addition to its own. See [Linea Mainnet risk disclosures](/network/risk-disclosures) for those. + +## Failure modes and recovery + +| Failure | Participant impact | Recovery path | Status | +| --- | --- | --- | --- | +| Sequencer halt | Block production stops; pending transactions not included | Operator restart; multi-sequencer setups via distributed sequencing (QBFT) | Single-sequencer is the default; multi-sequencer is operator-implemented | +| Prover stall | Proofs not generated; finalization stops; soft-finalized blocks remain on L2 but not finalized to L1 | Operator restart; alternate prover instance | Single-prover is the default | +| Coordinator stall | L1 submission stops; same effect as prover stall downstream | Operator restart | Single-coordinator is the default | +| DA withhold (validium) | Participants cannot reconstruct state independently; new state still verifiable via proof | Operator-defined wind-down procedure; depends on consortium agreement | Operator-defined; not protocol-enforced | +| Finality layer reorg | Affects depth of L1 finality; ZK proofs once accepted on L1 cannot be reorged without breaking L1 | Wait for L1 finality depth | Inherent to L1 finality model | +| Admin key compromise | Compromised role can act within its scope until revoked; `DEFAULT_ADMIN_ROLE` compromise affects all roles | Multi-sig key revocation via Web3Signer/KMS; emergency pause via `PAUSE_ALL_ROLE`; contract pause via Multi-Sig Governance Contract | Operator-implemented | +| Bridge halt | Cross-chain transfers stop | Pause roles can halt bridging; resumption via unpause role | Live | +| Forced transaction (escape hatch) | Allows participants to bypass a censoring sequencer | L1-submitted forced transactions, gated by `AddressFilter` | **Not yet live**; planned | + +The default deployment topology assumes single-instance sequencer, prover, and coordinator. For high availability, operators run multi-instance setups via the Fleet plugin (documented separately). + +## What participants can independently verify + +The set of guarantees a participant can verify *without* trusting the operator depends on the deployment model. + +**Public rollup** + +- Full transaction history, by reading L1 blobs and reconstructing L2 state. +- Proof validity, by reading the verifier contract on L1. +- Bridge events and message status, on L1. +- Contract role assignments and admin actions, on L1. + +**Private validium (L2 on Ethereum)** + +- Proof validity, by reading the verifier contract on L1. +- That a state transition was proved, even if its contents are private. +- Bridge events on L1. +- Their own observed state, by running a node with DA committee access. +- They cannot reconstruct state without DA committee access. This is the validium trade-off. + +**Private validium (L3 on Linea Mainnet)** + +- Same as private validium on L2, but proofs are verified on Linea Mainnet (which is itself proved to Ethereum). +- Verifying the L3 chain end-to-end requires verifying both the L3 proof on Linea Mainnet and Linea Mainnet's proofs on Ethereum. + +## See also + +- [Linea Mainnet risk disclosures](/network/risk-disclosures): applies when finalizing to Linea Mainnet +- [Core components](./core-components) +- [Deployment models](./deployment-models) +- [LineaRollup contracts reference](/network/build/contracts) diff --git a/sidebars.js b/sidebars.js index 3de30bcb30..f1f900ae06 100644 --- a/sidebars.js +++ b/sidebars.js @@ -467,6 +467,7 @@ const sidebars = { label: "Protocol components", }, "stack/how-it-works/deployment-models", + "stack/how-it-works/trust-model", "stack/how-it-works/data-availability-finalization", ], }, From fe59ddacdd02188bc9bbe4f0e296f8cfc8705458 Mon Sep 17 00:00:00 2001 From: Othryades Date: Sun, 3 May 2026 17:20:07 +0300 Subject: [PATCH 2/7] docs(stack): fix trust model contradictions and formatting Co-Authored-By: Claude Opus 4.7 (1M context) --- docs/stack/how-it-works/trust-model.mdx | 16 +++++++++------- 1 file changed, 9 insertions(+), 7 deletions(-) diff --git a/docs/stack/how-it-works/trust-model.mdx b/docs/stack/how-it-works/trust-model.mdx index f8afb943e8..662a6f38d2 100644 --- a/docs/stack/how-it-works/trust-model.mdx +++ b/docs/stack/how-it-works/trust-model.mdx @@ -17,13 +17,13 @@ What this page does not cover: configuration flags, deployment topology, or comp | Component | Operated by | Can do unilaterally | Cannot do | Independently verifiable by participants | | --- | --- | --- | --- | --- | -| Sequencer | Operator | Order, delay, or omit transactions within a block | Forge state. Invalid blocks fail proof verification | Block contents and ordering, by running a full or archive node | +| Sequencer | Operator | Order, delay, or omit transactions within a block | Forge state, since invalid blocks fail proof verification | Block contents and ordering, by running a full or archive node | | Prover | Operator | Stall proof generation, halting finalization | Produce a valid proof for an invalid state transition | Proof verification by reading the verifier contract on the finalization layer | -| Coordinator | Operator | Stall the conflation, prover, submission pipeline | Modify state independently of the sequencer or prover | L1 submission events | -| Data availability (rollup) | Ethereum | (none) | Withhold data: DA is on L1 as EIP-4844 blobs | State reconstruction from L1 blobs | -| Data availability (validium) | DA committee chosen by operator | Withhold data, halting recovery | Forge state: proofs still verify on L1 | What participants observe via DA committee access | +| Coordinator | Operator | Stall the pipeline that conflates blocks, requests proofs, and submits them to L1 | Modify state independently of the sequencer or prover | L1 submission events | +| Data availability (rollup) | Ethereum | N/A | Withhold data, since DA is on L1 as EIP-4844 blobs | State reconstruction from L1 blobs | +| Data availability (validium) | DA committee chosen by operator | Withhold data, halting recovery | Forge state, since proofs still verify on L1 | What participants observe via DA committee access | | Canonical bridge (to Ethereum / Linea-anchored chain) | Operator (admin keys) + protocol (proofs) | Pause bridging via pause roles; upgrade contracts | Forge messages: both sides verify ZK proofs | Bridge events and proof verification on the finalization layer | -| Trusted bridge (to private or non-anchored chain) | Operator (admin keys) + trusted relayer | Pause bridging; relayer can withhold or delay messages | Forge messages: relayer signs over verified source-chain events | Bridge events on each side; no shared proof. Depends on trust in the relayer | +| Trusted bridge (to private or non-anchored chain) | Operator (admin keys) + trusted relayer | Pause bridging; relayer can withhold or delay messages | Forge messages, since the relayer signs over verified source-chain events | Bridge events on each side; no shared proof, so verifiability depends on trust in the relayer | | System contracts | Operator (role holders) | Pause, upgrade, change verifier address, change rate limits | Bypass role gating: every privileged function is role-gated | Role assignments and contract state on the finalization layer | | Participant nodes | Each participant | Read state visible to them, broadcast transactions | Modify network state | Their own observed state, by running a node | @@ -43,7 +43,9 @@ The Stack contracts ship with a fixed set of roles. Holders are decided by the o Contracts are upgradeable via the OpenZeppelin upgradeable proxy pattern. Upgrade authority is held by `DEFAULT_ADMIN_ROLE`. There is no protocol-enforced timelock: operators must implement timelocks via the governance contract holding the role. :::warning + `DEFAULT_ADMIN_ROLE` cannot be assigned through `__Permissions_init`. It is set only via the explicit `defaultAdmin` initializer field. Plan the holder before initialization. + ::: For the full list of roles, see [LineaRollup contracts reference](/network/build/contracts). @@ -72,9 +74,9 @@ A private validium deployed as L3 on Linea Mainnet inherits Linea Mainnet's trus | Finality layer reorg | Affects depth of L1 finality; ZK proofs once accepted on L1 cannot be reorged without breaking L1 | Wait for L1 finality depth | Inherent to L1 finality model | | Admin key compromise | Compromised role can act within its scope until revoked; `DEFAULT_ADMIN_ROLE` compromise affects all roles | Multi-sig key revocation via Web3Signer/KMS; emergency pause via `PAUSE_ALL_ROLE`; contract pause via Multi-Sig Governance Contract | Operator-implemented | | Bridge halt | Cross-chain transfers stop | Pause roles can halt bridging; resumption via unpause role | Live | -| Forced transaction (escape hatch) | Allows participants to bypass a censoring sequencer | L1-submitted forced transactions, gated by `AddressFilter` | **Not yet live**; planned | +| Forced transaction (escape hatch) | Allows participants to bypass a censoring sequencer | L1-submitted forced transactions, gated by `AddressFilter` | Not yet live; planned | -The default deployment topology assumes single-instance sequencer, prover, and coordinator. For high availability, operators run multi-instance setups via the Fleet plugin (documented separately). +The default deployment topology assumes single-instance sequencer, prover, and coordinator. For high availability, operators run multi-instance setups via distributed sequencing (QBFT). ## What participants can independently verify From 5c826e94c4a522bd871cfbb76a73b7d4060ffef9 Mon Sep 17 00:00:00 2001 From: Othryades Date: Sun, 3 May 2026 17:45:09 +0300 Subject: [PATCH 3/7] docs(stack): fix trust model admonition and remaining separators Co-Authored-By: Claude Opus 4.7 (1M context) --- docs/stack/how-it-works/trust-model.mdx | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/stack/how-it-works/trust-model.mdx b/docs/stack/how-it-works/trust-model.mdx index 662a6f38d2..e1279a4b63 100644 --- a/docs/stack/how-it-works/trust-model.mdx +++ b/docs/stack/how-it-works/trust-model.mdx @@ -22,9 +22,9 @@ What this page does not cover: configuration flags, deployment topology, or comp | Coordinator | Operator | Stall the pipeline that conflates blocks, requests proofs, and submits them to L1 | Modify state independently of the sequencer or prover | L1 submission events | | Data availability (rollup) | Ethereum | N/A | Withhold data, since DA is on L1 as EIP-4844 blobs | State reconstruction from L1 blobs | | Data availability (validium) | DA committee chosen by operator | Withhold data, halting recovery | Forge state, since proofs still verify on L1 | What participants observe via DA committee access | -| Canonical bridge (to Ethereum / Linea-anchored chain) | Operator (admin keys) + protocol (proofs) | Pause bridging via pause roles; upgrade contracts | Forge messages: both sides verify ZK proofs | Bridge events and proof verification on the finalization layer | +| Canonical bridge (to Ethereum / Linea-anchored chain) | Operator (admin keys) + protocol (proofs) | Pause bridging via pause roles; upgrade contracts | Forge messages, since both sides verify ZK proofs | Bridge events and proof verification on the finalization layer | | Trusted bridge (to private or non-anchored chain) | Operator (admin keys) + trusted relayer | Pause bridging; relayer can withhold or delay messages | Forge messages, since the relayer signs over verified source-chain events | Bridge events on each side; no shared proof, so verifiability depends on trust in the relayer | -| System contracts | Operator (role holders) | Pause, upgrade, change verifier address, change rate limits | Bypass role gating: every privileged function is role-gated | Role assignments and contract state on the finalization layer | +| System contracts | Operator (role holders) | Pause, upgrade, change verifier address, change rate limits | Bypass role gating, since every privileged function is role-gated | Role assignments and contract state on the finalization layer | | Participant nodes | Each participant | Read state visible to them, broadcast transactions | Modify network state | Their own observed state, by running a node | ## Admin keys and upgrade authority @@ -59,7 +59,7 @@ For the full list of roles, see [LineaRollup contracts reference](/network/build | Sequencer trust | Operator can reorder/delay; cannot forge state | Same | Same | | Bridge trust | Cryptographic proof + admin key for upgrades/pauses | Same | Adds Linea Mainnet bridge trust on top | | Inherited trust assumptions | Ethereum L1 only | Ethereum L1 only | Ethereum L1 + Linea Mainnet (sequencer, prover, Security Council, admin keys) | -| State reconstruction without operator | Yes, from L1 blobs | No: depends on DA committee | No: depends on DA committee | +| State reconstruction without operator | Yes, from L1 blobs | No, depends on DA committee | No, depends on DA committee | A private validium deployed as L3 on Linea Mainnet inherits Linea Mainnet's trust assumptions in addition to its own. See [Linea Mainnet risk disclosures](/network/risk-disclosures) for those. From 9de69e14d3df70b0daed41209ee71561e0739ff1 Mon Sep 17 00:00:00 2001 From: Othryades Date: Sun, 3 May 2026 17:57:04 +0300 Subject: [PATCH 4/7] docs(stack): broaden DA framing, polish trust model copy Co-Authored-By: Claude Opus 4.7 (1M context) --- docs/stack/how-it-works/trust-model.mdx | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/docs/stack/how-it-works/trust-model.mdx b/docs/stack/how-it-works/trust-model.mdx index e1279a4b63..e3961daea0 100644 --- a/docs/stack/how-it-works/trust-model.mdx +++ b/docs/stack/how-it-works/trust-model.mdx @@ -21,7 +21,7 @@ What this page does not cover: configuration flags, deployment topology, or comp | Prover | Operator | Stall proof generation, halting finalization | Produce a valid proof for an invalid state transition | Proof verification by reading the verifier contract on the finalization layer | | Coordinator | Operator | Stall the pipeline that conflates blocks, requests proofs, and submits them to L1 | Modify state independently of the sequencer or prover | L1 submission events | | Data availability (rollup) | Ethereum | N/A | Withhold data, since DA is on L1 as EIP-4844 blobs | State reconstruction from L1 blobs | -| Data availability (validium) | DA committee chosen by operator | Withhold data, halting recovery | Forge state, since proofs still verify on L1 | What participants observe via DA committee access | +| Data availability (validium) | Operator-run archive nodes or DA committee | Withhold data, halting recovery | Forge state, since proofs still verify on L1 | What participants observe via DA committee access | | Canonical bridge (to Ethereum / Linea-anchored chain) | Operator (admin keys) + protocol (proofs) | Pause bridging via pause roles; upgrade contracts | Forge messages, since both sides verify ZK proofs | Bridge events and proof verification on the finalization layer | | Trusted bridge (to private or non-anchored chain) | Operator (admin keys) + trusted relayer | Pause bridging; relayer can withhold or delay messages | Forge messages, since the relayer signs over verified source-chain events | Bridge events on each side; no shared proof, so verifiability depends on trust in the relayer | | System contracts | Operator (role holders) | Pause, upgrade, change verifier address, change rate limits | Bypass role gating, since every privileged function is role-gated | Role assignments and contract state on the finalization layer | @@ -52,14 +52,14 @@ For the full list of roles, see [LineaRollup contracts reference](/network/build ## Trust assumptions per deployment model -| Trust dimension | Public rollup (L1=Ethereum) | Private validium (L2 on Ethereum) | Private validium (L3 on Linea Mainnet) | +| Trust dimension | Public rollup (L1 = Ethereum) | Private validium (L2 on Ethereum) | Private validium (L3 on Linea Mainnet) | | --- | --- | --- | --- | -| Data availability | Ethereum | Operator-run DA committee | Operator-run DA committee | +| Data availability | Ethereum | Operator-run archive nodes or DA committee | Operator-run archive nodes or DA committee | | Finality anchor | Ethereum | Ethereum | Linea Mainnet (which itself anchors to Ethereum) | | Sequencer trust | Operator can reorder/delay; cannot forge state | Same | Same | | Bridge trust | Cryptographic proof + admin key for upgrades/pauses | Same | Adds Linea Mainnet bridge trust on top | | Inherited trust assumptions | Ethereum L1 only | Ethereum L1 only | Ethereum L1 + Linea Mainnet (sequencer, prover, Security Council, admin keys) | -| State reconstruction without operator | Yes, from L1 blobs | No, depends on DA committee | No, depends on DA committee | +| State reconstruction without operator | Yes, from L1 blobs | No, depends on operator-run DA | No, depends on operator-run DA | A private validium deployed as L3 on Linea Mainnet inherits Linea Mainnet's trust assumptions in addition to its own. See [Linea Mainnet risk disclosures](/network/risk-disclosures) for those. @@ -72,7 +72,7 @@ A private validium deployed as L3 on Linea Mainnet inherits Linea Mainnet's trus | Coordinator stall | L1 submission stops; same effect as prover stall downstream | Operator restart | Single-coordinator is the default | | DA withhold (validium) | Participants cannot reconstruct state independently; new state still verifiable via proof | Operator-defined wind-down procedure; depends on consortium agreement | Operator-defined; not protocol-enforced | | Finality layer reorg | Affects depth of L1 finality; ZK proofs once accepted on L1 cannot be reorged without breaking L1 | Wait for L1 finality depth | Inherent to L1 finality model | -| Admin key compromise | Compromised role can act within its scope until revoked; `DEFAULT_ADMIN_ROLE` compromise affects all roles | Multi-sig key revocation via Web3Signer/KMS; emergency pause via `PAUSE_ALL_ROLE`; contract pause via Multi-Sig Governance Contract | Operator-implemented | +| Admin key compromise | Compromised role can act within its scope until revoked; `DEFAULT_ADMIN_ROLE` compromise affects all roles | Multi-sig key revocation via Web3Signer or equivalent KMS; emergency pause via `PAUSE_ALL_ROLE`; contract pause via the multi-sig governance contract | Operator-implemented | | Bridge halt | Cross-chain transfers stop | Pause roles can halt bridging; resumption via unpause role | Live | | Forced transaction (escape hatch) | Allows participants to bypass a censoring sequencer | L1-submitted forced transactions, gated by `AddressFilter` | Not yet live; planned | @@ -94,8 +94,8 @@ The set of guarantees a participant can verify *without* trusting the operator d - Proof validity, by reading the verifier contract on L1. - That a state transition was proved, even if its contents are private. - Bridge events on L1. -- Their own observed state, by running a node with DA committee access. -- They cannot reconstruct state without DA committee access. This is the validium trade-off. +- Their own observed state, by running a node with access to the operator's DA layer. +- They cannot reconstruct state without access to the operator's DA layer. This is the validium trade-off. **Private validium (L3 on Linea Mainnet)** @@ -107,4 +107,5 @@ The set of guarantees a participant can verify *without* trusting the operator d - [Linea Mainnet risk disclosures](/network/risk-disclosures): applies when finalizing to Linea Mainnet - [Core components](./core-components) - [Deployment models](./deployment-models) +- [Security](/stack/features/security) - [LineaRollup contracts reference](/network/build/contracts) From cd6401c202e80043cd421650b7215cbb83394f94 Mon Sep 17 00:00:00 2001 From: Othryades Date: Sun, 3 May 2026 18:10:42 +0300 Subject: [PATCH 5/7] docs(stack): rework deployment-model trust table for clarity Co-Authored-By: Claude Opus 4.7 (1M context) --- docs/stack/how-it-works/trust-model.mdx | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/docs/stack/how-it-works/trust-model.mdx b/docs/stack/how-it-works/trust-model.mdx index e3961daea0..8272a4c1a5 100644 --- a/docs/stack/how-it-works/trust-model.mdx +++ b/docs/stack/how-it-works/trust-model.mdx @@ -52,12 +52,11 @@ For the full list of roles, see [LineaRollup contracts reference](/network/build ## Trust assumptions per deployment model -| Trust dimension | Public rollup (L1 = Ethereum) | Private validium (L2 on Ethereum) | Private validium (L3 on Linea Mainnet) | +| Trust dimension | Rollup, finalized to Ethereum | Validium, finalized to Ethereum | Validium, finalized to Linea Mainnet | | --- | --- | --- | --- | -| Data availability | Ethereum | Operator-run archive nodes or DA committee | Operator-run archive nodes or DA committee | -| Finality anchor | Ethereum | Ethereum | Linea Mainnet (which itself anchors to Ethereum) | -| Sequencer trust | Operator can reorder/delay; cannot forge state | Same | Same | -| Bridge trust | Cryptographic proof + admin key for upgrades/pauses | Same | Adds Linea Mainnet bridge trust on top | +| Data availability provided by | Ethereum (EIP-4844 blobs) | Operator-run archive nodes or DA committee | Operator-run archive nodes or DA committee | +| Finalization layer | Ethereum | Ethereum | Linea Mainnet (which itself anchors to Ethereum) | +| Bridge trust to the finalization layer | Canonical bridge: ZK proofs + admin keys for upgrades/pauses | Same as rollup | Canonical bridge to Linea Mainnet (proofs + admin keys), plus Linea Mainnet's own canonical bridge to Ethereum | | Inherited trust assumptions | Ethereum L1 only | Ethereum L1 only | Ethereum L1 + Linea Mainnet (sequencer, prover, Security Council, admin keys) | | State reconstruction without operator | Yes, from L1 blobs | No, depends on operator-run DA | No, depends on operator-run DA | From 9a84638e7f04e4937148a248bd63d5f7b6f7c885 Mon Sep 17 00:00:00 2001 From: Othryades Date: Sun, 3 May 2026 18:23:08 +0300 Subject: [PATCH 6/7] docs(stack): align deployment-mode terminology across page Co-Authored-By: Claude Opus 4.7 (1M context) --- docs/stack/how-it-works/trust-model.mdx | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/docs/stack/how-it-works/trust-model.mdx b/docs/stack/how-it-works/trust-model.mdx index 8272a4c1a5..3912d4d78c 100644 --- a/docs/stack/how-it-works/trust-model.mdx +++ b/docs/stack/how-it-works/trust-model.mdx @@ -21,7 +21,7 @@ What this page does not cover: configuration flags, deployment topology, or comp | Prover | Operator | Stall proof generation, halting finalization | Produce a valid proof for an invalid state transition | Proof verification by reading the verifier contract on the finalization layer | | Coordinator | Operator | Stall the pipeline that conflates blocks, requests proofs, and submits them to L1 | Modify state independently of the sequencer or prover | L1 submission events | | Data availability (rollup) | Ethereum | N/A | Withhold data, since DA is on L1 as EIP-4844 blobs | State reconstruction from L1 blobs | -| Data availability (validium) | Operator-run archive nodes or DA committee | Withhold data, halting recovery | Forge state, since proofs still verify on L1 | What participants observe via DA committee access | +| Data availability (validium) | Operator-run archive nodes or DA committee | Withhold data, halting recovery | Forge state, since proofs still verify on L1 | What participants observe via access to the operator's DA layer | | Canonical bridge (to Ethereum / Linea-anchored chain) | Operator (admin keys) + protocol (proofs) | Pause bridging via pause roles; upgrade contracts | Forge messages, since both sides verify ZK proofs | Bridge events and proof verification on the finalization layer | | Trusted bridge (to private or non-anchored chain) | Operator (admin keys) + trusted relayer | Pause bridging; relayer can withhold or delay messages | Forge messages, since the relayer signs over verified source-chain events | Bridge events on each side; no shared proof, so verifiability depends on trust in the relayer | | System contracts | Operator (role holders) | Pause, upgrade, change verifier address, change rate limits | Bypass role gating, since every privileged function is role-gated | Role assignments and contract state on the finalization layer | @@ -60,7 +60,7 @@ For the full list of roles, see [LineaRollup contracts reference](/network/build | Inherited trust assumptions | Ethereum L1 only | Ethereum L1 only | Ethereum L1 + Linea Mainnet (sequencer, prover, Security Council, admin keys) | | State reconstruction without operator | Yes, from L1 blobs | No, depends on operator-run DA | No, depends on operator-run DA | -A private validium deployed as L3 on Linea Mainnet inherits Linea Mainnet's trust assumptions in addition to its own. See [Linea Mainnet risk disclosures](/network/risk-disclosures) for those. +A validium finalized to Linea Mainnet inherits Linea Mainnet's trust assumptions in addition to its own. See [Linea Mainnet risk disclosures](/network/risk-disclosures) for those. ## Failure modes and recovery @@ -81,14 +81,14 @@ The default deployment topology assumes single-instance sequencer, prover, and c The set of guarantees a participant can verify *without* trusting the operator depends on the deployment model. -**Public rollup** +**Rollup, finalized to Ethereum** - Full transaction history, by reading L1 blobs and reconstructing L2 state. - Proof validity, by reading the verifier contract on L1. - Bridge events and message status, on L1. - Contract role assignments and admin actions, on L1. -**Private validium (L2 on Ethereum)** +**Validium, finalized to Ethereum** - Proof validity, by reading the verifier contract on L1. - That a state transition was proved, even if its contents are private. @@ -96,9 +96,9 @@ The set of guarantees a participant can verify *without* trusting the operator d - Their own observed state, by running a node with access to the operator's DA layer. - They cannot reconstruct state without access to the operator's DA layer. This is the validium trade-off. -**Private validium (L3 on Linea Mainnet)** +**Validium, finalized to Linea Mainnet** -- Same as private validium on L2, but proofs are verified on Linea Mainnet (which is itself proved to Ethereum). +- Same as validium finalized to Ethereum, but proofs are verified on Linea Mainnet (which is itself proved to Ethereum). - Verifying the L3 chain end-to-end requires verifying both the L3 proof on Linea Mainnet and Linea Mainnet's proofs on Ethereum. ## See also From d8e1a3ef702416775d27c752890e3db50c2a6579 Mon Sep 17 00:00:00 2001 From: Othryades Date: Mon, 4 May 2026 17:54:08 +0300 Subject: [PATCH 7/7] docs(stack): adopt unified deployment-mode naming --- docs/stack/how-it-works/trust-model.mdx | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/docs/stack/how-it-works/trust-model.mdx b/docs/stack/how-it-works/trust-model.mdx index 3912d4d78c..bd1f510a27 100644 --- a/docs/stack/how-it-works/trust-model.mdx +++ b/docs/stack/how-it-works/trust-model.mdx @@ -52,7 +52,7 @@ For the full list of roles, see [LineaRollup contracts reference](/network/build ## Trust assumptions per deployment model -| Trust dimension | Rollup, finalized to Ethereum | Validium, finalized to Ethereum | Validium, finalized to Linea Mainnet | +| Trust dimension | Public rollup on Ethereum | Private validium on Ethereum | Private validium on Linea Mainnet | | --- | --- | --- | --- | | Data availability provided by | Ethereum (EIP-4844 blobs) | Operator-run archive nodes or DA committee | Operator-run archive nodes or DA committee | | Finalization layer | Ethereum | Ethereum | Linea Mainnet (which itself anchors to Ethereum) | @@ -60,7 +60,7 @@ For the full list of roles, see [LineaRollup contracts reference](/network/build | Inherited trust assumptions | Ethereum L1 only | Ethereum L1 only | Ethereum L1 + Linea Mainnet (sequencer, prover, Security Council, admin keys) | | State reconstruction without operator | Yes, from L1 blobs | No, depends on operator-run DA | No, depends on operator-run DA | -A validium finalized to Linea Mainnet inherits Linea Mainnet's trust assumptions in addition to its own. See [Linea Mainnet risk disclosures](/network/risk-disclosures) for those. +A private validium on Linea Mainnet inherits Linea Mainnet's trust assumptions in addition to its own. See [Linea Mainnet risk disclosures](/network/risk-disclosures) for those. ## Failure modes and recovery @@ -81,14 +81,14 @@ The default deployment topology assumes single-instance sequencer, prover, and c The set of guarantees a participant can verify *without* trusting the operator depends on the deployment model. -**Rollup, finalized to Ethereum** +**Public rollup on Ethereum** - Full transaction history, by reading L1 blobs and reconstructing L2 state. - Proof validity, by reading the verifier contract on L1. - Bridge events and message status, on L1. - Contract role assignments and admin actions, on L1. -**Validium, finalized to Ethereum** +**Private validium on Ethereum** - Proof validity, by reading the verifier contract on L1. - That a state transition was proved, even if its contents are private. @@ -96,9 +96,9 @@ The set of guarantees a participant can verify *without* trusting the operator d - Their own observed state, by running a node with access to the operator's DA layer. - They cannot reconstruct state without access to the operator's DA layer. This is the validium trade-off. -**Validium, finalized to Linea Mainnet** +**Private validium on Linea Mainnet** -- Same as validium finalized to Ethereum, but proofs are verified on Linea Mainnet (which is itself proved to Ethereum). +- Same as private validium on Ethereum, but proofs are verified on Linea Mainnet (which is itself proved to Ethereum). - Verifying the L3 chain end-to-end requires verifying both the L3 proof on Linea Mainnet and Linea Mainnet's proofs on Ethereum. ## See also