Introducing the Pessimistic Proof for the AggLayer: ZK Security for Cross-chain Interoperability

Cryptographic safety for the AggLayer requires a novel solution. It’s called the pessimistic proof and it treats all chains suspiciously. Here’s how it works.

Polygon Labs
May 28, 2024

  • In its endstate, the AggLayer will be a decentralized protocol that scales blockchains by unifying liquidity, users, and state. It does so in part via a unified bridge.
  • The pessimistic proof provides the cryptographic guarantee that allows chains to connect to a shared bridge without additional trust assumptions; it ensures that, even if a chain’s security is compromised, it cannot drain funds from other chains
  • A pessimistic proof does this by constantly ensuring that no chains are lying about deposits to their chain.
  • Practically speaking, it will eventually allow users to move assets from Chain A to Chain B without needing to take an intermediate step via the L1
  • The earliest iteration of the AggLayer will prioritize safety over speed; but, by design, the AggLayer supports interoperability that is faster than Ethereum’s finality

When a blockchain connects to the AggLayer, it joins many other chains in a single, unified bridge connected to Ethereum. This is already the case for OKX’s X Layer, Astar zkEVM, and Polygon zkEVM—with more coming soon.

A shared bridge allows users to seamlessly send and receive fungible assets between L2s, providing far better UX than third-party bridges, which result in users receiving wrapped synthetic versions of an asset on the destination chain, or multiple native bridges, which would impose delays of up to seven days (!) in the case of optimistic rollups. 

But this solution comes with a novel problem: As the AggLayer expands to support different provers and consensus mechanisms, the chance of a soundness error rises. Without a proper safety mechanism, a malicious actor on one chain could potentially exploit the entire bridge. 

The solution is what we’re calling the pessimistic proof, a novel zero-knowledge proof ensuring cryptographic safety for cross-chain transactions. 

We call it pessimistic because the AggLayer assumes all chains are unreliable and can’t play nice with one another. With the pessimistic proof, one chain’s issues definitionally cannot contaminate the rest of the chains on the unified bridge. 

Taking a pessimistic view of every individual chain ensures the collective safety of all chains. 

(**Note**: The AggLayer does not extend security guarantees to any chain. Every chain connected to the AggLayer continues to use its existing finality mechanism. What the pessimistic proof ensures is cross-chain security for the entire aggregated blockchain network: A security issue on any one chain cannot drain deposits made to any other chain on the unified bridge.) 

Let’s break down how pessimistic proofs work, both at a conceptual level, and in practice.

Tracking the state of the unified bridge

From the AggLayer’s perspective, the unified bridge is a big network of chains—a network that grows more complicated as more chains join.

To keep this network safe, the AggLayer needs a full view of all the transfers of assets and messages across the chains in order to guarantee a crucial piece of information: At no point can any chain withdraw more from the bridge than what has been deposited on the chain’s L1 contract.

The AggLayer is charged with checking three key pieces of information required to generate a pessimistic proof and make the above guarantee. These checks are:

  1. Chain updates have been done correctly;
  2. Chains have done their internal accounting correctly—meaning they didn’t try to withdraw tokens they didn’t have; and
  3. All of the chains, taken together, have done their combined internal accounting correctly.

This is the AggLayer’s way of interrogating each chain to make sure it hasn’t tried to withdraw more from the bridge than has been deposited. In this way, a chain that can’t play nice with others is only a threat to itself—but not to the rest of the aggregated network.

In other words, if Chain A says it has 100 POL deposited on the bridge, the AggLayer keeps track to make sure it does not subsequently attempt to withdraw 200 POL, whether through equivocation or an exploit by some malicious actor. 

So how does the AggLayer provide a ZK proof to the underlying L1 that guarantees no chain balance dips below zero? 

And, importantly, how can this be done in a way that minimizes complexity so as to keep cost and latency low?

Leaves, exit roots, and Merkle trees

Here’s how the pessimistic proof ensures safety: Each chain connected to the AggLayer maintains a local exit tree, which tracks all withdrawals from that chain. 

Using the root of each chain’s local exit tree, the AggLayer can build a global view of all withdrawals from all chains on the unified bridge; this is called the “global exit tree.”

In short, the AggLayer tracks two numbers, withdrawals and deposits, so that it can get a view of the current balance across all chains. 

Because the global exit tree is committed to the L1, the AggLayer must know that all local exit trees are valid, too, to ensure that the next global exit tree is also valid. 

In other words, the AggLayer needs to know that the cumulative state of all connected chains checks out. 

To ensure this cryptographically, the AggLayer generates a pessimistic proof, which requires three inputs from each chain: 

  1. The chain’s local exit tree, as of its most recent update
  2. The list of new withdrawals included in the current update
  3. The chain’s expected new local exit root

Using inputs 1 and 2, the AggLayer computes the new local exit root, compares it with the chain’s expected local exit root, and generates a proof that answers the question: Did the local exit root update properly? 

Before committing a new global exit root to the L1, the AggLayer must also make sure that no chain is withdrawing more tokens than have been deposited to it. This is its way of interrogating each chain to make sure no chain is lying and trying to rug the unified bridge.

Using the pessimistic proof, the AggLayer is able to compute how many tokens of each type were withdrawn from each chain. These values are then summed across all chains, leaving a single view of the total balances available for each token on the AggLayer.

If any chain is found to have a negative balance, the AggLayer determines that the chain has attempted to withdraw tokens that were not deposited into it. Not good.

In that case, the chain’s update is invalid, and any pessimistic proof containing that chain’s invalid state cannot be verified on the L1. This prevents the offending chain’s update from settling to Ethereum—keeping the aggregated network safe.
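The two checks described above (exit root recomputation, then the no-negative-balance rule), modelled in plain Python as an added example that is not AggLayer or Polygon code. SHA-256, the simplified Merkle layout, the `(token, amount, dest_chain)` withdrawal tuple, and crediting the destination chain are assumptions made for illustration; the AggLayer attests to these checks inside a ZK proof rather than running them in the clear.

```python
import hashlib

def h(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()

def leaf(w) -> bytes:
    # w = (token, amount, dest_chain); this byte encoding is made up for the example.
    token, amount, dest = w
    if amount <= 0:
        raise ValueError("withdrawal amount must be positive")
    return h(token.encode(), b"|", amount.to_bytes(32, "big"), b"|", dest.encode())

def merkle_root(leaves) -> bytes:
    # Simplified binary Merkle tree; odd levels are padded with a zero node.
    level = list(leaves) or [bytes(32)]
    while len(level) > 1:
        if len(level) % 2:
            level.append(bytes(32))
        level = [h(level[i], level[i + 1]) for i in range(0, len(level), 2)]
    return level[0]

def verify_batch(balances, updates):
    """balances: {chain: {token: amount}}
    updates: {chain: (old_leaves, new_withdrawals, expected_root)}
    Returns the new balances; raises ValueError if any update is invalid."""
    new = {c: dict(t) for c, t in balances.items()}
    for chain, (old_leaves, withdrawals, expected_root) in updates.items():
        # Check 1: inputs 1 and 2 must reproduce the claimed new local exit root.
        if merkle_root(old_leaves + [leaf(w) for w in withdrawals]) != expected_root:
            raise ValueError(f"{chain}: local exit root mismatch")
        for token, amount, dest in withdrawals:
            new.setdefault(chain, {})[token] = new.get(chain, {}).get(token, 0) - amount
            # Assumption: a withdrawal credits the destination chain's balance.
            new.setdefault(dest, {})[token] = new.get(dest, {}).get(token, 0) + amount
    # Checks 2 and 3: with every update applied, no chain may be negative in any token.
    for chain, tokens in new.items():
        for token, amount in tokens.items():
            if amount < 0:
                raise ValueError(f"{chain}: {token} balance {amount} is negative")
    return new

if __name__ == "__main__":
    # Constructed sample: chain A has 100 POL deposited and claims a 200 POL withdrawal.
    start = {"A": {"POL": 100}, "B": {"POL": 0}}
    overdraw = [("POL", 200, "B")]
    try:
        verify_batch(start, {"A": ([], overdraw, merkle_root(map(leaf, overdraw)))})
    except ValueError as err:
        print("rejected:", err)
```

A single failing chain makes the whole batch raise, mirroring the statement that a proof containing an invalid chain state cannot be verified on the L1.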

So to sum up: The AggLayer scrutinizes all chain balances on the unified bridge and generates a cryptographic guarantee that no bad actors are draining the bridge. In the end, a prover generates a single, final pessimistic proof. 

This is the AggLayer’s way of temporarily suspending pessimism. All chain updates were done correctly, and none of these updates resulted in negative balances for the unified bridge. OK, good to go. 

By isolating bad actors, the AggLayer cryptographically guarantees the safety of funds flowing across the entire network.

There is more coming on the pessimistic proof tomorrow. Stay tuned. 

*  *  * 

Tune into the blog and our social channels to keep up with updates about the Polygon ecosystem.

The future of Web3 is aggregated.
