Open Source, Zero Knowledge, and the Age of Copypasta
There is no standardized measure of how many Zero Knowledge (ZK) rollup projects are in development. By one count, it's more than 300. By another it's closer to 20. But by either metric, the overwhelming majority of ZK rollups are still maturing. And as these rollups mature to testnet and mainnet, they will be faced with a decision about licensing.
At the industry level, crypto has a longstanding commitment to open-source code. But the specifics of licensing around ZK proving systems, widely seen as one key precursor for mass adoption of crypto technology, will have far-reaching effects. These choices will directly impact the cost of developing and maintaining any application built with ZK tooling, as well as how users model risk.
Not unrelatedly, Polygon zkEVM is now source-available with a public testnet. This means anyone can access and view the code—we’ll even walk you through it. It also means that anyone can connect to the testnet, bridge assets, and deploy a ZK-verified smart contract. There is no other Ethereum Virtual Machine–equivalent ZK rollup that can claim all of that. And for any ZK prover to be licensed open-source, making the source code available is a necessary step.
So what are the options for open-source licenses? How do they differ? And how have innovations in crypto, particularly within ZK tech, led to new licensing practices?
Copyright vs Copyleft
The license applied to code is a grant of rights for how that source code may be used. Copyright refers to a spectrum of open-source licenses that vary in degrees of restrictiveness, from the most permissive, like MIT, to the more restrictive, such as Apache 2.0, which includes conditions for derivative works that are commercialized.
Both copyright and copyleft licenses are free and open-source. Importantly, though, copyright licenses grant derivative or modified works the right to be made proprietary. Copyleft licenses, like GPLv2, are not only free and open source, but all derivative works are obligated to use the same license. This means that the source code and its freedoms are legally inseparable. GPLv2 is one of a suite of GNU licenses, though all variations are informed by an underlying philosophy distinct from copyright.
With few exceptions, ZK rollups are using copyright licenses on the publicly available portions of their proving systems. Many use multiple licenses across multiple repositories to grant rights. Polygon Zero, for example, lists Apache 2.0 and MIT as licenses on their Plonky2 prover and Starky repositories. Anyone who wishes to copy or modify either code base is free to do so, and can select which of the two licenses best suits them. The primary distinction between MIT and Apache 2.0 is that the latter grants free use on the condition that any meaningful modifications be noted and described.
ZkSync’s supporting architecture is similarly licensed with MIT and Apache 2.0; however, the repo for their prover currently contains no open-source license. Matter Labs, the leadership behind the rollup, has expressed a commitment to eventually adding one.
As of this writing, Scroll’s ZK proving system is in pre-alpha testnet, available only to whitelisted users. However, a portion of Scroll’s rollup relies on a fork of Go Ethereum, which offers a domain-specific example of the usefulness of open-source code.
Go Ethereum, often referred to as Geth, is one of the original implementations of the Ethereum protocol. Because Geth is licensed with GPLv3, another of GNU’s copyleft licenses, so is Scroll’s fork repo. Devs building on Ethereum have benefited from the many contributions and optimizations other devs made to Geth: That Geth has been forked more than 15,000 times makes a strong case for the implicit value of open source.
Copypasta and New Licensing Paradigms
Within the ZK rollup realm, there is one notable exception to the open-sourcing trend: StarkWare’s ZK rollup and their Polaris license. Last year, StarkWare announced it would license the STARK Prover, the critical component of their ZK proving system, with a new kind of license. Polaris grants rights to commercial use with one meaningful condition: Every proof generated by the Prover must be submitted to a whitelisted Polaris Verifier. These verifiers are empowered to collect fees, gas-like or other.
Alongside StarkWare’s announcement of Polaris was one by Aztec, who said they would also use the Polaris license on their forthcoming PLONK Prover. However, last summer, Aztec reversed that decision and announced that all future code would be licensed with Apache 2.0.
The creation of Polaris was informed by an interest in protecting the capital-intensive research and development required to bring a project to maturity. Which brings us to Uniswap and SushiSwap. Consider that SushiSwap’s forking of Uniswap allowed a siphoning-off of ~55% of Uniswap’s liquidity by (among other things) incentivizing staking of Uniswap’s liquidity provider tokens. Following this clone war, Uniswap relicensed their code with V3, a business-source license aimed at preempting future SushiSwaps. V3 prevents users from copying Uniswap’s code wholesale, and limits the commercial use of derivatives or clones for up to two years.
Uniswap and StarkWare aren’t the only crypto projects inching away from the industry’s open source standards. Metamask’s new license allows developers to copy, modify, and distribute the code, but if that code is then used commercially and serves more than 10,000 customers per month, a commercial agreement must follow.
Aztec’s recommitment to open source is meaningful. The accelerated progress of zero knowledge-powered proving systems is not unrelated to the free exchange of ideas facilitated by open source. And as other ZK proving systems catch up and move into testnet, optimizations will follow. The Polaris license won’t prevent those optimizations, but developers leveraging ZK tooling with such a license will depend on the license holder to maintain and update the code base—and then take it on good faith that access to those optimizations isn’t prohibitively expensive.
Trust But Verify
So what’s Polygon’s position on open source? We do a great deal of open-sourcing, even though not everything about our work-in-progress ZK products is as yet officially licensed. For now, as mentioned, Zero’s Plonky2 prover is licensed open-source—both as a matter of best practice and for the benefit of the Ethereum community more broadly. Additionally, the repos for Hermez’s ZK SNARK circuits are open source with AGPLv3, GNU’s strongest copyleft license. The ZK VM in development from the Miden team is MIT-licensed.
Open-source and source-available code are ultimately about trust. In order to trust the code itself, rather than a given set of people maintaining the code, it helps a great deal if you can view it yourself and understand exactly how it works. And for such a review to be possible, well, the source code must be available. Polygon is committed to doing what we can to make sure you can trust our code.