Risks on CEX’s Confirmation Number on Arbitrum and Optimism: An In-Depth Analysis

This article examines the risks associated with centralized exchange (CEX) confirmation numbers on Arbitrum and Optimism, Ethereum Layer 2 solutions, highlighting the importance of understanding their distinct finality mechanisms and transaction processing methods to ensure secure and transparent deposit and withdrawal processes for users.

June 12, 2024

Risks on CEX’s Confirmation Number on Arbitrum and Optimism: An In-Depth Analysis

Introduction

As Web3 security researchers, audit firms, and developers of smart contracts, understanding the intricacies of Layer 2 (L2) solutions on Ethereum, particularly Arbitrum and Optimism, is essential. These solutions promise scalability and lower fees but come with their unique security challenges, especially regarding transaction finality and the confirmation processes used by centralized exchanges (CEXs). This article delves into the risks associated with CEX confirmation numbers on Arbitrum and Optimism, offering insights into the best practices for mitigating these risks.

Background

Blockchain’s immutability, ensured by its consensus mechanism, is a cornerstone of its trustworthiness. The concept of "finality" refers to the irreversible confirmation of transactions, guaranteeing that once a block is finalized, it cannot be altered. However, achieving finality varies across blockchain designs. Arbitrum and Optimism, both Ethereum L2 chains, have distinct finality mechanisms due to their unique architectures.

Finality from a CEX Perspective

For CEXs, the relationship between deposit/withdrawal processes and transaction finality is critical. If a transaction reverts after a CEX confirms it, financial losses can occur. Therefore, CEXs must ensure that transactions are final before processing them.

Deposit and Withdrawal Risks

  1. Deposits (External Wallet → CEX Wallet): If a transaction reverts after confirmation, exchanges may lose assets. The deposit might be reverted on the blockchain, but the CEX may still consider the assets deposited, leading to potential double-spend issues.
  2. Withdrawals (CEX Wallet → External Wallet): If a transaction reverts, users may lose assets. The withdrawal might be considered complete by the CEX server, necessitating manual asset recovery processes.

Thus, exchanges should wait for final transaction confirmation, often determined by the number of blocks generated after the transaction on the base network (Ethereum in this case).

Finality Mechanisms of Arbitrum and Optimism

To understand how finality is achieved in Arbitrum and Optimism, we need to explore their transaction processes.

Arbitrum

Transaction Processing

Arbitrum uses two methods for transaction submission:

  1. Submission through the Sequencer: A centralized entity processes transactions, arranges them into a list, and publishes them on the Arbitrum chain, later submitting the batch to Ethereum.
  2. Submission via the "Delayed Inbox" on Ethereum: This method is less common for exchanges due to higher fees and poorer user experience.

Potential Issues with Arbitrum

  1. Sequencer’s Batch Submission Faces Reorgs: If the batch submission gets reorged, finality is delayed until resubmission, causing instability.
  2. Malicious Sequencer: The sequencer can rearrange transactions or delay batches, potentially causing instability if it halts operations for an extended period.
  3. Sequencer Stalls: Since launch, Arbitrum’s sequencer has halted thrice, causing block production to cease temporarily.
  4. Delayed Inbox Transactions: Normally, these transactions are appended to the off-chain inbox periodically. However, prolonged sequencer stalls can lead to instability.

Optimism

Transaction Processing

Optimism also processes transactions through a sequencer, which arranges and publishes them on the Optimism chain and periodically uploads proofs to Ethereum. Additionally, users can submit transactions to an Ethereum contract.

Potential Issues with Optimism

  1. Sequencer Malfunctions or Stalls: Optimism’s block creation has halted due to bugs, impacting transaction processing.
  2. Ethereum Finality Issues: Performance degradations in syncing blocks with Ethereum have historically caused delays.

Current CEX Confirmation Practices

CEXs have varying block confirmation requirements for L2 deposits. These requirements reflect their awareness of Ethereum finality issues and the distinct mechanisms of Arbitrum and Optimism.

Conclusion

Setting appropriate confirmation numbers is crucial for safeguarding both users and exchanges. The varying confirmation requirements across CEXs highlight different risk assessments. Exchanges must explain their confirmation numbers to users, ensuring transparency and trust.

References

Author's image

TRUSTBYTES