Ethereum's growth over the past decade has been shaped by a simple promise: scaling the network without compromising decentralization. According to its roadmap, the answer is a future centered around Rollups: Layer 2 networks (L2s or "Rollups") that execute transactions off-chain to achieve lower costs and higher throughput while still deriving core security guarantees from Ethereum's base layer (Layer 1). Nearly all major Rollups, such as Arbitrum, Optimism, Base, zkSync, and Scroll, market themselves as "secured by Ethereum." This powerful phrase is central to their marketing narrative, but does it align with reality? Once you take a closer look at how a Rollup actually works and how assets flow in and out, this claim becomes murky.
This article will unpack the gap between rhetoric and reality, starting with the bridge (where user funds reside), moving on to the sequencer (who orders transactions), and finally the governance mechanism (who sets the rules).
The Reality of Rollup Bridges
The “security provided by Ethereum” narrative ignores how users actually interact with these systems.
To use a Rollup, whether for DeFi, payments, or applications, your assets first need to exist on it. Ethereum has no built-in way to directly move assets in or out; you can't simply "teleport" ETH into a Rollup. That requires a bridge. Bridges are the on- and off-ramps between Ethereum and a Rollup, and they define the security that users actually experience.
How the Bridge Works
Deposits
When you deposit ETH into a Rollup, you send it to a bridge contract on Ethereum. This contract locks your ETH and tells the Rollup to create an equivalent amount of tokens in your L2 wallet. For example, if you deposit 1 ETH, the bridge securely holds your 1 ETH on Ethereum, and your Rollup account shows 1 ETH. Because Ethereum holds custody of the locked ETH, deposits are trust-minimized.
Withdrawals
Withdrawals are where the complications arise. To withdraw, the process is reversed:
You burn (or lock) tokens on the Rollup.
You send a message to the Ethereum bridge contract: "I burned tokens on L2, please release my locked ETH."
The key is this: Ethereum can't see what's happening inside the Rollup. It's blind to L2 computations. Therefore, Ethereum will only release your funds if the bridge provides proof that the withdrawal was legitimate. This proof can be:
Fraud proof (Optimistic Rollup): The transaction is assumed to be valid unless challenged within the dispute period.
Validity proof (ZK Rollup): A cryptographic proof that all transactions followed the rules up front, so Ethereum can trust the outcome immediately.
Multi-sig or Committee: Relies on trusted parties for attestation.
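The three proof models above can be compared in a toy model of the L1 side of a bridge. This is an added example, not code from any real bridge; the class names, mode strings and 7-day dispute window are assumptions, and it models one claim per burn.

```python
# Toy model of an L1 bridge (added illustration, not any real bridge contract).
# Class names, the mode strings and the 7-day window are assumptions.
from dataclasses import dataclass, field

DISPUTE_PERIOD = 7 * 24 * 3600  # assumed dispute window, in seconds


@dataclass
class Claim:
    user: str
    amount: int
    proposed_at: int
    challenged: bool = False
    done: bool = False   # set once funds are released, so a claim pays out once


@dataclass
class Bridge:
    mode: str            # "optimistic", "validity" or "committee"
    threshold: int = 2   # committee signatures required
    locked: int = 0      # ETH held in custody on L1
    burns: dict = field(default_factory=dict)  # L2 ground truth, invisible to L1

    def deposit(self, amount):
        self.locked += amount  # L1 sees deposits directly, so no proof is needed

    def burn_on_l2(self, user, amount):
        self.burns[user] = self.burns.get(user, 0) + amount

    def backed(self, claim):
        return self.burns.get(claim.user, 0) >= claim.amount

    def challenge(self, claim, now):
        # A watcher wins only against an unbacked claim, and only inside the window.
        if not self.backed(claim) and now - claim.proposed_at < DISPUTE_PERIOD:
            claim.challenged = True

    def finalize(self, claim, now, proof_ok=False, signatures=0):
        if self.mode == "optimistic":
            ok = not claim.challenged and now - claim.proposed_at >= DISPUTE_PERIOD
        elif self.mode == "validity":
            ok = proof_ok  # stands in for an on-chain proof verifier
        else:
            ok = signatures >= self.threshold  # L1 trusts signers, not L2 state
        if ok and not claim.done and self.locked >= claim.amount:
            claim.done = True
            self.locked -= claim.amount
            return True
        return False
```

In the optimistic mode an unbacked claim is stopped only if someone calls `challenge` inside the window; in the committee mode nothing on L1 checks the L2 state at all.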
The bridge defines how you access the Rollup. Think of it like a window in a house. Even if the window (the bridge) is broken, the house (the Rollup) itself remains standing. But if the window is shattered, you can’t enter or exit safely. Similarly, a compromised bridge cuts off users’ access, even if the Rollup machine itself is still running.
This is why the bridge layer is the true lens through which to measure the security of a Rollup. Whether an asset "secured by Ethereum" is truly secure depends on the bridge you use and the trust model it relies on, not the Rollup itself.
The Bridge Model and Its Assumptions
Canonical Bridges (aka "official" Rollup bridges): These are tied to Ethereum. When you lock up assets, Ethereum validators guarantee that you can eventually withdraw them back to L1, even if L2 ceases to function. Canonical Bridges are the only bridges that directly inherit Ethereum's security properties.
External Bridges (e.g., Wormhole, LayerZero, Axelar): These offer a faster user experience and cross-chain transfers through independent validator committees or multi-sig mechanisms, but are not enforced by Ethereum consensus. If these off-chain operators are hacked or collude, users could lose funds even if Ethereum is operating perfectly.
Native Issuance (tokens minted directly on Rollup): For example, USDC on Base or OP on Optimism. These assets never go through a canonical bridge and cannot be redeemed on L1. Their security comes from the governance and infrastructure of the Rollup, not Ethereum.
Where are Rollup assets actually stored?
As of August 29, 2025, Ethereum Rollups have a total of approximately $43.96 billion in assets locked. Here’s the breakdown:
External Bridges: $16.95B (39%) — Largest category
Canonical Bridges: $14.81B (34%) — Assets secured by Ethereum
Native Minting: $12.20B (27%) — Rollup native assets

Trend over time
Looking back from 2019 to 2022, canonical bridges were the primary force driving Rollup adoption. Almost all of the early growth came from official bridges that put Ethereum at the core. However, starting from the end of 2023, the situation begins to change:
Canonical bridging continues to grow in absolute terms, peaking in 2024, but its share begins to shrink.
Native issuance expands steadily, especially from 2024 to 2025.
External bridges accelerate fastest starting in late 2023, and by early 2025 they surpass canonical bridges - this is the crossover point where Ethereum loses majority share of Rollup assets.
Today, two-thirds of Rollup assets (external bridges + native) are outside the direct security of Ethereum.
Rollup Level Breakdown
The market is highly concentrated: the top six Rollups account for 93.3% of total TVL. Across these ecosystems, the distribution is as follows:
Canonical Bridge: 32.0%
Native Issuance: 28.8%
External Bridge: 39.2%
Aggregation Pattern Illustration
External Focus: Arbitrum and Unichain, where users seek fast exits/liquidity through third-party bridges.
Canonical Focus: Linea (and to a lesser extent OP Mainnet), where more L1-sourced collateral is routed through the official bridge.
Native Focus: zkSync Era and Base, with numerous L2-issued assets (such as native USDC on Base) and direct deposit channels.
Importance: In the largest Rollups, the majority of value lies outside of Ethereum's direct guarantee. The actual security users receive depends on the bridge model behind each asset.
Beyond Bridges: Other Risks
Bridges explain where assets reside, but even if every asset is canonical, users still face other trust and security gaps. Three areas are particularly important: how transactions are ordered, who governs the stack, and how composability impacts the user experience.
1. Sequencers: A Centralized Point of Control
Ordering is the sequential process of incorporating transactions into the blockchain. Almost all Rollups use a centralized sequencer. This setup is both fast and profitable. However, centralized sequencers can:
Censor transactions by refusing to include them in blocks.
Block withdrawals indefinitely, as they determine when withdrawal requests are batched and submitted to Ethereum.
Go offline entirely, ceasing activity until they are back online. (For example, Arbitrum experienced a 78-minute outage.)
Ethereum incorporates "forced inclusion" mechanisms that allow users to submit transactions directly to L1, bypassing the sequencer. However, these mechanisms do not guarantee fairness. Sequencers still control block ordering, which is often enough to harm users.
Here's an example of a transaction that can be included but still fail:
Suppose you try to withdraw funds from Aave on L2.
You submit a withdrawal request on Ethereum with a forced inclusion, which means the sequencer can't ignore it.
But the sequencer can insert its own transaction before yours, for example to borrow additional funds from the same pool.
By the time your withdrawal runs, the pool no longer has enough liquidity, and your withdrawal fails.
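The scenario above as a runnable toy model, showing that the same forced transaction succeeds or reverts depending only on where it is placed in the block. This is an added example, not Aave or Rollup code; the pool, the block builder and all amounts are constructed for illustration.

```python
# Toy lending pool and block builder (added illustration, not Aave or rollup code).
# Names and amounts are constructed for this example.
class Pool:
    def __init__(self, liquidity, deposits):
        self.liquidity = liquidity      # funds currently available in the pool
        self.deposits = dict(deposits)  # what each user is owed

    def apply(self, tx):
        kind, who, amount = tx
        if amount > self.liquidity:
            return False                # reverts: not enough liquidity left
        if kind == "withdraw":
            if amount > self.deposits.get(who, 0):
                return False
            self.deposits[who] -= amount
        self.liquidity -= amount        # both borrow and withdraw drain liquidity
        return True


def build_block(forced, sequencer_txs, sequencer_first):
    # Forced transactions must appear in the block, but the sequencer
    # still chooses where they sit relative to its own transactions.
    return sequencer_txs + forced if sequencer_first else forced + sequencer_txs


def execute(pool, block):
    # One receipt per transaction: every entry was included, not every one succeeded.
    return [{"tx": tx, "included": True, "success": pool.apply(tx)} for tx in block]


def included_but_failed(receipts, forced):
    # The check a user or monitor needs: forced txs that landed but reverted.
    return [r["tx"] for r in receipts if r["tx"] in forced and not r["success"]]


def run(sequencer_first):
    pool = Pool(liquidity=100, deposits={"user": 80})
    forced = [("withdraw", "user", 80)]
    block = build_block(forced, [("borrow", "sequencer", 50)], sequencer_first)
    return included_but_failed(execute(pool, block), forced)
```

`run(False)` returns an empty list and `run(True)` returns the user's withdrawal, so monitoring has to look at execution status, not just inclusion.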
Your transaction is "included," but its outcome is compromised. Forced inclusion also comes with practical concerns: wait times can be hours (sometimes exceeding 12 hours), throughput is limited, and there's a risk that transactions can be reordered even after submission. It acts more like a slow safety valve than a guarantee of fair execution.
Meanwhile, momentum is building towards decentralization. Projects like Espresso and Astria are building shared sequencer networks to improve resiliency and interoperability. A key concept here is pre-confirmation: an early commitment by a sequencer or shared network that a transaction will be included, even before it's finalized on Ethereum. This helps mitigate the latency penalty imposed by decentralization, giving users faster guarantees without sacrificing neutrality. However, centralized sequencers remain dominant because they are simple, profitable, and attractive to institutions, at least until competition or user demand forces a change.
2. Governance and Incentive Risk (Corporatized L2s)
Who operates the L2 does matter. Many leading Rollups are run by corporations or venture-backed teams (e.g., Coinbase's Base, Offchain Labs' Arbitrum, OP Labs' Optimism). Their obligations are primarily to shareholders/investors, not to Ethereum's social contract.
Shareholder Responsibility → Profitability Pressure: Fees are initially low to attract users, then rise once liquidity and adoption are locked in (a classic "platform tax" model). Expect higher sequencer fees, preferential integrations, or rules that favor the operator's broader business.
Lock-in Effect → Leverage: After accumulating billions of dollars in TVL and users, switching costs make exit difficult. Operators can change economic models or policies without fear of mass migration.
Cultural Mismatch: Ethereum relies on public developer meetings, multi-client diversity, and open governance (EIPs). Corporatized Rollups are more top-down, often with admin keys/multisigs that can pause, upgrade, or freeze the system, prioritizing compliance or profitability over neutrality. Over time, Rollups may increasingly resemble walled gardens.
The result is a growing gap between Ethereum's open ethos and the incentives shaping corporatized Rollups. This gap not only affects governance but also ripples into how applications interact and how users experience the system.
3. Composability and User Experience (UX)
The "magic" of Ethereum lies in atomic composability: contracts can be read/written synchronously in a single transaction (imagine a Uniswap swap atomically repaying Aave and triggering an action on Maker). L2s break this composability:
Asynchronicity: Cross-Rollup messages are delayed, canonical bridge exits can take days, and third-party bridges impose trust assumptions.
Silos: Liquidity and state are fragmented across L2s, reducing the seamless DeFi user experience that makes Ethereum compelling.
What can fix this? Ethereum-native Rollups (designed and governed to L1 standards) can enable synchronous L2→L1 reads, synchronous L1→L2 writes, and atomic cross-Rollup writes, restoring much of L1's composability while expanding the blockspace. Without this, the user experience will continue to gravitate towards convenience layers that aren't secured by Ethereum.
The Future of Rollup
If "secured by Ethereum" is to become more than just a slogan, the core guarantees must reside on L1, not in off-chain committees or sequencers controlled by a single company. Three designs point in this direction.
Native Rollup shifts validity entirely to Ethereum.
Rather than requiring users to trust an independent fraud proof system, a ZK prover they can’t audit, or a security committee, Rollups will provide a transaction trail that Ethereum itself can re-execute.
In effect, this turns withdrawals and state correctness into L1 rights rather than promises: if a Rollup claims your balance is X, Ethereum can directly check that claim.
This reduces the attack surface of bridges, reduces the need for pause keys, and keeps Rollups consistent with future Ethereum upgrades.
The tradeoff is higher costs on L1, but the reward is simple: when a dispute arises, L1 adjudicates.
No native Rollup is currently live.
Based Rollup anchors transaction ordering to Ethereum's validator set. Today, a single sequencer can reorder or delay transactions, which in practice is enough to undermine the "forced inclusion" mechanism. With ordering based on L1 consensus, the canonical ordering comes from L1, making censorship and last-second reordering much more difficult. Forced inclusion becomes a normal path rather than a slow safety valve. Projects add "pre-confirmations" to keep the user experience smooth while still letting L1 serve as the final arbiter of ordering. You give up some of the revenue and flexibility of L2, but you remove the largest single point of control in the current stack. The core teams working on Based Rollup design include Taiko, Spire, and Puffer.
Keystore Rollup addresses a more insidious but persistent source of risk: keys and upgrades.
Rather than having each Rollup (and application) handle account recovery, session keys, and rotation independently, a minimal "Keystore" Rollup standardizes the logic once and syncs it everywhere.
Users rotate or recover keys in one place; changes are propagated to all L2s. Operators need fewer emergency keys; administrators need fewer "God mode" switches.
The result is fewer wallet compromises, fewer hasty upgrades after incidents, and a cleaner separation between account security and application logic.
The Keystore Rollup design is currently theoretical and has not yet been launched.
To sum up, these approaches are consistent with the problems users actually face: exit mechanisms that rely on trust, ordering controlled by a single company, and fragile key/upgrade paths.
Bringing validity, ordering, and account security under the Ethereum umbrella is how Rollup can earn the claim of being “secured by Ethereum” rather than just using it as a marketing slogan.