Enhancing the Security of Rollup Sequencers using Decentrally Attested TEEs
Giovanni Maria Cristiano, Salvatore D'Antonio, Jonah Giglio, Giovanni Mazzeo, Luigi Romano
TL;DR
The paper tackles the centralization risk of Rollup Sequencers by proposing a targeted security approach that encloses the Sequencer in a Trusted Execution Environment and replaces centralized attestation with on-chain, decentralized verification. It presents a practical implementation using Intel SGX (via Gramine) and Automata libraries on an Optimism-based Rollup, plus a dual renewal mechanism to maintain attestation freshness. Through a detailed evaluation on a realistic testbed, the authors quantify security gains and overheads, showing substantial increases in latency and reductions in throughput but stronger guarantees against MEV, censorship, and host-level tampering. The work highlights the trade-offs between security and performance and points to future improvements with TDX to restore performance while preserving decentralization guarantees.
Abstract
The growing scalability demand of public Blockchains has led to the rise of Layer-2 solutions, such as Rollups. Rollups improve transaction throughput by processing operations off-chain and posting the results on-chain. A critical component in Rollups is the Sequencer, responsible for receiving, ordering and batching transactions before they are submitted to the Layer-1 blockchain. While essential, the centralized nature of the Sequencer makes it vulnerable to attacks, such as censorship, transaction manipulation and tampering. To enhance its security, there are solutions in the literature that shield the Sequencer inside a Trusted Execution Environment (TEE). However, the attestation of TEEs introduces additional centralization, which runs counter to the core Blockchain principle. In this paper, we propose a TEE-secured Sequencer equipped with a decentralized attestation mechanism. We outline the design and implementation of our solution, covering the system architecture, TEE integration, and the decentralization of the attestation process. Additionally, we present an experimental evaluation conducted on a realistic Rollup testnet. Our results show that this approach strengthens Sequencer integrity without sacrificing compatibility or deployability in existing Layer-2 architectures.
