Hybrid rollups: discover Metis, Fraxchain, Aztec, Miden, and Ola
Table of Contents
Hybrid rollups are a new class of Ethereum L2 solutions that can be split into two groups: those that combine optimistic and ZK technology and those that enable both public and private smart contracts. We break down these two approaches and compare the 5 main projects.
What is a hybrid rollup?
The term “hybrid rollup” can have two meanings:
1) an L2 scaling solution, mostly for Ethereum, that combines the scalability of optimistic rollups and the security of ZK rollups. The best examples are the rollups built by Metis DAO and Frax Finance.
2) an L2/L3 scaling solution that supports both public and private smart contracts and transactions. Uses who want privacy can execute contracts on their own devices, generate their own ZK proofs, and upload them to the rollup. These are very cost-efficient, because the rollup only needs to verify the proofs, not the transactions themselves.
To unpack both definitions, let’s first remember how the two basic rollup types work.
Optimistic vs. ZK-proof rollups
Rollups improve Ethereum’s high fees, and slow speed. Rollups are essentially separate chains that take a batch of transactions, process them quickly and cheaply, then packageand upload the results to the mainnet.
The main problem here is how to verify that all the transactions in a batch are valid. It’s here that optimistic and ZK (zero-knowledge) rollups differ.
An optimistic rollup, such as Arbitrum or Optimism, presumes that all transactions are valid. It doesn’t do any serious checks and thus saves time and resources. The main advantages of optimistic rollups are scalability and fast confirmation.
However, when the batch is uploaded to Ethereum, there is a 7-day challenge window when any validator can contest a transaction that they believe to be fraudulent. This means regular users have to wait a week when bridging funds from Arbitrum or OP Mainnet back to the mainnet. This is the “real” finality time – and 7 days is extremely long, considering that the best L1s like Aptos boast sub-second finality.
Another issue is that optimistic bundles are heavy; uploading them to Ethereum consumes a lot of gas.
A ZK rollup (such as zkSync Era) generates a special proof of validity and attaches it to the batch, so that everyone on Ethereum can be sure that transactions uploaded from the rollup are valid. Thus, ZK rollups do not need challenge windows, and have improved security and faster finality.
The power of ZK is that you can verify information is true without revealing it. ZK proofs can also be lightweight, though they take a lot of resources to calculate. On the rollup chain itself, confirmation time is slower for ZK than optimistic L2s.
Technical complexity and cost are the main reasons why it took longer for fully operative ZK solutions to appear on the market.
Hybrid Combinations of Optimistic and ZK: Metis and Fraxchain
Metis is an optimistic rollup for Ethereum that was created by forking Optimism (now called “OP Mainnet”) and optimized for advanced use cases like decentralized autonomous corporations (DAC). Metis can support many optimistic L2 chains, so that each DAC gets its own.
For now, there is one such chain: Metis Andromeda, the third-largest optimistic chain by TVL, according to L2Beat ($100M). It’s also the cheapest: sending ETH on the L2 costs just $0.01, and the swap fee is around $0.03. On Arbitrum, it’s $0.05 and $0.014, respectively.
In Greek mythology, Metis was the goddess of good counsel, while Andromeda was a beautiful princess who was saved from a sea dragon by the hero Perseus. In fact, the logo of Metis DAO is the head of a Greek goddess. With this mythological connection, don’t be surprised that many projects in the Metis ecosystem are also named for ancient gods and heroes: Hera, Hermes, Maia, Athena, Tethys, etc.
Metis DAO’s hybrid rollup project
In March 2023, Metis DAO announced it was working on a hybrid rollup, which should reduce the time needed for withdrawing funds to Ethereum from 7 days to 4 hours. The announcement happened at the ETH Denver event, where Pontem Network hosted MoveCon, the biggest-ever event fully dedicated to Aptos and Move.
The new L2 will be an optimistic chain at its core, but it will use ZK validity proofs. ZK proofs can be really small, , so you can send many of them to the mainnet while using very little gas. This will help relieve congestion on Ethereum.
Metis’ hybrid rollup will also leverage the same off-chain storage system (called Smart L2) as Andromeda. In Smart L2, transaction data is sent to MEMO, decentralized cloud storage protocol, instead of being kept on-chain. In case of necessity (like potential fraud), data can be pulled back from MEMO and sent to Ethereum.
Instead of sending full transaction data to Ethereum, Metis sends just the Merkle Tree Root (MTR) of the batch – the rest goes to MEMO. This solution is much cheaper than Optimism or Arbitrum. Metis DAO en believes that it’s not fully accurate to call it an optimistic rollup, preferring “on-demand rollup”instead.
Coming back to the hybrid solution in the works, apparently it will also post transaction data to MEMO and retrieve it on-demand. The information needed for retrieval will be stored on Ethereum mainnet to maximize security.
The hybrid rollup will be compatible with EVM, so dApp developers should have no trouble building on the new chain.
MIPS and zkMIPS
We’ve saved the most complex (and the most interesting) part for last. Metis is going back to the 80s to build a system where withdrawal times are short and ZK proofs are cheap.
MIPS stands for “Microprocessor without Interlocked Pipeline Stages”. It’s a type of microprocessor architecture released in 1985 and first used in devices like Nintendo consoles. You give a computer instructions for every small task, and you make each instruction as simple as possible.
Because the instructions are so short, you need more lines of code for a program. But MIPS also maximizes processing speed, so that the processor can execute the program faster than those that use more complex instructions, and the processor chip itself can be smaller.
MIPS instructions are also called opcodes, and its opcode tables are well-known in the IT world. If you’re familiar with Ethereum Virtual Machine, you may see the similarity to EVM’s opcodes - the machine-readable instructions used to run smart contracts. Every opcode in EVM is also quite simple: ADD, SSTORE (save data in storage), and so on.
Metis plans to use MIPS in its hybrid rollup architecture. You can find a technical (and very technical) description here, but in very simplified terms, the prover (the program that computes ZK proofs) should use the simplest set of opcodes possible to save time and resources. Unfortunately, the EVM opcode set is large and changes often, with new commands added and others deprecated. The MIPS set is a much better fit for ZK provers.
MIPS is already used by Optimism in its Cannon tool - a MIPS instruction emulator used to investigate a rollup transaction that is challenged as potentially fraudulent. In fact, Metis will incorporate Cannon, too.
The MIPS instruction set was developed 40 years ago for very different tasks, so in order to use it for ZK proofs, Metis will have to make modifications. The new system is called zkMIPS, and it will usable any applications that relies on ZK proofs.
Fraxchain: a hybrid rollup for the Frax Finance ecosystem
You may have heard of Frax ($FRAX), one of the biggest decentralized stablecoins. Frax Finance is its larger ecosystem with an AMM, a lending protocol, a utility token (FXS) and a liquid staking derivative, Frax ether (frxETH). Frax Finance plans to add a hybrid rollup, Fraxchain, by the end of 2023.
The architecture should be similar to that of Metis, with an optimistic rollup base and ZK proofs. It will also be EVM-compatible.The difference is that Fraxchain is designed to be integrated with existing Frax products and stablecoins.
- he rollup will use frxETH, FRAX, and FPI (Frax Price Index) for gas fees. This can increase the demand for frxETH and their liquid staking product. Right now the main incentive to hold frxETH is yield;
- Frax CEO Sam Kazemian even said that Fraxchain users will get an allowance of gasless transactions depending on how much FRAX and frxETH they hold;
- Gas fees generated by Fraxchain will be distributed to the users who lock their FXS to get vote-escrowed veFXS tokens;
- It will use Fraxferry - a protocol that makes it possible to transfer FXS stablecoins between blockchains trustlessly and without bridges (FXS runs on Ethereum, Polygon, Arbitrum, etc.). Thus, it should be possible to send FRAX, frxETH, and other protocol tokens from Ethereum to Fraxchain far more efficiently than if sending ETH to Arbitrum, for example;
- veFXS holders (FXS stakers) will vote to decide who can be a sequencer on Fraxchain.
Let’s decipher this last point on sequencers. In optimistic rollups, a sequencer is a party that orders (sequences) and verifies transactions sent by users, compiles them into batches (rollup blocks), and submits batch data to the L1. Thanks to the sequencer’s ability to compress transactions, end users pay less in fees than if they were to send transactions to the Ethereum mainnet themselves.
Sequencers have a lot of power: they can decide to include or omit a transaction from a block, as well as extract profit (MEV) from ordering operations in a particular way. By giving the community the ability to vote for sequencers, Frax Finance will strengthen its decentralized governance.
Even those Frax users who don’t join the new chain will benefit. Right now, all the yield for frxETH goes into the sfrxETH vault and divided among the stakers. Now imagine that a significant proportion of frxETH migrates to Fraxchain to be used for transaction fees. The total vault yield will remain the same (because the amount of liquid-staked ETH won’t change), but it will be distributed to a smaller number of holders. The resulting APR for each frxETH holder will increase.
Hybrid Combinations of Public and Private Contract Execution: Aztec, Ola and Polygon Miden
Public vs. private contracts
In this paradigm, a hybrid rollup is one that can support both public and private smart contracts and transactions.
With public contracts, any party can view how all other users interact with a contract, including both user inputs and outputs. Users send transaction requests to the contract, a validator approves them and the state of the blockchain is updated. All the “normal” dApps that we are used to, like Liquidswap, Compound, etc., run on public contracts.
With private contracts, transaction data is encrypted, and only authorized users can view the inputs and outputs. Even blockchain validators can’t see what’s in a transaction.
A hybrid rollup is one that allows a user to execute both types of transactions, public and private. With this technology, private smart contracts can even be executed locally, on the user’s own device.
Private contracts have many potential uses:
- voter privacy for DAOs
- AMM security, so that bots can’t see transactions submitted to the mempool;
- private gaming tournaments within a public game
- corporate security for institutional users.
Three main projects are developing public/private hybrid rollups: Aztec Network, Polygon Miden, and Ola. Let’s take a look:
Aztec positions itself as “Ethereum, Encrypted,” and as the first hybrid ZK rollup. Users will be able to make encrypted transactions from their device, generate ZK proofs locally,, and submit them to Aztec to be included in the batches that are sent to Ethereum.
Aztec’s best-known product so far is Aztec Connect, a privacy layer for Ethereum launched in July 2022. It allowed developers to build confidential DeFi dApps on Ethereum, the biggest being Aztec’s own zk.money protocol.
Work on Aztec Connect and zk.money was shut down in March 2023 so that the team could allocate resources to its new hybrid rollup, Aztec Network. However, the code is open-source and can be used by anyone to build new products.
Aztec Network architecture
With the new rollup, you don’t need to send a transaction request to validators; instead, you send proof that the transaction was completed to the contract. Neither the L1 or the rollup will know the content of the transaction.
The difficulty is that Ethereum and EVM are designed for maximum transparency rather than privacy. On the other hand, blockchains developed for privacy (like zCash) can’t support dApps.
The big difference between Ethereum and privacy coins like zCash is how they record transactions:
- Ethereum uses the account model. Each user has an account with a balance which changes with each transaction. The blockchain tracks all account balance changes across the network.
- Privacy coins uses the Unspent Transaction Output (UTXO) model. The blockchain on the whole doesn’t care about account balances, only whether a coin unit was spent during a transaction. Bitcoin also uses UTXO, though it doesn’t have any built-in privacy.
Very importantly, devs will be able to create dApps that are fully audited and compliant.. They can customize viewing and interaction privileges for various entiries. . Coins like zCash were almost delisted from Binance in some EU countries because of regulatory concerns, but tokens issued on Aztec might avoid these problems.
There is a lot of flexibility in terms of contract types and functions interacting with each other, too. For example, a user can issue a private call to a public contract to deposit funds in a regular AMM pool in such a way that nobody will be able to view that liquidity transaction.
Use cases for Aztec include corporate finance, private trading, AMMs that completely block front-running, confidential DAO voting, NFT auctions, games, and any other projects that call for keeping some information private. Privacy in Aztec is programmable: dApp creators can decide how much of it to include in their smart contracts.
Aztec won’t be compatible with EVM or Solidity. Instead, the team developed a new open-source programming language for private smart contracts called Noir. It’s based on Rust and should be easy for Ethereum developers to master. Teams on any other blockchain (presumably Aptos, too) will be able to incorporate ZK proofs using Noir.
A sandbox testnet for developers should go live in Q3 2023. Users will be able to create local nodes and emulate Ethereum and Aztec, deploying contracts in Noir. None of the transactions will go to the public blockchain, though.
A public testnet is planned for Q1 2024. For now, the best way for builders to engage with Aztec Network is to study the Noir contract language: there is a special GitHub repository with a huge list of learning resources.
Ola is p a privacy-focused ZKVM: a blockchain virtual machine that supports zero-knowledge proofs. It is developed by Sin7y Labs, whose team members previously worked for ZKSpace, Huobi, Qtum, and Accenture.
Note that Ola isn’t a zkEVM (such as zkSync), inthat it’s not supposed to be equivalent to or compatible with Ethereum Virtual Machine (EVM). It will be possible to build and run any kind of dApps with Ola's virtual machine (OlaVM), though you won’t be able to migrate an Ethereum dApp to it without re-coding.
Ola shares a few key features with Aztec Connect:
- Programmable privacy: developers will be able to decide how much of it to build into their dApps.
- A new coding language: Ola-lang. Both Ola-lang and Noir are based on Rust, but they belong to different types. Noir is a domain-specific language (DSL), created for writing smart contracts, while Ola-lang is a general-purpose language (GPL) and can be used in any domain. So theoretically even developers outside of Web3 could use it.
- Compliance: special viewing permissions (viewing keys) can be given to third-parties for account monitoring. This can be done at the end-user level, tool.
- Two blockchain states: public and private. These correspond to the two types of transactions and smart contracts; the private state uses UTXOs.
Differences between Ola and Aztec
The need for key pairs for each function
In Aztec, each smart contract function requires its own pair of keys (public and verification key), which needs to be computed and stored. OlaVM doesn’t require these key pairs, which saves resources and storage space.
As explained in this excellent comparison post by Sin7y Labs, users don’t always need their transactions to be untraceable. Rather, they may want to be sure that nobody can use the information about their on-chain activities for criminal purposes or for profit.
Because of this, Sin7y Labs decided to implement two privacy schemes, with untraceable and with traceable transactions. The latter will cost users less and will still provide privacy at the level of user data.
STARK instead of SNARK
ZK rollups use one of the two types of proofs: SNARK (Succinct Non-Interactive Arguments of Knowledge) and STARK (Scalable Transparent Arguments of Knowledge). We have a detailed article on ZK proofs, but the practical difference boils down to this:
SNARKs require trust to generate proofs, often through multiparty “setup ceremonies,” which entails security risks. On the other hand, SNARKs are lightweight and cheap to write to Ethereum mainnet.
STARKs have no need for trusted third parties to create a proof, and are more resistant to attacks and manipulations. The proofs are much larger, though, so uploading them to Ethereum costs more. STARKs were developed by StarkNet, another ZK rollup project.
SNARKs are used by the majority of popular ZK rollups, including zkSync Era and Polygon zkEVM. Aztec Network is also SNARK-based. But Ola, as well as Polygon Miden (see below), use STARKs. Ola’s proof generation algorithm is called Starky.
Olla will also be integrated into the LLVM framework - a universal compiler that makes it possible to “translate” different human-readable coding languages into computer-readable languages used by virtual machines. Pontem Network is using the same LLVM tool to develop the first-ever implementation of Move (Aptos’s coding language) for EVM. It’s a powerful way to connect different blockchain ecosystems, so stay tuned!
According to the roadmap, a public testnet should arrive in Q4 2023, followed by the mainnet at the start of 2024.
Polygon has a lot of experience with zero-knowledge proofs: its zkEVM network is one of the major projects in the space and is available in mainnet beta. (Don’t confuse it with Miden, a brand-new ZK chain announced in March 2023, with a public testnet coming sometime in Q4 2023.)
Miden is similar to Ola and Aztec in a few ways:
- Users run private smart contracts, verify their own transactions, and generate ZK proofs;
- Chain is split into public and private states;
- Flexible compliance, so a private smart contract can be built in such a way that only regulating bodies can access the information in it;
- Resource-efficient data verification.
Miden will be compatible with EVM on some level, though privacy will be the main priority. The network will still send ZK proofs to the Ethereum mainnet, just like other rollups, but developers used to Ethereum will need to learn a lot in order to build on Miden.
Resource-efficiency combined with privacy
Miden distinguishes between private transactions and private contracts:
- Private transactions can be executed on public contracts, to hide a specific NFT trade, for example.
- Private contracts have their code and state invisible to other users, but can also communicate with public contracts. For example, a privacy wallet built on Miden will be able to interact with a public AMM -- a great feature for liquidity providers or project teams that don’t want to reveal their operations to potential hackers.
With private smart contracts, all computations are done locally on the user’s device. This means no gas costs, and users can execute complex contracts cheaply.
Validators just need to check the ZK proofs, which is easy and cheap. Even parallel execution becomes possible, meaning that a hybrid rollup like Miden can be much faster than a regular ZK rollup. Thus, staying private on Miden will also save users money and time.
Client-side verification is possible only for transactions that don't affect the public blockchain state. According to the team, most of the transactions on Miden will fall into this category, including most token transfers and NFT trading. These transactions can even be reverted before the ZK proof gets recorded on the blockchain.
For those transactions that require a change in the public state, Miden will also have the option of regular on-chain execution.
What makes Miden particularly interesting for us at Pontem Network is that it will use the Move language for smart contract development, the same language as Aptos.!In fact, the founder of Miden, the pseudonymous Bobbin Threadbare, used to work for Facebook’s Diem blockchain project which developed Move.
Account abstraction in Miden
Another innovation planned by Miden is account abstraction. This could be the topic of a separate article, but we’ll try to break it down in simple terms. On Ethereum, every user has what is called an Externally Owned Account (EOA), which is essentially a public/private key pair. An EOA can only issue calls to smart contracts, pay transaction fees, and send tokens.
By contrast, a smart contract can perform very complex actions, but it can’t initiate transactions: it needs to wait for a call from an EOA. In other words, an EOA is active but weak; a smart contract is passive but powerful.
Account abstraction is a way to combine the best features of EOAs and smart contracts. All users get their own smart contract accounts which can n both initiate transactions and execute complex operations.
There are many other things you can do with account abstraction. For example, you can build a dApp on Miden that will let a user recover their seed phrases without compromising it.
Account abstraction was introduced on Ethereum mainnet in March 2023 as ERC-4337. Aztec Network will have it, too, though the exact implementation is still not clear.
STARK proof recursion
Like Ola, Miden uses STARK proofs rather than SNARKs. Bobbin Threadbare was inspired by Vitalik Buterin and used his examples to develop genSTARK, a simple algorithm for generating ZK proofs for any kind of data. This eventually led to him collaborating with StarkNet and developing his own virtual machine.
Threadbare found a solution to the problem of STARK proof size: recursion. First, you produce a single ZK proof for a group of transactions, then a second one for a group of individual ZK proofs. This way you include many times more transactions into one proof, so the cost to upload per transaction will be low. In theory, you could even add more recursion levels: a STARK proof for a batch of proofs, each of which verifies a bigger batch of transactions.
There aren’t any working hybrid rollups yet, and no public testnets for you to try. But, it’s a fast-developing and exciting space. We’ll keep bringing you the latest news from the space, so make sure to follow Pontem Network on Telegram and Discord!
Pontem Network is a product studio building foundational dApps for Aptos. Our products include: