GRVT Security Series (Part 1): Architecture High-Level Overview
TL;DR
- Layered security
GRVT’s hybrid exchange (HEX) model brings together the best security elements from decentralized and centralized models.
- Web3 security layer
GRVT leverages an on-chain self-custody model that includes four key components: (1) Ethereum, (2) zkSync Layer 1 smart contracts, (3) GRVT Layer 2 smart contracts, (4) User private keys.
- Improving Web3 security with the ZK Stack
zkSync’s modular framework allows GRVT to bolster our security architecture with the integration of zero-knowledge proofs and Validium.
- Web2 security layer
GRVT’s hyperchain, powered by zkSync, is fully private. User requests are routed through our Backend infrastructure - the only permissioned entity allowed to execute transactions against our smart contracts. User funds remain safe under GRVT’s control, as integrating with Validium on zkSync prevents us from stealing users’ funds.
As GRVT approaches our testnet open beta launch, we want to provide a peek into what our developers are building. This post presents a high-level overview of GRVT’s security architecture.
Layered Security of User Funds
GRVT’s security design combines elements from decentralized and centralized models. We implement a layered approach that involves multiple security measures at different layers.
This architecture establishes a series of barriers for attackers, making it challenging to access our system and steal sensitive data. Even if one layer is compromised, additional protective layers prevent attackers from accessing our users’ critical information.
GRVT’s security model is two-pronged: Web3 and Web2 security.
GRVT’s Web3 Security Layer
Given that our platform employs an on-chain self-custody model, funds are secured similarly to most decentralized finance (DeFi) projects. The trust boundary is not much different, extending to four components:
- Ethereum
- zkSync Layer 1 (L1) Smart Contracts (including bridge)
- GRVT Layer 2 (L2) Smart Contracts
- User Private Keys
However, unlike other DeFi projects, GRVT has additional layers that would need to be compromised in order to breach our security. We incorporate both GRVT L2 smart contracts and zkSync L1 smart contracts to make it more challenging for attackers to compromise our system and, through it, user funds. When all four components are secure, user funds remain uncompromised.
Some features that we incorporate:
- On-chain Role-Based Access Control (RBAC)
- Multi-sig Approvals
- Data Privacy
- Session Keys
We will be delving deeper into these aspects in our subsequent posts of this series.
Improving Web3 security with the ZK Stack
GRVT enhances our Web3 security layer using zkSync’s modular ZK Stack, employing zero-knowledge (ZK) proofs and Validium.
ZK proofs
ZK proofs are used by zero-knowledge rollups to show that a rollup execution was performed properly, sending data to Ethereum mainnet via zkEVM. As a result, external verification of rollups is simplified. Participants can check the state of the rollup through proof validation, unlike traditional blockchains that require node operation.
zkSync enables trustless connection of rollups, forming a hyperchain network - the foundation for GRVT’s exchange.
As a hyperchain with a shared bridge contract on the Ethereum L1, GRVT is able to address various security challenges:
- Trustless validating bridges for rollups
- Seamless asset burning and minting within zkSync’s ecosystem through hyperbridges
- Ethereum L1 serving as a single source of truth, preventing rollup hard forks
In the event that a vulnerability is found, the zkSync ecosystem can collaboratively initiate a hard fork. This is done by employing an L1 governance framework, similar to Ethereum’s approach to addressing vulnerabilities.
Hyperchains like GRVT can be developed and permissionlessly deployed by anyone. To be trusted and fully interoperable, we rely on the zkEVM engine available on the ZK Stack. This means that all ZK-proof circuits are 100% identical, allowing GRVT’s hyperchain to inherit security from the Ethereum L1 mainnet.
Validium
GRVT’s hyperchain also integrates Validium - a key feature of the ZK Stack. Validium allows our platform to:
- Employ off-chain data availability
- Utilize off-chain computations for validity proofs on Ethereum
This design helps GRVT to reduce gas costs since less data will be published on the L1. Validium also allows us to develop our unique security architecture, focused on privacy and enterprise security.
When creating wallets on GRVT’s validium-powered chain, trust in the operator is essential to avoid fund loss. Unlike CEXs, your funds cannot be stolen - only frozen. This will hurt GRVT as well. Thus, the risks are transparent for both parties.
GRVT’s Web2 Security Layer
GRVT’s second layer integrates effective Web2 security, proven in safeguarding centralized exchanges (CEXs).
Our L2 chain is fully private, which prevents users from directly executing transactions on it. Instead, user requests are routed through our Backend infrastructure - the only permissioned entity allowed to execute transactions against our L2 smart contracts. Through the integration of the Validium technology on zkSync, GRVT is prevented from stealing users’ funds.
Any potential smart contract vulnerability requires attackers to compromise both our L2 chain and the backend network. We also incorporate additional features, such as user login and two-factor authentication (2FA). These extra barriers help to mitigate a successful exploit.
Looking ahead
The above is simply a high-level overview of GRVT’s security architecture. As we get closer to our testnet open beta launch, we will do further deep dives into the different security layers in subsequent posts of this series.