Janusz, bitcoin research

  • Reviews
  • Research
  • About
Citrea logo

Citrea

Overview
Risk Summary
Trust Assumptions
Bridge Analysis
Additional Contracts
Bitcoin Security
Technology
Use Cases
Knowledge Bits
Overview
Status
Mainnet
Type
Rollup
Fee Token
BTC
Citrea is a bitcoin sidesystem. It is a bitcoin rollup that uses bitcoin as a data availability layer. Its execution environment is a EVM-compatible and supports expressive smart contracts.
Website
Docs
Explorer
GitHubGitHub
XTwitter
Risk Summary
The Citrea network is operated by a centralized operator. Users can not force their own transactions if they are censored by the operator or if the operator is offline.
The network is operated by a centralized operator. If this operator goes offline, the network can be halted which can freeze user funds. Please see the trust assumptions to learn if their is a fallback mechanism for liveness failures.
Citrea's official bridge, Clementine, can be upgraded by a 3/5 security council. If the security council is compromised, they can steal user funds.
If the security council is compromised, they can immediately upgrade specific contracts and potentially steal user funds. This risk may be relevant to BTC-backed tokens locked in the layer's official bridge contract.
There is no exit delay related to Clementine bridge upgrades
A centralized party can immediately upgrade specific system contracts. This risk may be relevant to BTC-backed tokens locked in the layer's official bridge contract.
Trust Assumption Review
BTC Custody
Citrea's bridge is an implementation of BitVM. There is a 3-of-5 security council that can upgrade the bridge
Clementine is primarily secured by 10 signers participating in a N-of-N multisig. If one of these signers goes offline, the bridge can fall back to operated funded withdrawals, which are bound to the rules of a specific BitVM program. There are currently two operators in Clementine's bridge set up. The bridge additionally includes a spend path where a 3-of-5 multisig, known as a security council, can spend funds out of the bridge unilaterally.

⚠️ Core assumption: Users trust Clementine signers and the security council to operate the protocol honestly.

Citrea's signer, operator, and verifier set are publicly available. Participants in the secuirty council are currently not.

Clementine is made of various participants. Clementine signers are 10, publicly known institutions. All of the Clementine signers also act as verifiers for the bridge. Clementine also has 2 publicly known operators who are able to run operated fronted withdrawals. Members of Citrea's security council are not publicly known. Users can learn more about the identities of the participants in the Clementine set up by visiting Citrea's documentation site. They can additionally use the Clementine CLI tool to verify the aggregate Musig2 key for Clementine's signers.

Source
Data Availability
Citrea posts state differentials to bitcoin
Data related to the network's transactions is made available by bitcoin full nodes. This means an alternative software queries bitcoin transactions to find transactions containing data related to the protocol. After finding this data, the software can reconstruct the state of the network from genesis and come to consensus with other nodes.

⚠️ Core assumption: Sequencer commitments are accepted into bitcoin blocks and bitcoin full nodes make Citrea state data available.

Network Operators
The system is operated by a centralized operator. Users can not force their own transactions if they are censored by the operator or if the operator is offline.
The network's sequencer is managed by one entity. The sequencer can censor transactions and can also cause liveness failures if it goes down. Users cannot sequencer their own transactions if the sequencer goes down or censors them.

⚠️ Core assumption: Users trust the Citrea sequencer to not censor them and not go offline. If a user's transaction is censored or the sequencer goes offline, they cannot exit the network.

Finality Guarantees
Citrea full nodes validate Citrea state transitions based on data made available by bitcoin full nodes
The network's state is updated offchain by rollup full nodes who apply state transition logic over the data made available by bitcoin full nodes. Once a state commitment is considered finalized by rollup full nodes, it cannot be reverted without reorging bitcoin.

⚠️ Core assumption: Sequencer commitments and prover's validity proofs are accepted into bitcoin blocks and bitcoin full nodes make said data available so Citrea full nodes can advance their state.

Rollups initially pull blocks from the sequencer, but state finalization depends on data being posted to bitcoin.

Bitcoin does not enforce the finality of rollup state transitions. Rollups initially pull blocks form the sequencer and execute proposed transactions locally. However, the sequencer must commit state updates to bitcoin in order for the rollup to view its state as committed. Additionally, the network's prover must post validity proofs to bitcoin for light client finalization and for full nodes to view its state as proven.

Learn more
Bridge Analysis
Loading bridge analysis...
Additional Contracts

Bridge Vault Contract

bc1pl7...20e9bc1pl7grnght2uhp75wm03djde5a56syp06ssdjf7ucm4wkq0tetpqas5e20e9
Main bridge contract that holds and manages BTC backing Citrea cBTC.

Sequencer address

bc1pqq...yvz5bc1pqqjrzkc79qkgys40yfu48s8y04d4zud26cnt48qd98mywl9l70zsadyvz5
Address for the sequencer who is responsible for posting Citrea state differentials to bitcoin.

Prover address

bc1ppu...947jbc1ppuj4hke08g3qjqlspdud8mkymgfq6y9l4ud4vaglj7fc5k3rrudqm5947j
Address for the prover who is responsible for posting proofs of valid execution to bitcoin to finalize rollup state transitions.
Bitcoin Security
The network's data availability layer is bitcoin
The network's data availability layer is bitcoin. This means that it relies on bitcoin's security for the availability of data for its full node software (sometimes known as an indexer).
Feeds are paid in cBTC
Network fees are paid in a BTC-backed asset on the network.
No MEV is introduced to bitcoin
The network does not introduce any MEV on the Bitcoin L1. Users trust the sequencer to not reorder their transactions to extract MEV.
The sequencer and prover pay bitcoin transaction fees to get their data blobs and state commitments included into bitcoin blocks
The networks operators pay bitcoin transaction fees to get their data blobs and state commitments included into bitcoin blocks.
Technology
The network is EVM-compatible
The network uses an EVM-compatible virtual machine. The Ethereum Virtual Machine is software responsible for smart contract execution for a number of blockchains, namely the Ethereum Network. It uses Solidity/Vyper as its code and is the dominant environment for smart contract execution in the cryptocurrency ecosystem.
Citrea's bridge, Clementine, is an implementation of BitVM
BitVM is a way to perform arbitrary computation on bitcoin. The BitVM technique can be used to build layer 2 bridge contracts. These contracts enable layer 2s to have multiple operators escrow bitcoin that backs wrapped bitcoin assets on the layer 2. It additionally enables an optimistic fraud detection mechanism that can be used to dispute any malicious (or incorrect) withdrawal attempts from a bridge operator. This means that anyone acting as a verifier can challenge malicious withdrawal attempts from a bridge operator and stop them from going through.
Clementine is specifically an implementation of BitVM2.

Clementine leverages BitVM2 as a way to process operated funded withdrawals in the event that one (or many) of the bridge signers is unresponsive and the 10/10 signing path is unable to sign a withdrawal transaction. Operators front capital for a user withdrawal and the request a reimbursement from the Clementine bridge program for processing an honest withdrawal. Withdrawals are bound to the rules of the Clementine bridge program, which executes a bitcoin light client to ensure that processed withdrawals align with the state of Citrea. Clementine only needs to execute a bitcoin light client because Citrea is a bitcoin rollup.

Learn more
Use Cases
The network supports more expressive smart contracts
Onchain applications are supported. Onchain applications including borrowing and lending protocols, onchain exchanges (commonly referred to as decentralized exchanges), and more. These applications are supported with more expressive smart contract environments.
The network supports privacy solutions
The network supports offchain privacy solutions where user funds are locked in a smart contract. Users can engage in privacy-preserving transactions without revealing their identities or transaction details to the network. Smart contracts hosted on the network maintain the privacy layer's state tree and nullifier data.
Knowledge Bits
Learn more about Citrea below
Mega post on rollups based on Citrea's current design
My website • MIT license