Optimistic payout in BitVM implementations like Citrea?

Posted by AdamISZ

Apr 28, 2026/18:27 UTC

The investigation into Citrea, a Layer 2 solution live on the mainnet and based around BitVM designs, reveals significant insights and concerns regarding its security architecture. Citrea, alongside its associated technology Clementine, which serves as a Bitcoin bridge, has been developed with close adherence to the BitVM core concepts. Notably, the system is already operational, as evidenced by its mainnet activity detailed in the batch explorer. The Clementine whitepaper provides foundational knowledge about this technology.

A critical aspect of Citrea’s design that raises security concerns involves its exit protocol. The protocol allows for exits via two distinct methods: a trustless exit requiring complex BitVM-style proofs and a simpler method involving a transaction co-signed by all members of the signing committee. This dual approach theoretically balances the need for trust minimization with practical functionality. However, the reliance on a signing committee for co-signing optimistic exits introduces potential vulnerabilities. From a security perspective, while it might seem negligible to trust the same committee responsible for initial setup, the implications of such trust extend beyond initial transactions. Trusting these signers to also authorize exits means the integrity of all Layer 2 funds depends significantly on their continuous honesty and resistance to collusion.

Moreover, the potential for these verifiers or signers to approve fraudulent exits poses a substantial risk to the security model. Even if users can specify exit destinations during setup, the possibility remains that malicious actors could manipulate the system to authorize invalid withdrawals, leading to unbacked Layer 2 positions and creating scenarios akin to bank runs. The current design does not adequately address these concerns, suggesting a fundamental vulnerability in the reliance on custodial signers under regulatory pressure.

The discussion further questions whether the design's vulnerabilities are necessary compromises to avoid other risks, such as fund immobility or slow transaction times. These considerations highlight the need for a more robust mechanism that ensures both functionality and security without exposing the system to such significant risks. As Citrea and similar technologies continue to evolve, addressing these challenges will be crucial for maintaining user trust and systemic stability.
