optimistic-specs

What happens if no output roots are submitted?

Open norswap opened this issue 3 years ago • 3 comments

I don't think we currently tie the rollup driver to submitted outputs. I think we should, otherwise the sequencer can happily keep chugging along (as well as the validators) without ever posting an output root, which means that no withdrawals are possible.

The simple form of what I'm suggesting is to simply consider that every single block is empty if we end up in a situation where no output roots have been posted for a pre-defined time period.

(Note that if we do this, this would be another good reason to let the epoch size float.)

norswap avatar Mar 26 '22 14:03 norswap

We still need output roots to make deposits withdrawable, it's just a must in the system and cannot really be enforced by halting sequencers. Technically anyone should be able to post an output root, if they bond + we enable the fault proof.

protolambda avatar Mar 28 '22 09:03 protolambda

What did you mean by "tie the rollup driver to submitted outputs" @norswap ?

maurelian avatar Mar 29 '22 00:03 maurelian

@maurelian Essentially, specify the derivation function such that if no output root is submitted, the canonical chain contains only deposits-only blocks (batches are ignored). So the rollup driver needs to track the submitted outputs in order to know when to ignore batches.

To continue to harp on this idea:

I think the merit of this is to force a discrepancy between validators and the sequencer, which while theoretically not doing much, at least creates a bit of smoke.

Risks of letting a sequencer run ahead are a little murky, but I imagine it could let a sequencer "enshrine a fault" in the sense that it would include a bad transition, and then build upon it long enough that rolling back the chain would become a major hassle.

Saying that everybody will be able to submit an output root is a good answer, but does not satisfy me entirely. Rolling back the chain due to a fault proof (after 7 days if the proposer declines to defend!) is a huge hassle, and as such we should make it extremely expensive (high bond!). Therefore, it's unlikely that there will be more than a couple of actors interested in doing this. I guess a new (rich) actor can step up in extraordinary situations, but the "attack" here is a malicious sequencer running ahead and never submitting, and also equivocating on what it's doing (maybe it will claim it encounters some issues with its infrastructure it is trying to fix). The goal is to wait long enough that rolling back the chain becomes a big problem (e.g. one week or more) at absolutely no cost to the sequencer (who never submits an output root, so cannot be slashed). This would be an attack geared at undermining trust in the rollup.

norswap avatar Mar 29 '22 22:03 norswap
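The rule norswap sketches above (if no output root has been posted for a pre-defined period, the derivation function treats every block as deposits-only and ignores sequencer batches, so the driver has to track output submissions) can be shown as a small simulated rollup driver. This is an added illustration, not code from optimistic-specs or any Optimism client; the `L1Block`/`L2Block` types, the `OutputTimeout` parameter (measured here in L1 blocks) and the sample L1 history are all hypothetical and constructed for the example.

```go
package main

import "fmt"

// L1Block is a constructed view of one L1 block as the driver sees it:
// the deposit transactions it emitted, the sequencer batch data it carried,
// and whether an output root was posted in it. Not a real spec type.
type L1Block struct {
	Number     uint64
	Deposits   []string
	Batches    []string
	OutputRoot bool
}

// L2Block is the block derived for one L1 origin.
type L2Block struct {
	L1Origin    uint64
	Txs         []string
	DepositOnly bool
}

// Driver holds the state needed to apply the rule: the L1 height of the
// most recent output root (genesis until one is posted) and the allowed gap,
// in L1 blocks, before batches are ignored. OutputTimeout is hypothetical.
type Driver struct {
	OutputTimeout uint64
	lastOutputL1  uint64
}

func NewDriver(genesisL1, outputTimeout uint64) *Driver {
	return &Driver{OutputTimeout: outputTimeout, lastOutputL1: genesisL1}
}

// Derive maps L1 blocks (assumed in ascending order, starting at or after
// genesis) to L2 blocks. Deposits are always included; batches are included
// only while the last output root is no older than OutputTimeout. A freshly
// posted output root resets the clock and batches in that block are accepted.
func (d *Driver) Derive(l1 []L1Block) []L2Block {
	out := make([]L2Block, 0, len(l1))
	for _, b := range l1 {
		if b.OutputRoot {
			d.lastOutputL1 = b.Number
		}
		stale := b.Number-d.lastOutputL1 > d.OutputTimeout
		txs := append([]string{}, b.Deposits...)
		if !stale {
			txs = append(txs, b.Batches...)
		}
		out = append(out, L2Block{L1Origin: b.Number, Txs: txs, DepositOnly: stale})
	}
	return out
}

// DeriveSample runs the driver over a constructed L1 history: genesis at
// L1 block 100, timeout of 3 L1 blocks, output roots posted at 102 and 108.
func DeriveSample() []L2Block {
	history := []L1Block{
		{Number: 101, Deposits: []string{"d1"}, Batches: []string{"b1"}},
		{Number: 102, Batches: []string{"b2"}, OutputRoot: true},
		{Number: 103, Batches: []string{"b3"}},
		{Number: 104, Batches: []string{"b4"}},
		{Number: 105, Deposits: []string{"d2"}, Batches: []string{"b5"}},
		{Number: 106, Batches: []string{"b6"}}, // 4 blocks since 102: batches ignored
		{Number: 107, Deposits: []string{"d3"}, Batches: []string{"b7"}},
		{Number: 108, Batches: []string{"b8"}, OutputRoot: true}, // clock resets
	}
	return NewDriver(100, 3).Derive(history)
}

func main() {
	for _, blk := range DeriveSample() {
		fmt.Printf("L1 %d -> txs=%v depositOnly=%v\n", blk.L1Origin, blk.Txs, blk.DepositOnly)
	}
}
```

The point the thread makes shows up in the output: once the sequencer goes past the timeout without posting, honest nodes drop b6 and b7 and keep only the deposit d3, so the sequencer's own chain (which still contains those batches) visibly diverges from what validators derive. Batches resume at L1 block 108 only because an output root was posted there, and that root must commit to the deposits-only state, which is what exposes a sequencer that ran ahead.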