Overview of Facet Protocol
Last updated
Last updated
Ethereum was built for resilience—a trustless, decentralized system capable of weathering crises. But today, its scalability depends on Layer 2 solutions (L2s) that only work during "good times," when infrastructure is reliable, and trust is abundant. When "hard times" come—marked by government overreach, technical failures, or market instability—these L2s introduce vulnerabilities that undermine Ethereum's promise.
Facet exists to fix this. Purpose-built for "hard times," Facet is a new kind of rollup that removes trusted intermediaries, ensuring every user has the same level of power, even in the most adversarial conditions.
TLDR:
No Centralized Sequencer: Transactions are directly ordered by Ethereum's L1 consensus.
Sovereign Design: No reliance on L1 smart contracts or canonical bridges.
Fair Issuance Gas Token (FCT): Uses a native gas token that avoids bridge risks.
Admin-Free: No admin keys or multi-sigs, ensuring full decentralization.
Fork of OP Stack: Forked from OP Stack, maintaining EVM compatibility and L1 integration.
Unlike traditional rollups, which centralize transaction sequencing, rely on canonical bridges and empower privileged admin roles, Facet operates as an extension of Ethereum itself. Transactions are processed directly on Ethereum's L1, preserving its trustlessness while dramatically reducing costs. This unique approach positions Facet as a "Layer 1+" solution—offering the scalability of L2s without sacrificing the security of Ethereum.
Vitalik Buterin recently argued that Layer 1 blockchains (L1s) should be built for "hard times" so that Layer 2s (L2s) can build for "good times."
While "can" was the operative word, Ethereum's scaling path has led us to a situation where every major L2 is building only for "good times" - periods of stability and trust, when:
Infrastructure is reliable
Trusted parties act in good faith
Conditions are predictable
During good times, L2 rollups offer users increased transaction throughput and significantly reduced costs while safely empowering admins (via multi-sigs) to manage important protocol functions. This works because trusted parties can be assumed to act in good faith.
However, these trust assumptions become a serious vulnerability in "hard times" - periods characterized by:
Technical failures
Adversarial government actors
Extreme market volatility
Regulatory pressure
During hard times, users can no longer trust L2 admins to act in their interests and prevent attacks.
On a long enough timeline, hard times are inevitable. If rollups built for good times fail during hard times, the fallback is reverting activity to the L1—an expensive and unsustainable solution that threatens Ethereum’s ambition as a trustless, globally accessible computer.
Rollups optimized for good times leverage two key mechanisms that introduce vulnerabilities in hard times:
These entities are responsible for ordering transactions before they're grouped and sent to the main blockchain. Often, sequencers also perform the role of batchers, which involves batching the sequenced transactions for L1 inclusion. However, it's important to note that batching is a distinct function from sequencing, even though the two are commonly conflated.
In good times, centralized sequencers provide fast transaction confirmations, simulating short block times (e.g., 2-second latency vs. 12 seconds on L1), and protect users from maximal extractable value (MEV) exploitation.
In hard times, sequencers can systematically break promises about transaction order. This materializes in the form of transaction censoring, MEV extraction or halting transaction processing entirely, undermining the rollup’s functionality and credible neutrality when users need it most.
Virtually every L2 today has a canonical (built-in) bridge - the mechanism that connects the L2 with Ethereum, ensuring the secure transfer of assets and data between layers.
In good times, a single canonical bridge simplifies user experience by standardizing asset representation (e.g., Ether or USDC) on the L2, avoiding confusion from competing bridges. It also provides clarity on the “correct” fork of the L2, ensuring users can unambiguously align with the canonical state of the protocol.
In hard times, reliance on an "enshrined" bridge introduces a critical point of failure and centralizes control over the protocol’s evolution. These bridge operators have the privileged ability to upgrade the bridge and thereby directly influence which fork users must follow to retain their assets, effectively controlling the state transition function (STF) and the rules of the L2 itself.
The aforementioned vulnerabilities are compounded further because admin keys are necessary to operate centralized sequencers and canonical bridges. Why? Because someone (or some few) must choose the sequencer and maintain/upgrade the bridge. Thus, a rollup's security ultimately hinges on a small group of individuals that are members of the rollup's security council or multi-signature wallet (multi-sigs).
For example, on Optimism Mainnet (a leading "Stage 1" rollup):
Disabling the sequencer requires 5-of-7 multi-sig participants.
Disabling the entire rollup or seizing bridge funds requires coordination between two multi-sigs: a 5-of-7 and a 10-of-13, totaling 15 participants. Under certain circumstances this number can actually be 11 instead of 15.
While this level of decentralization may suffice in good times, it fails during hard times when:
A small group of individuals (even if geographically diverse) can be compromised.
Increasing the number of multi-sig members creates operational inefficiencies, as the same group is needed for both positive (e.g., fixing bugs) and negative (e.g., shutting down the rollup) actions.
To further complicate the multi-sig dilemma - consider the paradox introduced by the conflicting priorities of transparency (doxxed multi-sig members) and security (private membership). During good times, having doxxed council members enhances transparency and accountability, fostering trust. However, during hard times this doxxing exposes members to potential threats, such as targeted attacks or social engineering, which can compromise the protocol's security. How can these priorities be balanced to always serve the best outcome? (Spoiler alert: they can't.)
In hard times, the vulnerabilities of any system are often exposed, and multi-sig setups are no exception. The dilemma is clear: admin keys must strike a balance between being secure enough to prevent abuse and accessible enough to enable necessary interventions. This custodial setup is an inherently fragile balance—one that continues to prove unsustainable in the long run (from Mt. Gox to FTX). "Not your keys, not your coins" is unfortunately more an experienced reality than a meme for many in the space.
The solution lies in dispensing with L2 admins entirely. A truly resilient rollup cannot have admins of any kind. All users must share the same level of privilege.
A rollup without admin keys might seem unattainable, given that every major rollup today relies on them. However, Ethereum itself demonstrates that this is not an inherent requirement. Ethereum L1 has no privileged keys—every user operates on equal footing.
The question then for a “hard times” rollup is how to preserve this feature of the L1 while at the same time greatly reducing transaction costs.
Facet is a new kind of rollup that can operate in good times, but is purpose-built to withstand hard times. It is a rollup without admin keys or privileged roles.
Facet Protocol is the first rollup that runs on Ethereum, not on Trust.
Facet achieves "hard times" compatibility through three foundational changes to the standard rollup architecture:
Decentralized Sequencing Facet has no centralized sequencer. Instead of submitting transactions to a centralized entity for batching and ordering, users submit transactions directly to the Ethereum L1. These transactions are ordered by Ethereum’s consensus mechanism, ensuring trustless and decentralized sequencing. No admin key or centralized party has control over transaction ordering.
Sovereign Rollup Design Facet operates without any protocol-level L1 smart contracts—no canonical bridges, no upgradable contracts. This makes Facet a sovereign rollup, entirely independent of L1 smart contracts. Meanwhile - bridges can still operate at the application layer, and anyone can build a bridge for any L1 asset. This fosters a truly open and competitive ecosystem, where the market will decide which bridges to trust, as is already the case on L1.
Native Non-Bridged Gas Token Facet introduces a new gas token, FCT, as its native asset. Unlike bridged assets, FCT is not vulnerable to bridge-related risks because it exists only within Facet. This approach resolves the problem of Ethereum's native Ether being tied to bridge security, ensuring a stable and trustless native currency for Facet.
Facet Protocol is a public good, forked from Optimism's OP Stack - the rollup framework behind some of the largest L2 rollups, including Base, OP Mainnet, and Blast.
By forking OP Stack, Facet is able to offer an EVM compatible experience, while remaining maximally compatible with existing Ethereum infrastructure.
Users don't need to bridge to a separate L2 network to use Facet. Instead, they interact with Facet applications through regular Ethereum transactions that contain Facet-specific instructions in their calldata, which are processed by Facet nodes.
With this approach, Facet functions as an extension of the Ethereum mainnet, inheriting its security and trustlessness while providing the scaling benefits of an L2. Facet's unique ability to preserve core properties of Ethereum without introducing new dependencies or trust assumptions is what differentiates it from conventional L2s, and why we refer to Facet as a Layer 1+ (L1+).
