The fastest ZK Rollup on Bitcoin

Yona is an SVM-powered layer 2 (rollup) on Bitcoin.

Yona inherits Bitcoin’s cryptoeconomic security while enabling rich programmability and unprecedented execution scaling for Bitcoin and its assets.

To achieve this, Yona implements a trustless two-way peg between BTC on Bitcoin and BTC on Yona, with unilateral exit. We refer to this Yona-native peg as the canonical peg.

The key design feature of Yona is that it aims to move away from the traditional joint TSS-MPC bridge to a canonical two-way peg — a mechanism that relies entirely on cryptographic proofs and Bitcoin consensus. In other words, the two-way canonical peg does not rely on any external consensus.

Characteristics of an L2 Canonical Peg

Rollups must provide the ability for unilateral entry (deposits) and exit (withdrawals).

Unilateral deposits and withdrawals are essential to guarantee the availability and censorship resistance of Bitcoin and meta-assets.

While deposits are simple to implement (via SPV proofs), correct unilateral withdrawals require proof of validity directly on Bitcoin.

We propose a more pragmatic approach that will incrementally build on Ethereum’s existing cryptoeconomic infrastructure, aiming to incrementally incorporate as much Bitcoin security as possible so that it can be accepted by the most hardcore Bitcoin supporters.

Canonical Peg for Bitcoin (BTC)

Our native peg for BTC is powered by the cryptoeconomic security of EigenLayer and BitVM combined ...

BitVM allows for verification of off-chain execution of Bitcoin, where anyone can make fraud proofs and punish the prover. BitVM is the cryptographic source of security for Yona's canonical peg.

Eigenlayer provides access to the Ethereum staking capital base and a decentralized validator set. Eigenlayer is the source of economic security for Yona's canonical peg.

Yona Peg Operators are entities that assist with normal mode operations of the canonical peg (i.e. deposits/withdrawals of BTC). There are two roles that any Peg Operator needs to fulfill:

BitVM deposit/withdrawal contract counterparty (for normal mode operations)

AVS Operator (for one-sided withdrawals)

It is important to emphasize that the Yona Peg Operator will never have access to deposited Bitcoin that is not protected by the BitVM contract and is several orders of magnitude lower in value than the AVS collateral assets.

There are multiple peg operators, at least one of which must act honestly, but even in the case of all operators being dishonest, they cannot steal any deposits and at worst can only burn them.

When a user deposits BTC to the sidechain, they establish a withdrawal BitVM contract with the Peg Operator. Once the contract is established, the user sends a UTXO directly to the BitVM address. Note that at no point does this UTXO belong to the prover.

When a user (possibly a different user) provides proof of a valid withdrawal from Yona, they use the withdrawal contract again (or create a new contract with the operator if they did not deposit BTC to Yona).

In the event of a denial of service or censorship, the Peg operator will be unable or unwilling to create the BitVM contract. This is where the economic security of the EigenLayer comes into play. On the one hand, the operator cannot steal the deposited Bitcoin, so there is no benefit to refusing to provide withdrawal service. But this is obviously not enough. Therefore, we use EigenLayer slashing to introduce a significant downside to refusing withdrawals.

If for some reason the peg operator refuses to create a withdrawal contract, the user can submit a Bitcoin transaction with the request and prove to our EigenLayer contract that the withdrawal contract was not created. This will slash the operator's benefits.

Similarly, in the case of a unilateral withdrawal, the withdrawer can provide proof of a valid withdrawal from Yona. Peg operators have at most N blocks to provide proof that they have completed a withdrawal request. If no proof is provided, the operator will be slashed on the EigenLayer and users can withdraw directly from the BitVM contract.

Meta-protocol Spec Dual Peg, Trustless Unilateral Exit

Another major innovation is that Yona enables a completely trustless, pure cryptographic spec-pegged Bitcoin meta-protocol that does not rely on economic security.

Meta-protocols (such as BRC-20) use Bitcoin to record data and use off-chain indexers to independently verify meta-protocol transactions. This allows the construction of an efficient and trustless Rollup as a fast programmable layer for the meta-protocol.

The main difference between a Rollup and a sidechain is that a Rollup allows for a trustless unilateral exit: users can withdraw their BRC-20 from a Rollup by executing a Bitcoin transaction, without the involvement of a third party (such as a Rollup operation, a validator, or a bridge).

Next we will focus on the BRC-20 use case.

The hook mechanism is as follows:

To enter a rollup, a user needs to "burn" a BRC-20 on Bitcoin L1, prove the destruction to the rollup's smart contract (via a Bitcoin ZK light client), and can mint the same inscription on L2. The destruction can be achieved on L1 by sending a "TRANSFER" transaction to an "OP_RETURN" script that does not contain any data.

To exit a rollup, a user needs to "burn" BRC-20 on L2 and "mint" them on Bitcoin L1, along with a ZK proof of a valid withdrawal.

A ZK proof of a valid exit includes:

A commitment to the inputs of the L2 withdrawal transaction and the Merkle root of the rollup state tree

The Rollup's zkVM has performed the calculation correctly and the resulting BRC20 balance is greater than or equal to the withdrawal amount

Does not violate the total supply invariant (i.e., BRC20 total supply = BTC supply + L2 supply + pending withdrawal amount)

The Bitcoin network itself cannot verify zero-knowledge proofs because Bitcoin Script does not have the necessary opcodes. However, since Indexers can perform the verification, this is not required. BRC-20 already relies on off-chain Indexers to reconstruct BRC-20 balances, the only thing that needs to be done is to support exit proof verification of withdrawal transactions on the Indexer.

If L2 is unavailable, proof of no heartbeats for a certain period of time (e.g. 5 days) on the DA layer allows users to withdraw unilaterally by sending a Bitcoin transaction, i.e. the off-chain BRC20 Indexer can process the withdrawal without the L2 withdrawal transaction.

If L2 starts censoring withdrawals, users can initiate withdrawals by sending a Bitcoin transaction with a withdrawal request. The L2 peg operator has 24 hours to execute the withdrawal and submit the proof. If this does not happen, the user can submit a proof that:

Unilateral withdrawal requested via Bitcoin transaction

L2 did not process unilateral withdrawal in a timely manner

There is a valid outstanding balance in BRC20 that can be withdrawn

By verifying this proof, the off-chain BRC20 Indexer can return ownership without checking the L2 withdrawal transaction.

As a result, Yona is the first L2 to provide a completely trustless Bitcoin meta-asset peg.