Paper 2020/175

Lower Bounds for Off-Chain Protocols: Exploring the Limits of Plasma

Stefan Dziembowski, Grzegorz Fabiański, Sebastian Faust, and Siavash Riahi


Blockchain is a disruptive new technology introduced around a decade ago. It can be viewed as a method for recording timestamped transactions in a public database. Most of blockchain protocols do not scale well, i.e., they cannot process quickly large amounts of transactions. A natural idea to deal with this problem is to use the blockchain only as a timestamping service, i.e., to hash several transactions $\mathit{tx}_1,\ldots,\mathit{tx}_m$ into one short string, and just put this string on the blockchain, while at the same time posting the hashed transactions $\mathit{tx}_1,\ldots,\mathit{tx}_m$ to some public place on the Internet (``off-chain''). In this way the transactions $\mathit{tx}_i$ remain timestamped, but the amount of data put on the blockchain is greatly reduced. This idea was introduced in 2017 under the name \emph{Plasma} by Poon and Buterin. Shortly after this proposal, several variants of Plasma have been proposed. They are typically built on top of the Ethereum blockchain, as they strongly rely on so-called \emph{smart contracts} (in order to resolve disputes between the users if some of them start cheating). Plasmas are an example of so-called \emph{off-chain protocols}. In this work we initiate the study of the inherent limitations of Plasma protocols. More concretely, we show that in every Plasma system the adversary can either (a) force the honest parties to communicate a lot with the blockchain, even though they did not intend to (this is traditionally called \emph{mass exit}); or (b) an honest party that wants to leave the system needs to quickly communicate large amounts of data to the blockchain. What makes these attacks particularly hard to handle in real life is that these attacks do not have so-called \emph{uniquely attributable faults}, i.e.~the smart contract cannot determine which party is malicious, and hence cannot force it to pay the fees for the blockchain interaction. An important implication of our result is that the benefits of two of the most prominent Plasma types, called \emph{Plasma Cash} and \emph{Fungible Plasma}, cannot be achieved simultaneously. Besides of the direct implications on real-life cryptocurrency research, we believe that this work may open up a new line of theoretical research, as, up to our knowledge, this is the first work that provides an impossibility result in the area of off-chain protocols.

Available format(s)
Publication info
Preprint. MINOR revision.
blockchainoff-chain protocolssmart contracts
Contact author(s)
stefan dziembowski @ crypto edu pl
grzegorz fabianski @ gmail com
sebastian faust @ gmail com
siavash riahi @ cysec de
2020-10-14: revised
2020-02-14: received
See all versions
Short URL
Creative Commons Attribution


      author = {Stefan Dziembowski and Grzegorz Fabiański and Sebastian Faust and Siavash Riahi},
      title = {Lower Bounds for Off-Chain Protocols: Exploring the Limits of Plasma},
      howpublished = {Cryptology ePrint Archive, Paper 2020/175},
      year = {2020},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.