Blog

Zero-Knowledge Rollups for RWAs: Architecture, Costs, Pitfalls

Tokenized real-world assets (RWAs) are no longer fringe crypto concepts. As of mid-2025, analytics show roughly $26.5B in RWAs live on public chains. Here's how ZK rollups fit into that infrastructure.

Juan Manuel Sobral portrait

Juan Manuel Sobral

CTO & Co-founder
10 min read

Reality Check

Tokenized real-world assets have achieved meaningful scale, with roughly $26.5B in RWAs live on public chains as of mid-2025. Industry growth accelerated from $50B to $65B over six months, demonstrating institutional adoption focused on “finality guarantees, compliance gates, and operational uptime.”

RWA builders face competing demands: delivering throughput and user experience while maintaining auditability and regulatory compliance. ZK rollups address this tension by executing transactions off-chain, generating validity proofs, and anchoring results on-chain. However, RWAs introduce unique constraints around off-chain truth sources, data availability commitments, and oracle dependencies that require explicit architectural choices.

When to Use ZK Rollups

ZK rollups fit RWA use cases when three conditions matter:

  • Fast finality without dispute windows. Unlike optimistic systems with multi-hour challenge periods, ZK proofs “validate state transitions at proof submission,” supporting regulated workflows with tight operational timelines.

  • Controlled data footprint. Only summary data posts on-chain, reducing costs while preserving state reconstructability.

  • Compliance composability. Circuit design enables KYC/AML gating and selective disclosure without public exposure of sensitive information.

ZK is optimal when your system cannot tolerate optimistic-style challenge periods and demands “predictable finality” alongside strong correctness assurance.

Core Building Blocks

Successful implementations compose seven pieces:

  1. Sequencer: Orders transactions; trade-offs exist between centralized responsiveness and decentralized censorship resistance.

  2. Prover(s): Generate validity proofs; performance determines latency and cost.

  3. Verifier contract: On-chain proof validation; verification gas depends on proof system selection.

  4. Data availability: Ensures users can reconstruct state and exit if sequencers fail.

  5. Compliance & identity layer: Standards like ERC-3643 encode permissioned behavior.

  6. Attestation layer: Systems like Ethereum Attestation Service provide tamper-evident statements for off-chain facts.

  7. Oracles: External signals with built-in staleness checks and failover mechanisms.

Data Availability Strategy

DA design determines whether users retain genuine exit guarantees. Two primary paths exist:

Ethereum Blobs (EIP-4844): Cheaper than calldata, blobs remain accessible for approximately 18 days before pruning. They’re “inaccessible to the EVM” but forward-compatible with Ethereum’s scaling roadmap. Teams must plan for this retention window and communicate recovery procedures clearly.

External DA Layers: Celestia specializes in DA sampling allowing light nodes to verify availability probabilistically. EigenDA leverages Ethereum restaking for high-throughput DA through actively validated services. Each presents distinct cost/throughput/assumption profiles.

Decision framework: Document per-batch size, fee targets, and finality expectations. If this doesn’t fit a single page, your strategy lacks clarity. Recent analysis shows “DA costs for L2s materially dropped with blob usage,” though small rollups may under-utilize fixed blob sizes.

Proving vs. Verification Budgets

Two cost categories require separate analysis:

Proof generation (off-chain compute) depends on circuit size, proof system, and hardware. Recent research indicates costs declining from “tens of cents per proof in 2024 toward lower-tens of cents or below.” Treat vendor claims as workload-specific and validate empirically.

Verification gas (on-chain) scales primarily with proof system:

  • Groth16: approximately 200k gas for small public inputs
  • PLONK: typically 290k gas
  • STARKs: potentially millions of gas depending on scheme

Express verification budgets in gas units before modeling cost bands across historical price ranges. Gas consumption remains stable for a given system; ETH and gas price volatility complicate projections.

The Five Failure Modes

Mode 1: Off-Chain Data Provenance Gap

RWA systems depend on facts originating outside the chain: custodian inventory statements, auditor attestations, transfer agent records. Teams sometimes omit how external claims become verifiable circuit inputs.

Fix: Adopt an attestation layer with explicit schemas. EAS supports both on-chain and off-chain attestations, cryptographically binding external claims to identities and timestamps. Reference attestation hashes in batch metadata or circuit logic.

Mode 2: Proof-Size and Circuit-Complexity Explosion

All-in-one circuits combining transfers, limits, and compliance gates become expensive as workloads grow, increasing proving time and verification gas.

Fix: Modularize circuits and employ recursive proofs. Isolate core transfer logic while moving compliance and analytics into separate modules that roll up recursively, reducing per-batch proof weight and enabling independent submodule evolution.

Mode 3: Data Availability Strategy Ambiguity

DA receives only cursory treatment (“we’ll use blobs”), without modeling retention windows or layer assumptions.

Fix: Write explicit DA rationale: identify which data users need for trust-minimized exit, document storage location and duration, clarify user procedures if sequencers fail. For blobs, communicate the approximately 18-day window; for Celestia, explain data availability sampling assumptions; for EigenDA, detail restaking and AVS model dependencies.

Mode 4: Compliance Bolted On Late

Teams ship permissionless MVPs, then add KYC when partners demand it, creating UX friction and brittle code paths.

Fix: Select permissioned token standards upfront if your asset faces regulation. ERC-3643 encodes on-chain gating; ERC-1404 defines restricted transfers with human-readable restriction codes. Integrate gating at the token layer and reference these flags in circuit logic.

Mode 5: Oracle Sync and Heartbeat Failures

RWAs depending on price or status oracles face risks when staleness isn’t a design priority. Slow feeds can halt rollups or enable settlement on stale data.

Fix: Implement heartbeat-based staleness checks rejecting or penalizing stale reads. Maintain multiple feeds with medianization or fallback logic. Expose failure modes through metrics. “Chainlink’s docs make heartbeats explicit per feed;” your implementation should verify timestamps and fail safely.

Sizing UX and Safety

Users experience latency tails (p95/p99 percentiles), not averages. Research on tail-at-scale effects shows “latency variability at the component level magnifies at the service level.” For RWA flows (onboarding, mint/burn windows, redemptions), define SLOs on percentile latencies and monitor queue depth during traffic spikes.

By Little’s Law (L = λW), rising queue depth at steady arrival rates signals increasing time-in-system before user complaints emerge, providing early warning of backpressure.

Track:

  • Queue depth per partition (KYC, matching, settlement)
  • p95/p99 latency for end-to-end flows and critical substeps
  • Error budget burn against SLOs to inform deployment decisions

Architecture Options

Option A: Minimalist Validity Rollup: Sequencer and prover off-chain; on-chain verifier checks proofs; DA via blobs or calldata; off-chain attestations referenced in batch metadata. Simple to deploy but risks under-designed attestation and DA rationale.

Option B: Validity Rollup + Explicit DA + Oracle Anchoring: Formalizes DA choice (blobs with clear retention or external DA layer) and oracle heartbeat/fallback rules. Improves user promises and incident response.

Option C: Modular Circuits + Recursive Proofs + Compliance-Aware Tokens: Splits logic into core transfer, compliance, and audit subcircuits; uses ERC-3643/1404 for on-chain gating. Enables evolvability and predictable verification gas per module.

Practical Blueprint

For a platform issuing redeemable, custody-backed commodity tokens:

  1. Token layer: Implement ERC-3643 to enforce verified-address-only holding/transfer with jurisdictional flags.

  2. Attestation layer: Custodian publishes daily holdings as EAS attestations (signer identity, period, checks performed). Sequencer references attestation hashes in batch metadata; circuits consume them for mint/burn validation.

  3. Sequencer & batcher: Partition queues (onboarding, transfers, redemption) to prevent cascade failures. Monitor queue depth per partition using Little’s Law to detect early backpressure.

  4. Prover setup: Use Groth16 or PLONK for core transfer logic; reserve separate compliance subcircuits for KYC and limits; minimize public inputs. Verify per-module gas empirically before finalizing.

  5. DA strategy: Publish batch data to blobs with clear operator playbooks for the ~18-day window; monitor retrieval health. Evaluate Celestia (DAS) or EigenDA (restaked AVS) for high-volume scenarios with documented trade-offs.

  6. Oracles: Deploy Chainlink feeds (or equivalents) with heartbeat staleness checks and fallback sources. Contracts reject stale readings.

  7. Operations: SLOs on p95/p99 for critical flows. Error budgets tie to deployment decisions. Incident drills include sequencer failure and oracle staleness scenarios.

FAQ

Is ZK always better than optimistic for RWAs? Not necessarily. If your use case tolerates multi-hour/multi-day challenge windows and prioritizes infrastructure simplicity, optimistic rollups suffice. ZK delivers finality without challenges, preferred by many regulated workflows.

How do I select a proof system? Start with constraints: public input count, verification gas, developer tooling. Groth16 tends toward lowest verification gas for small inputs; PLONK offers universality with moderate costs; STARKs avoid trusted setup but may cost more to verify. Measure on your own circuits before committing.

What do I owe users for DA? Provide mechanisms for state reconstruction and exit if your sequencer fails, respecting your chosen DA guarantees. EIP-4844 blobs require explicit recovery procedures and time windows (~18 days). Celestia or EigenDA deployments must document security assumptions and user verification methods.

How should I project proving costs? Costs trend downward through zkVMs, parallelization, and proving competition, but only your workload matters. Treat market estimates as directional; benchmark your circuits end-to-end.

What KPI indicates rollout safety? Monitor queue depth on critical paths and p95/p99 latency for end-to-end flows. Pair with error-budget-based SLOs to determine when to pause feature shipping and prioritize stability.

Practical Checklist

Architecture & Proofs

  • Circuit modularity (core transfer vs. compliance vs. audit)
  • Proof system benchmarked with verification gas measured on your verifier
  • Batch sizing and cadence modeled against proving time and user-visible latency

Data Availability

  • DA rationale documented (blobs vs. external DA)
  • Recovery runbook tested (sequencer disappears; users still exit)

Compliance & Identity

  • Permissioned token standard (ERC-3643) adopted where needed
  • Attestation schemas (EAS) defined for custody, audits, or facts

Oracles & Monitoring

  • Multiple oracle feeds with heartbeat staleness checks enforced
  • p95/p99 SLOs and error budgets wired to deployment gates
  • Queue depth dashboards per partition (onboarding, transfers, redemption)
#Web3 Infrastructure #DeFi

Keep reading

Blockchain Trends
5 min read

Blockchain and AI Convergence in 2026: How Distributed Ledgers Make AI More Trustworthy

Juan Manuel Sobral portrait

Juan Manuel Sobral

CTO & Co-founder
Blockchain Trends
5 min read

The Role of Smart Contracts in DeFi: How They Work, What They Power, and Why Security Is Non-Negotiable

Juan Manuel Sobral portrait

Juan Manuel Sobral

CTO & Co-founder
Blockchain Trends
11 min read

What Web3 Protocols Need to Succeed in 2026

Federico Sendra portrait

Federico Sendra

CEO & Co-founder
Product Development that Sparks Innovation