CANNON CANNON CANNON: Introducing Cannon

CANNON CANNON CANNON: Introducing Cannon

Today, we’re extremely excited to formally introduce Cannon to the world. Cannon is OP Mainnet’s next-gen fault proof. Its initial implementation by geohot became the first public fault proof implementation that can run an EVM-equivalent L2. Oh, and it also enables the theoretical minimum calldata gas costs.

From day 1, Cannon has been built with OP Mainnet: Bedrock — our next major release — in mind. Cannon will become a foundation of OP Mainnet for years to come.

Today, we are taking our next step in realizing Cannon’s promise, by launching a bug bounty with up to $250k in prizes! Details can be found at the bottom.

But what exactly is Cannon?

Cannon …

… is EVM equivalent

Cannon (github) is the world’s first EVM-equivalent fault proof implementation. Cannon allows us to run the unaltered EVM on L2 with no sacrifices.

… reuses the geth EVM

Cannon takes a fresh approach to fault proofs compared to existing rollups, achieving true EVM equivalence: instead of re-implementing the EVM, it leverages an existing EVM implementation (geth!).

In particular, minigeth — a minimally modified subset of go-ethereum (no JSON-RPC, no proof-of-work) — is compiled to MIPS, a Reduced Instruction Set Computer (RISC). RISC is designed to be as simple as possible. If you know anything about Optimism, you know that we ❤️ simplicity — the MIPS VM is then implemented on-chain in less than 400 lines! 😍

… uses stateless magic

Unlike our previous fault proof design, which re-ran the EVM over a whole transaction on L1, Cannon only needs to execute a single minigeth MIPS instruction on chain. This is a similar approach to existing projects like Truebit, Arbitrum, and Cartesi, but it introduces a key new feature.

Minigeth replaces geth’s state database with a new¹ primitive called the preimage oracle. The preimage oracle can be queried with a 32 byte hash, and will return the preimage for that hash into the machine memory. This may sound counterintuitive, but it works. And it’s incredibly powerful.

This simple abstraction allows the fault proof program to access anything in the L1 or L2 state, with an on-chain overhead independent of the size of that state. Other L2 implementations, such as Arbitrum’s AVM, required from-scratch implementations of state management to achieve this. But — since the database used by geth already maps hashes to their preimages, the preimage oracle accomplishes this without sacrificing EVM equivalence and with minimal changes to code.

… minimizes transaction costs

All existing rollups today submit transaction data to a smart contract, and a hash of the calldata is stored in the state. That overhead imposes costs which must then be passed on to users.

This is necessary² because transactions need to be accessible to dispute contracts during a fault proof. However, the preimage oracle gives us a new way to access transaction data: the L1 block header itself.

Because no on-chain processing of transactions is required, they can be posted as calldata to an L1 account with no code at all.

This yields the smallest possible L1 gas cost for an L2 transaction. It also compounds with other savings techniques, such as calldata compression and blob transactions, together passing massive savings on to users.

… is coming to prod

(once you all break it!)

There is still a long road forward before we can deploy Cannon into production. It will play a critical role in OP Mainnet’s security, and it deserves an abundance of scrutiny and hardening.

Today, we’re taking the next step towards securing Cannon — we are launching a bug bounty!

Come Break the Cannon!

We now have a bug bounty open on ImmuneFi. The terms are simple: if you’re able to break Cannon, you’ll get $50k. Not to mention the clout you’ll get for hacking a famous hacker!

To get started, head right over the Cannon repository or check out the details on Immunefi. We also recommend checking out the Cannon high-level overview as well as the detailed overview.


We would like to give a huge shoutout to geohot for pioneering cannon’s initial implementation and for so many conversations along the way. We’d also like to thank Immunefi for hosting the bug bounty for us!

As always, if you’re interested in joining a talented group of Optimists dedicated to building a scalable and sustainable future for Ethereum we’d love to hear from you! Check out all open roles on our jobs board.


[1] When we first started sharing cannon, we discovered that Cartesi had previously proposed a “dehashing device” as an area of future work. However, this was framed as a tool for reading external blockchain data — what is unique about our approach applying this method to the L2 state itself, and the advantages for EVM equivalence it brings.

[2] As mentioned in the previous footnote, Cartesi’s “dehasher” was proposed as future work to give a way to read other blockchains. The Arbitrum whitepaper also proposed mapping L1 blocks into AVM tuples as future work, and lightclients also proposed another way to implement this. Our contribution is to accomplish the optimal L1 data costs, and L2 state access costs, with a unified abstraction that preserves EVM equivalence.