When institutional infrastructure (white-label L2, Privacy L2, operator-managed rollup) goes offline or censors a user, there is currently no documented mechanism for end users to recover assets on L1 without operator cooperation.
Deliverables
New pattern: pattern-forced-withdrawal.md
- Intent: Guarantee end users can recover assets on L1 without operator cooperation, within bounded time
- Ingredients: L1 escape hatch contract, commitment inclusion proofs, timelock-based fallback, privacy-preserving withdrawal proofs
- Protocol: How a user triggers forced withdrawal when the operator is unresponsive or hostile
- Guarantees: Funds recoverable within bounded time; privacy preserved during escape (no forced deanonymization to exit)
- Trade-offs: Liveness delay, L1 gas costs, privacy leakage during escape vs. normal operation, complexity of proving commitment membership on L1
Reference in existing approaches
Update approach-white-label-deployment.md and approach-private-payments.md to reference this pattern where relevant. The white-label exit strategy currently covers vendor failure but not operator/institution failure from the user's perspective.
Update CHANGELOG.md
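A minimal model of the escape-hatch flow listed under Ingredients and Protocol, added here as an illustration and not taken from this issue or the project: the user proves inclusion of a balance leaf in the last committed state root, then finalizes once a timelock expires without any operator action. The SHA-256 Merkle layout, the `(owner, amount)` leaf and all names such as `EscapeHatch` are assumptions; the privacy-preserving withdrawal proof is not modelled, so the leaf is revealed on exit.

```python
import hashlib

def h(*parts):
    return hashlib.sha256(b"".join(parts)).digest()

def leaf_hash(owner, amount):
    # 0x00 / 0x01 prefixes domain-separate leaves from inner nodes
    return h(b"\x00", owner.encode(), amount.to_bytes(32, "big"))

def build_tree(leaves):
    levels = [list(leaves)]  # levels[0] = leaves, levels[-1] = [root]
    while len(levels[-1]) > 1:
        cur = levels[-1]     # an odd trailing node is paired with itself
        levels.append([h(b"\x01", cur[i], cur[min(i + 1, len(cur) - 1)])
                       for i in range(0, len(cur), 2)])
    return levels

def prove(levels, index):
    proof = []
    for level in levels[:-1]:
        proof.append(level[min(index ^ 1, len(level) - 1)])
        index //= 2
    return proof

def verify(root, leaf, index, proof):
    for sib in proof:
        leaf = h(b"\x01", leaf, sib) if index % 2 == 0 else h(b"\x01", sib, leaf)
        index //= 2
    return leaf == root

class EscapeHatch:  # hypothetical model of the L1 contract
    def __init__(self, state_root, delay):
        self.root, self.delay = state_root, delay
        self.pending, self.spent = {}, set()  # keyed by leaf, not by index

    def request(self, owner, amount, index, proof, now):
        leaf = leaf_hash(owner, amount)
        if leaf in self.spent or leaf in self.pending:
            raise ValueError("already requested or withdrawn")
        if not verify(self.root, leaf, index, proof):
            raise ValueError("leaf not in committed state")
        self.pending[leaf] = now + self.delay  # earliest forced-exit time

    def finalize(self, owner, amount, now):
        leaf = leaf_hash(owner, amount)
        if leaf not in self.pending or now < self.pending[leaf]:
            raise ValueError("no pending request or timelock not expired")
        self.spent.add(leaf)
        del self.pending[leaf]
        return owner, amount
```

Tracking spent withdrawals by leaf rather than by index matters here: with self-pairing of an odd trailing node, the same leaf also verifies at the phantom sibling index, and an index-keyed set would allow a second exit.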