Psy is a sovereign ZK-native L1 with cross-chain bridges anchored on EVM and TRON. The safety property is not held by validators or relayers. It is held by a Plonky2 proof, recursively aggregated, wrapped in Groth16/BN254, and verified by a Solidity contract on each L1.
1. State transition
A user submits a transaction on Psy. A Realm node executes it, producing a Plonky2 proof of correct execution against the Goldilocks field. Each transaction proof is small; thousands fit in a checkpoint.
Worker nodes recursively aggregate transaction proofs into one checkpoint proof per realm, then 128 realm proofs into one coordinator proof. Recursive Plonky2 (a Plonky2 verifier expressed as a Plonky2 circuit) makes this aggregation cheap: every recursion step emits a proof of roughly the same size as its inputs, so the coordinator proof covering 128 realms is no larger than a single transaction proof.
The aggregated Plonky2 proof is wrapped in a Groth16 proof over BN254 (via gnark-plonky2-verifier). The wrapper is a single fixed circuit whose statement is 'I have verified a valid Plonky2 proof with these public inputs', with the Plonky2 public inputs carried through as Groth16 public inputs. Because Groth16 proving and verifying keys are circuit-specific, that circuit is set up once and reused for every checkpoint. This step exists because the EVM ships precompiles for BN254 pairing checks, so a Groth16 proof can be verified for a few hundred thousand gas, whereas Plonky2's FRI-based proofs over Goldilocks have no precompile support and would be far more expensive to verify directly on-chain.
A Solidity contract on Ethereum (and a Tron equivalent) verifies the Groth16 proof and updates a Checkpoint Root Registry. Verification cost is ~285k gas, comparable to a single Uniswap swap, and it does not grow with the number of transactions in the checkpoint. What makes the update safe is that the proof's public inputs (the previous and new checkpoint roots) are checked against the root the registry currently holds, so a valid proof of some other transition cannot be replayed against a different state. Anyone can read the registry to confirm a Psy state transition without trusting any operator.
Bridge funds on L1 are released only when the L1 verifier accepts a Groth16 proof of the corresponding Psy state transition. There is no M-of-N keyholder set whose collusion can fabricate a fraudulent withdrawal. Compromising every Psy operator does not let anyone steal — without a valid proof, the L1 contract refuses.
An M-of-N relayer set exists in the Psy bridge design. Their only role is to push proofs and checkpoints to L1 promptly. If they all go offline, any user can self-generate a withdrawal proof after the bot timeout (force-withdrawal). Liveness is degraded; safety is not. This is the structural distinction between safety-critical and liveness-only trust.
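The L1 side of the pipeline above (register a checkpoint only when the proof's public inputs chain to the current root and the proof verifies; release bridge funds only against a registered withdrawal root, and only once; accept submissions from anyone, so a user can step in when relayers stall), as an added Python model. It is not Psy's code. What it assumes, labelled in the comments: a sha256 Merkle tree with zero-hash padding over the checkpoint's withdrawal leaves; a toy balance state with withdrawal-only transactions; and a stand-in for the Plonky2/Groth16 pipeline in which the 'proof' carries its witness and the verifier re-executes it, which is sound but not succinct. The relayer timeout is omitted: submission is permissionless throughout, which yields the same safety property. Names such as CheckpointRootRegistry, ModelProof and run_scenario are hypothetical.

```python
# Added model (not Psy's code) of the L1 side: a permissionless checkpoint registry that
# releases bridge funds only against a verified transition. Data layouts are assumptions.
from __future__ import annotations
import hashlib
from dataclasses import dataclass, replace
ZERO = bytes(32)
def sha(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()

def merkle_path(leaves: list[bytes], index: int) -> tuple[bytes, list[bytes]]:
    """Return (root, sibling path for leaf `index`); odd levels get a zero-hash pad, never a duplicated leaf."""
    level, path = list(leaves) or [ZERO], []
    while len(level) > 1:
        level = level + [ZERO] if len(level) % 2 else level
        path.append(level[index ^ 1])
        level, index = [sha(level[i], level[i + 1]) for i in range(0, len(level), 2)], index // 2
    return level[0], path
def merkle_root(leaves: list[bytes]) -> bytes:
    return merkle_path(leaves, 0)[0]
def merkle_verify(root: bytes, leaf: bytes, index: int, path: list[bytes]) -> bool:
    for sibling in path:
        leaf, index = (sha(sibling, leaf) if index & 1 else sha(leaf, sibling)), index // 2
    return leaf == root

# Psy side: what a Realm node executes before proving (toy balance state, withdrawals only).
def withdrawal_leaf(l1_addr: str, amount: int, nonce: int) -> bytes:
    return sha(l1_addr.encode(), amount.to_bytes(8, "big"), nonce.to_bytes(4, "big"))
def state_root(balances: dict[str, int]) -> bytes:
    return sha(*(sha(k.encode(), v.to_bytes(8, "big")) for k, v in sorted(balances.items())))
def execute(balances: dict[str, int], txs) -> tuple[dict[str, int], list[bytes]]:
    bal, leaves = dict(balances), []
    for src, l1_addr, amount in txs:  # each tx moves value from a Psy account to an L1 address
        if amount <= 0 or bal.get(src, 0) < amount:
            raise ValueError("overdraft")
        bal[src] -= amount
        leaves.append(withdrawal_leaf(l1_addr, amount, len(leaves)))
    return bal, leaves

@dataclass(frozen=True)
class ModelProof:
    prev_root: bytes        # public inputs: the L1 contract binds these to its registry
    new_root: bytes
    withdrawals_root: bytes
    witness: tuple          # (balances_before, txs): a real proof keeps this private
def prove(balances: dict[str, int], txs) -> ModelProof:
    new_bal, leaves = execute(balances, txs)
    return ModelProof(state_root(balances), state_root(new_bal), merkle_root(leaves),
                      (tuple(sorted(balances.items())), tuple(txs)))
def verify(proof: ModelProof) -> bool:  # Groth16 stand-in: re-execute witness, compare public inputs
    try:
        before = dict(proof.witness[0])
        after, leaves = execute(before, proof.witness[1])
    except ValueError:
        return False
    return (state_root(before), state_root(after), merkle_root(leaves)) == (
        proof.prev_root, proof.new_root, proof.withdrawals_root)

class CheckpointRootRegistry:  # L1 contract model: no owner, no relayer whitelist, no upgrade key
    def __init__(self, genesis_root: bytes):
        self.latest_root, self.withdrawal_roots, self.spent = genesis_root, [], set()
    def submit_checkpoint(self, proof: ModelProof) -> bool:  # anyone may call this
        if proof.prev_root != self.latest_root or not verify(proof):
            return False
        self.latest_root = proof.new_root
        self.withdrawal_roots.append(proof.withdrawals_root)
        return True
    def withdraw(self, cp: int, l1_addr: str, amount: int, idx: int, path: list[bytes]) -> bool:
        ok = (cp < len(self.withdrawal_roots) and (cp, idx) not in self.spent and
              merkle_verify(self.withdrawal_roots[cp], withdrawal_leaf(l1_addr, amount, idx), idx, path))
        if ok:
            self.spent.add((cp, idx))  # funds released once; the same leaf cannot be replayed
        return ok

def run_scenario() -> dict:
    genesis = {"alice": 100, "bob": 50}  # constructed sample state
    reg = CheckpointRootRegistry(state_root(genesis))
    txs = [("bob", "0xBOB", 40)]
    proof, (bal1, leaves1) = prove(genesis, txs), execute(genesis, txs)
    out = {"honest_checkpoint_accepted": reg.submit_checkpoint(proof)}
    # Every operator colludes: post a root minting 1000 for mallory; no witness can back it.
    forged = replace(proof, prev_root=proof.new_root, new_root=state_root({**bal1, "mallory": 1000}))
    out["forged_root_refused"] = not reg.submit_checkpoint(forged)
    # Or ship a witness with an overdraft in it: verify() re-executes it and refuses.
    overdraft = ModelProof(state_root(bal1), state_root(bal1), ZERO,
                           (tuple(sorted(bal1.items())), (("mallory", "0xMAL", 5),)))
    out["overdraft_witness_refused"] = not reg.submit_checkpoint(overdraft)
    path = merkle_path(leaves1, 0)[1]
    out["wrong_amount_refused"] = not reg.withdraw(0, "0xBOB", 41, 0, path)
    out["withdrawal_paid"] = reg.withdraw(0, "0xBOB", 40, 0, path)
    out["replay_refused"] = not reg.withdraw(0, "0xBOB", 40, 0, path)
    # Relayers offline: alice proves and submits her own checkpoint, then withdraws against it.
    txs2 = [("alice", "0xALICE", 70)]
    proof2, (_, leaves2) = prove(bal1, txs2), execute(bal1, txs2)
    out["user_self_submitted"] = reg.submit_checkpoint(proof2)
    out["forced_withdrawal_paid"] = reg.withdraw(1, "0xALICE", 70, 0, merkle_path(leaves2, 0)[1])
    return out
```

run_scenario() returns a dict of outcomes: the honest checkpoint is registered; a forged root and an overdraft witness are refused even though they come from 'every operator'; a withdrawal succeeds exactly once against its registered root; and a user with no relayer submits and withdraws on her own. Everything the page reduces safety to lives in verify() and submit_checkpoint(): a constraint bug in the wrapper circuit or a bug in the verifier contract corresponds to a bug in those few lines, which is why they are the audit target.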
After every layer is unrolled, the safety property reduces to: (a) Plonky2 cryptographic soundness, (b) Groth16 cryptographic soundness, which for the wrapper circuit also depends on its trusted setup having been run honestly (a multi-party ceremony needs only one honest participant, and only once), (c) the gnark-plonky2-verifier wrapper circuit being free of constraint bugs, and (d) the L1 verifier contract being free of bugs. Each is auditable. None requires any human to remain honest during operation. This is what 'trust minimization' means when made concrete.
Psy reduces cross-chain and cross-realm trust to circuit soundness. It does not reduce: (a) bugs in user-deployed Psy-lang contracts (smart-contract risk persists), (b) bugs in the Psy compiler or VM (a circuit-generation bug would corrupt every contract built with it), (c) social-engineering attacks on individual users, (d) governance compromise of the L1 verifier upgrade key. An upgradeable verifier is itself a trust assumption, which is why Psy's verifier is non-upgradeable; the flip side is that a bug in the deployed verifier cannot be patched in place and would require migrating to a new contract. Honest framing matters.
~285k gas, comparable to one Uniswap swap: the L1 verifier accepts a Groth16 proof covering an entire Psy checkpoint in a single verification.
If relayers stop pushing proofs, any user can self-generate a withdrawal proof and submit directly to L1.
Safety property holds even if every Psy operator is malicious. Liveness degrades; safety does not.