Module F – Interactive Quiz – 20 Multiple-Choice Questions
Q1
[Understand] The scalability trilemma states that a blockchain can fully optimize for at most how many of these three properties simultaneously: security, scalability, decentralization?
Explanation
A blockchain can optimize for at most two of the three properties; L2 solutions attempt all three by inheriting L1 security while executing off-chain.
Q2
[Understand] What is the primary function of a sequencer in a Layer 2 rollup?
Explanation
The sequencer orders and batches transactions, then submits compressed data to L1.
Q3
[Apply] Ethereum L1 processes approximately 15 TPS. An optimistic rollup claims 2,000 TPS. By approximately what factor does the rollup improve throughput?
Explanation
133x (2,000 / 15 ≈ 133), achieved by executing off-chain and posting only compressed calldata (or blobs post-Dencun) to L1.
Q4
[Apply] A user submits a withdrawal from an optimistic rollup. The challenge period is 7 days. On which day at the earliest can the user access their funds on L1?
Explanation
Day 8 — the full 7-day challenge period must elapse before the withdrawal finalizes.
Q5
[Apply] Before the Dencun upgrade, an Arbitrum swap cost approximately $0.50. After Dencun (EIP-4844), it costs $0.01. What is the percentage fee reduction?
Q6
[Understand] What type of cryptographic proof do ZK-rollups use to verify transaction validity directly on L1?
Explanation
ZK-rollups use validity proofs (SNARKs or STARKs) to mathematically prove all batched transactions are correct without revealing individual details.
Q7
[Apply] A ZK-rollup batches 1,000 transactions into a single L1 proof. If the on-chain proof verification costs $10, what is the per-transaction L1 cost?
Explanation
$0.01 per transaction ($10 / 1,000) — cost amortization across the batch is the core economic advantage of rollups.
Q8
[Analyze] Why do optimistic rollups have a 7-day withdrawal delay while ZK-rollups can finalize in minutes?
Explanation
Optimistic rollups need the 7-day window for fraud proofs; ZK-rollups submit a validity proof with each batch, allowing L1 to finalize immediately.
Q9
[Understand] What makes flash loans "atomic" and distinguishes them from traditional uncollateralized loans?
Explanation
The entire sequence — borrow, use, repay — executes in one transaction; if repayment fails the EVM reverts all state changes.
Q10
[Analyze] In the Beanstalk attack ($182M), the attacker used a flash loan to acquire governance tokens and immediately pass a malicious proposal. Why couldn’t the protocol simply “undo” the governance vote?
Explanation
Governance execution happened within the same atomic transaction as the flash loan — by confirmation, the funds were already drained.
Q11
[Analyze] A sandwich attack involves a MEV bot trading immediately before AND after a user’s swap. Which participant ultimately bears the economic cost?
Explanation
The user — the bot front-runs to push the price up, then back-runs to capture the spread, so the user receives fewer tokens than expected.
Q12
[Apply] A user swaps 10 ETH for USDC on a DEX. A MEV bot front-runs the trade, pushing the effective USDC price from $2,500 to $2,510 per ETH. How much value did the user lose to the sandwich?
Explanation
$100 (10 ETH × $10 price impact = $100) — the “invisible tax” of MEV on every poorly protected swap.
Q13
[Apply] A smart contract sends ETH to an external address before updating the sender’s internal balance. Which vulnerability does this pattern create?
Explanation
Reentrancy — the receiving contract’s fallback() re-calls withdraw() before the balance is zeroed, draining funds repeatedly (The DAO, 2016, $60M).
Q14
[Analyze] The Checks-Effects-Interactions (CEI) pattern defends against reentrancy. In what order should a secure withdraw() function execute its three steps?
Explanation
Check, then Effect (zero the balance), then Interaction (send ETH) — balance is zeroed before the external call, so reentrant calls find nothing to withdraw.
Q15
[Apply] A lending protocol uses a single DEX’s spot price as its price oracle. An attacker uses a flash loan to manipulate the pool reserves within one block. Which defense would most effectively prevent this attack?
Explanation
A TWAP (Time-Weighted Average Price) averages price over many blocks, making single-block flash loan manipulation economically infeasible.
Q16
[Analyze] The Ronin Bridge used a 9-validator multisig, and the attacker compromised 5 validators to authorize a $625M drain. What percentage of validators did the attacker need to control?
Explanation
56% (5/9 ≈ 55.6%) — a simple majority threshold made it vulnerable to social engineering of just 5 individuals.
Q17
[Apply] A security team runs Slither on a contract and finds zero issues. Should the team deploy to mainnet immediately?
Explanation
Slither catches known patterns quickly but misses logic bugs and economic design flaws — defense-in-depth requires multiple complementary tools.
Q18
[Analyze] Why are cross-chain bridge exploits typically larger in dollar terms than single-protocol exploits?
Explanation
Bridges concentrate cross-chain liquidity into one target — Ronin ($625M), Wormhole ($320M), and Nomad ($190M) all followed this pattern.
Q19
[Evaluate] Protocol A has 3 audits, a $5M bug bounty, formal verification, and a 48-hour timelock. Protocol B has 1 audit and $500M TVL. Which has a stronger security posture?
Explanation
Protocol A demonstrates defense in depth; Protocol B’s high TVL is a target, not a security property, and a single audit is insufficient assurance.
Q20
[Evaluate] An L2 protocol uses a single centralized sequencer, has no fraud proof mechanism deployed, and holds $2B in TVL. What is your risk assessment?
Explanation
A centralized sequencer is a single point of failure, absent fraud proofs leave users unable to verify validity, and $2B TVL makes it a prime target — security theater, not genuine guarantees.