Merge pull request #330 from ethereum-optimism/sc/priv-roles-update

fix: clean up priviledged roles page
ethereum-optimism · Feb 8, 2024 · c9ee140 · c9ee140
2 parents da2be1d + 129599b
commit c9ee140
Show file tree

Hide file tree

Showing 2 changed files with 135 additions and 59 deletions.
diff --git a/pages/chain/security/privileged-roles.mdx b/pages/chain/security/privileged-roles.mdx
@@ -6,98 +6,173 @@ description: Learn about the privileged roles in OP Mainnet.
 
 # Privileged Roles in OP Mainnet
 
-In our current state of decentralization, there are still some privileged roles in OP Mainnet. This document explains what they are, and why they exist.
+OP Mainnet is on a [Pragmatic Path to Decentralization](https://medium.com/ethereum-optimism/our-pragmatic-path-to-decentralization-cb5805ca43c1).
+In its current state, the network still includes some "privileged" roles that give certain addresses the ability to carry out specific actions.
+Read this page to understand these roles, why they exist, and what risks they pose.
 
-## Hot wallets
+## L1 Proxy Admin
 
-These are addresses that *need* to have their private key online somewhere for a component of the system to work.
+The L1 Proxy Admin is an address that can be used to upgrade most OP Mainnet system contracts.
 
-### Batcher
+### Risks
 
-This is the component that submits new transaction batches.
+*   Compromised L1 Proxy Admin could upgrade contracts to malicious versions.
+*   Compromised L1 Proxy Admin could remove or lock ETH or tokens in the Standard Bridge.
+*   Compromised L1 Proxy Admin could fail to mitigate a risk as described on this page.
 
-*   **Mainnet address**: [`0x6887246668a3b87F54DeB3b94Ba47a6f63F32985`](https://etherscan.io/address/0x6887246668a3b87F54DeB3b94Ba47a6f63F32985)
-*   **Sepolia address**: [`0x8F23BB38F531600e5d8FDDaAEC41F13FaB46E98c`](https://sepolia.etherscan.io/address/0x8F23BB38F531600e5d8FDDaAEC41F13FaB46E98c)
+### Mitigations
 
-If this address is compromised, that would enable denial of service attacks against the rollup.
+*   L1 Proxy Admin is a 5-of-7 [multisig](https://etherscan.io/address/0x9BA6e03D8B90dE867373Db8cF1A58d2F7F006b3A#readProxyContract).
+*   L1 Proxy Admin may eventually be operated by a [Security Council](https://gov.optimism.io/t/intro-to-optimisms-security-council/6885).
 
-### Proposer
+### Addresses
 
-This is the component that submits new state roots for the L2 output.
+*   **Ethereum**: [`0x9BA6e03D8B90dE867373Db8cF1A58d2F7F006b3A`](https://etherscan.io/address/0x9BA6e03D8B90dE867373Db8cF1A58d2F7F006b3A)
+*   **Sepolia:** [`0xfd1D2e729aE8eEe2E146c033bf4400fE75284301`](https://sepolia.etherscan.io/address/0xfd1D2e729aE8eEe2E146c033bf4400fE75284301)
 
-*   **Mainnet address**: [`0x473300df21D047806A082244b417f96b32f13A33`](https://etherscan.io/address/0x473300df21D047806A082244b417f96b32f13A33)
-*   **Sepolia address**: [`0x49277EE36A024120Ee218127354c4a3591dc90A9`](https://sepolia.etherscan.io/address/0x49277EE36A024120Ee218127354c4a3591dc90A9)
+## L2 Proxy Admin
 
-If this address is compromised then we might have invalid output proposals that we need the [challenger](#challenger) to cancel.
-As long as we do it within seven days, the risk is minimized.
+The L2 Proxy Admin is an address that can be used to upgrade most OP Mainnet system contracts on L2.
 
-## Cold wallets
+### Risks
 
-These addresses are *cold*, meaning the private key is not on any device connected to the network, and cannot be used without human intervention.
-On OP Mainnet these are usually multisig contracts, controlled by groups of community members.
-On [OP Stack](/stack/getting-started) these wallets are set by default to the `ADMIN` address.
-When you create a new OP Stack blockchain you specify them in [the deployment configuration JSON file](https://github.com/ethereum-optimism/optimism/blob/62c7f3b05a70027b30054d4c8974f44000606fb7/packages/contracts-bedrock/deploy-config/getting-started.json).
+*   Compromised L2 Proxy Admin could upgrade contracts to malicious versions.
+*   Compromised L2 Proxy Admin could remove or lock ETH or tokens in the Standard Bridge.
+*   Compromised L2 Proxy Admin could fail to mitigate a risk as described on this page.
 
-### MintManager Owner
+### Mitigations
 
-On OP Mainnet this address controls the [`MintManager`](https://github.com/ethereum-optimism/optimism/blob/62c7f3b05a70027b30054d4c8974f44000606fb7/packages/contracts-bedrock/contracts/governance/MintManager.sol) that can mint new OP tokens.
-On OP Stack it is usually meaningless.
+*   L2 Proxy Admin is a 5-of-7 [multisig](https://optimistic.etherscan.io/address/0x7871d1187a97cbbe40710ac119aa3d412944e4fe#readProxyContract).
+*   L2 Proxy Admin may eventually be operated by a [Security Council](https://gov.optimism.io/t/intro-to-optimisms-security-council/6885).
 
-| Address of | Sepolia                                                                                                                         | Mainnet                                                                                                                            |
-| ---------- | ------------------------------------------------------------------------------------------------------------------------------ | ---------------------------------------------------------------------------------------------------------------------------------- |
-| Contract   | [`0xfd1d2e729ae8eee2e146c033bf4400fe75284301`](https://sepolia.etherscan.io/address/0xfd1d2e729ae8eee2e146c033bf4400fe75284301) | [`0x5c4e7ba1e219e47948e6e3f55019a647ba501005`](https://optimistic.etherscan.io/address/0x5c4e7ba1e219e47948e6e3f55019a647ba501005) |
-| Owner      | [`0xfd1d2e729ae8eee2e146c033bf4400fe75284301`](https://sepolia.etherscan.io/address/0x18394B52d3Cb931dfA76F63251919D051953413d) | [`0x2a82ae142b2e62cb7d10b55e323acb1cab663a26`](https://optimistic.etherscan.io/address/0x2a82ae142b2e62cb7d10b55e323acb1cab663a26) |
+### Addresses
 
-If access to this address is lost, there is no more ability to mint new OP tokens.
-If access to this address is compromised, attackers can mint an endless supply of OP tokens.
+*   **Ethereum**: [`0x7871d1187a97cbbe40710ac119aa3d412944e4fe`](https://optimistic.etherscan.io/address/0x7871d1187a97cbbe40710ac119aa3d412944e4fe)
+*   **Sepolia**: [`0xfd1D2e729aE8eEe2E146c033bf4400fE75284301`](https://sepolia-optimism.etherscan.io/address/0xfd1D2e729aE8eEe2E146c033bf4400fE75284301)
 
-### System Config Owner
+## System Config Owner
 
-This is the address authorized to change the settings in the [`SystemConfig`](https://github.com/ethereum-optimism/optimism/blob/62c7f3b05a70027b30054d4c8974f44000606fb7/packages/contracts-bedrock/contracts/L1/SystemConfig.sol) contract.
+The System Config Owner is an address that can be used to change the values within the [`SystemConfig`](https://github.com/ethereum-optimism/optimism/blob/62c7f3b05a70027b30054d4c8974f44000606fb7/packages/contracts-bedrock/contracts/L1/SystemConfig.sol) contract on Ethereum.
 
-*   **Mainnet address**: [`0x9BA6e03D8B90dE867373Db8cF1A58d2F7F006b3A`](https://etherscan.io/address/0x9BA6e03D8B90dE867373Db8cF1A58d2F7F006b3A)
-*   **Sepolia address**: [`0xfd1D2e729aE8eEe2E146c033bf4400fE75284301`](https://sepolia.etherscan.io/address/0xfd1D2e729aE8eEe2E146c033bf4400fE75284301)
+### Risks
 
-If access to this address is lost, it would make it more difficult to modify the system configuration (not impossible, because we can upgrade the contract at the proxy).
-If access to this address is compromised, an attack can raise the gas markup and cause users to overpay for transactions.
+*   Compromised System Config Owner could cause a temporary network outage.
+*   Compromised System Config Owner could cause users to be overcharged for transactions.
 
-### Challenger
+### Mitigations
 
-This is the address authorized to call [`deleteL2Outputs()`](https://github.com/ethereum-optimism/optimism/blob/62c7f3b05a70027b30054d4c8974f44000606fb7/packages/contracts-bedrock/contracts/L1/L2OutputOracle.sol#L133-L167) to remove a faulty state commitment.
+*   System Config Owner is a 5-of-7 [multisig](https://etherscan.io/address/0x9BA6e03D8B90dE867373Db8cF1A58d2F7F006b3A#readProxyContract).
+*   System Config Owner may eventually be operated by a [Security Council](https://gov.optimism.io/t/intro-to-optimisms-security-council/6885).
+*   System Config Owner can be replaced by the [L1 Proxy Admin](#l1-proxy-admin).
 
-Currently this is a multisig with trusted community members.
-Eventually, once fault proofs are completed, it will be a contract that verifies challenges are correct.
+### Addresses
 
-*   **Mainnet address**: [`0x9BA6e03D8B90dE867373Db8cF1A58d2F7F006b3A`](https://etherscan.io/address/0x9BA6e03D8B90dE867373Db8cF1A58d2F7F006b3A)
-*   **Sepolia address:** [`0xfd1D2e729aE8eEe2E146c033bf4400fE75284301`](https://sepolia.etherscan.io/address/0xfd1D2e729aE8eEe2E146c033bf4400fE75284301)
+*   **Ethereum**: [`0x9BA6e03D8B90dE867373Db8cF1A58d2F7F006b3A`](https://etherscan.io/address/0x9BA6e03D8B90dE867373Db8cF1A58d2F7F006b3A)
+*   **Sepolia**: [`0xfd1D2e729aE8eEe2E146c033bf4400fE75284301`](https://sepolia.etherscan.io/address/0xfd1D2e729aE8eEe2E146c033bf4400fE75284301)
 
-If this address is compromised, an attacker could delay finalization by challenging valid states.
-If this address is lost, it needs to be upgraded into a new value.
-To do anything beyond slow down service, an attack would need to make sure challenger is not operational *and* control the Proposer.
+## Batcher
 
-### L1 ProxyAdmin Owner
+### Description
 
-This is the owner of most of the L1 contracts, which can upgrade them if necessary.
+The Batcher is a software service that submits batches of transactions to Ethereum on behalf of the current OP Mainnet Sequencer.
+OP Mainnet nodes will look for transactions from this address to find new batches of L2 transactions to process.
 
-*   **Mainnet address**: [`0x9BA6e03D8B90dE867373Db8cF1A58d2F7F006b3A`](https://etherscan.io/address/0x9BA6e03D8B90dE867373Db8cF1A58d2F7F006b3A)
-*   **Sepolia address:** [`0xfd1D2e729aE8eEe2E146c033bf4400fE75284301`](https://sepolia.etherscan.io/address/0xfd1D2e729aE8eEe2E146c033bf4400fE75284301)
+### Risks
 
-If this address is compromised, there could be a catastrophic loss of ETH or tokens, because it controls the bridge.
-If access to this address is lost, we will not be able to upgrade in an emergency.
+*   Batcher address is typically a hot wallet.
+*   Compromised batcher address can cause L2 reorgs or sequencer outages.
 
-### L2 ProxyAdmin Owner
+### Mitigations
 
-This is the owner of most of the L2 contracts, which can upgrade them if necessary.
+*   Compromised batcher address cannot publish invalid transactions.
+*   Compromised batcher address can be replaced by the [L1 Proxy Admin](#l1-proxy-admin).
 
-*   **Mainnet address**: [`0x7871d1187a97cbbe40710ac119aa3d412944e4fe`](https://optimistic.etherscan.io/address/0x7871d1187a97cbbe40710ac119aa3d412944e4fe)
-*   **Sepolia address:** [`0xfd1D2e729aE8eEe2E146c033bf4400fE75284301`](https://sepolia-optimism.etherscan.io/address/0xfd1D2e729aE8eEe2E146c033bf4400fE75284301)
+### Addresses
 
-If this address is compromised, there could be a catastrophic loss of ETH or tokens, because it controls the bridge.
-If access to this address is lost, we will not be able to upgrade in an emergency.
+*   **Ethereum**: [`0x6887246668a3b87F54DeB3b94Ba47a6f63F32985`](https://etherscan.io/address/0x6887246668a3b87F54DeB3b94Ba47a6f63F32985)
+*   **Sepolia**: [`0x8F23BB38F531600e5d8FDDaAEC41F13FaB46E98c`](https://sepolia.etherscan.io/address/0x8F23BB38F531600e5d8FDDaAEC41F13FaB46E98c)
 
-### Guardian
+## Proposer
 
-The `OptimismPortal` is pausable as a backup safety mechanism that allows a specific `GUARDIAN` address to temporarily halt deposits and withdrawals to mitigate security issues if necessary.
+### Description
 
-*   **Mainnet address**: [`0x9BA6e03D8B90dE867373Db8cF1A58d2F7F006b3A`](https://etherscan.io/address/0x9BA6e03D8B90dE867373Db8cF1A58d2F7F006b3A)
-*   **Sepolia address:** [`0xDEe57160aAfCF04c34C887B5962D0a69676d3C8B`](https://sepolia.etherscan.io/address/0xDEe57160aAfCF04c34C887B5962D0a69676d3C8B)
+The Proposer is a software service that submits proposals about the state of OP Mainnet to the `L2OutputOracle` contract on Ethereum.
+Proposals submitted to the `L2OutputOracle` contract can be used to execute withdrawal transactions on Ethereum after 7 days.
+Proposer addresses are typically "hot wallets" as they must be available to frequently sign and publish new state proposals.
+
+### Risks
+
+*   Proposer address is typically a hot wallet.
+*   Compromised proposer address could propose invalid state proposals.
+*   Invalid state proposals can be used to execute invalid withdrawals after 7 days.
+
+### Mitigations
+
+*   Compromised proposer address can be replaced by the [L1 Proxy Admin](#l1-proxy-admin).
+*   Invalid state proposals can be challenged by the [Challenger](#challenger) within 7 days.
+
+### Addresses
+
+*   **Ethereum**: [`0x473300df21D047806A082244b417f96b32f13A33`](https://etherscan.io/address/0x473300df21D047806A082244b417f96b32f13A33)
+*   **Sepolia**: [`0x49277EE36A024120Ee218127354c4a3591dc90A9`](https://sepolia.etherscan.io/address/0x49277EE36A024120Ee218127354c4a3591dc90A9)
+
+## Challenger
+
+### Description
+
+The Challenger is an address that can be used to challenge invalid state proposals submitted by the [Proposer](#proposer) role.
+
+### Risks
+
+*   Compromised challenger could invalidate valid state proposals.
+*   Compromised challenger could fail to challenge invalid state proposals.
+
+### Mitigations
+
+*   Compromised challenger address can be replaced by the [L1 Proxy Admin](#l1-proxy-admin).
+*   Challenges can be executed by replaced challenger address.
+
+### Addresses
+
+*   **Ethereum**: [`0x9BA6e03D8B90dE867373Db8cF1A58d2F7F006b3A`](https://etherscan.io/address/0x9BA6e03D8B90dE867373Db8cF1A58d2F7F006b3A)
+*   **Sepolia**: [`0xfd1D2e729aE8eEe2E146c033bf4400fE75284301`](https://sepolia.etherscan.io/address/0xfd1D2e729aE8eEe2E146c033bf4400fE75284301)
+
+## Guardian
+
+### Description
+
+The Guardian is an address that can be used to pause withdrawals from OP Mainnet.
+This is a backup safety mechanism that allows for a temporary halt in the event of a security concern.
+The Guardian role cannot pause specific withdrawals and can only pause all withdrawals.
+
+### Risks
+
+*   Compromised guardian could pause withdrawals indefinitely.
+
+### Mitigations
+
+*   Compromised guardian address can be replaced by the [L1 Proxy Admin](#l1-proxy-admin).
+*   Withdrawals can be unpaused by replaced guardian address.
+
+### Addresses
+
+*   **Ethereum**: [`0x9BA6e03D8B90dE867373Db8cF1A58d2F7F006b3A`](https://etherscan.io/address/0x9BA6e03D8B90dE867373Db8cF1A58d2F7F006b3A)
+*   **Sepolia**: [`0xDEe57160aAfCF04c34C887B5962D0a69676d3C8B`](https://sepolia.etherscan.io/address/0xDEe57160aAfCF04c34C887B5962D0a69676d3C8B)
+
+## Mint Manager Owner
+
+The Mint Manager Owner is an address that controls the [`MintManager`](https://github.com/ethereum-optimism/optimism/blob/62c7f3b05a70027b30054d4c8974f44000606fb7/packages/contracts-bedrock/contracts/governance/MintManager.sol) contract that can be used to mint new OP tokens on OP Mainnet.
+
+### Risks
+
+*   Compromised Mint Manager Owner could mint arbitrary amounts of OP tokens.
+*   Compromised Mint Manager Owner could prevent OP tokens from being minted.
+
+### Mitigations
+
+*   Mint Manager Owner is a 3-of-5 [multisig](https://optimistic.etherscan.io/address/0x2a82ae142b2e62cb7d10b55e323acb1cab663a26#readProxyContract).
+
+### Addresses
+
+*   **Ethereum**: [`0x2a82ae142b2e62cb7d10b55e323acb1cab663a26`](https://optimistic.etherscan.io/address/0x2a82ae142b2e62cb7d10b55e323acb1cab663a26)
+*   **Sepolia**: [`0x5c4e7ba1e219e47948e6e3f55019a647ba501005`](https://optimistic.etherscan.io/address/0x5c4e7ba1e219e47948e6e3f55019a647ba501005)
diff --git a/words.txt b/words.txt
@@ -85,6 +85,7 @@ MFHI
 MFLO
 Mintable
 Mintplex
+Mitigations
 MIPSEVM
 mmap
 MOVN