[FINAL] Protocol Upgrade #8: Guardian, Security Council Threshold and L2 ProxyAdmin Ownership changes for Stage 1 Decentralization

On behalf of the Developer Advisory Board, here is a non-technical summary of this upgrade proposal:

The Optimism team has proposed three important changes to enhance the security and decentralization of the network. This is a summary of these changes aimed to be digestible by non-technical members of the Optimism Collective.

All of these changes are aimed at achieving a technical description of Stage 1 Decentralization, which is a critical step towards decentralizing the OP stack. These changes have the goal of increasing the security of the OP stack, improving decentralization, and enabling strong incident response.

These changes have been audited by third-party auditors in a Cantina contest which ended on May 10th. A Lead Security Researcher from Spearbit was also engaged to audit the system in parallel. The audits uncovered no High severity issues.

1. Increase in Security Council Threshold:

  • Current State: Decisions require 4 out of 13 members to approve.
  • Proposed Change: Increase this to 10 out of 13 members.
  • Reason: This higher threshold ensures that more members must agree before any decision is made, significantly improving the network’s security by reducing the risk of a small group making unilateral decisions.

Thresholds: Threshold signatures are ways to ensure that some group of authorized organizations or individuals have to agree before authorizing an action. For example, imagine you and your friends have a magical treasure chest. To open it, you need a special key. But, instead of one person having the key, the key is split into pieces. Each friend holds a piece of the key.

To open the chest, you need a certain number of friends (say 3 out of 5) to put their pieces together. This way, no single person can open the chest alone; it requires teamwork. This makes sure the treasure is safe and only opened when enough friends agree. In general, when the threshold is higher, more parties are required to agree on unlocking the chest.

The Security Council makes decisions in a similar way to ensure one entity doesn’t have the ability to make unilateral decisions. The chest in this scenario is a smart contract that authorizes actions. Right now the threshold is low (only 4 out of 13 members need to put their key pieces together); this upgrade increases the security by requiring that 10 out of 13 key pieces are needed to authorize upgrade changes. The increase in the Security Council threshold requires that members of the Security Council agree before decisions are made, which improves the network security by reducing the risk that a small group makes unilateral decisions. Notably, this meets the 75% threshold requirement for a Stage 1 rollup outlined in L2Beat’s Stages framework, which is a respected framework for evaluating the stages of decentralization of rollups.

2. Guardian Role Transfer:

  • Current State: The Foundation currently holds the Guardian role.
  • Proposed Change: Transfer this role to a new entity called the Guardian Safe, which will be controlled by the Security Council.
  • The Foundation will be appointed the Deputy Guardian Role, which has the ability to act as a guardian through the Guardian Safe.

The Guardian Role is able to pause withdrawals from the OP stack in an unprecedented event in which there is a critical vulnerability in the fault proof system. Withdrawals are the act of withdrawing assets from an OP chain to Ethereum mainnet. The fault proofs are meant to make this process permissionless. But in the scenario where an attacker could withdraw more than they have (withdrawing other users’ funds from the OP Chain), the Guardian Role can stop the attacker. This is considered a short-term safeguard, but critical to ensure the safety of the Optimism ecosystem in the case of a catastrophic event.

In practice, the Guardian Role is a smart contract that can only be called by an authorized wallet. This proposal sets the Security Council’s threshold (as described above) as the authorized Guardian. This change also delegates the Guardian capabilities to the Foundation by assigning them the Deputy Guardian Role, allowing the Foundation the same abilities as the Guardian Role (to pause withdrawals). In practice, this upgrade only changes the configuration of the Guardian such that the Optimism network can move closer to the Stage 1 decentralization described by L2Beat.

3. L2 ProxyAdmin Ownership Change:

  • Current State: The L2ProxyAdmin contract is owned by the Optimism Foundation multisig.
  • Proposed Change: Reassign this ownership to a 2/2 threshold between the Security Council and the Optimism Foundation.
  • Reason: By transferring the ownership to the Security Council, the control over key administrative functions becomes more decentralized, preventing any single entity from having too much control over the system’s critical upgrades and changes.

This change ensures that the Security Council Safe has a blocking vote for L2 pre-deploy upgrades and is a requirement for Stage 1. This means that when a networking upgrade is being voted on, the Security Council can vote against a network upgrade and prevent the vote from passing. This is important because not all upgrades are safe, and if a network upgrade is proposed that has security vulnerabilities, the Security Council should be able to stop the proposal from passing.