I didn’t want to speculate on “what could go wrong” because usually the consequences of high risk and the resulting black swan events are often unanticipated. But consider that Optimism is basically like a CEX currently and comes with all of the same risks:
a) Due to negligence (malice I think is very unlikely), Optimism’s multi-sig is compromised, and the malicious entity executes an upgrade that could be as bad as draining all funds in the bridge.
b) Hackers only need to target Optimism Foundation and its founders, employees etc. Or worse still, kidnappers looking for a steep ransom or whatever.
c) US Treasury or some authority wants to sanction an app or a user on Optimism for whatever criminal activity. If it’s an immutable contract à la Tornado Cash, their best method of attack is to simply sanction members of Optimism - who as far as I know are US citizens. Now, the details of their multi-sig are very much obscured, and I also don’t know about which jurisdiction(s) Optimism Foundation comes under. But the fact that there’s no transparency about any of this is a big problem.
d) Alternatively, an authority can force Optimism to censor certain users or dapps, enforce an irregular state transition, freeze funds - Optimism can do any of that, really, while Optimism Foundation maintains an emergency backdoor.
Now, the bigger the TVL and the more the economic activity, the more Optimism becomes a significantly bigger target. While its TVL is <$1B, it’s OK as a beta product. But as we go past $2B, and with more incentives flowing out unthrottled, it could be $5B, and it could end up being the biggest target after Ethereum itself. Ethereum is very difficult to attack, but Optimism - you just need to compromise their multi-sig.
Of course, some may say all of this is dramatic and unrealistic, which is why I didn’t want to go into more details. But my answer is simple - Ethereum was designed to be maximally robust, decentralized and secure, such that it could survive under the most extreme of black swans. I’m holding Optimism to the same standard.
I have suggested pragmatic steps multiple times - even moving to timelocks + an emergency council, like zkSync has done for over 2 years now, is a big step forward versus a non-transparent multi-sig.