Executive Summary
Hi I’m Dragan, a technical program manager at OP labs working on the OP blockchain development team, and a core contributor of the OP Stack. I reviewed this proposal in collaboration with Sebastian Stammler, Adrian Sutton, George Knee, Matt Solomon from the OP labs team and with Roberto Bayardo from the Base team.
Neither OP labs nor I represent or speak on behalf of the Optimism Foundation.
Holocene contains three changes:
- Holocene block derivation: a set of changes that render the derivation pipeline stricter and simpler, but also improve worst-case scenarios for Fault Proofs and Interoperability.
- EIP-1559 configurability: The elasticity and denominator EIP-1559 parameters become configurable via the
SystemConfig
L1 contract, allowing gas target and gas limit to be independently configured. - MIPS contract upgrade: Updates to support additional calls made by the new
op-program
version.
Specifications
Technical Specification:
The Holocene network upgrade (spec overview) activates the following features:
-
Holocene derivation (Holocene L2 Chain Derivation) comprises the following changes to the derivation process:
- Strict Batch Ordering requires batches within and across channels to be strictly ordered.
- Partial Span Batch Validity determines the validity of singular batches from a span batch individually, only invalidating the remaining span batch upon the first invalid singular batch.
- Fast Channel Invalidation, similar to Partial Span Batch Validity applied to the channel layer, forward-invalidates a channel upon finding an invalid batch.
- Steady Block Derivation derives invalid payload attributes immediately as deposit-only blocks.
-
EIP-1559 configurability (Dynamic EIP-1559 Parameters) allows configuring the elasticity and denominator EIP-1559 parameters via the L1 SystemConfig. A new config update event was added, which is parsed by CL clients and then inserted into the extra field of the payload attributes in a special encoding format. These parameters, in turn, are then read by the EL clients during block building and applied accordingly. As with other SystemConfig updates, setting this is restricted to the SystemConfig owner.
-
Simplified Fee Scalar Configuration with new methods in the
SystemConfig
- this allows chain operators to change fee scalars in a more direct way, reducing the chance of user errors
Security Considerations
Consistent with OP labs audit framework we did not have the contents of Holocene audited; however, Coinbase and OP Labs engineers did perform a security review (Failure Mode Analysis) of these changes. The linked FMA can be consulted for details.
As for any hardfork that changes derivation, there is a risk that either the spec itself has a bug or that any implementation has a bug.
We’ve mitigated these risks by thorough internal reviews of the spec and unit and end-to-end tests of the implementations in Go and Rust.
Also, we have added differential tests of the derivation changes between the Go and Rust fault-proof program implementations op-program and Kona for the first time.
Holocene has also already been activated on internal devnets of Base and OP Labs, and it was confirmed that these networks operate as expected and that the new EIP1559 reconfigurability works as intended.
Specific security considerations for the Holocene upgrade are discussed in the respective section of the Holocene derivation spec. A noteworthy change in Holocene derivation behavior is that invalid payload attributes got second chances to replace valid, future payload attributes.
Because they are immediately replaced by deposit-only attributes with Holocene, there is a theoretically heightened risk for unsafe chain reorgs; however, it is only if a buggy or malicious sequencer batches an invalid block. To the best of our knowledge, we haven’t experienced this on OP Mainnet or other mainnet OP Stack chains yet.
Such a scenario would still be automatically resolved: the batcher would detect the reorg and submit the reorged unsafe section of the chain.
With the stricter derivation rules, some complexity gets shifted from the derivation pipeline to the batcher because it now has to adhere to stricter rules in order not to produce invalid channels or batches.
We’ve implemented a set of improvements to the batcher to guarantee the stricter ordering rules by design. Next to that, the Holocene contains the fail-safe rule that any first frame of a new channel replaces old buffered frames of non-completed channels. An invalid batch forwards-invalidates any remaining batches and the channel that contained the batch.
This means that an emergency batcher restart should be able to resolve any deadlock in the derivation pipeline if it were to occur.
Impact Summary
We do not anticipate any downtime due to this upgrade.
Bringing Holocene derivation changes is making our derivation pipeline stricter and simpler.
It also allow us to improve and unlock new development paths for Fault Proofs and Interoperability features.
EIP-1559 configurability allows chain operators to change the gas target independently from the gas limit. Before, a workaround had to be taken to raise the limit to indirectly raise the target, and then enforce the old limit via a sequencer block building policy.
Action Plan for this release
If this vote passes, the Holocene upgrade will be planned for execution on the 9th of Jan 2025 18:00:01 UTC. The upgrade will occur automatically for chains on the Granite mainnet release if those chains have opted-in to activate at Superchain times via their superchain-registry configuration (i.e., have the superchain_time
set to a timestamp before or at the mainnet activation time, or have set their holocene_time
directly). The mainnet release will be prepared at a later time during the governance process, but no later than 4 weeks before the proposed activation time.
Holocene is code complete in the optimism monorepo at tag v1.10.0
and op-geth at tag v1.101411.2
The op-node release op-node v1.10.0
and op-geth release v1.101411.2
contain these changes. They do not yet contain the Mainnet activation times, only the Sepolia testnet times.
SystemConfig Update
The SystemConfig
L1 contract will get upgraded to version 2.3.0, which is part of the OP Contracts v1.8.0-rc.3 release.
Also, the following contracts are updated in this release:
- MIPS: 1.2.1
- FaultDisputeGame: 1.3.1
- PermissionedDisputeGame: 1.3.1
The upgrade will happen after the Holocene activation. The upgraded SystemConfig
enables chain operators to update the EIP-1559 parameters via a new function setEIP1559Params
.
Fault Proofs Update
This update involves a new release of the op-program
(v1.2.0) that contains the Holocene activation and generate the absolute pre-state for it, which is a commitment to the program and its starting state. This requires deploying new FaultDisputeGame
and PerimissionedDisputeGame
contracts to L1 Mainnet with the new op-program pre-state hash. These are deployed at addresses: ________ (will be added during the governance review period, pending deployment).
After the veto period has ended, we will ask the Security Council to sign transactions to update the DisputeGameFactory
to begin using these new contract implementations. This transaction has to be executed before the actual Holocene activation to avoid a broken Fault Proofs system after the activation.
Updates to the MIPS contract
As part of the Holocene upgrade, the Go compiler was updated from 1.21 to 1.22. This impacts the op-program as the go1.22 runtime makes additional syscalls that are not supported by the pre-Holocene MIPS Fault Proof Virtual Machine (FPVM).
As such, Holocene includes an update to MIPS.sol that supports go1.22 programs. This change to the FPVM is very minimal; an update to the fcntl
syscall emulation that was partially implemented by the pre-Holocene FPVM. In order to make sure we implemented this in a proper way, we conducted an external audit for this change. In order to make sure we implemented this in a proper way, we conducted an external audit for this change, which is open for reviews under this link - no major findings reported.
Emergency Cancellation
The optimistic mainnet releases will contain a Holocene activation at the above mentioned time.
If there is a critical security issue found between approval and rollout, the Optimism Foundation and Security Council will work to coordinate an emergency cancellation. We have included functionality for node operators to quickly react by using the --override.holocene
flag on both op-node & op-geth.
Conclusion
This proposal outlines the network upgrade after Granite titled Holocene. This network upgrade brings all the listed features and we hope we will get your votes to bring all the suggested improvements to the OP stack.