OP Mainnet
Security
Privileged Roles

Privileged Roles in OP Mainnet

OP Mainnet is on a Pragmatic Path to Decentralization (opens in a new tab). In its current state, OP Mainnet still includes some "privileged" roles that give certain addresses the ability to carry out specific actions. Read this page to understand these roles, why they exist, and what risks they pose.

L1 Proxy Admin

The L1 Proxy Admin is an address that can be used to upgrade most OP Mainnet system contracts.

Risks

  • Compromised L1 Proxy Admin could upgrade contracts to malicious versions.
  • Compromised L1 Proxy Admin could remove or lock ETH or tokens in the Standard Bridge.
  • Compromised L1 Proxy Admin could fail to mitigate a risk as described on this page.

Mitigations

Addresses

L2 Proxy Admin

The L2 Proxy Admin is an address that can be used to upgrade most OP Mainnet system contracts on L2. The L2 Proxy Admin owner is the aliased address of the L1ProxyAdmin owner, which means the L2 ProxyAdmin Owner is equal to the L1 ProxyAdmin Owner, but due to aliasing it's a different address. Here's how that works:

  • Given an L1 contract address, the aliased L2 address is equal to L1_contract_address + 0x1111000000000000000000000000000000001111.
  • Using 0x6B1BAE59D09fCcbdDB6C6cceb07B7279367C4E3b as an example, the 0x6B address is the L2 address that's been aliased, so to figure out the original L1 address you calculate 0x6B1BAE59D09fCcbdDB6C6cceb07B7279367C4E3b - 0x1111000000000000000000000000000000001111.
  • That result gives an L1 contract address of 0x5a0Aae59D09fccBdDb6C6CcEB07B7279367C3d2A, which should be the 2/2 Safe owned by Foundation + Security Council that is L1 ProxyAdmin Owner.
  • No one has the private key for 0x6B1BAE59D09fCcbdDB6C6cceb07B7279367C4E3b on OP Mainnet, which means the only way for the L2 ProxyAdmin owner to send transactions is via deposit transactions from the L1 0x5a0Aae59D09fccBdDb6C6CcEB07B7279367C3d2A address.
  • For help with the calculations, see the AddressAliasHelper library (opens in a new tab).

Risks

  • Compromised L2 Proxy Admin could upgrade contracts to malicious versions.
  • Compromised L2 Proxy Admin could remove or lock ETH or tokens in the Standard Bridge.
  • Compromised L2 Proxy Admin could fail to mitigate a risk as described on this page.

Mitigations

Addresses

💡

These addresses are controlled by the same L1 Proxy Admin addresses. Please read the descriptions above for more details.

System Config Owner

The System Config Owner is an address that can be used to change the values within the SystemConfig (opens in a new tab) contract on Ethereum.

Risks

  • Compromised System Config Owner could cause a temporary network outage.
  • Compromised System Config Owner could cause users to be overcharged for transactions.

Mitigations

Addresses

Batcher

Description

The Batcher is a software service that submits batches of transactions to Ethereum on behalf of the current OP Mainnet Sequencer. OP Mainnet nodes will look for transactions from this address to find new batches of L2 transactions to process.

Risks

  • Batcher address is typically a hot wallet.
  • Compromised batcher address can cause L2 reorgs or sequencer outages.

Mitigations

  • Compromised batcher address cannot publish invalid transactions.
  • Compromised batcher address can be replaced by the L1 Proxy Admin.

Addresses

Proposer

Description

The Proposer is a role that is allowed to create instances of the PermissionedDisputeGame dispute game type. The PermissionedDisputeGame can be used as a fallback dispute game in the case that the FaultDisputeGame is found to include a critical security vulnerability. The Guardian role is responsible for changing the respected dispute game type if necessary.

Capabilities

  • Can create instances of the PermissionedDisputeGame dispute game type.
  • Can participate in the PermissionedDisputeGame dispute game process.

Risks

  • Proposer address is typically a hot wallet.
  • Compromised proposer address could propose invalid state proposals.
  • Invalid state proposals can be used to execute invalid withdrawals after 7 days.

Mitigations

  • Compromised proposer address can be replaced by the L1 Proxy Admin.
  • Invalid state proposals can be challenged by the Challenger within 7 days.

Addresses

Challenger

Description

The Challenger is an address that can participate in and challenge PermissionedDisputeGame instances created by the Proposer role.

Capabilities

  • Can participate in the PermissionedDisputeGame dispute game process.

Risks

  • Compromised challenger could invalidate valid state proposals.
  • Compromised challenger could fail to challenge invalid state proposals.

Mitigations

  • Compromised challenger address can be replaced by the L1 Proxy Admin.
  • Challenges can be executed by replaced challenger address.

Addresses

Guardian

Description

The Guardian is an address that can be used to pause several system contracts on OP Mainnet. This is a backup safety mechanism that allows for a temporary halt, particularly of withdrawal logic, in the event of a security concern. The Guardian can also manage various aspects of the OptimismPortal contract to address active security concerns.

Capabilities

  • Pause several system contracts on OP Mainnet.
  • Disable the ability for specific dispute game types from being used to execute withdrawals.
  • Disable the ability for specific dispute game instances from being used to execute withdrawals.

Risks

  • Compromised guardian could pause withdrawals indefinitely.

Mitigations

  • Compromised guardian address can be replaced by the L1 Proxy Admin.
  • Withdrawals can be unpaused by replaced guardian address.

Addresses

Mint Manager Owner

The Mint Manager Owner is an address that controls the MintManager (opens in a new tab) contract that can be used to mint new OP tokens on OP Mainnet.

Risks

  • Compromised Mint Manager Owner could mint arbitrary amounts of OP tokens.
  • Compromised Mint Manager Owner could prevent OP tokens from being minted.

Mitigations

Addresses

Security Model & FAQSecurity Policy