Bottom line
The security model of any blockchain system is only as strong as its lowest common denominator. At the moment, it’s important to understand that the security of OP Stack chains is dependent on a multisig managed jointly by the Optimism Security Council and the Optimism Foundation. OP Stack chains may also contain unknown bugs that could lead to the loss of some or all of the ETH or tokens held within the system.OP Stack multisig
The security of OP Stack chains is currently dependent on a multisig managed jointly by the Optimism Security Council and the Optimism Foundation. This multisig is a 2-of-2 nested multisig which is in turn governed by a 10-of-13 multisig managed by the Optimism Security Council and a 5-of-7 multisig managed by the Optimism Foundation. This multisig can be used to upgrade core OP Stack smart contracts without upgrade delays to allow for quick responses to potential security concerns. All upgrades to the OP Stack system must be approved by both component multisigs and either can veto an upgrade.Fault proofs
It is important to understand that fault proofs are not a silver bullet and that fault proofs provide limited improvements to the security of a system if the system still has a multisig or security council that can instantly upgrade the system.
OP Stack chains are following a multi-client and multi-proof approach designed to eventually remove the need for instant upgrades entirely.
DisputeGameFactory contract.
Proposals can be submitted to the DisputeGameFactory contract by any user and submissions do not require any special permissions.
Each submitted proposal creates a FaultDisputeGame contract that allows any other user to challenge the validity of a proposal by participating in a “fault proof” process.
A more detailed explanation of the fault proof game can be found in the Fault Proofs Explainer.
Although the fault proof game is permissionless, the Optimism Security Council acting as the Guardian role provides a backstop in case of a failure in the fault proof game.
Each proposal must wait for a delay period during which the Guardian can prevent invalid proposals from being used to withdraw ETH or tokens through a number of safety hatches.
The Guardian can also choose to shift the system to use a PermissionedDisputeGame in which only specific PROPOSER and CHALLENGER roles can submit and challenge proposals.
Bugs and unknowns
Please also keep in mind that just like any other system, the Optimism codebase may contain unknown bugs that could lead to the loss of some or all of the ETH or tokens held within the system. The OP Stack has been audited on many occasions, but audits are not a stamp of approval and a completed audit does not mean that the audited codebase is free of bugs. It’s important to understand that using OP Stack chains inherently exposes you to the risk of bugs within the Optimism codebase, and that you use these chains at your own risk.Work in progress
Sequencer decentralization
The Optimism Foundation currently operates the sole sequencer on OP Stack chains. Although users can always bypass the Sequencer by sending transactions directly to theOptimismPortal contract, sequencer decentralization can still help mitigate the effect of short-term outages for users.