The OP Mainnet upgrade to the Bedrock release will take place on June 6, 2023 at 16:00 UTC!
There will be 2-4 hours of downtime.
Privileged Roles in Bedrock
In our current state of decentralization, there are still some privileged roles in Bedrock. This document explains what they are, and why they exist.
# Hot wallets
These are addresses that need to have their private key online somewhere for a component of the system to work.
# Batcher
This is the component that submits new transaction batches.
- Goerli address: 0x7431310e026B69BFC676C0013E12A1A11411EEc9
If this account is compromised, that would enable denial of service attacks against the rollup.
# Proposer
This is the component that submits new state roots for the L2 output.
- Goerli address: 0x02b1786A85Ec3f71fBbBa46507780dB7cF9014f6
If this account is compromised, we might have invalid output proposals that the challenger needs to cancel. As long as they are cancelled within seven days, the risk is minimized.
# Cold wallets
These addresses are cold, meaning the private key is not on any device connected to the network, and cannot be used without human intervention.
On the Optimism mainnet these are usually multisig contracts, controlled by groups of community members.
On OP Stack these wallets are set by default to the ADMIN account.
When you create a new OP Stack blockchain you specify them in the deployment configuration JSON file.
# MintManager Owner
On Optimism mainnet this account controls the MintManager that can mint new OP tokens.
On OP Stack it is usually meaningless.
If access to this account is lost, new OP tokens can no longer be minted. If access to this account is compromised, attackers can mint an endless supply of OP tokens.
# System Config Owner
This is the address authorized to change the settings in the SystemConfig contract.
- Goerli address: 0xAe851f927Ee40dE99aaBb7461C00f9622ab91d60
If access to this account is lost, it would be more difficult to modify the system configuration (not impossible, because we can upgrade the contract at the proxy). If access to this account is compromised, an attacker can raise the gas markup and drain users' funds.
# Migration SystemDictator Controller
This is the address authorized to control SystemDictator, used for upgrades.
It can be used to perform an upgrade, and to revert out of one until a certain stage is reached.
- Goerli address: 0x1f0613A44c9a8ECE7B3A2e0CdBdF0F5B47A50971
If access to the owner is lost or compromised, upgrades can be prevented.
# Challenger
This is the address authorized to call deleteL2Outputs() to remove a faulty state commitment.
Currently this is a multisig with trusted community members. Eventually, once fault proofs are completed, it will be a contract that verifies challenges are correct.
- Goerli address: 0xBc1233d0C3e6B5d53Ab455cF65A6623F6dCd7e4f
If this account is compromised, an attacker could delay finalization by challenging valid states. If this account is lost, it needs to be upgraded to a new value. To do anything beyond slowing down service, an attacker would need to make sure the challenger is not operational and control the Proposer.
# L1 ProxyAdmin Owner
This is the owner of most of the L1 contracts, which can upgrade them if necessary.
- Goerli address: 0xBc1233d0C3e6B5d53Ab455cF65A6623F6dCd7e4f
If this account is compromised, there could be a catastrophic loss of funds, because it controls the bridge. If access to this account is lost, we will not be able to upgrade in an emergency.
# L2 ProxyAdmin Owner
This is the owner of most of the L2 contracts, which can upgrade them if necessary.
- Optimistic Goerli address: 0xe534cca2753acfbcdbceb2291f596fc60495257e
If this account is compromised, there could be a catastrophic loss of funds, because it controls the bridge. If access to this account is lost, we will not be able to upgrade in an emergency.
# Guardian
The OptimismPortal is pausable as a backup safety mechanism that allows a specific GUARDIAN address to temporarily halt deposits and withdrawals to mitigate security issues if necessary.
- Goerli address: 0xBc1233d0C3e6B5d53Ab455cF65A6623F6dCd7e4f
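
The following is an added example, not code from the Optimism documentation: a short Python audit over the Goerli addresses listed on this page that groups roles by the key holding them and flags a cold role assigned to a hot wallet, or a Proposer and Challenger that share one key. The role names and addresses come from the page; the function names and the two policy checks are assumptions made for illustration.

```python
from collections import defaultdict

# Goerli role holders as listed on this page (the MintManager owner has no
# address listed, so it is omitted). L2 ProxyAdmin Owner is on Optimistic Goerli.
HOT_ROLES = {
    "Batcher": "0x7431310e026B69BFC676C0013E12A1A11411EEc9",
    "Proposer": "0x02b1786A85Ec3f71fBbBa46507780dB7cF9014f6",
}
COLD_ROLES = {
    "System Config Owner": "0xAe851f927Ee40dE99aaBb7461C00f9622ab91d60",
    "Migration SystemDictator Controller": "0x1f0613A44c9a8ECE7B3A2e0CdBdF0F5B47A50971",
    "Challenger": "0xBc1233d0C3e6B5d53Ab455cF65A6623F6dCd7e4f",
    "L1 ProxyAdmin Owner": "0xBc1233d0C3e6B5d53Ab455cF65A6623F6dCd7e4f",
    "L2 ProxyAdmin Owner": "0xe534cca2753acfbcdbceb2291f596fc60495257e",
    "Guardian": "0xBc1233d0C3e6B5d53Ab455cF65A6623F6dCd7e4f",
}

def norm(addr):
    """Lower-case an address so checksummed and plain forms compare equal."""
    a = addr.strip().lower()
    if len(a) != 42 or not a.startswith("0x"):
        raise ValueError(f"not a 20-byte hex address: {addr!r}")
    int(a[2:], 16)  # raises ValueError on non-hex characters
    return a

def audit_roles(hot, cold):
    """Return (shared, findings): roles grouped per shared key, and violations."""
    holders = defaultdict(list)
    for role, addr in {**hot, **cold}.items():
        holders[norm(addr)].append(role)
    # One key holding several roles: compromising it compromises all of them.
    shared = {a: sorted(r) for a, r in holders.items() if len(r) > 1}
    hot_addrs = {norm(a) for a in hot.values()}
    findings = []
    for role, addr in cold.items():
        if norm(addr) in hot_addrs:  # assumed policy: cold roles stay offline
            findings.append(f"cold role {role} is held by a hot wallet")
    for roles in shared.values():
        # The page relies on the Challenger being independent of the Proposer.
        if {"Proposer", "Challenger"} <= set(roles):
            findings.append("Proposer and Challenger share one key")
    return shared, findings

if __name__ == "__main__":
    shared, findings = audit_roles(HOT_ROLES, COLD_ROLES)
    for addr, roles in shared.items():
        print(addr, "->", ", ".join(roles))
    print(findings or "no hot/cold overlap")
```

On the addresses above, the audit reports that the Challenger, L1 ProxyAdmin Owner and Guardian roles are all held by the same Goerli address, so that key's compromise or loss affects all three at once.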