Optimism Docs

Privileged Roles in OP Mainnet

In our current state of decentralization, there are still some privileged roles in OP Mainnet. This document explains what they are, and why they exist.

# Hot wallets

These are addresses that need to have their private key online somewhere for a component of the system to work.

# Batcher

This is the component that submits new transaction batches.

If this account is compromised, that would enable denial of service attacks against the rollup.

# Proposer

This is the component that submits new state roots for the L2 output.

If this account is compromised then we might have invalid output proposals that we need the challenger to cancel. As long as we do it within seven days, the risk is minimalized.

# Cold wallets

These addresses are cold, meaning the private key is not on any device connected to the network, and cannot be used without human intervention. On OP Mainnet these are usually multisig contracts, controlled by groups of community members. On OP Stack (opens new window) these wallets are set by default to the ADMIN account. When you create a new OP Stack blockchain you specify them in the deployment configuration JSON file (opens new window).

# MintManager Owner

On OP Mainnet this account controls the MintManager (opens new window) that can mint new OP tokens. On OP Stack it is usually meaningless.

Address of Goerli Mainnet
Contract 0x038a8825A3C3B0c08d52Cc76E5E361953Cf6Dc76 (opens new window) 0x5c4e7ba1e219e47948e6e3f55019a647ba501005 (opens new window)
Owner 0x18394B52d3Cb931dfA76F63251919D051953413d (opens new window) 0x2a82ae142b2e62cb7d10b55e323acb1cab663a26 (opens new window)

If access to this account is lost, there is no more ability to mint new OP tokens. If access to this account is compromised, attackers can mint an endless supply of OP tokens.

# System Config Owner

This is the address authorized to change the settings in the SystemConfig (opens new window) contract.

If access to this account is lost, it would make it more difficult to modify the system configuration (not impossible, because we can upgrade the contract at the proxy). If access to this account is compromised, an attack can raise the gas markup and drain users' funds.

# Migration SystemDictator Controller

This is the address authorized to control SystemDictator (opens new window), used for upgrades. It can be used to perform an upgrade, and to revert out of one until a certain stage is reached.

If access to the owner is lost, or compromised, it can prevent upgrades.

# Challenger

This is the address authorized to call deleteL2Outputs() (opens new window) to remove a faulty state commitment.

Currently this is a multisig with trusted community members. Eventually, once fault proofs are completed, it will be a contract that verifies challenges are correct.

If this account is compromised, an attacker could delay finalization by challenging valid states. If this account is lost, it needs to be upgraded into a new value. To do anything beyond slow down service, an attack would need to make sure challenger is not operational and control the Proposer.

# L1 ProxyAdmin Owner

This is the owner of most of the L1 contracts, which can upgrade them if necessary.

If this account is compromised, there could be a catastrophic loss of funds, because it controls the bridge. If access to this account is lost, we will not be able to upgrade in an emergency.

# L2 ProxyAdmin Owner

This is the owner of most of the L2 contracts, which can upgrade them if necessary.

If this account is compromised, there could be a catastrophic loss of funds, because it controls the bridge. If access to this account is lost, we will not be able to upgrade in an emergency.

# Guardian

The OptimismPortal is pausable as a backup safety mechanism that allows a specific GUARDIAN address to temporarily halt deposits and withdrawals to mitigate security issues if necessary.

Path to Decentralization (Feb 23rd, 2023) (opens new window)