Privileged Roles in OP Mainnet

OP Mainnet is on a Pragmatic Path to Decentralization (opens in a new tab). In its current state, the network still includes some "privileged" roles that give certain addresses the ability to carry out specific actions. Read this page to understand these roles, why they exist, and what risks they pose.

L1 Proxy Admin

The L1 Proxy Admin is an address that can be used to upgrade most OP Mainnet system contracts.

Risks

• Compromised L1 Proxy Admin could upgrade contracts to malicious versions.
• Compromised L1 Proxy Admin could remove or lock ETH or tokens in the Standard Bridge.
• Compromised L1 Proxy Admin could fail to mitigate a risk as described on this page.

Mitigations

• L1 Proxy Admin owner is a 2-of-2 multisig (opens in a new tab). One owner is an Optimism Foundation 5/7 multisig (opens in a new tab) and the other owner is the Security Council (opens in a new tab) multisig (opens in a new tab).

Addresses

• Ethereum: 0x5a0Aae59D09fccBdDb6C6CcEB07B7279367C3d2A (opens in a new tab)
• Sepolia: 0xfd1D2e729aE8eEe2E146c033bf4400fE75284301 (opens in a new tab)

L2 Proxy Admin

The L2 Proxy Admin is an address that can be used to upgrade most OP Mainnet system contracts on L2.

Risks

• Compromised L2 Proxy Admin could upgrade contracts to malicious versions.
• Compromised L2 Proxy Admin could remove or lock ETH or tokens in the Standard Bridge.
• Compromised L2 Proxy Admin could fail to mitigate a risk as described on this page.

Mitigations

• L2 Proxy Admin is a 5-of-7 multisig (opens in a new tab).
• L2 Proxy Admin may eventually be operated by a Security Council (opens in a new tab).

Addresses

• Ethereum: 0x7871d1187a97cbbe40710ac119aa3d412944e4fe (opens in a new tab)
• Sepolia: 0xfd1D2e729aE8eEe2E146c033bf4400fE75284301 (opens in a new tab)

System Config Owner

The System Config Owner is an address that can be used to change the values within the SystemConfig (opens in a new tab) contract on Ethereum.

Risks

• Compromised System Config Owner could cause a temporary network outage.
• Compromised System Config Owner could cause users to be overcharged for transactions.

Mitigations

• System Config Owner is a 5-of-7 multisig (opens in a new tab).
• System Config Owner may eventually be operated by a Security Council (opens in a new tab).
• System Config Owner can be replaced by the L1 Proxy Admin.

Addresses

• Ethereum: 0x9BA6e03D8B90dE867373Db8cF1A58d2F7F006b3A (opens in a new tab)
• Sepolia: 0xfd1D2e729aE8eEe2E146c033bf4400fE75284301 (opens in a new tab)

Batcher

Description

The Batcher is a software service that submits batches of transactions to Ethereum on behalf of the current OP Mainnet Sequencer. OP Mainnet nodes will look for transactions from this address to find new batches of L2 transactions to process.

Risks

• Batcher address is typically a hot wallet.
• Compromised batcher address can cause L2 reorgs or sequencer outages.

Mitigations

• Compromised batcher address cannot publish invalid transactions.
• Compromised batcher address can be replaced by the L1 Proxy Admin.

Addresses

• Ethereum: 0x6887246668a3b87F54DeB3b94Ba47a6f63F32985 (opens in a new tab)
• Sepolia: 0x8F23BB38F531600e5d8FDDaAEC41F13FaB46E98c (opens in a new tab)

Proposer

Description

The Proposer is a software service that submits proposals about the state of OP Mainnet to the L2OutputOracle contract on Ethereum. Proposals submitted to the L2OutputOracle contract can be used to execute withdrawal transactions on Ethereum after 7 days. Proposer addresses are typically "hot wallets" as they must be available to frequently sign and publish new state proposals.

Risks

• Proposer address is typically a hot wallet.
• Compromised proposer address could propose invalid state proposals.
• Invalid state proposals can be used to execute invalid withdrawals after 7 days.

Mitigations

• Compromised proposer address can be replaced by the L1 Proxy Admin.
• Invalid state proposals can be challenged by the Challenger within 7 days.

Addresses

• Ethereum: 0x473300df21D047806A082244b417f96b32f13A33 (opens in a new tab)
• Sepolia: 0x49277EE36A024120Ee218127354c4a3591dc90A9 (opens in a new tab)

Challenger

Description

The Challenger is an address that can be used to challenge invalid state proposals submitted by the Proposer role.

Risks

• Compromised challenger could invalidate valid state proposals.
• Compromised challenger could fail to challenge invalid state proposals.

Mitigations

• Compromised challenger address can be replaced by the L1 Proxy Admin.
• Challenges can be executed by replaced challenger address.

Addresses

• Ethereum: 0x9BA6e03D8B90dE867373Db8cF1A58d2F7F006b3A (opens in a new tab)
• Sepolia: 0xfd1D2e729aE8eEe2E146c033bf4400fE75284301 (opens in a new tab)

Guardian

Description

The Guardian is an address that can be used to pause withdrawals from OP Mainnet. This is a backup safety mechanism that allows for a temporary halt in the event of a security concern. The Guardian role cannot pause specific withdrawals and can only pause all withdrawals.

Risks

• Compromised guardian could pause withdrawals indefinitely.

Mitigations

• Compromised guardian address can be replaced by the L1 Proxy Admin.
• Withdrawals can be unpaused by replaced guardian address.

Addresses

• Ethereum: 0x9BA6e03D8B90dE867373Db8cF1A58d2F7F006b3A (opens in a new tab)
• Sepolia: 0xDEe57160aAfCF04c34C887B5962D0a69676d3C8B (opens in a new tab)

Mint Manager Owner

The Mint Manager Owner is an address that controls the MintManager (opens in a new tab) contract that can be used to mint new OP tokens on OP Mainnet.

Risks

• Compromised Mint Manager Owner could mint arbitrary amounts of OP tokens.
• Compromised Mint Manager Owner could prevent OP tokens from being minted.

Mitigations

• Mint Manager Owner is a 3-of-5 multisig (opens in a new tab).

Addresses

• Ethereum: 0x2a82ae142b2e62cb7d10b55e323acb1cab663a26 (opens in a new tab)
• Sepolia: 0x5c4e7ba1e219e47948e6e3f55019a647ba501005 (opens in a new tab)