
Commit

deploy: 6892147
smartcontracts committed Dec 16, 2024
1 parent c3f5778 commit 8ff3fbc
Showing 5 changed files with 22 additions and 106 deletions.
68 changes: 13 additions & 55 deletions print.html
Expand Up @@ -7124,16 +7124,6 @@ <h1 id="safe-contract-extensions"><a class="header" href="#safe-contract-extensi
<li><a href="protocol/safe-extensions.html#deputy-guardian-module-security-properties">Deputy Guardian Module Security Properties</a></li>
</ul>
</li>
<li><a href="protocol/safe-extensions.html#deputy-guardian-safe">Deputy Guardian Safe</a>
<ul>
<li><a href="protocol/safe-extensions.html#deputy-pause-module">Deputy Pause Module</a>
<ul>
<li><a href="protocol/safe-extensions.html#invariants">Invariants</a></li>
<li><a href="protocol/safe-extensions.html#implementation">Implementation</a></li>
</ul>
</li>
</ul>
</li>
<li><a href="protocol/safe-extensions.html#security-council-liveness-checking-extensions">Security Council Liveness Checking Extensions</a>
<ul>
<li><a href="protocol/safe-extensions.html#the-liveness-guard">The Liveness Guard</a></li>
Expand Down Expand Up @@ -7238,43 +7228,6 @@ <h3 id="deputy-guardian-module-security-properties"><a class="header" href="#dep
<li>The module must format calldata correctly such that the target it calls performs the expected
action.</li>
</ol>
<h2 id="deputy-guardian-safe"><a class="header" href="#deputy-guardian-safe">Deputy Guardian Safe</a></h2>
<h3 id="deputy-pause-module"><a class="header" href="#deputy-pause-module">Deputy Pause Module</a></h3>
<p>The Deputy Guardian Safe (currently the Optimism Foundation Safe) utilizes the Deputy Pause Module
to remove the need for brittle pre-signed pause transactions and to speed up the reaction speed of
the Deputy Guardian Safe for the specific purpose of triggering the Superchain-wide pause action.
The Deputy Pause Module is explicitly designed to be used with an Externally Owned Account and is
not designed to function with a smart contract deputy.</p>
<h4 id="invariants-1"><a class="header" href="#invariants-1">Invariants</a></h4>
<ol>
<li>Must enforce that the Deputy account is an EOA.</li>
<li>Must correctly enforce access control so that only the Deputy account can act.</li>
<li>Must always allow the Deputy account to act even if the private key for this account is leaked.</li>
<li>Must not allow the Deputy to create authentication signatures that are indefinitely valid.</li>
<li>Must only allow the Deputy account to carry out the singular action of causing the Guardian to
trigger the Superchain-wide pause function on the <code>SuperchainConfig</code> contract via the Deputy
Guardian and the <code>DeputyGuardianModule</code>. Must not allow the Deputy account to authenticate any
other action.</li>
</ol>
<h4 id="implementation"><a class="header" href="#implementation">Implementation</a></h4>
<ol>
<li>Deputy Pause Module is not proxied and all values are hard-coded into the contract. Any changes
to these values must be implemented by re-deploying the contract, removing the old module, and
adding the new module.</li>
<li>Deputy Pause Module verifies a signature from the Deputy over a fixed string in the constructor
to confirm that the Deputy is an EOA that can generate valid signatures and that the creator at
least indirectly has access to the key.</li>
<li>Pause action is gated and must come with a valid signature from the Deputy account.</li>
<li>Signed pause messages must contain an expiry timestamp so that the message can only be used to
trigger the pause when the block timestamp is less than the signed expiry. Signed expiry
timestamp cannot be more than a fixed number of seconds in the future as defined by a
constructor parameter of the module itself.</li>
<li>Signed pause messages must contain a nonce so that the signature can only be used a single time
to carry out the pause action. Pause action must verify that the provided nonce has not been
used before.</li>
<li>Any account can supply the signature as long as the recovered signer is the Deputy account. This
means that the Deputy account does not need to hold any ETH to act as the Deputy.</li>
</ol>
<h2 id="security-council-liveness-checking-extensions"><a class="header" href="#security-council-liveness-checking-extensions">Security Council Liveness Checking Extensions</a></h2>
<p>The Security Council Safe is extended by the Liveness Checking Module and Guard. These extensions
are intended to ensure that any loss of access to a signer's keys is identified and addressed
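Review bot: Deleting this block removes the only written security properties for `DeputyPauseModule` (deputy must be an EOA, signed pause messages carry a nonce and a bounded expiry, the module may authorize nothing but the Superchain-wide pause) while the stage-1.html hunk in this same commit begins referring to `DeputyPauseModule`. If the section moved to another page, the stage-1 text should link to its new home; if it was dropped on purpose, the new stage-1 reference should go with it rather than pointing at a spec that no longer exists.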
Expand Down Expand Up @@ -7496,7 +7449,8 @@ <h2 id="configuration-of-safes"><a class="header" href="#configuration-of-safes"
<li>
<p><strong>The Foundation Operations Safe:</strong> This Safe acts as the Deputy Guardian, meaning that (via the
Guardian Safe's <code>DeputyGuardianModule</code>) it can call any functions in the system which impacts
liveness.</p>
liveness. It is extended with the <code>DeputyPauseModule</code> to allow a signing key to execute the
Superchain-wide pause function quickly.</p>
</li>
</ol>
<h2 id="ownership-model-diagram"><a class="header" href="#ownership-model-diagram">Ownership model diagram</a></h2>
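Review bot: The added sentence introduces `DeputyPauseModule` without saying where it is specified, and this commit removes the Deputy Pause Module section from the same build, so the reader is left with a name and no definition; add a link to wherever the module's invariants now live, and say that the module authorizes only the pause action, since "execute the Superchain-wide pause function quickly" on its own does not make the narrow scope clear. While this paragraph is being touched, the pre-existing "any functions in the system which impacts liveness" should read "which impact liveness".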
Expand Down Expand Up @@ -7527,18 +7481,22 @@ <h2 id="ownership-model-diagram"><a class="header" href="#ownership-model-diagra
end

subgraph GuardianSystem[Guardian System]
FndOps[Foundation Ops Safe]
subgraph GuardianSafe[Guardian Safe]
GS[Guardian Safe]
DGM[Deputy Guardian Module]
end
subgraph FndOpsSafe[Foundation Ops Safe]
FndOps[Foundation Ops Safe]
DPM[Deputy Pause Module]
end
end

POA --&gt;|controls| Safety
FndUp --&gt; POA
Council --&gt; POA
Council --&gt; GS
FndOps --&gt;|pause\nunpause\nsetRespectedGameType\nblackListDisputeGame| DGM
DPM --&gt;|execTransactionFromModule| FndOps
FndUp --&gt;|set versions|PV
LM --&gt;|execTransactionFromModule| Council
DGM --&gt;|execTransactionFromModule| GS
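Review bot: The new `DPM --> FndOps` edge shows the module executing on the Foundation Ops Safe but not who drives the module: the deputy signing key that stage-1.html now mentions has no node, and nothing in the diagram marks that the DPM path is limited to `pause`, whereas the neighbouring `FndOps --> DGM` edge lists pause, unpause, setRespectedGameType and blackListDisputeGame. Suggest a Deputy node with an edge labelled `pause` into `DPM` (or a `pause` label on the `DPM --> FndOps` edge) so the diagram reflects the narrower authority rather than implying DPM can reach all four actions.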
Expand Down Expand Up @@ -11180,7 +11138,7 @@ <h4 id="converted"><a class="header" href="#converted"><code>Converted</code></a
</code></pre>
<p>where <code>from</code> is the address of the input token, <code>to</code> is the address of the output token,
<code>caller</code> is the <code>msg.sender</code> of the function call and <code>amount</code> is the converted amount.</p>
<h3 id="invariants-2"><a class="header" href="#invariants-2">Invariants</a></h3>
<h3 id="invariants-1"><a class="header" href="#invariants-1">Invariants</a></h3>
<p>The <code>convert</code> function conserves the following invariants:</p>
<ul>
<li>Conservation of amount:
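Review bot: The `invariants-2` to `invariants-1` renumbering here, and the same one-step shift in the hunks that follow down to `implementation-2` to `implementation-1`, is a side effect of deleting the Deputy Pause Module headings earlier in print.html, so every existing `print.html#invariants-N` and `print.html#implementation-N` link now lands on a different section than it did before this commit. Any issues or docs that link to those anchors need updating, and a more durable fix would be to give these repeated "Invariants" and "Implementation" headings explicit section-specific ids instead of relying on the generator's auto-numbered duplicates.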
Expand Down Expand Up @@ -11288,7 +11246,7 @@ <h3 id="diagram"><a class="header" href="#diagram">Diagram</a></h3>
SuperERC20_B--&gt;SuperERC20_B: emit CrosschainMint(to, amount)
L2SBB--&gt;L2SBB: emit RelayedERC20(tokenAddr, from, to, amount, source)
</pre>
<h3 id="invariants-3"><a class="header" href="#invariants-3">Invariants</a></h3>
<h3 id="invariants-2"><a class="header" href="#invariants-2">Invariants</a></h3>
<p>The bridging of <code>SuperchainERC20</code> using the <code>SuperchainERC20Bridge</code> will require the following invariants:</p>
<ul>
<li>Conservation of bridged <code>amount</code>: The minted <code>amount</code> in <code>relayERC20()</code> should match the <code>amount</code>
Expand Down Expand Up @@ -11850,7 +11808,7 @@ <h2 id="diagram-1"><a class="header" href="#diagram-1">Diagram</a></h2>
SuperERC20_B--&gt;SuperERC20_B: emit CrosschainMint(to, amount, sender)
L2SBB--&gt;L2SBB: emit RelayedERC20(tokenAddr, from, to, amount, source)
</pre>
<h2 id="implementation-1"><a class="header" href="#implementation-1">Implementation</a></h2>
<h2 id="implementation"><a class="header" href="#implementation">Implementation</a></h2>
<p>An example implementation for the <code>sendERC20</code> and <code>relayERC20</code> functions is provided.</p>
<pre><code class="language-solidity">function sendERC20(SuperchainERC20 _token, address _to, uint256 _amount, uint256 _chainId) external returns (bytes32 msgHash_) {
_token.crosschainBurn(msg.sender, _amount);
Expand Down Expand Up @@ -12013,7 +11971,7 @@ <h2 id="constants-2"><a class="header" href="#constants-2">Constants</a></h2>
</div>
<h2 id="superchainweth"><a class="header" href="#superchainweth">SuperchainWETH</a></h2>
<!-- TODO (https://github.com/ethereum-optimism/specs/issues/479) re-write invariants to use imperative form -->
<h3 id="invariants-4"><a class="header" href="#invariants-4">Invariants</a></h3>
<h3 id="invariants-3"><a class="header" href="#invariants-3">Invariants</a></h3>
<h4 id="deposit"><a class="header" href="#deposit"><code>deposit</code></a></h4>
<ul>
<li>Reverts if triggered on a chain that does not use ETH as a native token.</li>
Expand Down Expand Up @@ -12073,7 +12031,7 @@ <h4 id="relayeth"><a class="header" href="#relayeth"><code>relayETH</code></a></
<li>Emits a <code>RelayETH</code> event with details about the sender, recipient, amount, and source chain.</li>
</ul>
<h2 id="ethliquidity"><a class="header" href="#ethliquidity">ETHLiquidity</a></h2>
<h3 id="invariants-5"><a class="header" href="#invariants-5">Invariants</a></h3>
<h3 id="invariants-4"><a class="header" href="#invariants-4">Invariants</a></h3>
<h4 id="global-invariants"><a class="header" href="#global-invariants">Global Invariants</a></h4>
<ul>
<li>Initial balance must be set to <code>type(uint248).max</code> (wei). Purpose for using <code>type(uint248).max</code> is to guarantees that
Expand Down Expand Up @@ -12370,7 +12328,7 @@ <h3 id="getter-methods"><a class="header" href="#getter-methods">Getter Methods<
/// @notice All contracts for a chain can be found from its SystemConfig.
function systemConfig(uint256 chainId) external view returns (SystemConfig);
</code></pre>
<h2 id="implementation-2"><a class="header" href="#implementation-2">Implementation</a></h2>
<h2 id="implementation-1"><a class="header" href="#implementation-1">Implementation</a></h2>
<h3 id="batch-inbox-address-1"><a class="header" href="#batch-inbox-address-1">Batch Inbox Address</a></h3>
<p>The chain's <a href="experimental/../protocol/configurability.html#consensus-parameters">Batch Inbox</a> address is computed at deploy time using the recommend approach defined
in the <a href="experimental/../protocol/configurability.html">standard configuration</a>. This improves UX by removing an input, and ensures uniqueness of
Expand Down
47 changes: 0 additions & 47 deletions protocol/safe-extensions.html
Expand Up @@ -179,16 +179,6 @@ <h1 id="safe-contract-extensions"><a class="header" href="#safe-contract-extensi
<li><a href="#deputy-guardian-module-security-properties">Deputy Guardian Module Security Properties</a></li>
</ul>
</li>
<li><a href="#deputy-guardian-safe">Deputy Guardian Safe</a>
<ul>
<li><a href="#deputy-pause-module">Deputy Pause Module</a>
<ul>
<li><a href="#invariants">Invariants</a></li>
<li><a href="#implementation">Implementation</a></li>
</ul>
</li>
</ul>
</li>
<li><a href="#security-council-liveness-checking-extensions">Security Council Liveness Checking Extensions</a>
<ul>
<li><a href="#the-liveness-guard">The Liveness Guard</a></li>
Expand Down Expand Up @@ -293,43 +283,6 @@ <h3 id="deputy-guardian-module-security-properties"><a class="header" href="#dep
<li>The module must format calldata correctly such that the target it calls performs the expected
action.</li>
</ol>
<h2 id="deputy-guardian-safe"><a class="header" href="#deputy-guardian-safe">Deputy Guardian Safe</a></h2>
<h3 id="deputy-pause-module"><a class="header" href="#deputy-pause-module">Deputy Pause Module</a></h3>
<p>The Deputy Guardian Safe (currently the Optimism Foundation Safe) utilizes the Deputy Pause Module
to remove the need for brittle pre-signed pause transactions and to speed up the reaction speed of
the Deputy Guardian Safe for the specific purpose of triggering the Superchain-wide pause action.
The Deputy Pause Module is explicitly designed to be used with an Externally Owned Account and is
not designed to function with a smart contract deputy.</p>
<h4 id="invariants"><a class="header" href="#invariants">Invariants</a></h4>
<ol>
<li>Must enforce that the Deputy account is an EOA.</li>
<li>Must correctly enforce access control so that only the Deputy account can act.</li>
<li>Must always allow the Deputy account to act even if the private key for this account is leaked.</li>
<li>Must not allow the Deputy to create authentication signatures that are indefinitely valid.</li>
<li>Must only allow the Deputy account to carry out the singular action of causing the Guardian to
trigger the Superchain-wide pause function on the <code>SuperchainConfig</code> contract via the Deputy
Guardian and the <code>DeputyGuardianModule</code>. Must not allow the Deputy account to authenticate any
other action.</li>
</ol>
<h4 id="implementation"><a class="header" href="#implementation">Implementation</a></h4>
<ol>
<li>Deputy Pause Module is not proxied and all values are hard-coded into the contract. Any changes
to these values must be implemented by re-deploying the contract, removing the old module, and
adding the new module.</li>
<li>Deputy Pause Module verifies a signature from the Deputy over a fixed string in the constructor
to confirm that the Deputy is an EOA that can generate valid signatures and that the creator at
least indirectly has access to the key.</li>
<li>Pause action is gated and must come with a valid signature from the Deputy account.</li>
<li>Signed pause messages must contain an expiry timestamp so that the message can only be used to
trigger the pause when the block timestamp is less than the signed expiry. Signed expiry
timestamp cannot be more than a fixed number of seconds in the future as defined by a
constructor parameter of the module itself.</li>
<li>Signed pause messages must contain a nonce so that the signature can only be used a single time
to carry out the pause action. Pause action must verify that the provided nonce has not been
used before.</li>
<li>Any account can supply the signature as long as the recovered signer is the Deputy account. This
means that the Deputy account does not need to hold any ETH to act as the Deputy.</li>
</ol>
<h2 id="security-council-liveness-checking-extensions"><a class="header" href="#security-council-liveness-checking-extensions">Security Council Liveness Checking Extensions</a></h2>
<p>The Security Council Safe is extended by the Liveness Checking Module and Guard. These extensions
are intended to ensure that any loss of access to a signer's keys is identified and addressed
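Review bot: This is the source page for the Deputy Pause Module section, so removing it here is what drops the module's invariants (EOA-only deputy, nonce and bounded-expiry on signed pause messages, pause-only scope) from the whole build, including print.html. The commit does not add the text anywhere else, yet stage-1.html gains a reference to `DeputyPauseModule` in the same change; please either keep a pointer to the module's new specification or remove the stage-1 reference so the docs do not cite a module they no longer describe.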
Expand Down
9 changes: 7 additions & 2 deletions protocol/stage-1.html
Expand Up @@ -257,7 +257,8 @@ <h2 id="configuration-of-safes"><a class="header" href="#configuration-of-safes"
<li>
<p><strong>The Foundation Operations Safe:</strong> This Safe acts as the Deputy Guardian, meaning that (via the
Guardian Safe's <code>DeputyGuardianModule</code>) it can call any functions in the system which impacts
liveness.</p>
liveness. It is extended with the <code>DeputyPauseModule</code> to allow a signing key to execute the
Superchain-wide pause function quickly.</p>
</li>
</ol>
<h2 id="ownership-model-diagram"><a class="header" href="#ownership-model-diagram">Ownership model diagram</a></h2>
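Review bot: The new sentence names `DeputyPauseModule` but gives no link to its specification, and the section that defined it in protocol/safe-extensions.html is removed by this same commit, so the reference is dangling; add a link to the module's current home and state that the module authorizes only the Superchain-wide pause, which is the point that distinguishes it from the `DeputyGuardianModule` path described in the line above. The pre-existing grammar slip "functions in the system which impacts liveness" could be corrected to "which impact liveness" in the same edit.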
Expand Down Expand Up @@ -288,18 +289,22 @@ <h2 id="ownership-model-diagram"><a class="header" href="#ownership-model-diagra
end

subgraph GuardianSystem[Guardian System]
FndOps[Foundation Ops Safe]
subgraph GuardianSafe[Guardian Safe]
GS[Guardian Safe]
DGM[Deputy Guardian Module]
end
subgraph FndOpsSafe[Foundation Ops Safe]
FndOps[Foundation Ops Safe]
DPM[Deputy Pause Module]
end
end

POA --&gt;|controls| Safety
FndUp --&gt; POA
Council --&gt; POA
Council --&gt; GS
FndOps --&gt;|pause\nunpause\nsetRespectedGameType\nblackListDisputeGame| DGM
DPM --&gt;|execTransactionFromModule| FndOps
FndUp --&gt;|set versions|PV
LM --&gt;|execTransactionFromModule| Council
DGM --&gt;|execTransactionFromModule| GS
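Review bot: The `DPM --> FndOps` edge added here does not show the actor behind the module or the scope of what it may do: the deputy signing key referenced in the prose hunk above has no node, and while the `FndOps --> DGM` edge enumerates pause, unpause, setRespectedGameType and blackListDisputeGame, the DPM edge carries only `execTransactionFromModule`, leaving the reader to assume the module can trigger all four. Add a Deputy node feeding `DPM` with a `pause` label, or label the `DPM --> FndOps` edge with the single action it is permitted to execute.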
Expand Down
2 changes: 1 addition & 1 deletion searchindex.js

Large diffs are not rendered by default.

2 changes: 1 addition & 1 deletion searchindex.json

Large diffs are not rendered by default.

0 comments on commit 8ff3fbc