From cd0dac10d1f28cae793bc8ed76aa34da87ecd01b Mon Sep 17 00:00:00 2001 From: Adrian Sutton Date: Fri, 20 Sep 2024 10:23:12 +1000 Subject: [PATCH] configurability: Add additional fault dispute game settings (#379) --- specs/protocol/configurability.md | 44 +++++++++++++++++++------------ 1 file changed, 27 insertions(+), 17 deletions(-) diff --git a/specs/protocol/configurability.md b/specs/protocol/configurability.md index 78606e620..9df002347 100644 --- a/specs/protocol/configurability.md +++ b/specs/protocol/configurability.md 
@@ -41,23 +41,33 @@ The recommended way to deploy L1 contracts for an OP chain that meet the standar ## Consensus Parameters -| Config Property | Description | Administrator | Standard Config Requirement | Notes | -|---------------------------------------|------------------------------------------------------------------------------------------------------------------------------|-------------------------------------|-------------------------------------|-------------------------------------| -| [Batch Inbox address](https://github.com/ethereum-optimism/optimism/blob/c927ed9e8af501fd330349607a2b09a876a9a1fb/packages/contracts-bedrock/src/L1/SystemConfig.sol#L176) | L1 address where calldata/blobs are posted (see [Batcher Transaction](../glossary.md#batcher-transaction)). | Static | Current convention is versionByte || keccak256(bytes32(chainId))\[:19\], where || denotes concatenation, `versionByte` is `0x00`, and `chainId` is a `uint256`. | It is recommended, but not required, to follow this convention. | -| [Batcher Hash](./system-config.md#batcherhash-bytes32) | A versioned hash of the current authorized batcher sender(s). | [System Config Owner](#admin-roles) | `bytes32(uint256(uint160(batchSubmitterAddress)))` | [Batch Submitter](../protocol/batcher.md) address padded with zeros to fit 32 bytes. | -| [Chain ID](https://github.com/ethereum-optimism/superchain-registry/blob/2a011e700e8be22bc18502f3d41c440e7a05015d/chainList.json) | Unique ID of Chain used for TX signature validation. | Static | Foundation-approved, globally unique value [^chain-id]. | Foundation will ensure chains are responsible with their chain IDs until there's a governance process in place. | -| [Proof Maturity Delay](../fault-proof/stage-one/bridge-integration.md#fpac-optimismportal-mods-specification) | The length of time that must pass between proving and finalizing a withdrawal. | [L1 Proxy Admin](#admin-roles) | 7 days | High security. 
Excessively safe upper bound that leaves enough time to consider social layer solutions to a hack if necessary. Allows enough time for other network participants to challenge the integrity of the corresponding output root. | -| [Dispute Game Finality](../fault-proof/stage-one/bridge-integration.md#fpac-optimismportal-mods-specification) | The amount of time given to the `Guardian` role to [blacklist a resolved dispute game](../fault-proof/stage-one/bridge-integration.md#blacklisting-disputegames) before any withdrawals proven against it can be finalized, in the case of a system failure. | [L1 Proxy Admin](#admin-roles) | 3.5 days | High security. Allows enough time for the `Guardian` to blacklist games. | -| [Respected Game Type](../fault-proof/stage-one/bridge-integration.md#new-state-variables) | The respected game type of the `OptimismPortal`. Determines the type of dispute games that can be used to finalize withdrawals. | [Guardian](#service-roles) | [`CANNON` (`0`)](https://github.com/ethereum-optimism/optimism/blob/op-contracts/v1.5.0/packages/contracts-bedrock/src/dispute/lib/Types.sol#L28) | The game type may be changed to [`PERMISSIONED_CANNON` (`1`)](https://github.com/ethereum-optimism/optimism/blob/op-contracts/v1.5.0/packages/contracts-bedrock/src/dispute/lib/Types.sol#L31) as a fallback to permissioned proposals, in the event of a failure in the Fault Proof system. | -| [Fee Scalar](https://github.com/ethereum-optimism/optimism/blob/c927ed9e8af501fd330349607a2b09a876a9a1fb/packages/contracts-bedrock/src/L1/SystemConfig.sol#L288-L294) | Markup on transactions compared to the raw L1 data cost. | [System Config Owner](#admin-roles) | Set such that Fee Margin is between 0 and 50%. | | -| [Gas Limit](./system-config.md#gaslimit-uint64) | Gas limit of the L2 blocks is configured through the system config. | [System Config Owner](#admin-roles) | No higher than 200_000_000 gas | Chain operators are driven to maintain a stable and reliable chain. 
When considering to change this value, careful deliberation is necessary. | -| Genesis state | Initial state at chain genesis, including code and storage of predeploys (all L2 smart contracts). See [Predeploy](../glossary.md#l2-genesis-block). | Static | Only standard predeploys and preinstalls, no additional state. | Homogeneity & standardization, ensures initial state is secure. | -| [L2 block time](https://github.com/ethereum-optimism/optimism/blob/c927ed9e8af501fd330349607a2b09a876a9a1fb/packages/contracts-bedrock/src/L1/L2OutputOracle.sol#L105) | Frequency with which blocks are produced as a result of derivation. | [L1 Proxy Admin](#admin-roles) | 2 seconds | High security & [interoperability](../interop/overview.md) compatibility requirement, until de-risked/solved at app layer. | -| [Resource config](https://github.com/ethereum-optimism/optimism/blob/c927ed9e8af501fd330349607a2b09a876a9a1fb/packages/contracts-bedrock/src/L1/SystemConfig.sol#L338-L340) | Config for the EIP-1559 based curve used for the deposit gas market. | [L1 Proxy Admin](#admin-roles) | See [resource config table](#resource-config). | Constraints are imposed in [code](https://github.com/ethereum-optimism/optimism/blob/c927ed9e8af501fd330349607a2b09a876a9a1fb/packages/contracts-bedrock/src/L1/SystemConfig.sol#L345-L365) when setting the resource config. | -| [Sequencing window Size](../glossary.md#sequencing-window) | Maximum allowed batch submission gap, after which L1 fallback is triggered in derivation. | Static | 3_600 base layer blocks (12 hours for an L2 on Ethereum, assuming 12 second L1 blocktime). e.g. 12 second blocks, $3600 * 12\ seconds \div 60\frac{seconds}{minute} \div 60\frac{minute}{hour} = 12\ hours$. | This is an important value for constraining the sequencer's ability to re-order transactions; higher values would pose a risk to user protections. 
| -| [Start block](https://github.com/ethereum-optimism/optimism/blob/c927ed9e8af501fd330349607a2b09a876a9a1fb/packages/contracts-bedrock/src/L1/SystemConfig.sol#L184) | Block at which the system config was initialized the first time. | [L1 Proxy Admin](#admin-roles) | The block where the SystemConfig was initialized. | Simple clear restriction. | -| [Superchain target](../protocol/superchain-upgrades.md#superchain-target) | Choice of cross-L2 configuration. May be omitted in isolated OP Stack deployments. Includes SuperchainConfig and ProtocolVersions contract addresses. | Static | Mainnet or Sepolia | A superchain target defines a set of layer 2 chains which share `SuperchainConfig` and `ProtocolVersions` contracts deployed on layer 1. | -| Governance Token | OP token used for the Optimism Collective's Token House governance. | n/a | Disabled | Simple clear restriction. | +| Config Property | Description | Administrator | Standard Config Requirement | Notes | +|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| [Batch Inbox 
address](https://github.com/ethereum-optimism/optimism/blob/c927ed9e8af501fd330349607a2b09a876a9a1fb/packages/contracts-bedrock/src/L1/SystemConfig.sol#L176) | L1 address where calldata/blobs are posted (see [Batcher Transaction](../glossary.md#batcher-transaction)). | Static | Current convention is versionByte || keccak256(bytes32(chainId))\[:19\], where || denotes concatenation, `versionByte` is `0x00`, and `chainId` is a `uint256`. | It is recommended, but not required, to follow this convention. | +| [Batcher Hash](./system-config.md#batcherhash-bytes32) | A versioned hash of the current authorized batcher sender(s). | [System Config Owner](#admin-roles) | `bytes32(uint256(uint160(batchSubmitterAddress)))` | [Batch Submitter](../protocol/batcher.md) address padded with zeros to fit 32 bytes. | +| [Chain ID](https://github.com/ethereum-optimism/superchain-registry/blob/2a011e700e8be22bc18502f3d41c440e7a05015d/chainList.json) | Unique ID of Chain used for TX signature validation. | Static | Foundation-approved, globally unique value [^chain-id]. | Foundation will ensure chains are responsible with their chain IDs until there's a governance process in place. | +| [Proof Maturity Delay](../fault-proof/stage-one/bridge-integration.md#fpac-optimismportal-mods-specification) | The length of time that must pass between proving and finalizing a withdrawal. | [L1 Proxy Admin](#admin-roles) | 7 days | High security. Excessively safe upper bound that leaves enough time to consider social layer solutions to a hack if necessary. Allows enough time for other network participants to challenge the integrity of the corresponding output root. 
| +| [Dispute Game Finality](../fault-proof/stage-one/bridge-integration.md#fpac-optimismportal-mods-specification) | The amount of time given to the `Guardian` role to [blacklist a resolved dispute game](../fault-proof/stage-one/bridge-integration.md#blacklisting-disputegames) before any withdrawals proven against it can be finalized, in the case of a system failure. | [L1 Proxy Admin](#admin-roles) | 3.5 days | High security. Allows enough time for the `Guardian` to blacklist games. | +| [Respected Game Type](../fault-proof/stage-one/bridge-integration.md#new-state-variables) | The respected game type of the `OptimismPortal`. Determines the type of dispute games that can be used to finalize withdrawals. | [Guardian](#service-roles) | [`CANNON` (`0`)](https://github.com/ethereum-optimism/optimism/blob/op-contracts/v1.5.0/packages/contracts-bedrock/src/dispute/lib/Types.sol#L28) | The game type may be changed to [`PERMISSIONED_CANNON` (`1`)](https://github.com/ethereum-optimism/optimism/blob/op-contracts/v1.5.0/packages/contracts-bedrock/src/dispute/lib/Types.sol#L31) as a fallback to permissioned proposals, in the event of a failure in the Fault Proof system. | +| Fault Game Max Depth | The maximum depth of fault dispute [game trees](https://specs.optimism.io/fault-proof/stage-one/fault-dispute-game.html#game-tree). | Static | 73 | Sufficiently large to ensure the fault proof VM execution trace fits within the number of leaf nodes. | +| Fault Game Split Depth | The depth in fault dispute [game trees](https://specs.optimism.io/fault-proof/stage-one/fault-dispute-game.html#game-tree) after which claims correspond to VM state commitments instead of output root commitments. | Static | 30 | Sufficiently large to ensure enough nodes at the split depth to represent all L2 blocks since the anchor state. 
| +| [Max Game Clock Duration](https://specs.optimism.io/fault-proof/stage-one/fault-dispute-game.html#max_clock_duration) | The maximum amount of time that may accumulate on a dispute game team's chess clock. | Static | 3.5 days | High security. Allows enough time for honest actors to counter invalid claims. | +| [Game Clock Extension](https://specs.optimism.io/fault-proof/stage-one/fault-dispute-game.html#clock_extension) | The flat credit that is given to a dispute game team's clock if their clock has less than CLOCK_EXTENSION seconds remaining. | Static | 3 hours | Allows enough time for honest actors to counter freeloader claims. | +| [Bond Withdrawal Delay](https://specs.optimism.io/fault-proof/stage-one/bond-incentives.html#delay-period) | The length of time that must pass before dispute game bonds can be withdrawn. | Static | 7 days | High security. Allows enough time for the `Guardian` to recover funds from `DelayedWETH` if bonds were allocated incorrectly. | +| [Minimum Large Preimage Proposal Size](https://specs.optimism.io/fault-proof/stage-one/fault-dispute-game.html#preimageoracle-interaction) | The minimum size of preimage allowed to be submitted via the PreimageOracle large preimage proposal process. | Static | 126000 bytes | Large enough to ensure posting the large preimage is expensive enough to act as a deterrent but small enough to be used for any preimage that is too large to be submitted in a single transaction. | +| [Large Preimage Proposal Challenge Period](https://specs.optimism.io/fault-proof/stage-one/fault-dispute-game.html#preimageoracle-interaction) | The amount of time that large preimage proposals can be challenged before they can be published to the `PreimageOracle` | Static | 24 hours | High security. Allows enough time for honest actors to challenge invalid large preimage proposals. 
| +| [Fault Game Absolute Prestate](https://specs.optimism.io/fault-proof/stage-one/fault-dispute-game.html#execution-trace) | The VM state commitment to use as the starting point when executing the fault proof VM | Static | The state commitment of a governance approved op-program release. | The op-program version must have the rollup config and L2 genesis of the chain built in via the superchain registry. | +| [Fault Game Genesis Block](https://specs.optimism.io/fault-proof/stage-one/fault-dispute-game.html#anchor-state) | The L2 block number used as the initial anchor state for fault dispute games | Static | Block number of any finalized block between bedrock activation and enabling fault proofs. 0 for chains using fault proofs from genesis. | | +| [Fault Game Genesis Output Root](https://specs.optimism.io/fault-proof/stage-one/fault-dispute-game.html#anchor-state) | The output root at the Fault Game Genesis Block | Static | The output root from the canonical chain at Fault game Genesis Block. | | +| [Fee Scalar](https://github.com/ethereum-optimism/optimism/blob/c927ed9e8af501fd330349607a2b09a876a9a1fb/packages/contracts-bedrock/src/L1/SystemConfig.sol#L288-L294) | Markup on transactions compared to the raw L1 data cost. | [System Config Owner](#admin-roles) | Set such that Fee Margin is between 0 and 50%. | | +| [Gas Limit](./system-config.md#gaslimit-uint64) | Gas limit of the L2 blocks is configured through the system config. | [System Config Owner](#admin-roles) | No higher than 200_000_000 gas | Chain operators are driven to maintain a stable and reliable chain. When considering to change this value, careful deliberation is necessary. | +| Genesis state | Initial state at chain genesis, including code and storage of predeploys (all L2 smart contracts). See [Predeploy](../glossary.md#l2-genesis-block). | Static | Only standard predeploys and preinstalls, no additional state. | Homogeneity & standardization, ensures initial state is secure. 
| +| [L2 block time](https://github.com/ethereum-optimism/optimism/blob/c927ed9e8af501fd330349607a2b09a876a9a1fb/packages/contracts-bedrock/src/L1/L2OutputOracle.sol#L105) | Frequency with which blocks are produced as a result of derivation. | [L1 Proxy Admin](#admin-roles) | 2 seconds | High security & [interoperability](../interop/overview.md) compatibility requirement, until de-risked/solved at app layer. | +| [Resource config](https://github.com/ethereum-optimism/optimism/blob/c927ed9e8af501fd330349607a2b09a876a9a1fb/packages/contracts-bedrock/src/L1/SystemConfig.sol#L338-L340) | Config for the EIP-1559 based curve used for the deposit gas market. | [L1 Proxy Admin](#admin-roles) | See [resource config table](#resource-config). | Constraints are imposed in [code](https://github.com/ethereum-optimism/optimism/blob/c927ed9e8af501fd330349607a2b09a876a9a1fb/packages/contracts-bedrock/src/L1/SystemConfig.sol#L345-L365) when setting the resource config. | +| [Sequencing window Size](../glossary.md#sequencing-window) | Maximum allowed batch submission gap, after which L1 fallback is triggered in derivation. | Static | 3_600 base layer blocks (12 hours for an L2 on Ethereum, assuming 12 second L1 blocktime). e.g. 12 second blocks, $3600 * 12\ seconds \div 60\frac{seconds}{minute} \div 60\frac{minute}{hour} = 12\ hours$. | This is an important value for constraining the sequencer's ability to re-order transactions; higher values would pose a risk to user protections. | +| [Start block](https://github.com/ethereum-optimism/optimism/blob/c927ed9e8af501fd330349607a2b09a876a9a1fb/packages/contracts-bedrock/src/L1/SystemConfig.sol#L184) | Block at which the system config was initialized the first time. | [L1 Proxy Admin](#admin-roles) | The block where the SystemConfig was initialized. | Simple clear restriction. | +| [Superchain target](../protocol/superchain-upgrades.md#superchain-target) | Choice of cross-L2 configuration. May be omitted in isolated OP Stack deployments. 
Includes SuperchainConfig and ProtocolVersions contract addresses. | Static | Mainnet or Sepolia | A superchain target defines a set of layer 2 chains which share `SuperchainConfig` and `ProtocolVersions` contracts deployed on layer 1. | +| Governance Token | OP token used for the Optimism Collective's Token House governance. | n/a | Disabled | Simple clear restriction. | [^chain-id]: The chain ID must be globally unique among all EVM chains.
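Review bot: The Notes for the two new "Fault Game Max Depth" (73) and "Fault Game Split Depth" (30) rows each justify their value in isolation, but the constraint that actually matters is the relationship between them: the execution subgame has max depth minus split depth levels (43 here), so the VM trace bound is 2^43 steps, and changing either value changes that bound. Suggest stating the dependency in the Notes column, e.g. "Max depth minus split depth determines the maximum VM trace length (2^(73-30) steps)", since both are listed as Static and a chain operator picking one without the other gets a different guarantee than intended. Two smaller consistency points in the same rows: "Fault Game Max Depth" and "Fault Game Split Depth" are the only new properties whose names are not links, while every neighbouring row links to its spec section; and the new rows link to the rendered site (`https://specs.optimism.io/fault-proof/stage-one/...`) whereas the rest of this file uses relative `.md` links (`../fault-proof/stage-one/bridge-integration.md#...`), which keep the links version-matched to the repo. Minor nits: "Fault game Genesis Block" in the Genesis Output Root row should match the capitalised property name "Fault Game Genesis Block"; `CLOCK_EXTENSION` in the Game Clock Extension row should be in backticks like the other constants; and the descriptions for Large Preimage Proposal Challenge Period, Fault Game Absolute Prestate, Fault Game Genesis Block and Fault Game Genesis Output Root are missing their trailing periods. Finally, worth a second look whether "Static" is the right Administrator for Fault Game Absolute Prestate, given the requirement column ties it to "a governance approved op-program release", which implies it is expected to change over the chain's lifetime.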