Skip to main content

Privileged Roles in BOB Mainnet

BOB uses the OP Stack, just like Optimism Mainnet and Base. As a result, BOB is on the same Pragmatic Path to Decentralization.

For now, OP Stack chains still include "privileged" roles that allow certain addresses to carry out specific actions. Read this page to understand these roles, why they exist, and what risks they pose.

L1 Proxy Admin

The L1 Proxy Admin is an address that can be used to upgrade most BOB system contracts.

Risks

  • Compromised L1 Proxy Admin could upgrade contracts to malicious versions.
  • Compromised L1 Proxy Admin could remove or lock ETH or tokens in the Standard Bridge.
  • Compromised L1 Proxy Admin could fail to mitigate a risk as described on this page.

Mitigations

  • L1 Proxy Admin owner is a 4-of-6 multisig.

Address

L2 Proxy Admin

The L2 Proxy Admin is an address that can be used to upgrade most BOB system contracts on L2.

Risks

  • Compromised L2 Proxy Admin could upgrade contracts to malicious versions.
  • Compromised L2 Proxy Admin could remove or lock ETH or tokens in the Standard Bridge.
  • Compromised L2 Proxy Admin could fail to mitigate a risk as described on this page.

Mitigations

Address

System Config Owner

The System Config Owner is an address that can be used to change the values within the SystemConfig contract on Ethereum.

Risks

  • Compromised System Config Owner could cause a temporary network outage.
  • Compromised System Config Owner could cause users to be overcharged for transactions.

Mitigations

Address

Batcher

Description

The Batcher is a software service that submits batches of transactions to Ethereum on behalf of the current BOB Sequencer. BOB nodes will look for transactions from this address to find new batches of L2 transactions to process.

Risks

  • Batcher address is typically a hot wallet.
  • Compromised batcher address can cause L2 reorgs or sequencer outages.

Mitigations

  • Compromised batcher address cannot publish invalid transactions.
  • Compromised batcher address can be replaced by the L1 Proxy Admin.

Address

Proposer

Description

The Proposer is a software service that submits proposals about the state of BOB to the L2OutputOracle contract on Ethereum. Proposals submitted to the L2OutputOracle contract can be used to execute withdrawal transactions on Ethereum after 7 days. Proposer addresses are typically "hot wallets" as they must be available to frequently sign and publish new state proposals.

Risks

  • Proposer address is typically a hot wallet.
  • Compromised proposer address could propose invalid state proposals.
  • Invalid state proposals can be used to execute invalid withdrawals after 7 days.

Mitigations

  • Compromised proposer address can be replaced by the L1 Proxy Admin.
  • Invalid state proposals can be challenged by the Challenger within 7 days.

Address

Challenger

Description

The Challenger is an address that can be used to challenge invalid state proposals submitted by the Proposer role.

Risks

  • Compromised challenger could invalidate valid state proposals.
  • Compromised challenger could fail to challenge invalid state proposals.

Mitigations

  • Compromised challenger address can be replaced by the L1 Proxy Admin.
  • Challenges can be executed by replaced challenger address.
  • Challenger is a 4-of-6 multisig.

Address

Guardian

Description

The Guardian is an address that can be used to pause withdrawals from BOB. This is a backup safety mechanism that allows for a temporary halt in the event of a security concern. The Guardian role cannot pause specific withdrawals and can only pause all withdrawals.

Risks

  • Compromised guardian could pause withdrawals indefinitely.

Mitigations

  • Compromised guardian address can be replaced by the L1 Proxy Admin.
  • Withdrawals can be unpaused by replaced guardian address.
  • Guardian is a 4-of-6 multisig.

Address

ERC20 Contract Upgrade Proxy

Description

The ERC20 Contract Upgrade Proxy is an address that can be used to upgrade four ERC20 contracts on BOB to new versions: USDC, tBTC, wstETH, and STONE. This is a temporary measure:

  • USDC: The ERC20 is upgradable to allow Circle to take over the contract to enable native minting and redeeming on BOB.
  • tBTC: The ERC20 is upgradable to allow Threshold governance to take over the contract to enable native minting and redeeming on BOB.
  • wstETH: The ERC20 is upgradable to allow Lido governance to take over the contract to control the contract from the Ethereum side.

All other ERC20 contracts on BOB are not upgradable by this proxy.

Risks

  • Compromised ERC20 Contract Upgrade Proxy could upgrade contracts to malicious versions.

Mitigations

  • USDC and wstETH Contract Upgrade Proxy is a 3-of-5 multisig.
  • tBTC Contract Upgrade Proxy is a 3-of-5 multisig.