Privileged Roles in BOB Mainnet
BOB uses the OP Stack as its foundation and has upgraded to a hybrid zk rollup powered by Kailua, which enables validity proofs for dispute resolution and on-demand fast withdrawals.
OP Stack chains still include "privileged" roles that allow certain addresses to carry out specific actions. Read this page to understand these roles, why they exist, and what risks they pose.
For independent reviews of BOB's security and decentralization status, see:
- L2Beat - Comprehensive analysis of L2 scaling solutions
- Bitcoin Layers - Bitcoin-focused layer analysis
L1 Proxy Admin
The L1 Proxy Admin is an address that can be used to upgrade most BOB system contracts.
Risks
- Compromised L1 Proxy Admin could upgrade contracts to malicious versions.
- Compromised L1 Proxy Admin could remove or lock ETH or tokens in the Standard Bridge.
- Compromised L1 Proxy Admin could fail to mitigate a risk as described on this page.
Mitigations
- L1 Proxy Admin owner is a 4-of-6 multisig.
Address
L2 Proxy Admin
The L2 Proxy Admin is an address that can be used to upgrade most BOB system contracts on L2.
Risks
- Compromised L2 Proxy Admin could upgrade contracts to malicious versions.
- Compromised L2 Proxy Admin could remove or lock ETH or tokens in the Standard Bridge.
- Compromised L2 Proxy Admin could fail to mitigate a risk as described on this page.
Mitigations
- L2 Proxy Admin is a 4-of-6 multisig.
Address
System Config Owner
The System Config Owner is an address that can be used to change the values within the SystemConfig contract on Ethereum.
Risks
- Compromised System Config Owner could cause a temporary network outage.
- Compromised System Config Owner could cause users to be overcharged for transactions.
Mitigations
- System Config Owner is a 4-of-6 multisig.
- System Config Owner can be replaced by the L1 Proxy Admin.
Address
Batcher
Description
The Batcher is a software service that submits batches of transactions to Ethereum on behalf of the current BOB Sequencer. BOB nodes will look for transactions from this address to find new batches of L2 transactions to process.
Risks
- Batcher address is typically a hot wallet.
- Compromised batcher address can cause L2 reorgs or sequencer outages.
Mitigations
- Compromised batcher address cannot publish invalid transactions.
- Compromised batcher address can be replaced by the L1 Proxy Admin.
Address
Proposer
Description
The Proposer is a software service that submits proposals about the state of BOB to the DisputeGameFactory contract on Ethereum, which spawns a new KailuaGame contract for each proposal in which disputes can be resolved if necessary. BOB operates in Kailua's vanguard mode, where the BOB proposer has priority to submit proposals. If no proposal is made by the BOB proposer within 30 days, then any user can submit their own proposal.
Proposals can be finalized in multiple ways:
- After 4 days if there is no challenge
- Instantly when a challenge is resolved through a validity proof
- Instantly when a proposal is submitted with a validity proof
Proposer addresses are typically "hot wallets" as they must be available to frequently sign and publish new state proposals.
Risks
- Proposer address is typically a hot wallet.
- Compromised proposer address could propose invalid state proposals.
- Invalid state proposals can be used to execute invalid withdrawals if not challenged.
Mitigations
- Compromised proposer address can be replaced by the L1 Proxy Admin.
- Invalid state proposals can be challenged by anyone with 0.5 ETH collateral.
- Validity proofs provide mathematical certainty during disputes.
Address
Challenger
Description
In BOB's Kailua-powered system, anyone can challenge invalid state proposals submitted by the Proposer role. Challenges require a collateral deposit of 0.5 ETH. When a challenge is initiated, the dispute is resolved through validity proofs that provide mathematical certainty about the correctness of the state transition.
Successful challengers are rewarded, while unsuccessful challengers forfeit their collateral. This permissionless challenging mechanism ensures the security of the hybrid zk rollup system.
Risks
- Economic barrier (0.5 ETH) may limit the number of potential challengers.
- If no one challenges invalid proposals within the challenge period, invalid withdrawals could be executed.
Mitigations
- Low collateral requirement (0.5 ETH) makes challenging accessible to many participants.
- Validity proofs provide cryptographic certainty in dispute resolution.
- Anyone can participate in challenging, not limited to specific addresses.
- Economic incentives reward successful challengers.
Address
- Anyone can challenge by depositing 0.5 ETH collateral
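The following is a simplified model of the proposal and challenge lifecycle described in the Proposer and Challenger sections above. It is added here for illustration and is not Kailua's or BOB's code. The 30-day vanguard priority window, the 4-day unchallenged finality period and the 0.5 ETH collateral come from this page; the reward amount, the address names and the balance bookkeeping are constructed assumptions. Amounts are tracked in wei so the arithmetic stays exact.

```python
"""Illustrative model of Kailua-style proposal finalization (not BOB's code).
Parameters marked 'page' are taken from the documentation; everything else
is a constructed assumption for the example."""
from dataclasses import dataclass
from enum import Enum
from typing import Optional

VANGUARD_PRIORITY_DAYS = 30          # page: others may propose after 30 days without a vanguard proposal
UNCHALLENGED_FINALITY_DAYS = 4       # page: a proposal finalizes after 4 days with no challenge
CHALLENGE_COLLATERAL_WEI = 5 * 10**17  # page: 0.5 ETH collateral to challenge
CHALLENGER_REWARD_WEI = 10**17       # ASSUMPTION: the page does not state the reward size


class Status(Enum):
    PENDING = "pending"
    CHALLENGED = "challenged"
    FINALIZED = "finalized"
    REJECTED = "rejected"


@dataclass
class Proposal:
    proposer: str
    output_root: str            # claimed L2 state root (constructed placeholder strings below)
    submitted_day: int
    status: Status = Status.PENDING
    challenger: Optional[str] = None
    collateral_wei: int = 0


class KailuaGameModel:
    def __init__(self, vanguard: str, start_day: int = 0):
        self.vanguard = vanguard
        self.last_vanguard_day = start_day
        self.proposals = []
        self.payouts = {}       # net wei movement per address (constructed bookkeeping)

    def _credit(self, who: str, amount_wei: int) -> None:
        self.payouts[who] = self.payouts.get(who, 0) + amount_wei

    def can_propose(self, who: str, day: int) -> bool:
        # Vanguard mode: the designated proposer always may; anyone else only
        # after the priority window has elapsed without a vanguard proposal.
        if who == self.vanguard:
            return True
        return day - self.last_vanguard_day >= VANGUARD_PRIORITY_DAYS

    def submit(self, who: str, output_root: str, day: int,
               validity_proof_verified: bool = False) -> Proposal:
        if not self.can_propose(who, day):
            raise PermissionError(f"{who} cannot propose on day {day}: priority window still open")
        p = Proposal(who, output_root, day)
        if validity_proof_verified:
            p.status = Status.FINALIZED   # page: instant finality when submitted with a validity proof
        if who == self.vanguard:
            self.last_vanguard_day = day
        self.proposals.append(p)
        return p

    def challenge(self, p: Proposal, who: str, collateral_wei: int) -> None:
        if p.status is not Status.PENDING:
            raise ValueError("only pending proposals can be challenged")
        if collateral_wei < CHALLENGE_COLLATERAL_WEI:
            raise ValueError("insufficient collateral")
        p.status, p.challenger, p.collateral_wei = Status.CHALLENGED, who, collateral_wei
        self._credit(who, -collateral_wei)

    def resolve(self, p: Proposal, proposal_is_valid: bool) -> None:
        """Settle a challenge using the outcome of the validity proof."""
        if p.status is not Status.CHALLENGED:
            raise ValueError("proposal is not under challenge")
        if proposal_is_valid:
            p.status = Status.FINALIZED   # unsuccessful challenger forfeits (already debited)
        else:
            p.status = Status.REJECTED    # successful challenger is refunded and rewarded
            self._credit(p.challenger, p.collateral_wei + CHALLENGER_REWARD_WEI)

    def advance_to(self, day: int) -> None:
        """Finalize pending proposals whose challenge window has elapsed."""
        for p in self.proposals:
            if p.status is Status.PENDING and day - p.submitted_day >= UNCHALLENGED_FINALITY_DAYS:
                p.status = Status.FINALIZED


def demo():
    game = KailuaGameModel(vanguard="bob-proposer")
    honest = game.submit("bob-proposer", "0xroot-honest", day=1)
    game.advance_to(5)                                   # 4 days without challenge: finalized
    bad = game.submit("bob-proposer", "0xroot-bad", day=6)
    game.challenge(bad, "watcher", CHALLENGE_COLLATERAL_WEI)
    game.resolve(bad, proposal_is_valid=False)           # proof shows the root is wrong
    bad2 = game.submit("bob-proposer", "0xroot-bad2", day=10)
    game.advance_to(14)                                  # nobody challenged: the Proposer risk
    try:
        game.submit("anyone", "0xroot-x", day=20)        # still inside the 30-day window
        fallback_early = True
    except PermissionError:
        fallback_early = False
    late = game.submit("anyone", "0xroot-x", day=40)     # window elapsed: permissionless
    return (honest.status, bad.status, bad2.status, fallback_early,
            late.status, game.payouts["watcher"])


if __name__ == "__main__":
    print(demo())
```

The `bad2` path is the one the Risks list warns about: an invalid root that nobody challenges within the 4-day window finalizes exactly like an honest one, which is why the permissionless challenger role and the low collateral matter for the security of the bridge.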
Guardian
Description
The Guardian is an address that can be used to pause withdrawals from BOB. This is a backup safety mechanism that allows for a temporary halt in the event of a security concern. The Guardian role cannot pause specific withdrawals and can only pause all withdrawals.
Risks
- Compromised guardian could pause withdrawals indefinitely.
Mitigations
- Compromised guardian address can be replaced by the L1 Proxy Admin.
- Withdrawals can be unpaused by the replacement Guardian address.
- Guardian is a 4-of-6 multisig.
Address
ERC20 Contract Upgrade Proxy
Description
The ERC20 Contract Upgrade Proxy is an address that can be used to upgrade four ERC20 contracts on BOB to new versions: USDC, tBTC, wstETH, and STONE. This is a temporary measure:
- USDC: The ERC20 is upgradable to allow Circle to take over the contract to enable native minting and redeeming on BOB.
- tBTC: The ERC20 is upgradable to allow Threshold governance to take over the contract to enable native minting and redeeming on BOB.
- wstETH: The ERC20 is upgradable to allow Lido governance to take over the contract to control the contract from the Ethereum side.
All other ERC20 contracts on BOB are not upgradable by this proxy.
Risks
- Compromised ERC20 Contract Upgrade Proxy could upgrade contracts to malicious versions.