From 404c263d3b8379996dcd864c9ccf65824a8654b5 Mon Sep 17 00:00:00 2001 From: Maurelian Date: Fri, 22 Mar 2024 13:28:38 -0400 Subject: [PATCH 1/4] Move Security Council Safe spec to experimental --- .../security-council-safe.md} | 0 specs/root.md | 1 + 2 files changed, 1 insertion(+) rename specs/{protocol/safe-liveness-checking.md => experimental/security-council-safe.md} (100%) diff --git a/specs/protocol/safe-liveness-checking.md b/specs/experimental/security-council-safe.md similarity index 100% rename from specs/protocol/safe-liveness-checking.md rename to specs/experimental/security-council-safe.md diff --git a/specs/root.md b/specs/root.md index 1530b078c..6ff9d1f46 100644 --- a/specs/root.md +++ b/specs/root.md @@ -46,6 +46,7 @@ Specifications of new features in active development. - [Cannon VM](./experimental/fault-proof/cannon-fault-proof-vm.md) - [Plasma](./experimental/plasma.md) - [Interoperability](./interop/overview.md) +- [Security Council Safe](./experimental/security-council-safe.md) ## Design Goals From 584de3e1c86426b1e5e93070fdc496443585e740 Mon Sep 17 00:00:00 2001 From: Maurelian Date: Fri, 22 Mar 2024 16:55:03 -0400 Subject: [PATCH 2/4] Add spec for Deputy Guardian module --- specs/experimental/security-council-safe.md | 45 ++++++++++++++++++++- 1 file changed, 43 insertions(+), 2 deletions(-) diff --git a/specs/experimental/security-council-safe.md b/specs/experimental/security-council-safe.md index 0167bfb10..98c24e1fd 100644 --- a/specs/experimental/security-council-safe.md +++ b/specs/experimental/security-council-safe.md @@ -1,4 +1,4 @@ -# Safe Liveness Checking +# Security Council Safe @@ -23,7 +23,48 @@ -## Liveness checking Mechanism +The Security Council uses a specially extended Safe multisig contract to provide additional security +guarantees on top of those provided by the Safe contract. + +## Deputy guardian module + +The Security Council acts as the Guardian, which is authorized to activate the [Superchain Pause](../protocol/superchain-configuration.md#pausability) functionality and for [blacklisting](../experimental/fault-proof/stage-one/bond-incentives.md#authenticated-roles) dispute game contracts. + +However the Security Council cannot be expected to react quickly in an emergency situation. +Therefore the Pausability Pass Through module enables the Security Council to delegate share this +authorization with another account. + +The module has the following minimal interface: + +```solidity +interface DeputyGuardianModule { + /// @dev The address of the Security Council Safe + function safe() external view returns(address); + + /// @dev The address of the account which can pause superchain withdrawals by calling this module + function deputyGuardian() external view returns(address); + + /// @dev Calls to the Security Council's `execTransactionFromModule()`, with the arguments + /// necessary to call `pause()` on the `SuperchainConfig` contract. + //// Only the deputy guardian can call this function. + function pause() external; + + /// @dev Calls to the Security Council's `execTransactionFromModule()`, with the arguments + /// necessary to call `unpause()` on the `SuperchainConfig` contract. + //// Only the deputy guardian can call this function. + function unpause() external; + + /// @dev When called, this function will call to the Security Council's `execTransactionFromModule()` + /// with the arguments necessary to call `pause()` on the `SuperchainConfig` contract. + //// Only the deputy guardian can call this function. + function blacklistDisputeGame(address) external; +} +``` + +For simplicity, the `DeputyGuardianModule` module does not have functions for updating the `safe` and +`deputyGuardian` addresses. If necessary these can be modified by swapping out with a new module. + +## Liveness checking mechanism The Security Council uses a specially extended Safe multisig contract to ensure that any loss of access to a signer's keys is identified and addressed within a predictable period of From 7f38fd601c06a5b6081f63132a6a4f7cfb7b5aef Mon Sep 17 00:00:00 2001 From: Maurelian Date: Mon, 25 Mar 2024 16:07:38 -0400 Subject: [PATCH 3/4] Address reviewer feedback --- specs/experimental/security-council-safe.md | 32 +++++++++++++-------- 1 file changed, 20 insertions(+), 12 deletions(-) diff --git a/specs/experimental/security-council-safe.md b/specs/experimental/security-council-safe.md index 98c24e1fd..832a23f5d 100644 --- a/specs/experimental/security-council-safe.md +++ b/specs/experimental/security-council-safe.md @@ -28,36 +28,45 @@ guarantees on top of those provided by the Safe contract. ## Deputy guardian module -The Security Council acts as the Guardian, which is authorized to activate the [Superchain Pause](../protocol/superchain-configuration.md#pausability) functionality and for [blacklisting](../experimental/fault-proof/stage-one/bond-incentives.md#authenticated-roles) dispute game contracts. +The Security Council acts as the Guardian, which is authorized to activate the [Superchain +Pause](../protocol/superchain-configuration.md#pausability) functionality and for +[blacklisting](../experimental/fault-proof/stage-one/bond-incentives.md#authenticated-roles) dispute +game contracts. However the Security Council cannot be expected to react quickly in an emergency situation. -Therefore the Pausability Pass Through module enables the Security Council to delegate share this +Therefore the Deputy Guardian module enables the Security Council to share this authorization with another account. The module has the following minimal interface: ```solidity interface DeputyGuardianModule { + /// @dev The address of the Security Council Safe function safe() external view returns(address); /// @dev The address of the account which can pause superchain withdrawals by calling this module function deputyGuardian() external view returns(address); - /// @dev Calls to the Security Council's `execTransactionFromModule()`, with the arguments + /// @dev Calls the Security Council Safe's `execTransactionFromModule()`, with the arguments /// necessary to call `pause()` on the `SuperchainConfig` contract. - //// Only the deputy guardian can call this function. + /// Only the deputy guardian can call this function. function pause() external; - /// @dev Calls to the Security Council's `execTransactionFromModule()`, with the arguments + /// @dev Calls the Security Council Safe's `execTransactionFromModule()`, with the arguments /// necessary to call `unpause()` on the `SuperchainConfig` contract. - //// Only the deputy guardian can call this function. + /// Only the deputy guardian can call this function. function unpause() external; - /// @dev When called, this function will call to the Security Council's `execTransactionFromModule()` - /// with the arguments necessary to call `pause()` on the `SuperchainConfig` contract. - //// Only the deputy guardian can call this function. + /// @dev Calls the Security Council Safe's `execTransactionFromModule()`, with the arguments + /// with the arguments necessary to call `blacklistDisputeGame()` on the `DisputeGameFactory` contract. + /// Only the deputy guardian can call this function. function blacklistDisputeGame(address) external; + + /// @dev Calls the Security Council Safe's `execTransactionFromModule()`, with the arguments + /// with the arguments necessary to call `setRespectedGameType()` on the `DisputeGameFactory` contract. + /// Only the deputy guardian can call this function. + function setRespectedGameType(uint32) external; } ``` @@ -66,9 +75,8 @@ For simplicity, the `DeputyGuardianModule` module does not have functions for up ## Liveness checking mechanism -The Security Council uses a specially extended Safe multisig contract to ensure that -any loss of access to a signer's keys is identified and addressed within a predictable period of -time. +The Security Council's liveness checking mechanism is intended to ensure that any loss of access to +a signer's keys is identified and addressed within a predictable period of time. This mechanism is intended only to be used to remove signers who have lost access to their keys, or are otherwise inactive. It is not intended to be used to remove signers who are acting in bad faith, From 292391b638ed4ef94341c521f6bd7fc9abaf9e41 Mon Sep 17 00:00:00 2001 From: Maurelian Date: Tue, 26 Mar 2024 14:35:05 -0400 Subject: [PATCH 4/4] Update DeputyGuardianModule interface --- specs/experimental/security-council-safe.md | 16 ++++++++++------ 1 file changed, 10 insertions(+), 6 deletions(-) diff --git a/specs/experimental/security-council-safe.md b/specs/experimental/security-council-safe.md index 832a23f5d..b13bcf27e 100644 --- a/specs/experimental/security-council-safe.md +++ b/specs/experimental/security-council-safe.md @@ -4,7 +4,8 @@ **Table of Contents** -- [Liveness checking Mechanism](#liveness-checking-mechanism) +- [Deputy guardian module](#deputy-guardian-module) +- [Liveness checking mechanism](#liveness-checking-mechanism) - [Liveness checking methodology](#liveness-checking-methodology) - [The liveness guard](#the-liveness-guard) - [The liveness module](#the-liveness-module) @@ -41,7 +42,6 @@ The module has the following minimal interface: ```solidity interface DeputyGuardianModule { - /// @dev The address of the Security Council Safe function safe() external view returns(address); @@ -61,12 +61,16 @@ interface DeputyGuardianModule { /// @dev Calls the Security Council Safe's `execTransactionFromModule()`, with the arguments /// with the arguments necessary to call `blacklistDisputeGame()` on the `DisputeGameFactory` contract. /// Only the deputy guardian can call this function. - function blacklistDisputeGame(address) external; + /// @param _portal The `OptimismPortal2` contract instance. + /// @param _game The `IDisputeGame` contract instance. + function blacklistDisputeGame(address _portal, address _game) external; - /// @dev Calls the Security Council Safe's `execTransactionFromModule()`, with the arguments - /// with the arguments necessary to call `setRespectedGameType()` on the `DisputeGameFactory` contract. + /// @dev When called, this function will call to the Security Council's `execTransactionFromModule()` + /// with the arguments necessary to call `setRespectedGameType()` on the `OptimismPortal2` contract. /// Only the deputy guardian can call this function. - function setRespectedGameType(uint32) external; + /// @param _portal The `OptimismPortal2` contract instance. + /// @param _gameType The `GameType` to set as the respected game type + function setRespectedGameType(address _portal, uint32 _gameType) external; } ```