You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: security/fma-shared-lockbox.md
+1-1
Original file line number
Diff line number
Diff line change
@@ -9,7 +9,7 @@
9
9
10
10
## Introduction
11
11
12
-
This document covers the changes introduced by the addition of the Shared Lockbox design, a singleton contract that stores all ETH liquidity for a given set of interoperable chains. It addresses the [ETH withdrawals problem](https://github.com/ethereum-optimism/specs/issues/362) by the introduction of [SuperchainWETH](https://github.com/ethereum-optimism/specs/blob/main/specs/interop/superchain-weth.md). The following components are:
12
+
This document covers the changes introduced by the addition of the Shared Lockbox design, a singleton contract that stores all ETH liquidity for a given set of interoperable chains. It addresses the [ETH withdrawals problem](https://github.com/ethereum-optimism/specs/issues/362) by the introduction of [SuperchainETHBridge](https://github.com/ethereum-optimism/specs/blob/main/specs/interop/superchain-eth-bridge.md). The following components are:
13
13
14
14
-**Contracts**:
15
15
- Introducing `SharedLockbox`: Stores all ETH liquidity for an interoperable graph. Only authorized `OptimismPortal` addresses can call `lockETH` and `unlockETH`.
Copy file name to clipboardExpand all lines: security/fma-superchainethbridge.md
+17-15
Original file line number
Diff line number
Diff line change
@@ -1,4 +1,4 @@
1
-
# SuperchainWETH: Failure Modes and Recovery Path Analysis
1
+
# SuperchainETHBridge: Failure Modes and Recovery Path Analysis
2
2
3
3
| Author | Joxes, Gotzen, Parti |
4
4
| --- | --- |
@@ -9,20 +9,22 @@
9
9
10
10
## Introduction
11
11
12
-
This document covers the addition of SuperchainWETH, an interop-enabled version of the WETH contract that allows ETH to be moved across a set of interoperable chains. It act as a wrapper contract compliant with the SuperchainERC20 standard and also have built-in bridging logic. The following components are included:
12
+
This document covers the addition of the `SuperchainETHBridge` contract, an abstraction layer on top of the `L2toL2CrossDomainMessenger` specifically designed for native ETH transfers between chains. The following components are included:
13
13
14
14
-**Contracts**:
15
-
- Introducing the `SuperchainWETH`predeploy proxy and implementation contract. It enables wrapping ETH into SuperchainWETH and includes logic for direct ETH interop transfers.
16
-
- Introducing the `ETHLiquidity` predeploy proxy and implementation contract. It is designed to facilitate the conversion of SuperchainWETH into native ETH—triggered when the supply increases through `crosschainMint` via `relayERC20`—by maintaining a large reserve of native ETH.
15
+
- Introducing the `SuperchainETHBridge`predeploy proxy and implementation contract. It uses the `L2toL2CrossDomainMessenger` to send and relay messages that handle ETH transfers between chains.
16
+
- Introducing the `ETHLiquidity` predeploy proxy and implementation contract. It is designed to provide the ETH for the `SuperchainETHBridge` to facilitate ETH transfers between chains, by maintaining a large reserve of native ETH.
17
17
18
18
Below are references for this project:
19
19
20
20
- Design doc:
21
-
- Introduction of SuperchainWETH: https://github.com/ethereum-optimism/design-docs/blob/main/protocol/interoperable-ether.md
@@ -37,17 +39,17 @@ Below are references for this project:
37
39
38
40
### FM1: Insufficient ETH in `ETHLiquidity`
39
41
40
-
-**Description:** If `ETHLiquidity` lacks sufficient ETH, mint calls will revert when the contract attempts to forward funds using `SafeSend`. This breaks bridging flows dependent on `relayETH` and `crosschainMint`.
42
+
-**Description:** If `ETHLiquidity` lacks sufficient ETH, mint calls will revert when the contract attempts to forward funds using `SafeSend`. This breaks bridging flows dependent on `relayETH`.
41
43
-**Risk Assessment:** Medium.
42
-
- Potential Impact: High. Not having enough ETH balance in `ETHLiquidity` prevents relaying ETH or mint SuperchainWETH through `crosschainMint`, which would greatly degrade the user experience, as they would be temporarily stuck. The situation becomes even more serious if the affected cross-chain messages expire before the issue can be resolved, making it impossible to retry the relay and get the funds in destination chain.
44
+
- Potential Impact: High. Not having enough ETH balance in `ETHLiquidity` prevents relaying ETH, which would greatly degrade the user experience, as they would be temporarily stuck. The situation becomes even more serious if the affected cross-chain messages expire before the issue can be resolved, making it impossible to retry the relay and get the funds in destination chain.
43
45
- Likelihood: Very low. `ETHLiquidity` starts with a maximum balance (`type(uint248).max`).
44
46
-**Mitigations:** Our current codebase includes tests to check if the `mint` request exceeds the contract’s balance ([test](https://github.com/ethereum-optimism/optimism/blob/dd37e6192c37ed4c5b18df0269f065f378c495cc/packages/contracts-bedrock/test/L2/ETHLiquidity.t.sol#L103)). Initial ETH supply in `ETHLiquidity` is `type(uint248).max` ([test](https://github.com/ethereum-optimism/optimism/blob/dd37e6192c37ed4c5b18df0269f065f378c495cc/packages/contracts-bedrock/test/L2/ETHLiquidity.t.sol#L29)) and equally set in all chains.
45
47
-**Detection:** Perform checks on the `ETHLiquidity` balance as a preventive monitoring measure. User-filed support tickets may flag this issue in case of failure.
46
-
-**Recovery Path(s):** Coordinate an L2 hard fork to replenish the `ETHLiquidity` contract. Investigate the causes of the depletion to determine if other factors are involved. Messages will need to be retried for relaying; otherwise, use the `expireMessage` feature if it is available and integrated into `SuperchainWETH`.
48
+
-**Recovery Path(s):** Coordinate an L2 hard fork to replenish the `ETHLiquidity` contract. Investigate the causes of the depletion to determine if other factors are involved. Messages will need to be retried for relaying; otherwise, use the `expireMessage` feature if it is available and integrated into `SuperchainETHBridge`.
47
49
48
50
### FM2: Overflow during `burn` in `ETHLiquidity` due to max Balance
49
51
50
-
-**Description:** If the `ETHLiquidity` contract has already reached the maximum allowed ETH balance (`type(uint256).max`), invoking the `sendETH` function (which triggers `crosschainBurn`) could cause an overflow. This occurs when `burn` is called with an amount that, when added to the current balance, exceeds the maximum `uint256` value. Such an overflow would cause a revert, since the proper Solidity version is used.
52
+
-**Description:** If the `ETHLiquidity` contract has already reached the maximum allowed ETH balance (`type(uint256).max`), invoking the `sendETH` function could cause an overflow. This occurs when `burn` is called with an amount that, when added to the current balance, exceeds the maximum `uint256` value. Such an overflow would cause a revert, since the proper Solidity version is used.
51
53
-**Risk Assessment:** Low.
52
54
- Potential Impact: Medium. Reverts during `sendETH` calls are expected when the requested amount exceeds the maximum value representable by a `uint256`.
53
55
- Likelihood: Very low. `ETHLiquidity` starts with a maximum balance (`type(uint248).max`) which is still far from `uint256` limit.
@@ -61,7 +63,7 @@ See [fma-generic-contracts.md](https://github.com/ethereum-optimism/design-docs/
61
63
62
64
-[x] Check this box to confirm that these items have been considered and updated if necessary.
63
65
64
-
See [relevant FMAs to SuperchainWETH, To Do]
66
+
See [relevant FMAs to SuperchainETHBridge, To Do]
65
67
66
68
-[ ] Check this box to confirm that these items have been considered and updated if necessary.
67
69
@@ -70,8 +72,8 @@ See [relevant FMAs to SuperchainWETH, To Do]
70
72
-[x] Resolve all the comments.
71
73
-[ ] FM1, FM2: Establish a balance monitoring measure in `ETHLiquidity` (optional).
72
74
-[ ] Ensure the support team is aware of these failure modes and prepared to respond.
73
-
-[ ]**Ensure that the actions items specified in each FMAs on which SuperchainWETH depends are completed.**
75
+
-[ ]**Ensure that the actions items specified in each FMAs on which SuperchainETHBridge depends are completed.**
74
76
75
77
## Audit Requirements
76
78
77
-
Following the [Audit Framework](https://gov.optimism.io/t/op-labs-audit-framework-when-to-get-external-security-review-and-how-to-prepare-for-it/6864), SuperchainWETH fits within the second budget, which includes smart contract code that secures assets. That means the `SuperchainWETH.sol` and `ETHLiquidity.sol` and associated interop contract dependencies (`CrossL2Inbox`, `L2ToL2CrossDomainMessenger`, `SuperchainTokenBridge`, `L1BlockInterop`, `SystemConfigInterop`, `OptimismPortalInterop`) require an audit before going to production.
79
+
Following the [Audit Framework](https://gov.optimism.io/t/op-labs-audit-framework-when-to-get-external-security-review-and-how-to-prepare-for-it/6864), SuperchainETHBridge fits within the second budget, which includes smart contract code that secures assets. That means the `SuperchainETHBridge.sol` and `ETHLiquidity.sol` and associated interop contract dependencies (`CrossL2Inbox`, `L2ToL2CrossDomainMessenger`, `SuperchainTokenBridge`, `L1BlockInterop`, `SystemConfigInterop`, `OptimismPortalInterop`) require an audit before going to production.
0 commit comments