Review of Linea system components that can lead to malicious minority indefinitely blocking an L2->L1 message

[kyzooghost]

Description

Review Linea contracts system for components which allow a 'malicious minority (<= 25%) of Security Council members to indefinitely block an L2->L1 message'

Motivation

The guiding principle for Stage 1 of L2Beat's Stages Framework for Rollups is:

The only way (other than bugs) for a rollup to indefinitely block an L2→L1 message (e.g. a withdrawal) or push an invalid L2→L1 message (e.g. an invalid withdrawal) is by compromising ≥75% of the Security Council.

Please refer to https://forum.l2beat.com/t/stages-update-a-high-level-guiding-principle-for-stage-1/338

Tasks

• Review Zodiac role modifiers that delegate the pause to an EOA managed by the Security Council. EOA and 4 signers (minority) can block the unpause function
• Grant EOA the OZ role to pause with cooldown
• Review what responsibilities we want to grant to the Operational Safe.
• Review other relevant areas of the Linea system
• Presentation & discussion of above design work

Acceptance criteria

• Presentation, discussion and action plan

Risks

• Taking too much time

Remember to

• Add the documentation label in case there is an impact on the documentation
• Add priority and team labels
• Add Task for updating the Runbook or adding/updating existing metrics and alerts.

[kyzooghost]

Review Zodiac role modifiers that delegate the pause to an EOA managed by the Security Council. EOA and 4 signers (minority) can block the unpause function

With the unauthenticated unpauseDueToExpiry function introduced in #723, this becomes less of a concern because anyone can 'force' the unpause.

However if the SECURITY_COUNCIL_ROLE performs the pause, then we intend for only for the Security Council be authorised to unpause. If the Security Council does not delegate any unpause roles (i.e. Security Council multisig is the only address with unpause roles), then the remaining vulnerability area lies in the threshold/quorum mechanics for the Security Council multisig. Specifically, can a malicious minority (<=25% of the Security Council) block the unpause operation? The first instinct is that with a 75% threshold is the maximum that can be tolerated for the multisig.

[kyzooghost]

Grant EOA the OZ role to pause with cooldown

Review what responsibilities we want to grant to the Operational Safe.

These items come down to mapping which accounts have which roles. As a guide we would like the following roles to be exclusive to the Security Council:

• DEFAULT_ADMIN_ROLE
• MINIMUM_FEE_SETTER_ROLE
• RATE_LIMIT_SETTER_ROLE
• VERIFIER_UNSETTER_ROLE
• VERIFIER_SETTER_ROLE
• OPERATOR_ROLE (as long as there is no forced exit mechanism from the chain)
• L1_L2_MESSAGE_SETTER_ROLE
• UNPAUSE_ roles
• SET_MESSAGE_SERVICE_ROLE (consider removing this entirely from smart contracts)