-
Notifications
You must be signed in to change notification settings - Fork 149
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat: add superchain-registry #699
base: main
Are you sure you want to change the base?
Changes from 5 commits
817c760
fbab36e
f506b8f
1f2c49a
970d94c
601c200
7c836f6
12c6fc6
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
Original file line number | Diff line number | Diff line change | ||||
---|---|---|---|---|---|---|
@@ -0,0 +1,126 @@ | ||||||
# Overview of the Superchain Registry | ||||||
|
||||||
<Callout type="info"> | ||||||
⚠️ This repository is a work in progress. At a later date, it will be proposed to, and must be approved by, Optimism Governance. Until that time, the configuration described here is subject to change. | ||||||
|
||||||
</Callout> | ||||||
|
||||||
The Superchain Registry is a critical component of the Optimism ecosystem, particularly in managing the inclusion and | ||||||
configuration of Layer 2 (L2) chains within the Superchain framework. Optimism's vision for scalability involves the | ||||||
creation of a network of L2 chains, referred to as the Superchain, which leverages the OP Stack—a modular and open-source | ||||||
set of tools for building these chains. | ||||||
The Superchain Registry functions as an index that tracks which chains are part of the Superchain. | ||||||
It ensures transparency by documenting the configuration parameters for each chain, | ||||||
such as their protocol versions and governance settings. This registry is essential for maintaining consistency and | ||||||
security across the network by verifying that all included chains meet the criteria set forth by their | ||||||
respective Blockspace Charters [Optimism Collective](https://gov.optimism.io/t/season-6-introducing-blockspace-charters-superchain-first-governance/8133) | ||||||
[Optimism Docs](https://docs.optimism.io/chain/addresses). | ||||||
|
||||||
The Superchain Registry repository hosts Superchain-configuration data in a minimal human-readable form. | ||||||
This includes mainnet and testnet Superchain targets, and their respective member chains. | ||||||
|
||||||
Other configuration, such as contract-permissions, and `SystemConfig` parameters are hosted and governed onchain. | ||||||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Clarify the use of commas in complex lists. The use of commas in the list of configurations is inconsistent. Consider adding a comma after 'contract-permissions' to improve readability: - Other configuration, such as contract-permissions and `SystemConfig` parameters are hosted and governed onchain.
+ Other configuration, such as contract-permissions, and `SystemConfig` parameters are hosted and governed onchain. Committable suggestion
Suggested change
|
||||||
|
||||||
The superchain configs are made available in minimal form, to embed in OP-Stack software. | ||||||
Full deployment artifacts and genesis-states can be derived from the minimal form using the reference [op-chain-ops](https://github.com/ethereum-optimism/optimism/tree/develop/op-chain-ops) tooling. | ||||||
|
||||||
The `semver.yaml` files each represent the semantic versioning lockfile for all the smart contracts in that superchain. | ||||||
It is meant to be used when building transactions that upgrade the implementations set in the proxies. | ||||||
|
||||||
If you would like to contribute a new chain or superchain, please see our [contributing guide](https://github.com/ethereum-optimism/superchain-registry/blob/main/CONTRIBUTING.md). | ||||||
|
||||||
# Superchain Go Module | ||||||
Superchain configs can be imported as Go-module: | ||||||
|
||||||
``` go get github.com/ethereum-optimism/superchain-registry/superchain@latest``` | ||||||
|
||||||
See [op-chain-ops](https://github.com/ethereum-optimism/optimism/tree/develop/op-chain-ops) for config tooling and for smart-contract bindings. | ||||||
|
||||||
# Validation Go Module | ||||||
|
||||||
A second module exists in this repo whose purpose is to validate the config exported by the `superchain` module. | ||||||
It is a separate module to avoid import cycles and polluting downstream dependencies with things like `go-ethereum` | ||||||
(which is used in the validation tests). | ||||||
The modules are tracked by a top-level go.work file. | ||||||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Ensure consistent use of terminology and capitalization. The term 'top-level' should be hyphenated when used as a compound adjective: - The modules are tracked by a top level go.work file.
+ The modules are tracked by a top-level go.work file. Committable suggestion
Suggested change
|
||||||
The associated `go.work.sum` file is gitignored and not crucial to typical workflows, | ||||||
(perchain-registry/blob/main/.circleci/config.yml). | ||||||
|
||||||
# CheckSecurityConfigs | ||||||
|
||||||
The `CheckSecurityConfigs.s.sol` script is used in CI to perform security checks of OP Chains registered in the superchain directory. | ||||||
At high level, it performs checks to ensure privileges are properly granted to the right addresses. | ||||||
More specifically, it checks the following privilege grants and role designations: | ||||||
|
||||||
### 1. Generic privileges: | ||||||
|
||||||
i. Proxy admins. For example, `L1ERC721BridgeProxy` and `OptimismMintableERC20FactoryProxy` specify | ||||||
the proxy admin addresses who can change their implementations. | ||||||
|
||||||
ii. Address managers. For example, `ProxyAdmin` specifies the address manager it trusts to look up certain addresses by name. | ||||||
iii. Contract owners. For example, many `Ownable` contracts use this role to specify the message senders allowed to make privileged calls. | ||||||
|
||||||
### 2. Optimism privileged cross-contract calls: | ||||||
|
||||||
i. Trusted messengers. For example, `L1ERC721BridgeProxy` and `L1StandardBridgeProxy` specify | ||||||
the cross domain messenger address they trust with cross domain message sender information. | ||||||
ii. Trusted bridges. For example, `OptimismMintableERC20FactoryProxy` specifies | ||||||
the L1 standard bridge it trusts to mint and burn tokens. | ||||||
iii. Trusted portal. For example, `L1CrossDomainMessengerProxy` specifies | ||||||
the portal it trusts to deposit transactions and get L2 senders. | ||||||
iv. Trusted oracles. For example, `OptimismPortalProxy` specifies the L2 oracle they trust with the L2 state root information. | ||||||
a. After the FPAC upgrade, the `OptimismPortalProxy` specifies the `DisputeGameFactory` they trust rather than the legacy `L2OutputOracle` contract. | ||||||
v. Trusted system config. For example, `OptimismPortalProxy` specifies the system config they trust to get resource config from. TODO(issues/37): add checks for the ResourceMetering contract. | ||||||
3. Optimism privileged operational roles: | ||||||
|
||||||
i. Guardians. This is the role that can pause withdraws in the Optimism protocol. | ||||||
a. After the FPAC upgrade, the `Guardian` can also blacklist dispute games and change the respected game type in the `OptimismPortal`. | ||||||
ii. Challengers. This is the role that can delete `L2OutputOracleProxy`'s output roots in the Optimism protocol | ||||||
cpengilly marked this conversation as resolved.
Show resolved
Hide resolved
|
||||||
a. After the FPAC upgrade, the `CHALLENGER` is a permissionless role in the `FaultDisputeGame`. | ||||||
However, in the PermissionedDisputeGame, the `CHALLENGER` role is the only party allowed to dispute | ||||||
output proposals created by the `PROPOSER` role. | ||||||
|
||||||
|
||||||
As a result, here is a visualization of all the relationships the CheckSecurityConfigs.s.sol script checks: | ||||||
|
||||||
L1ERC721BridgeProxy -- "admin()" --> ProxyAdmin | ||||||
L1ERC721BridgeProxy -- "messenger()" --> L1CrossDomainMessengerProxy | ||||||
|
||||||
OptimismMintableERC20FactoryProxy -- "admin()" --> ProxyAdmin | ||||||
OptimismMintableERC20FactoryProxy -- "BRIDGE()" --> L1StandardBridgeProxy | ||||||
|
||||||
ProxyAdmin -- "addressManager()" --> AddressManager | ||||||
ProxyAdmin -- "owner()" --> ProxyOwnerMultisig | ||||||
|
||||||
L1CrossDomainMessengerProxy -- "PORTAL()" --> OptimismPortalProxy | ||||||
L1CrossDomainMessengerProxy -- "addressManager[address(this)]" --> AddressManager | ||||||
|
||||||
L1StandardBridgeProxy -- "getOwner()" --> ProxyAdmin | ||||||
L1StandardBridgeProxy -- "messenger()" --> L1CrossDomainMessengerProxy | ||||||
|
||||||
AddressManager -- "owner()" --> ProxyAdmin | ||||||
|
||||||
OptimismPortalProxy -- "admin()" --> ProxyAdmin | ||||||
OptimismPortalProxy -- "GUARDIAN()" --> GuardianMultisig | ||||||
OptimismPortalProxy -- "L2_ORACLE()" --> L2OutputOracleProxy | ||||||
OptimismPortalProxy -- "SYSTEM_CONFIG()" --> SystemConfigProxy | ||||||
OptimismPortalProxy -- "disputeGameFactory()" --> DisputeGameFactoryProxy | ||||||
|
||||||
L2OutputOracleProxy -- "admin()" --> ProxyAdmin | ||||||
L2OutputOracleProxy -- "CHALLENGER()" --> ChallengerMultisig | ||||||
|
||||||
SystemConfigProxy -- "admin()" --> ProxyAdmin | ||||||
SystemConfigProxy -- "owner()" --> SystemConfigOwnerMultisig | ||||||
|
||||||
DisputeGameFactoryProxy -- "admin()" --> ProxyAdmin | ||||||
DisputeGameFactoryProxy -- "owner()" --> ProxyAdminOwner | ||||||
|
||||||
AnchorStateRegistryProxy -- "admin()" --> ProxyAdmin | ||||||
|
||||||
DelayedWETHProxy -- "admin()" --> ProxyAdmin | ||||||
DelayedWETHProxy -- "owner()" --> ProxyAdminOwner | ||||||
|
||||||
|
||||||
|
||||||
|
||||||
|
||||||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ensure Adequate Explanation or Links for Semantic Versioning Lockfiles
The search results and inspection of markdown files did not reveal any additional documentation or links explaining the semantic versioning lockfiles (
semver.yaml
). To improve clarity, consider adding a brief explanation or a link to relevant documentation within thepages/stack/superchain-registry.mdx
file.Would you like me to draft a brief explanation or find a suitable link to include?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
yes
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@cpengilly, I've prepared a brief explanation and found a suitable link regarding semantic versioning lockfiles. Here's a draft that can be included in the
pages/stack/superchain-registry.mdx
file:This addition should help clarify the purpose and importance of semantic versioning lockfiles within the documentation. If this looks good to you, it can be added to the respective section in the
pages/stack/superchain-registry.mdx
file.