Skip to content

Commit

Permalink
Merge pull request #163 from ethereum-optimism/update-sc
Browse files Browse the repository at this point in the history
Add DGM security properties
  • Loading branch information
mds1 authored May 6, 2024
2 parents 238cc44 + 4b0a51f commit a4d61e5
Showing 1 changed file with 26 additions and 7 deletions.
33 changes: 26 additions & 7 deletions specs/experimental/security-council-safe.md
Original file line number Diff line number Diff line change
Expand Up @@ -5,13 +5,14 @@
**Table of Contents**

- [Deputy guardian module](#deputy-guardian-module)
- [Deputy Guardian Module Security Properties](#deputy-guardian-module-security-properties)
- [Liveness checking mechanism](#liveness-checking-mechanism)
- [Liveness checking methodology](#liveness-checking-methodology)
- [The liveness guard](#the-liveness-guard)
- [The liveness module](#the-liveness-module)
- [Owner removal call flow](#owner-removal-call-flow)
- [Shutdown](#shutdown)
- [Security Properties](#security-properties)
- [Liveness Security Properties](#liveness-security-properties)
- [In the guard](#in-the-guard)
- [In the module](#in-the-module)
- [Interdependency between the guard and module](#interdependency-between-the-guard-and-module)
Expand All @@ -24,8 +25,10 @@

<!-- END doctoc generated TOC please keep comment here to allow auto update -->

The Security Council uses a specially extended Safe multisig contract to provide additional security
guarantees on top of those provided by the Safe contract.
The Security Council (at
[eth:0xc2819DC788505Aac350142A7A707BF9D03E3Bd03](https://etherscan.io/address/0xc2819DC788505Aac350142A7A707BF9D03E3Bd03))
uses a specially extended Safe multisig contract to provide additional security guarantees on top of
those provided by the Safe contract.

## Deputy guardian module

Expand Down Expand Up @@ -59,14 +62,14 @@ interface DeputyGuardianModule {
function unpause() external;
/// @dev Calls the Security Council Safe's `execTransactionFromModule()`, with the arguments
/// with the arguments necessary to call `blacklistDisputeGame()` on the `DisputeGameFactory` contract.
/// necessary to call `blacklistDisputeGame()` on the `OptimismPortal2` contract.
/// Only the deputy guardian can call this function.
/// @param _portal The `OptimismPortal2` contract instance.
/// @param _game The `IDisputeGame` contract instance.
function blacklistDisputeGame(address _portal, address _game) external;
/// @dev When called, this function will call to the Security Council's `execTransactionFromModule()`
/// with the arguments necessary to call `setRespectedGameType()` on the `OptimismPortal2` contract.
/// @dev Calls the Security Council Safe's `execTransactionFromModule()`, with the arguments
/// necessary to call `setRespectedGameType()` on the `OptimismPortal2` contract.
/// Only the deputy guardian can call this function.
/// @param _portal The `OptimismPortal2` contract instance.
/// @param _gameType The `GameType` to set as the respected game type
Expand All @@ -77,6 +80,22 @@ interface DeputyGuardianModule {
For simplicity, the `DeputyGuardianModule` module does not have functions for updating the `safe` and
`deputyGuardian` addresses. If necessary these can be modified by swapping out with a new module.

### Deputy Guardian Module Security Properties

The following security properties must be upheld by the `DeputyGuardianModule`:

1. The module must correctly enforce access controls so that only the Deputy Guardian can call state
modifying functions on the `DeputyGuardianModule`.
1. The module must be able to cause the Safe to make calls to all of the functions which the
Guardian role is authorized to make.
1. The module must not be able to cause the Safe to make calls to functions which the Guardian role
is not authorized to make.
1. The module must be safely removable.
1. The module must not introduce any possibility of disabling the the Safe so that it can no longer
forward transactions.
1. The module must format calldata correctly such that the target it calls performs the expected
action.

## Liveness checking mechanism

The Security Council's liveness checking mechanism is intended to ensure that any loss of access to
Expand Down Expand Up @@ -157,7 +176,7 @@ In the unlikely event that the signer set (`N`) is reduced below the allowed min
owners, then (and only then) is a shutdown mechanism activated which removes the existing
signers, and hands control of the multisig over to a predetermined entity.

### Security Properties
### Liveness Security Properties

The following security properties must be upheld:

Expand Down

0 comments on commit a4d61e5

Please sign in to comment.