From e30511a58824137228a4d0d652b0f14f48f8d46b Mon Sep 17 00:00:00 2001 From: leruaa Date: Wed, 8 Jan 2025 06:42:07 -0800 Subject: [PATCH 1/6] add FMA for operator fee --- security/fma-operator-fee.md | 59 ++++++++++++++++++++++++++++++++++++ 1 file changed, 59 insertions(+) create mode 100644 security/fma-operator-fee.md diff --git a/security/fma-operator-fee.md b/security/fma-operator-fee.md new file mode 100644 index 00000000..8f34e524 --- /dev/null +++ b/security/fma-operator-fee.md 
@@ -0,0 +1,59 @@ +# [Operator Fee]: Failure Modes and Recovery Path Analysis + + + + +- [Introduction](#introduction) +- [Failure Modes and Recovery Paths](#failure-modes-and-recovery-paths) + - [FM1: Operator Fee scalars are set to incorrect values](#fm1-operator-fee-scalars-are-set-to-incorrect-values) + - [Generic items we need to take into account:](#generic-items-we-need-to-take-into-account) +- [Action Items](#action-items) + + + +| | | +| ------------------ | -------------------------------------------------- | +| Author | leruaa | +| Created at | 2025-01-08 | +| Initial Reviewers | | +| Need Approval From | maurelian | +| Status | Draft | + +## Introduction + +This document covers initial deployment of Operator Fee. + +The OperatorFee is a new transaction fee that allows new OP chain variants to account for their unique cost structure. For example, the existing fee structure isn't friendly to chains using alt-DA's, since the l1fee only accounts for Ethereum's blobGasFee instead of an alt-DA's fee. + +Below are references for this project: + +- [Design Doc](../protocol/operator-fee.md) +- [Spec](https://github.com/ethereum-optimism/specs/pull/382) + +## Failure Modes and Recovery Paths + +### FM1: Operator Fee scalars are set to incorrect values + +- **Description:** + If the operator fee scalars are incorrectly initialized or updated, there is a risk that the transcations fees will be too high. This could lead to a situation where the chain become unusable. +- **Risk Assessment:** High impact, low likelihood. + **Mitigations:** + Every operator fee scalars update should be carefully tested and reviewed before deployment. +- **Detection:** + Monitoring gas cost estimation. +- **Recovery Path(s)**: + If the operator fee parameters are set to unreasonable values, the rollup operator should update the `operatorFeeScalar` and `operatorFeeConstant` to reasonable values as soon as possible. 
+ +### Generic items we need to take into account: + +See [./fma-generic-hardfork.md](./fma-generic-hardfork.md). + +- [X] Check this box to confirm that these items have been considered and updated if necessary. + +## Action Items + +Below is what needs to be done before launch to reduce the chances of the above failure modes occurring, and to ensure they can be detected and recovered from: + +- [ ] Resolve all comments on this document and incorporate them into the document itself (Assignee: document author) +- [ ] _Action item 2 (Assignee: tag assignee)_ +- [ ] _Action item 3 (Assignee: tag assignee)_ From bd02ef3c6110b64e026fffa5a3b879fa8800a578 Mon Sep 17 00:00:00 2001 From: leruaa Date: Fri, 10 Jan 2025 12:34:33 -0800 Subject: [PATCH 2/6] feedbacks --- security/fma-operator-fee.md | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/security/fma-operator-fee.md b/security/fma-operator-fee.md index 8f34e524..5f47ba2a 100644 --- a/security/fma-operator-fee.md +++ b/security/fma-operator-fee.md @@ -25,6 +25,8 @@ This document covers initial deployment of Operator Fee. The OperatorFee is a new transaction fee that allows new OP chain variants to account for their unique cost structure. For example, the existing fee structure isn't friendly to chains using alt-DA's, since the l1fee only accounts for Ethereum's blobGasFee instead of an alt-DA's fee. +Also, For OP Stack variants that want to utilize ZK proofs, the cost of ZK proving a transaction is a significant resource that is not taken into consideration in the current fee structure. + Below are references for this project: - [Design Doc](../protocol/operator-fee.md) 
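Review bot: In the new FM1 block of security/fma-operator-fee.md, the `+ **Mitigations:**` line has no leading `- `, so it renders as a continuation of the Risk Assessment bullet instead of as its own field like Description, Detection and Recovery Path(s); change it to `- **Mitigations:**`. In the same block, "transcations fees" should be "transaction fees" and "the chain become unusable" should be "becomes unusable". The Detection entry, "Monitoring gas cost estimation", is too thin to act on: say what is compared with what (for instance the estimated fee of a reference transaction against the value expected under the configured scalars) and where the alert goes. The Recovery Path names `operatorFeeScalar` and `operatorFeeConstant` but not the mechanism or the role that is allowed to update them, which is exactly what an on-call engineer following this document would need. The Action Items list still carries the `_Action item 2_` / `_Action item 3_` template placeholders.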
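Review bot: In the added Introduction sentence, "Also, For OP Stack variants" capitalises "For" after the comma; lower-case it. "the cost of ZK proving a transaction is a significant resource" mixes cost and resource; "is a significant cost that is not taken into consideration" reads cleanly.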
@@ -36,9 +38,10 @@ Below are references for this project: - **Description:** If the operator fee scalars are incorrectly initialized or updated, there is a risk that the transcations fees will be too high. This could lead to a situation where the chain become unusable. -- **Risk Assessment:** High impact, low likelihood. +- **Risk Assessment:** + High impact, low likelihood. **Mitigations:** - Every operator fee scalars update should be carefully tested and reviewed before deployment. + Every update to the operator fee scalars should be carefully tested and reviewed before deployment. - **Detection:** Monitoring gas cost estimation. - **Recovery Path(s)**: From be6aa6e61d67e5b9e7f7f26e95b4426141522057 Mon Sep 17 00:00:00 2001 From: Ratan Kaliani Date: Mon, 3 Feb 2025 11:46:48 -0800 Subject: [PATCH 3/6] feat: add more failure modes --- security/fma-operator-fee.md | 42 ++++++++++++++++++++++++++++++++++++ 1 file changed, 42 insertions(+) diff --git a/security/fma-operator-fee.md b/security/fma-operator-fee.md index 5f47ba2a..7be50336 100644 --- a/security/fma-operator-fee.md +++ b/security/fma-operator-fee.md 
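Review bot: The reflow of the Risk Assessment and Mitigations lines in this hunk still leaves `**Mitigations:**` without the `- ` list marker that the neighbouring fields have; since the hunk already touches that line, add the marker here. The unchanged context directly above it still reads "transcations fees" and "the chain become unusable", which this feedback pass could fix at the same time.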
@@ -47,6 +47,48 @@ Below are references for this project: - **Recovery Path(s)**: If the operator fee parameters are set to unreasonable values, the rollup operator should update the `operatorFeeScalar` and `operatorFeeConstant` to reasonable values as soon as possible. +### FM2: Broken Fee Estimation (Wallets) + +- **Description:** + If wallets fail to update their fee estimation logic, users will no longer be shown the accurate costs of a transaction. +- **Risk Assessment:** + Medium impact, medium likelihood. + **Mitigations:** + Coordinate with wallet providers to update their fee estimation logic. This includes MetaMask, Coinbase Wallet, and others. +- **Detection:** + Confirm that wallets are using the correct fee estimation logic post-launch. This can be done manually on chains that have added an operator fee. +- **Recovery Path(s)**: + Notify wallets of the new fee structure and ask them to update their fee estimation logic if the operator fee is enabled. + +### FM3: Bug in Receipt Hydrating Logic + +- **Description:** + If there is a bug in the receipt hydrating logic, the operator fee may not be correctly reflected in transaction receipts, leading to incorrect fee reporting and potential accounting issues. +- **Risk Assessment:** + Medium impact, low likelihood. +- **Mitigations:** + Extensive testing of receipt hydration with various transaction types and fee configurations. Ensure backwards compatibility with existing receipt formats. +- **Detection:** + Monitor transaction receipts and compare reported fees with expected calculations. Watch for discrepancies in accounting systems. +- **Recovery Path(s):** + Deploy fix for receipt hydration logic. Historical receipts will remain incorrect but can be recalculated using on-chain data if needed. + +### FM4: Database Growth Impact on Nodes + +- **Description:** + The addition of operator fee fields increases the size of transaction receipts, leading to faster database growth. 
This could accelerate the need for solutions like EIP-4444 or other history expiry mechanisms. +- **Risk Assessment:** + Medium impact, high likelihood. +- **Mitigations:** + - Implement history expiry solutions like EIP-4444 when available. +- **Detection:** + - Monitor database growth rate compared to pre operator fee baseline. + - Track disk usage metrics across internal nodes. +- **Recovery Path(s):** + - Use archive nodes to maintain historical data. + - Consider implementing receipt compression retroactively if needed. + + ### Generic items we need to take into account: See [./fma-generic-hardfork.md](./fma-generic-hardfork.md). From 34fc92c6625fa8d2c1debfb779771b042d48485d Mon Sep 17 00:00:00 2001 From: Ratan Kaliani Date: Mon, 3 Feb 2025 12:32:37 -0800 Subject: [PATCH 4/6] fix: TOC --- security/fma-operator-fee.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/security/fma-operator-fee.md b/security/fma-operator-fee.md index 7be50336..2ef84bb1 100644 --- a/security/fma-operator-fee.md +++ b/security/fma-operator-fee.md @@ -6,6 +6,9 @@ - [Introduction](#introduction) - [Failure Modes and Recovery Paths](#failure-modes-and-recovery-paths) - [FM1: Operator Fee scalars are set to incorrect values](#fm1-operator-fee-scalars-are-set-to-incorrect-values) + - [FM2: Broken Fee Estimation (Wallets)](#fm2-broken-fee-estimation-wallets) + - [FM3: Bug in Receipt Hydrating Logic](#fm3-bug-in-receipt-hydrating-logic) + - [FM4: Database Growth Impact on Nodes](#fm4-database-growth-impact-on-nodes) - [Generic items we need to take into account:](#generic-items-we-need-to-take-into-account) - [Action Items](#action-items) From 0e2f1628a50ddb5dfc7db8b537f41e23b95b8697 Mon Sep 17 00:00:00 2001 From: Ratan Kaliani Date: Mon, 3 Feb 2025 12:36:51 -0800 Subject: [PATCH 5/6] feat: remove generic items --- security/fma-operator-fee.md | 8 -------- 1 file changed, 8 deletions(-) 
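Review bot: In the FM2 block, `+ **Mitigations:**` lacks the `- ` marker that FM3 and FM4 use (`+- **Mitigations:**`), so the four failure-mode sections render differently; make FM2 match. FM2's Recovery Path ("Notify wallets of the new fee structure and ask them to update") restates its Mitigation rather than saying what happens once the failure is observed; either describe what users or the chain operator can do while wallet estimates are wrong, or merge the two entries. FM3's Recovery Path states that historical receipts "will remain incorrect", which deserves a sentence in the Risk Assessment or an explicit warning that downstream accounting must not rely on receipts produced before the fix. FM4's only mitigation, "Implement history expiry solutions like EIP-4444 when available", is not available at launch; a launch-time item such as measuring the per-receipt size increase and projecting growth against current disk headroom would also give the Detection bullet ("compared to pre operator fee baseline") a concrete baseline. Minor: "pre operator fee baseline" should be hyphenated ("pre-operator-fee baseline").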
diff --git a/security/fma-operator-fee.md b/security/fma-operator-fee.md index 2ef84bb1..0b9f6ef1 100644 --- a/security/fma-operator-fee.md +++ b/security/fma-operator-fee.md @@ -9,7 +9,6 @@ - [FM2: Broken Fee Estimation (Wallets)](#fm2-broken-fee-estimation-wallets) - [FM3: Bug in Receipt Hydrating Logic](#fm3-bug-in-receipt-hydrating-logic) - [FM4: Database Growth Impact on Nodes](#fm4-database-growth-impact-on-nodes) - - [Generic items we need to take into account:](#generic-items-we-need-to-take-into-account) - [Action Items](#action-items) @@ -91,13 +90,6 @@ Below are references for this project: - Use archive nodes to maintain historical data. - Consider implementing receipt compression retroactively if needed. - -### Generic items we need to take into account: - -See [./fma-generic-hardfork.md](./fma-generic-hardfork.md). - -- [X] Check this box to confirm that these items have been considered and updated if necessary. - ## Action Items Below is what needs to be done before launch to reduce the chances of the above failure modes occurring, and to ensure they can be detected and recovered from: From f6e5bf80af58243f9139af6f6fcc9e825372e86a Mon Sep 17 00:00:00 2001 From: leruaa Date: Tue, 4 Feb 2025 07:43:30 -0800 Subject: [PATCH 6/6] feat: add a generic item --- security/fma-generic-hardfork.md | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/security/fma-generic-hardfork.md b/security/fma-generic-hardfork.md index 4407ad52..eeb78fbc 100644 --- a/security/fma-generic-hardfork.md +++ b/security/fma-generic-hardfork.md 
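Review bot: Deleting the "Generic items we need to take into account" section in the second hunk also deletes the only pointer from this FMA to `./fma-generic-hardfork.md` and the `[X]` confirmation that the generic hardfork failure modes were reviewed. If the aim is to avoid duplicating the generic checklist, keep a one-line reference to that file so a reader of the operator-fee FMA can still find the hardfork-wide failure modes; dropping the TOC entry in the first hunk is consistent with the deletion, but the reference should survive somewhere in the document.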
@@ -86,3 +86,17 @@ Since there is no chain halt, we can just live with it and fix it in an upcoming - [ ] ACTION ITEM (BLOCKING): We have implemented extensive cross-client / differential testing of the new functionality. - **Detection:** Replicas of one kind of client will diverge from the sequencer - **Recovery Path(s)**: Most likely we would have the op-node/op-geth chain be the canonical one as this is the reference implementation. Other clients would need to be patched to resolve any discrepancies. + +### Operator fee: `L1Block` badly hydrated + +- **Description:** At each hardfork, new data can be add to the `L1Block` contract, and the method called to hydrate it change (for instance + `setL1BlockValuesEcotone` to `setL1BlockValuesIsthmus`). If there is a bug in a future method ending up to operator fee params no + longer being updated in the `L1Block` contract, the operator fee will no longer be taken into account in transactions fee. +- **Risk Assessment:** medium severity / low likelihood +- **Mitigations:** + Add end to end tests to ensure that the operator fee is taken into account in transactions fee. +- **Detection:** + Monitor the operator fee vault balance and alert if it's no longer increasing for every transactions. +- **Recovery Path(s):** + - If the bug is located in op-node, a new version must be deployed. + - If the bug is located in the `L1Block` contract, the contract must be upgraded to fix the bug. \ No newline at end of file
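Review bot: The Mitigations entry of the new `L1Block` item, "Add end to end tests to ensure that the operator fee is taken into account in transactions fee", is written as prose, while the neighbouring generic item in the context above records the same kind of mitigation as a tracked checklist line (`- [ ] ACTION ITEM (BLOCKING): ...`); use that form so the tests are tracked to completion before the hardfork. The Detection rule, "alert if it's no longer increasing for every transactions", will fire on an idle chain and on a chain whose operator fee parameters are legitimately zero; qualify it, for example alert when the vault balance stops growing while non-zero scalars are configured and transactions are being included. Grammar in the Description: "new data can be add" should be "can be added", "the method called to hydrate it change" should be "changes", "a bug in a future method ending up to operator fee params no longer being updated" reads better as "a bug in a future method that stops the operator fee params from being updated", and "transactions fee" should be "transaction fees" (here and in Mitigations). The Risk Assessment uses "medium severity / low likelihood" whereas the operator-fee FMA in this series writes "Medium impact, low likelihood"; align the two. Lastly, the file now ends without a trailing newline (`\ No newline at end of file`).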