- Tom Lehman's presentation argued Base and similar rollups can be shut down (users can't transact) because critical functions, including forced inclusion, are controlled by a small number of signatures (15 for Base) that can upgrade contracts.
- Lehman contended that current forced inclusion fallbacks, while theoretically offering L1 censorship resistance, are practically insufficient due to severe limitations (e.g., 98% throughput reduction, 12-hour delay) and the fact that these mechanisms can be disabled via governance.
- The Q&A explored the definition of "shutdown," the significance of bridge security versus protocol liveness, L2Beat's risk assessment methodology, and potential fixes like making forced inclusion immutable and increasing its gas limits.
Presentation: Gone in 15 Signatures
- Widespread Vulnerability: Most rollups share similar vulnerabilities. Base requires 15 signatures to control its system.
- Centralized Sequencing Issues: While centralized sequencers offer UX benefits, they are a central control point. The Base sequencer can be disabled with zero keys (e.g., hardware failure) or a 3-of-14 multisig.
- Force Inclusion Limitations: Base has a force inclusion mechanism for users to submit transactions directly to L1, bypassing the sequencer.
  - A positive is that gas is paid in L1 ETH ("guaranteed gas market").
  - However, it has a 12-hour delay and, critically, its throughput is limited to 20 million gas per L1 block, a 98% reduction from Base's normal capacity, rendering it practically unusable for most.
- Overarching Governance Risks: Crucially, the force inclusion mechanism itself (via the OptimismPortal2 contract) is upgradeable and can be disabled entirely by the same 15 signatures that control Base. This undermines claims of inheriting L1 censorship resistance. Lehman noted Blast once did this.
- The "15 Signatures": Control over Base upgrades rests with the Base Security Council (7-of-10), the Base Multisig (3-of-6), and the OP Foundation Operations Safe (5-of-7). The latter also has roles in other OP Stack rollups, indicating shared risk. Transparency is an issue, as signers for some key multisigs are not publicly known.
- Ultimate Control: The Optimism Collective (via token voting) and the OP Foundation (a Cayman Islands entity with a 5-person board and broad discretionary carve-outs) are presented as the ultimate controllers.
- Proposed Fixes: Lehman urged making force inclusion impossible to disable and significantly raising its 20 million gas cap. He deemed current plans for "exit windows" insufficient.
Q&A
Q (Boris Dyakov): Would it be trivial to raise the 20 million gas force inclusion limit for OP Stack rollups?
A (Tom Lehman): Yes, it's a configuration value changeable by the 15-signature multisig. He recommended raising it.
Q (Timothy Clancy): The draining of a canonical bridge isn't "only money" as it's how L1 proves rollup state. Sovereign rollups are just alt-L1s.
A (Tom Lehman): If forced inclusion can be paid with L1 gas, the bridge is more application-level. Sovereign rollups derive their state from L1 history, not their own consensus mechanism for block production, unlike alt-L1s.
Q (Luca Donno): If Base implemented your suggestions for forced inclusion (immutable portal, increased gas limit) but other contracts like proofs remained upgradeable by 15 signatures, how much happier would you be?
A (Tom Lehman): He would be significantly happier because users could still transact, provided the gas cap for forced inclusion was reasonably high.
Q (Luca Donno): I wouldn't be much happier as the bridge, securing billions, would still be vulnerable. What's the utility if everyone loses their money, even if they can transact?
A (Tom Lehman): He acknowledged the concern but emphasized distinguishing protocol-level security (ability to transact) from application-level security (like specific bridges). He suggested L2Beat could potentially apply different frameworks.
Q (Boris Dyakov): Can anyone run a Base node? Is it permissionless?
A (Tom Lehman): Yes, anyone can run node software and permissionlessly derive the canonical "safe" state from L1 data. However, access to "unsafe" blocks (pre-confirmation state) and the batcher role (posting to L1) are permissioned.
Q (Irfan Shaik): What's the agenda for the next call?
A (Tom Lehman): The next call will likely focus on how to fix the OP Stack with respect to unstoppability, particularly exploring the "sovereign rollup" approach.
Q (Julie B.): Suggested the Aztec system as a potential case study.
A (Tom Lehman): Agreed, stating it's important to look at new approaches like Aztec and Signet that aim for immutability or different trust models.
Participants
Tom Lehman, Julie, Luca Donno, Boris Dyakov, Timothy Clancy, Irfan Shaik, Julie B.