Launch Aave V3 on Metis

l2beat would like to add a few points of consideration to the discussion:

Bridge Security

Right now, similarly to Optimism and Boba, the bridge is not secured at all, as fraud proofs have not been deployed since the upgrade from OVM 1.0. So it is strictly not true that the bridge is “natively verified”. We are looking forward to Optimism, Boba and Metis deploying a fraud proof mechanism in the near future so that the bridge is not secured solely by the centralised Sequencer. Until then, end users - if they spot an erroneous L2 state root commit to L1 - have 7 days to alert the community, with no ability to challenge the Sequencer.

Data Availability Problem

Metis, as of April 2022, is not posting transaction data to the Ethereum chain. The mechanism, as described in the documentation, that will allow Validators to request data from the Sequencer is not yet fully implemented. Again, we are looking forward to the final implementation to fully assess the severity of the griefing problem that such constructions suffer from. Having said that, in general, the Ethereum community regards the griefing problem as unsolvable, and the ultimate security, in the worst-case scenario where the Sequencer is griefing Validators, falls back to the Governance, which would need to boot out the malicious Sequencer. The ultimate fallback to Governance is acknowledged by Metis themselves.

Sequencer Rotation

We would like to ask the Metis team to point out the exact code that implements Sequencer Rotation and the other mechanisms mentioned in the documentation. The currently deployed system does not seem to implement this mechanism, and there is only one Sequencer (0xcDf02971871B7736874E20B8487c019D28090019) that is whitelisted to post transaction batches.

System Validators

Metis relies on Data Availability Validators so that a potentially malicious Sequencer can be challenged if data is withheld; however, right now there is only one address (0x48fE1f85ff8Ad9D088863A42Af54d06a1328cF21) that is whitelisted to perform such a challenge. Our understanding is that ultimately this functionality will be permissionless and open to everyone; in the meantime, end users have to fully trust the Sequencer to post data to the external data store. This is in stark contrast to Optimism and Boba, which post data on-chain, and even though there is no fraud proof mechanism implemented, users can always verify the state by re-executing posted L2 transaction batches, and they have 7 days to alert the community if anything malicious was going on. With Metis, as it stands, if data is not posted to MEMO, there is no way for end users to know if the L2 state root is correct or not, so - in a way - any potential fraud might go undetected in practice.

Summary

We are very much looking forward to the Metis team fully implementing all the mechanisms described in their blog posts and documentation so that a full assessment of the security of their proposed architecture can be performed. Until then, in our opinion, Metis users have to fully trust that the Sequencer is honest.

Disclaimer

The above assessment is derived purely from the analysis of deployed smart contracts listed in Metis Andromeda – L2BEAT. These contracts were deployed in April 2022. If this list is inaccurate and Metis was recently upgraded to a new implementation that we are unaware of, we are more than happy to change the current risk profile; however, the only change that we have observed was the recent change of the Metis Manager from the EOA address 0xDD6FFC7D9a4Fb420b637747edc6456340d12d377 to the Gnosis Safe 0x48fE1f85ff8Ad9D088863A42Af54d06a1328cF21.
