Superchain Configuration

Table of Contents

Overview

The SuperchainConfig contract is used to manage global configuration values for multiple OP Chains within a single Superchain network.

Invariants

iSUPC-001: The Guardian and Pause Deputy must be able to trigger the Pause Mechanism

We require that the SuperchainConfig is constructed such that both the Guardian and the Pause Deputy must be able to trigger the Pause Mechanism at any time.

Impact

Severity: High

Existing recovery runbooks would not function as expected if the SuperchainConfig prevented one of these actors from triggering the pause as needed.

iSUPC-002: The Guardian must be able to reset or undo the Pause Mechanism

We require that the SuperchainConfig is constructed such that the Guardian must be able to reset or unpause the Pause Mechanism at any time.

Impact

Severity: Medium

If the Pause Mechanism cannot be reset then it cannot be used again without intervention from the Proxy Admin Owner. We consider this to be a Medium severity issue because the Proxy Admin Owner will have several months to coordinate such a fix assuming that iSUPC-001 holds.

Function Specification

initialize

  • MUST only be triggerable once.
  • MUST set the value of the Guardian role.
  • MUST set the value of the pause expiry period.

guardian

Returns the address of the current Guardian.

pause

Allows the Guardian to trigger the Pause Mechanism. pause takes an address Pause Identifier as an input. This identifier determines which systems or chains are affected by the pause.

  • MUST revert if called by an address other than the Guardian.
  • MUST revert if the pausable flag for the given identifier is set to 1 (used/unavailable).
  • MUST set the pause timestamp for the given identifier to the current block timestamp.
  • MUST set the pausable flag for the given identifier to 1 (used/unavailable) to prevent repeated pauses without a reset.

unpause

Allows the Guardian to explicitly unpause the system for a given Pause Identifier rather than waiting for the pause to expire. Unpausing a specific identifier does NOT unpause the global pause (zero address identifier). If the global pause is active, all systems will remain paused even if their specific identifiers are unpaused. Note that unpause will not revert if the pause is not currently active which would cause unpause to act like a call to reset.

  • MUST revert if called by an address other than the Guardian.
  • MUST set the pause timestamp for the given identifier to 0, representing "not paused".
  • MUST set the pausable flag for the given identifier to 0 (ready to pause), allowing the pause mechanism to be used again.

pausable

Allows any user to check if the Pause Mechanism can be triggered for a specific Pause Identifier. The pausable status of a specific identifier is independent of the pausable status of the global pause (zero address identifier).

  • MUST return true if the pausable flag for the given identifier is 0 (ready to pause).
  • MUST return false if the pausable flag for the given identifier is 1 (used/unavailable).

paused

Allows any user to check if the system is currently paused for a specific Pause Identifier.

  • MUST return true if the pause timestamp for the given identifier is non-zero AND not expired (current time < pause timestamp + expiry duration).
  • MUST return false otherwise.

expiration

Returns the timestamp at which the pause for a given Pause Identifier will expire. This function only returns the expiration for the specific identifier provided.

  • MUST return the pause timestamp plus the configured expiry duration if the pause timestamp is non-zero.
  • MUST return 0 if the pause timestamp is 0 (system is not paused) for the given identifier.

reset

Allows the Guardian to reset the pause mechanism for a given Pause Identifier, allowing it to be used again. Note that reset will not revert if the pausable flag is already set to zero.

  • MUST revert if called by an address other than the Guardian.
  • MUST set the pausable flag for the given identifier to 0 (ready to pause).
  • MUST NOT modify the pause timestamp for the given identifier.
  • NOTE: Resetting the pausable flag for a specific identifier does not affect the pause status. If a system is currently paused, it will remain paused until explicitly unpaused or until the pause expires.