wstETH on Optimism: bridging security management

Bridging stETH to Optimism

Making Lido’s stETH available across L2 has been pronounced as one of Lido’s main OKRs for 2022. As part of this work, the Lido dev team is preparing to release a bridging solution for Optimism that aims at providing the benefits of yield-bearing staking tokens to users on Optimism.

General bridging solution overview

Because of its rebasing nature, bridging stETH adds a whole layer of complexity to the bridging itself, and to the upcoming integrations of the bridged token across the L2 protocols. E.g. the rewards would normally accrue to the bridge contract and it would take a sophisticated technical solution to mirror the rebases on L2s. It has been decided to go ahead with wstETH, the stable balance wrapper token already adopted widely by many Ethereum-native protocols (see Balancer, Maker).

The bridging solution for wstETH is being built based on a standard Optimism bridge. The implementation consists of two parts - the L1-side bridge and the L2-side bridge. Additionally, there will be some administrative features, i.e. the option to temporarily disable the deposits and withdrawals on each side. It can be of use in case of any malicious usage of the bridge or vulnerability in the smart contracts. Besides, it might be helpful in the implementation upgrade process.

Read the full tech specification of the wstETH bridging solution here.

Security proposal

According to Lido’s high security standards, it is critical to define the actors capable of upgrading the bridging solution on both L1 and L2 sides, as well as using emergency brakes functionality to disable deposits and withdrawals.

We propose establishing two Bridge Guardian Multi-sigs on L1 and L2 with identical composition, and assigning administrative roles as follows:

  • DAO Agent can trigger implementation upgrade on L1 (via DAO voting)
  • DAO Agent can disable and enable deposits and withdrawals on the L1 side
  • Ethereum mainnet Bridge Guardian Multi-sig can disable deposits and withdrawals on the L1 side in case of emergency (no need to wait 3 days of DAO voting)
  • Optimism Bridge Guardian Multi-sig can trigger implementation on the L2 side
  • Optimism Bridge Guardian Multi-sig can disable and enable deposits and withdrawals on the L2 side

We have also considered skipping the L2 multi-sig and relying on messages sent from L1 for administrative needs. However, there are two main reasons we propose handling it with multi-sig at least for now:

  1. From our research, it looks like implementing proper L1 → L2 message sending to control the L2 bridge would take additional time and extend the codebase by several smart contracts. This can be done later as an upgrade if it appears to be necessary.
  2. In case of L1 → L2 connectivity issues, we would still need an emergency multi-sig on the L2 side.

Multi-sig composition

We would like to nominate a few Lido core contributors for the multi-sigs on both Ethereum and Optimism sides. The proposed signers would be:

  • @vsh - Lido’s tech lead;
  • @skozin - Lido’s core protocol developer;
  • @ujenjt - Lido’s core protocol developer;
  • @kadmil - Lido’s core protocol developer;
  • @psirex - Lido’s integrations team developer.

We propose having at least a 4/7 multi-sig on each side; thus, you are very much welcome to nominate more signers for the Bridge Guardian multi-sig.

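To make the role split in the proposal concrete, here is an added illustration of how the L1-side emergency-brake permissions could be wired. This is example code written for this thread, not Lido's bridge implementation; the contract name, role names and the two constructor addresses are assumptions. The security-relevant point it shows is the asymmetry: the DAO Agent (admin) can disable and re-enable deposits and withdrawals, while the Bridge Guardian multi-sig can only disable them, so a compromised or hasty guardian can halt flows but cannot resume them, grant roles, or upgrade. On the L2 side the same contract would be deployed with the Optimism Bridge Guardian multi-sig as admin, matching the proposal's L2 roles.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

/// Added example, not Lido's code: a minimal bridging manager with
/// separate enabler/disabler roles for deposits and withdrawals.
/// Upgrade authority (the proxy admin) is intentionally held outside
/// this contract and is not modeled here.
contract BridgingManagerExample {
    bytes32 public constant ADMIN_ROLE                = keccak256("ADMIN_ROLE");
    bytes32 public constant DEPOSITS_ENABLER_ROLE     = keccak256("DEPOSITS_ENABLER_ROLE");
    bytes32 public constant DEPOSITS_DISABLER_ROLE    = keccak256("DEPOSITS_DISABLER_ROLE");
    bytes32 public constant WITHDRAWALS_ENABLER_ROLE  = keccak256("WITHDRAWALS_ENABLER_ROLE");
    bytes32 public constant WITHDRAWALS_DISABLER_ROLE = keccak256("WITHDRAWALS_DISABLER_ROLE");

    mapping(bytes32 => mapping(address => bool)) private _roles;
    bool public isDepositsEnabled;
    bool public isWithdrawalsEnabled;

    event RoleGranted(bytes32 indexed role, address indexed account);
    event RoleRevoked(bytes32 indexed role, address indexed account);
    event DepositsEnabled(address indexed by);
    event DepositsDisabled(address indexed by);
    event WithdrawalsEnabled(address indexed by);
    event WithdrawalsDisabled(address indexed by);

    error Unauthorized(bytes32 role, address account);
    error DepositsDisabled_();
    error WithdrawalsDisabled_();

    modifier onlyRole(bytes32 role) {
        if (!_roles[role][msg.sender]) revert Unauthorized(role, msg.sender);
        _;
    }

    /// @param admin          L1: the DAO Agent; L2: the Optimism Bridge Guardian multi-sig
    /// @param emergencyBrake the Bridge Guardian multi-sig that may only disable flows
    constructor(address admin, address emergencyBrake) {
        // Admin holds every role and is the only account that can grant roles.
        _grant(ADMIN_ROLE, admin);
        _grant(DEPOSITS_ENABLER_ROLE, admin);
        _grant(DEPOSITS_DISABLER_ROLE, admin);
        _grant(WITHDRAWALS_ENABLER_ROLE, admin);
        _grant(WITHDRAWALS_DISABLER_ROLE, admin);
        // Emergency brake: can stop flows immediately, cannot resume them.
        _grant(DEPOSITS_DISABLER_ROLE, emergencyBrake);
        _grant(WITHDRAWALS_DISABLER_ROLE, emergencyBrake);
    }

    function hasRole(bytes32 role, address account) external view returns (bool) {
        return _roles[role][account];
    }

    function grantRole(bytes32 role, address account) external onlyRole(ADMIN_ROLE) {
        _grant(role, account);
    }

    function revokeRole(bytes32 role, address account) external onlyRole(ADMIN_ROLE) {
        _roles[role][account] = false;
        emit RoleRevoked(role, account);
    }

    function enableDeposits() external onlyRole(DEPOSITS_ENABLER_ROLE) {
        isDepositsEnabled = true;
        emit DepositsEnabled(msg.sender);
    }

    function disableDeposits() external onlyRole(DEPOSITS_DISABLER_ROLE) {
        isDepositsEnabled = false;
        emit DepositsDisabled(msg.sender);
    }

    function enableWithdrawals() external onlyRole(WITHDRAWALS_ENABLER_ROLE) {
        isWithdrawalsEnabled = true;
        emit WithdrawalsEnabled(msg.sender);
    }

    function disableWithdrawals() external onlyRole(WITHDRAWALS_DISABLER_ROLE) {
        isWithdrawalsEnabled = false;
        emit WithdrawalsDisabled(msg.sender);
    }

    // Bridge entry points would carry these guards; bodies are placeholders.
    modifier whenDepositsEnabled() {
        if (!isDepositsEnabled) revert DepositsDisabled_();
        _;
    }

    modifier whenWithdrawalsEnabled() {
        if (!isWithdrawalsEnabled) revert WithdrawalsDisabled_();
        _;
    }

    function _grant(bytes32 role, address account) internal {
        _roles[role][account] = true;
        emit RoleGranted(role, account);
    }
}
```

The events on every state change are deliberate: an off-chain monitor watching DepositsDisabled/WithdrawalsDisabled and RoleGranted is the cheapest way to detect the emergency brake being pulled, or a role being granted outside a DAO vote, without depending on the signers themselves to report it.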

There’s also work on bridging wstETH to Arbitrum being done in parallel with bridging wstETH to Optimism.
Although technical implementation is obviously slightly different, the security setup appears to be very similar to one on the Optimism bridge.
We propose applying the above approach to Arbitrum bridging as well and using the very same Bridge Guardian multi-sigs for emergency brakes on L1 and future upgrades on the Arbitrum side.


I can nominate myself if it is appropriate.

I’m glad to see this proposal, but I feel that the progress is still too slow…

We intended to consider protocol contributors from the Lido and Optimism sides. Connection with the teams and high availability in case of emergency are required as well.
Could you make a short introduction about yourself please?

Bridging to Opti and Arbi is literally around the corner now.
But it did take significant time: while bridging assets in a safe manner we need to preserve future options of allowing protocol governance to L2 assets and potentially introduce Ethereum liquid staking as an option right there on L2s.


I’m really not a fan of this approach but I see why it’s necessary for the time being. Every multisig we deploy is a liability. The more power it has, the more the liability.


I must be missing something but I thought the entire reason L2s are dope is because bridging via multisigs weren’t necessary.

I’m pretty worried about a multisig bridge. I don’t want to see Lido added to the laundry list of hacks due to security flaws inherent with multisigs.

Maybe having a cap on the amount the bridge controls based on the number of multisig signers would be the best option. More wstETH = more signers must be added.

It’s not a multisig bridge. It’s multisigs for upgrading the wstETH bridging contracts on L2 & safeguarding operations with an “emergency stop” kind of thing. To be clear, those aren’t meant in any (any-any!) sense to act as “multisig bridges” where some quorum of dedicated partners should agree on a deposit/withdrawal happening.


As GrStepanov has mentioned, we’re working on the solution which would allow us not to have “upgrade multisigs”, though it’s not something readily available, unfortunately.


Aren’t the Optimism and Arbitrum bridges upgradable? Thus not trustless?

Hmm, not really. Default bridged token implementations don’t allow for upgradability (I can see why, tbh), and there’s no off-the-shelf solution for now.

Short update on “upgrade multisig”: we’ve found out that there are “almost ready” contracts solving for the same issue we have at hand. Will be evaluating and be back in about a week or two, once more info is available. From the looks of it there’s a decent chance we won’t have to resort to multisig for such a crucial thing as bridge upgrades.
