PNC Mainnet
Security
Privileged Roles

Privileged Roles in PNC Mainnet

PNC Mainnet is on a Pragmatic Path to Decentralization. In its current state, PNC Mainnet still includes some "privileged" roles that give certain addresses the ability to carry out specific actions. Read this page to understand these roles, why they exist, and what risks they pose.

L1 Proxy Admin

The L1 Proxy Admin is an address that can be used to upgrade most PNC Mainnet system contracts.

Risks

  • Compromised L1 Proxy Admin could upgrade contracts to malicious versions.
  • Compromised L1 Proxy Admin could remove or lock ETH or tokens in the Standard Bridge.
  • Compromised L1 Proxy Admin could fail to mitigate a risk as described on this page.

Mitigations

Addresses

L2 Proxy Admin

The L2 Proxy Admin is an address that can be used to upgrade most PNC Mainnet system contracts on L2.

Risks

  • Compromised L2 Proxy Admin could upgrade contracts to malicious versions.
  • Compromised L2 Proxy Admin could remove or lock ETH or tokens in the Standard Bridge.
  • Compromised L2 Proxy Admin could fail to mitigate a risk as described on this page.

Mitigations

  • L2 Proxy Admin is controlled by the same L1 account as the L1 Proxy Admin.

Addresses

System Config Owner

The System Config Owner is an address that can be used to change the values within the SystemConfig contract on Ethereum.

Risks

  • Compromised System Config Owner could cause a temporary network outage.
  • Compromised System Config Owner could cause users to be overcharged for transactions.

Mitigations

Addresses

Batcher

Description

The Batcher is a software service that submits batches of transactions to Ethereum on behalf of the current PNC Mainnet Sequencer. PNC Mainnet nodes will look for transactions from this address to find new batches of L2 transactions to process.

Risks

  • Batcher address is typically a hot wallet.
  • Compromised batcher address can cause L2 reorgs or sequencer outages.

Mitigations

  • Compromised batcher address cannot publish invalid transactions.
  • Compromised batcher address can be replaced by the L1 Proxy Admin.

Addresses

Proposer

Description

The Proposer is a role that is allowed to create instances of the PermissionedDisputeGame dispute game type. The PermissionedDisputeGame can be used as a fallback dispute game in the case that the FaultDisputeGame is found to include a critical security vulnerability. The Guardian role is responsible for changing the respected dispute game type if necessary.

Capabilities

  • Can create instances of the PermissionedDisputeGame dispute game type.
  • Can participate in the PermissionedDisputeGame dispute game process.

Risks

  • Proposer address is typically a hot wallet.
  • Compromised proposer address could propose invalid state proposals.
  • Invalid state proposals can be used to execute invalid withdrawals after 7 days.

Mitigations

  • Compromised proposer address can be replaced by the L1 Proxy Admin.
  • Invalid state proposals can be challenged by the Challenger within 7 days.

Addresses

Challenger

Description

The Challenger is an address that can participate in and challenge PermissionedDisputeGame instances created by the Proposer role.

Capabilities

  • Can participate in the PermissionedDisputeGame dispute game process.

Risks

  • Compromised challenger could invalidate valid state proposals.
  • Compromised challenger could fail to challenge invalid state proposals.

Mitigations

  • Compromised challenger address can be replaced by the L1 Proxy Admin.
  • Challenges can be executed by replaced challenger address.

Addresses

Guardian

Description

The Guardian is an address that can be used to pause several system contracts on PNC Mainnet. This is a backup safety mechanism that allows for a temporary halt, particularly of withdrawal logic, in the event of a security concern. The Guardian can also manage various aspects of the PinnacleChain contract to address active security concerns.

Capabilities

  • Pause several system contracts on PNC Mainnet.
  • Disable the ability for specific dispute game types from being used to execute withdrawals.
  • Disable the ability for specific dispute game instances from being used to execute withdrawals.

Risks

  • Compromised guardian could pause withdrawals indefinitely.

Mitigations

  • Compromised guardian address can be replaced by the L1 Proxy Admin.
  • Withdrawals can be unpaused by replaced guardian address.

Addresses

Mint Manager Owner

The Mint Manager Owner is an address that controls the MintManager contract that can be used to mint new PNC tokens on PNC Mainnet.

Risks

  • Compromised Mint Manager Owner could mint arbitrary amounts of PNC tokens.
  • Compromised Mint Manager Owner could prevent PNC tokens from being minted.

Mitigations

  • Mint Manager Owner is a 3-of-5 multisig.

Addresses

  • Ethereum: 0x2a82ae142b2e62cb7d10b55e323acb1cab663a26
  • Sepolia: 0x5c4e7ba1e219e47948e6e3f55019a647ba501005
Security Model & FAQSecurity Policy