ZIP-5 — Security Council Verification

Protocol Development Security Council
1

[ZIP-5] Upgrade Governance Contracts — Security Council Verification

The Security Council has completed its review of ZIP-5 and has verified the accuracy of the call data associated with the proposal. During the review, three key issues were identified and have been acknowledged by the proposal author.

1. Discrepancy in Voting Delay and Quorum Extension

The ZIP-5 proposal initially stated that the late quorum vote extension would be reduced from 7 days to 2 days, whereas the call data indicated a 3-day extension instead. After internal verification, it has been confirmed that the intended and correct value for both the voting delay and quorum extension is 3 days.

While the proposal cannot be edited once posted on Tally, the ZIP-5 forum post has been updated to be consistent with the call data.

2. Erroneous Refund Recipient Address

A second issue was identified in the refund recipient address for requestL2Transaction transactions. The recipient address was found to be:

0x1804c8AB1F12E6bbf3894d4083f33e07309d1f38

This address is the default Foundry script address and was likely included by accident. While this does not pose an immediate security risk, it is not the intended recipient for refunds. Moving forward, a more appropriate refund recipient should be designated to prevent accidental misallocation of funds.

The losses associated with this error are very small, and the proposal author decided it did not warrant further action.

3. Emergency Upgrade Required

The BridgeHub, StateTransitionManager, L1SharedBridge, ValidatorTimelock, and L1USDCBridge contracts are all 2-step ownable. Since the upgrade does not call acceptOwnership on any of the affected contracts, it means that the current protocol upgrade handler will remain the owner of some contracts while the new upgrade handler has permissions on L2.

The proposal author acknowledged that the intention was always to execute an Emergency Upgrade to acceptOwnership. This also presents an opportunity to test the Emergency Upgrade functionality on mainnet.

The Security Council agrees with this approach and is onboard with initiating an Emergency Upgrade to finalize the implementation of ZIP-5. A recommendation was made by the Security Council for the proposal author to update the forum thread with information about this step.

Next Steps

The Security Council will continue to monitor governance proposals to ensure accuracy and alignment with the intended governance framework.