Search

Search for projects by name

Celo logoCelo

Badges

About

Celo is an Ethereum Optimium based on the OP stack, scaling real-world solutions & leading a thriving new digital economy for all.


Value secured
$406.66 M0.00%
Canonically Bridged
$166.94
Natively Minted
$398.82 M
Externally Bridged
$7.84 M

  • Tokens
  • Past day UOPS
    5.440.00%
  • 30D ops count
    2.92 M
  • Gas token
    CELO

  • Type
    Optimium
  • Purpose
    Universal
  • Sequencer failureState validationData availabilityExit windowProposer failure

    Badges

    About

    Celo is an Ethereum Optimium based on the OP stack, scaling real-world solutions & leading a thriving new digital economy for all.

    Recategorisation

    79d
    10h
    00m
    54s

    The project will be classified as "Other" due to its specific risks that set it apart from the standard classifications.

    The project will move to Others because:

    There are less than 5 external actors that can submit challenges

    Consequence: projects without a sufficiently decentralized set of challengers rely on few entities to safely update the state. A small set of challengers can collude with the proposer to finalize an invalid state, which can cause loss of funds.

    There is no data availability bridge

    Consequence: projects without a data availability bridge fully rely on single entities (the sequencer) to honestly rely available data roots on Ethereum. A malicious sequencer can collude with the proposer to finalize an unavailable state, which can cause loss of funds.

    Learn more about the recategorisation
    Value Secured

    2025 Mar 14 — 31

    Activity

    2025 Mar 26 — 30

    Milestones & Incidents

    Celo becomes an Ethereum L2

    2025 Mar 26th

    Celo migrates from an L1 to an L2 architecture on Ethereum and EigenDA.

    Learn more
    Risk summary
    Risk analysis
    Sequencer failureState validationData availabilityExit windowProposer failure

    Sequencer failure

    Self sequence

    In the event of a sequencer failure, users can force transactions to be included in the project’s chain by sending them to L1. There can be up to a 12h delay on this operation.

    State validation

    None

    Although the OP stack fraud proof system is deployed, it assumes by default that data was made available. During a potential data withholding attack, it is impossible to prove a malicious state root.

    Data availability

    External

    Proof construction and state derivation fully rely on data that is posted on EigenDA. Sequencer transaction data roots are not checked against the ServiceManager DA bridge data roots onchain.

    Exit window

    None

    There is no window for users to exit in case of an unwanted regular upgrade since contracts are instantly upgradable.

    Proposer failure

    Cannot withdraw

    Only the whitelisted proposers can publish state roots on L1, so in the event of failure the withdrawals are frozen.

    Technology

    Fraud proofs ensure state correctness

    After some period of time, the published state root is assumed to be correct. For a certain time period, one of the whitelisted actors can submit a fraud proof that shows that the state was incorrect.

    • Funds can be stolen if no validator checks the published state. Fraud proofs assume at least one honest and able validator.

    1. DisputeGameFactory.sol - Etherscan source code, create() function
    2. PermissionedDisputeGame.sol - Etherscan source code, attack() function
    Data availability

    Data is posted to EigenDA

    Transactions roots are posted onchain and the full data is posted on EigenDA. Since the ServiceManager bridge is not used, availability of the data is not verified against EigenDA operators, meaning that the Sequencer can single-handedly publish unavailable commitments.

    • Funds can be lost if the sequencer posts an unavailable transaction root (CRITICAL).

    • Funds can be lost if the data is not available on the external provider (CRITICAL).

    1. EigenDA Docs - Overview
    2. Derivation: Batch submission - OP Mainnet specs
    3. BatchInbox - address
    4. OptimismPortal2.sol - source code, depositTransaction function
    State validation

    Updates to the system state can be proposed and challenged by anyone who has sufficient funds. If a state root passes the challenge period, it is optimistically considered correct and made actionable for withdrawals.


    State root proposals

    Proposers submit state roots as children of the latest confirmed state root (called anchor state), by calling the create function in the DisputeGameFactory. A state root can have multiple conflicting children. Each proposal requires a stake, currently set to 0.0 ETH, that can be slashed if the proposal is proven incorrect via a fraud proof. Stakes can be withdrawn only after the proposal has been confirmed. A state root gets confirmed if the challenge period has passed and it is not countered.

    1. OP stack specification: Fault Dispute Game
    Challenges

    Challenges are opened to disprove invalid state roots using bisection games. Each bisection move requires a stake that increases expontentially with the depth of the bisection, with a factor of 1.09493. The maximum depth is 73, and reaching it therefore requires a cumulative stake of 0.00 ETH from depth 0. Actors can participate in any challenge by calling the defend or attack functions, depending whether they agree or disagree with the latest claim and want to move the bisection game forward. Actors that disagree with the top-level claim are called challengers, and actors that agree are called defenders. Each actor might be involved in multiple (sub-)challenges at the same time, meaning that the protocol operates with full concurrency. Challengers and defenders alternate in the bisection game, and they pass each other a clock that starts with 3d 12h. If a clock expires, the claim is considered defeated if it was countered, or it gets confirmed if uncountered. Since honest parties can inherit clocks from malicious parties that play both as challengers and defenders (see freeloader claims), if a clock gets inherited with less than 3h, it generally gets extended by 3h with the exception of 6h right before depth 30, and 1d right before the last depth. The maximum clock extension that a top level claim can get is therefore 10d. Since unconfirmed state roots are independent of one another, users can decide to exit with a subsequent confirmed state root if the previous one is delayed. Winners get the entire losers’ stake, meaning that sybils can potentially play against each other at no cost. The final instruction found via the bisection game is then executed onchain in the MIPS one step prover contract who determines the winner. The protocol does not enforce valid bisections, meaning that actors can propose correct initial claims and then provide incorrect midpoints. The protocol can be subject to resource exhaustion attacks (Spearbit 5.1.3).

    1. Fraud Proof Wars: OPFP
    Operator

    The system has a centralized operator

    The operator is the only entity that can propose blocks. A live and trustworthy operator is vital to the health of the system.

    • MEV can be extracted if the operator exploits their centralized position and frontruns user transactions.

    Users can force any transaction

    Because the state of the system is based on transactions submitted on the underlying host chain and anyone can submit their transactions there it allows the users to circumvent censorship by interacting with the smart contract on the host chain directly.

    1. Sequencing Window - OP Mainnet Specs
    2. OptimismPortal2.sol - source code, depositTransaction function
    Withdrawals

    Regular exits

    The user initiates the withdrawal by submitting a regular transaction on this chain. When a state root containing such transaction is settled, the funds become available for withdrawal on L1 after 3d 12h. Withdrawal inclusion can be proven before state root settlement, but a 7d period has to pass before it becomes actionable. The process of state root settlement takes a challenge period of at least 3d 12h to complete. Finally the user submits an L1 transaction to claim the funds. This transaction requires a merkle proof.

    1. OptimismPortal2.sol - Etherscan source code, proveWithdrawalTransaction function
    2. OptimismPortal2.sol - Etherscan source code, finalizeWithdrawalTransaction function

    Forced messaging

    If the user experiences censorship from the operator with regular L2->L1 messaging they can submit their messages directly on L1. The system is then obliged to service this request or halt all messages, including forced withdrawals from L1 and regular messages initiated on L2. Once the force operation is submitted and if the request is serviced, the operation follows the flow of a regular message.

    1. Forced withdrawal from an OP Stack blockchain
    Other considerations

    EVM compatible smart contracts are supported

    OP stack chains are pursuing the EVM Equivalence model. No changes to smart contracts are required regardless of the language they are written in, i.e. anything deployed on L1 can be deployed on L2.

    1. Introducing EVM Equivalence
    Permissions

    Ethereum

    Roles:

    Challenger 0x6b14…9583

    Allowed to challenge or delete state roots proposed by a Proposer.

    Allowed to pause deposits and withdrawals. In op stack systems with a proof system, the Guardian can also blacklist dispute games and set the respected game type (permissioned / permissionless).

    • OpFoundationUpgradeSafe has the role if the number of Optimism Security Council members falls below 8
    • OpFoundationOperationsSafe has the role if not revoked by the Security Council
    Proposer 0x1204…A689

    Allowed to post new state roots of the current layer to the host chain.

    Sequencer 0x0cd0…cA60

    Allowed to commit transactions from the current layer to the host chain.

    Actors:

    CeloProxyAdminOwner 0x4092…E112
    • A Multisig with 2/2 threshold.
    • Member of Safe.
    • Can act on behalf of ProxyAdmin.
    • Is allowed to interact with AddressManager - set and change address mappings - acting via ProxyAdmin.
    • Is allowed to interact with SystemConfig - it can update the preconfer address, the batch submitter (Sequencer) address and the gas configuration of the system.
    • Can upgrade the implementation of L1ERC721Bridge, OptimismMintableERC20Factory, SystemConfig, DelayedWETH, AnchorStateRegistry, DelayedWETH, SuperchainConfigLocal, OptimismPortal2, DisputeGameFactory - acting via ProxyAdmin.
    • Can upgrade the implementation of L1StandardBridge - upgrading the bridge implementation can give access to all funds escrowed therein - acting via ProxyAdmin.
    OpFoundationUpgradeSafe 0x847B…9D92
    • A Multisig with 5/7 threshold.
    • Member of SuperchainProxyAdminOwner.
    • Can act on behalf of LivenessModule - takes ownership of Optimism Security Council if the number of Optimism Security Council members falls below 8.
    • A Guardian - acting via Optimism Guardian Multisig, Optimism Security Council, LivenessModule if the number of Optimism Security Council members falls below 8.

    Used in:

    SuperchainConfig 0x9570…4a4C
    • Used to manage global configuration values for multiple OP Chains within a single Superchain network. The SuperchainConfig contract manages the PAUSED_SLOT, a boolean value indicating whether the Superchain is paused, and GUARDIAN_SLOT, the address of the guardian which can pause and unpause the system.
    • Is allowed to interact with SuperchainConfigLocal - act as an override that pauses the SuperchainConfigLocal if the (global) SuperchainConfig is paused.

    Used in:

    OpFoundationOperationsSafe 0x9BA6…6b3A
    • A Multisig with 5/7 threshold.
    • Can act on behalf of DeputyGuardianModule if not revoked by the Security Council.
    • A Guardian - acting via Optimism Guardian Multisig, DeputyGuardianModule if not revoked by the Security Council.

    Used in:

    Optimism Security Council 0xc281…Bd03
    • A Multisig with 10/13 threshold. It uses the following modules: LivenessModule (used to remove members inactive for 98d while making sure that the threshold remains above 75%. If the number of members falls below 8, the OpFoundationUpgradeSafe takes ownership of the multisig).
    • Member of Optimism Guardian Multisig, SuperchainProxyAdminOwner.
    • A Guardian - acting via Optimism Guardian Multisig.

    Used in:

    SuperchainProxyAdminOwner 0x5a0A…3d2A
    • A Multisig with 2/2 threshold.
    • Can act on behalf of SuperchainProxyAdmin.
    • Is allowed to interact with AddressManager - set and change address mappings - acting via SuperchainProxyAdmin.
    • Can upgrade the implementation of SuperchainConfig - acting via SuperchainProxyAdmin.

    Used in:

    LivenessGuard 0x2442…4a25

    Is allowed to interact with LivenessModule - can remove members of Optimism Security Council inactive for 98d.

    Used in:

    Optimism Guardian Multisig 0x09f7…dAf2
    • A Multisig with 1/1 threshold. It uses the following modules: DeputyGuardianModule (allows the OpFoundationOperationsSafe, called the deputy guardian, to act on behalf of the Gnosis Safe).
    • Can act as a Guardian.

    Participants (1):

    Optimism Security Council

    Used in:

    GnosisSafe 0x42d2…9c64
    • A Multisig with 2/2 threshold.
    • Member of OpFoundationUpgradeSafe, OpFoundationOperationsSafe.

    Participants (2):

    0xb237…97A50x4665…7429

    Used in:

    Celo Multisig 2 0x9Eb4…D34d
    • A Multisig with 6/8 threshold.
    • Member of CeloProxyAdminOwner.
    Celo Multisig 1 0xC031…4636
    • A Multisig with 6/8 threshold.
    • Member of CeloProxyAdminOwner.
    Smart contracts

    Ethereum

    Contains configuration parameters such as the Sequencer address, gas limit on this chain and the unsafe block signer address.

    The OptimismPortal contract is the main entry point to deposit funds from L1 to L2. It also allows to prove and finalize withdrawals. It specifies which game type can be used for withdrawals, which currently is the PermissionedDisputeGame. This contract stores the following tokens: ETH.

    The dispute game factory allows the creation of dispute games, used to propose state roots and eventually challenge them.

    A local contract acting as source of truth for the paused status and the guardian role for the local chain.

    Sends messages from host chain to this chain, and relays messages back onto host chain. In the event that a message sent from host chain to this chain is rejected for exceeding this chain’s epoch gas limit, it can be resubmitted via this contract’s replay function.

    Used to bridge ERC-721 tokens from host chain to this chain.

    The main entry point to deposit ERC20 tokens from host chain to this chain. This contract can store any token.

    PermissionedDisputeGame 0x2bCe…7755

    Same as FaultDisputeGame, but only two permissioned addresses are designated as proposer and challenger.

    SuperchainProxyAdmin 0x543b…fB04
    • Can be used to interact with AddressManager - set and change address mappings.
    • Can be used to upgrade implementation of SuperchainConfig.

    Proxy used in:

    A helper contract that generates OptimismMintableERC20 contracts on the network it’s deployed to. OptimismMintableERC20 is a standard extension of the base ERC20 token contract designed to allow the L1StandardBridge contracts to mint and burn tokens. This makes it possible to use an OptimismMintablERC20 as this chain’s representation of a token on the host chain, or vice-versa.

    ProxyAdmin 0x783A…E374
    • Can be used to interact with AddressManager - set and change address mappings.
    • Can be used to upgrade implementation of L1ERC721Bridge, OptimismMintableERC20Factory, SystemConfig, DelayedWETH, AnchorStateRegistry, DelayedWETH, SuperchainConfigLocal, OptimismPortal2, DisputeGameFactory.
    • Can be used to upgrade implementation of L1StandardBridge - upgrading the bridge implementation can give access to all funds escrowed therein.
    FaultDisputeGame 0x876e…BEBC

    Logic of the dispute game. When a state root is proposed, a dispute game contract is deployed. Challengers can use such contracts to challenge the proposed state root.

    The MIPS contract is used to execute the final step of the dispute game which objectively determines the winner of the dispute.

    Contract designed to hold the bonded ETH for each game. It is designed as a wrapper around WETH to allow an owner to function as a backstop if a game would incorrectly distribute funds.

    Contains the latest confirmed state root that can be used as a starting point in a dispute game.

    Contract designed to hold the bonded ETH for each game. It is designed as a wrapper around WETH to allow an owner to function as a backstop if a game would incorrectly distribute funds.

    PreimageOracle 0xfaB0…0DC4

    The PreimageOracle contract is used to load the required data from L1 for a dispute game.

    Value Secured is calculated based on these smart contracts and tokens:

    Main entry point for users depositing ERC20 token that do not require custom gateway.

    Can be upgraded by:

    Main entry point for users depositing ETH.

    Can be upgraded by:

    The current deployment carries some associated risks:

    • Funds can be stolen if a contract receives a malicious code upgrade. There is no delay on code upgrades (CRITICAL).