Metis Andromeda logoMetis Andromeda

  • Total value locked$97.29 M8.38%
  • Breakdown
  • Daily TPS0.258.32%
  • 30D tx count528 K
  • TechnologyOptimistic Chain
  • PurposeUniversal

    • ...

    Tokens:

    Milestones

    Data availability change

    2022 Apr 12th

    Update moving data to an off-chain committee.

    Learn more

    Mainnet launch

    2021 Nov 19th

    Public launch of Metis Layer 2 Andromeda, based on the Optimism codebase.

    Learn more
    Show more

    Description

    Fraud proof system is currently under development. Users need to trust block Proposer to submit correct L1 state roots. Since April 2022 the transaction data is no longer kept on-chain, instead it is kept in MEMO distributed data storage system. The optimistic challenge mechanism that allows Validators to force Sequencer to post missing data is not fully implemented yet.

    Metis is an EVM-equivalent Scaling Solution originally forked from Optimism. It provides support for multiple, interconnected L2 chains with main focus on supporting easy creation of DACs (Decentralized Autonomous Companies). The risk analysis below relates to the default chain with chainId=1088 called Andromeda. Since April 2022 Andromeda uses "optimistic data availability" scheme in which transaction data is kept off-chain in MEMO while Validators can request tx data from Sequencer via L1 challenge mechanism if it does not make it available for validation off-chain.

    If you find something wrong on this page you can submit an issue or edit the information.

    Risk Analysis

    Sequencer failureState validationData availabilityUpgradeabilityProposer failure

    State validation

    In development

    Currently the system permits invalid state roots. More details in project overview.

    Data availability

    Optimistic (MEMO)

    Transaction data is kept in MEMO decentralized storage. Validators can force Sequencer to make data available on-chain via L1 contract call if they find that Sequencer did not push tx data to MEMO. Challenge mechanizm is not yet fully implemented.

    Upgradeability

    Yes

    The code that secures the system can be changed arbitrarily and without notice.

    Sequencer failure

    Enqueue via L1

    Users can submit transactions to an L1 queue, but can't force them. The sequencer cannot selectively skip transactions but can stop processing the queue entirely. In other words, if the sequencer censors or is down, it is so for everyone.

    Proposer failure

    Cannot withdraw

    Only the whitelisted proposers can publish L2 state roots on L1, so in the event of failure the withdrawals are frozen.

    Technology

    No automatic on-chain fraud proof system

    For additional security, any staked Validator can challenge invalid state root submitted by the Sequencer. Other Validators will then act as referees in an interactive challenge game. Dishonest Validator majority can push invalid state root on-chain, and potentially slash honest Sequencer.

    • Funds can be stolen if an invalid state root is submitted to the system (CRITICAL).

    1. MVM_Verifier.sol#L133 - Metis source code

    Data is recorded off-chain in MEMO

    Transaction data is not stored on-chain, rather it is recorded in off-chain decentralized storage MEMO from MemoLabs. If Validators find that data is unavailable, they can request that Sequencer posts data on-chain via L1 contract.

    • Funds can be stolen if sequencer withholds data for more than seven days while at the same time submits fraudulent state root (CRITICAL).

    1. The Tech Journey: Lower Gas Costs & Storage Layer on Metis

    Operator

    The system has a centralized sequencer

    While proposing blocks is open to anyone the system employs a privileged sequencer that has priority for submitting transaction batches and ordering transactions.

    • MEV can be extracted if the operator exploits their centralized position and frontruns user transactions.

    1. CanonicalTransactionChain#L735 - Etherscan source code

    Users can force any transaction

    Because the state of the system is based on transactions submitted on-chain and anyone can submit their transactions there it allows the users to circumvent censorship by interacting with the smart contract directly.

    1. CanonicalTransactionChain - Etherscan source code

    Withdrawals

    Regular exit

    The user initiates the withdrawal by submitting a transaction on L2. When the block containing that transaction is finalized the funds become available for withdrawal on L1. The process of block finalization usually takes several days to complete. Finally the user submits an L1 transaction to claim the funds. This transaction requires a merkle proof.

    • Funds can be frozen if the centralized validator goes down. Users cannot produce blocks themselves and exiting the system requires new block production (CRITICAL).

    1. Withdrawing from Metis - Metis documentation

    Other considerations

    EVM compatible smart contracts are supported

    Metis uses the Optimistic Virtual Machine (OVM) 2.0 to execute transactions. This is similar to the EVM, but is independent from it and allows fraud proofs to be executed.

    • Funds can be lost if there are mistakes in the highly complex OVM implementation.

    1. MVM repository - Metis source code

    Permissions

    The system uses the following set of permissioned addresses:

    Metis Multisig 0x48fE…cF21

    This address is the owner of the following contracts: MVM_L1CrossDomainMessenger, L1StandardBridge, LibAddressManager. This allows it to censor messages or pause message bridge altogether, upgrade bridge implementation potentially gaining access to all funds stored in a bridge and change the sequencer, state root proposer or any other system component (unlimited upgrade power). This is a Gnosis Safe with 4 / 6 threshold.

    Metis Multisig participants 0x217f…ed690xB383…d8460x7a90…44540x0205…0e3F0xB961…65500xa6D8…098E

    Those are the participants of the Metis Multisig.

    Sequencer 0xcDf0…0019

    Central actor allowed to commit L2 transactions to L1.

    State Root Proposer 0x9cB0…689D

    Central actor to post new L2 state roots to L1.

    Data Availability Verifiers 0x48fE…cF21

    Those addresses can try to force the sequencer to post data on chain.

    Execution Verifiers 0x48fE…cF21

    Those addresses can challenge the state roots submitted by the state root proposer.

    Smart Contracts

    A diagram of the smart contract architecture
    A diagram of the smart contract architecture

    The system consists of the following smart contracts:

    MVM_CanonicalTransaction 0x6A1D…d41aImplementation (Upgradable)Admin

    MVM CanonicalTransaction is a wrapper of Canonical Transaction Chain that implements optimistic data availability scheme L1. If Sequencer is not malicious, it simply forwards appendSequencerBatch() calls to CanonicalTransactionChain.

    CanonicalTransactionChain 0x56a7…e1C9

    The Canonical Transaction Chain (CTC) contract is an append-only log of transactions which must be applied to the OVM state. It defines the ordering of transactions by writing them to the CTC:batches instance of the Chain Storage Container. CTC batches can only be submitted by OVM_Sequencer. The CTC also allows any account to enqueue() an L2 transaction, which the Sequencer must eventually append to the rollup state.

    StateCommitmentChain 0xf209…9380

    The State Commitment Chain (SCC) contract contains a list of proposed state roots which Proposers assert to be a result of each transaction in the Canonical Transaction Chain (CTC). Elements here have a 1:1 correspondence with transactions in the CTC, and should be the unique state root calculated off-chain by applying the canonical transactions one by one. Currently only OVM_Proposer can submit new state roots.

    ChainStorageContainer-CTC-batches 0x3847…16B7
    ChainStorageContainer-CTC-queue 0xA91E…2E57
    ChainStorageContainer-SCC-batches 0x1073…d6f9
    BondManager 0xf51B…b3be

    The Bond Manager contract will handle deposits in the form of an ERC20 token from bonded Proposers. It will also handle the accounting of gas costs spent by a Verifier during the course of a challenge. In the event of a successful challenge, the faulty Proposer's bond will be slashed, and the Verifier's gas costs will be refunded. Current mock implementation allows only OVM_Proposer to propose new state roots. No slashing is implemented.

    L1CrossDomainMessenger 0x081D…23ffImplementation (Upgradable)

    The L1 Cross Domain Messenger (L1xDM) contract sends messages from L1 to L2, and relays messages from L2 onto L1. In the event that a message sent from L1 to L2 is rejected for exceeding the L2 epoch gas limit, it can be resubmitted via this contract's replay function.

    MVM_DiscountOracle 0x7f6B…7063

    Oracle specifying user fees for sending L1 -> L2 messages and other parameters for cross-chain communication.

    Lib_AddressManager 0x9187…867d

    This is a library that stores the mappings between names such as OVM_Sequencer, OVM_Proposer and other contracts and their addresses.

    MVM_Verifier 0xe70D…b5cbImplementation (Upgradable)Admin

    This contract implements a voting scheme with which the majority of Verifiers can challenge malicious Sequencer.

    MVM_L2ChainManagerOnL1 0xf3d5…EBc0Implementation (Upgradable)Admin

    Contract that allows METIS_MANAGER to switch Sequencer.

    L1StandardBridge 0x3980…c04bImplementation (Upgradable)Admin

    Main entry point for users depositing ERC20 tokens and ETH that do not require custom gateway. This contract can store any token.

    The current deployment carries some associated risks:

    • Funds can be stolen if a contract receives a malicious code upgrade. There is no delay on code upgrades (CRITICAL).