Increasing Confidence in the OP Mainnet Bridge with Two-Step Withdrawals

The Bedrock upgrade will introduce a new two-step withdrawal process to the Optimism Mainnet bridge that will improve its security & make exploits much more difficult.

Of all the scenarios keeping protocol engineers up at night, bridge exploits are close to the top of the list. When it hits OP Mainnet, the Bedrock upgrade will introduce a new two-step withdrawal process to the bridge that aims to improve security, provide a better user experience, and help our ecosystem devs sleep a bit sounder.

How Two-Step Withdrawals Work

The new withdrawal process on L1 has been split into two parts: proving and finalizing. To withdraw funds from OP Mainnet, users must submit a proof for their withdrawal as soon as the output for the L2 block that contains the withdrawal transaction appears on L1. On average, it takes about an hour for this output to appear on Ethereum. Once the proof for the withdrawal is submitted, users wait the standard seven-day finalization window before the withdrawal can be finalized by the user on L1.

Previously, withdrawals were only subjected to the seven day finalization window. Fraudulent withdrawals could be challenged, but there were more opportunities for bad actors to take advantage of bugs in this withdrawal process.

Since two-step withdrawals require every withdrawal to be proven on L1, they also introduce an opportunity to challenge fraudulent proofs. Once the proof has been submitted, the OptimismPortal contract starts the seven-day finalization period, which becomes a window of time in which to challenge any fraudulent proof. This makes it harder for anyone to take advantage of a bug in the Merkle-Patricia trie (MPT) contract, which verifies inclusion proofs.

Essentially, decoupling proof verification from transaction finalization boosts the security of the bridge by vastly increasing the difficulty of exploiting OP Mainnet’s bridge. Any exploit attempt is also more transparent and easier to monitor. A fun side effect of this approach is that decoupling proof verification from withdrawal execution also brings us closer to the true properties of optimistic rollups.

Visualizing the New Withdrawals Flow

So, how does this new process work? Here's a technical breakdown of the steps involved:

  1. The old finalizeWithdrawalTransaction function inside the OptimismPortal contract has been split into two functions: proveWithdrawalTransaction and finalizeWithdrawalTransaction.
  2. The SDK has been updated to support both proving and finalizing withdrawals on L1.
  3. Once the output that contains your withdrawal has been proposed on Ethereum Mainnet, you can prove your withdrawal transaction. Proving it starts the one-week window.
  4. At the end of this window, if your transaction hasn’t been challenged, you no longer need to provide that proof to the finalizeWithdrawalTransaction call.
  5. When you call finalizeWithdrawalTransaction, it checks whether the proof you submitted a week ago has passed the challenge window. If it has and hasn’t been challenged, the funds are released on L1.
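To make the prove-then-finalize flow concrete, here is an added example (not code from the OP Mainnet contracts or the SDK) that models the steps above and the challenge window from the previous section as a small state machine in TypeScript. The names PortalModel, OutputOracle, toyOutputRoot and runScenario are assumptions for this illustration; the "inclusion proof" is a deliberately simple stand-in for the MPT proof the real portal verifies, and the challenge path is modelled as removal of a proposed output root, after which a proof made against that root can no longer be finalized.

```typescript
import { createHash } from "crypto";

// Simplified model of Bedrock's two-step withdrawal: prove, wait out the window, finalize.
// Added illustration only; not the OptimismPortal contract, the L2OutputOracle, or the OP SDK.
const FINALIZATION_PERIOD_SECONDS = 7 * 24 * 60 * 60; // the seven-day window

export interface WithdrawalTx {
  nonce: number;
  sender: string;
  target: string;
  valueWei: string; // decimal string so the demo does not depend on bigint support
  data: string;
}

interface ProvenWithdrawal {
  outputRoot: string;    // root the inclusion proof was checked against
  timestamp: number;     // when proveWithdrawalTransaction was called
  l2OutputIndex: number; // which proposed output the proof referenced
}

const sha256 = (s: string): string => createHash("sha256").update(s).digest("hex");

export function hashWithdrawal(tx: WithdrawalTx): string {
  return sha256(`${tx.nonce}|${tx.sender}|${tx.target}|${tx.valueWei}|${tx.data}`);
}

// Toy commitment (hypothetical): an output root is the hash of the block's withdrawal hashes
// and a "proof" is that list. It stands in for the Merkle-Patricia trie proof only for this demo.
export function toyOutputRoot(withdrawalHashes: string[]): string {
  return sha256(withdrawalHashes.join(","));
}
function verifyToyInclusion(hash: string, outputRoot: string, proof: string[]): boolean {
  return proof.includes(hash) && toyOutputRoot(proof) === outputRoot;
}

// Stand-in for the output oracle: an append-only list of proposed output roots.
export class OutputOracle {
  private outputs: string[] = [];
  propose(root: string): number { this.outputs.push(root); return this.outputs.length - 1; }
  getOutputRoot(index: number): string | undefined { return this.outputs[index]; }
  // Challenge path: removing a bad output (and everything after it) invalidates proofs against it.
  deleteFrom(index: number): void { this.outputs.length = index; }
}

export class PortalModel {
  private proven = new Map<string, ProvenWithdrawal>();
  private finalized = new Set<string>();
  constructor(private readonly oracle: OutputOracle) {}

  // Step one: verify inclusion against a proposed output and start the clock.
  proveWithdrawalTransaction(tx: WithdrawalTx, l2OutputIndex: number, proof: string[], now: number): string {
    const hash = hashWithdrawal(tx);
    const outputRoot = this.oracle.getOutputRoot(l2OutputIndex);
    if (outputRoot === undefined) throw new Error("output not yet proposed");
    if (!verifyToyInclusion(hash, outputRoot, proof)) throw new Error("invalid inclusion proof");
    const prior = this.proven.get(hash);
    // Re-proving is only allowed once the earlier output root has been removed (challenged).
    if (prior && this.oracle.getOutputRoot(prior.l2OutputIndex) === prior.outputRoot) {
      throw new Error("withdrawal already proven");
    }
    this.proven.set(hash, { outputRoot, timestamp: now, l2OutputIndex });
    return hash;
  }

  // Step two: after the window, re-check that the proven output still stands, then release funds.
  finalizeWithdrawalTransaction(tx: WithdrawalTx, now: number): string {
    const hash = hashWithdrawal(tx);
    const p = this.proven.get(hash);
    if (p === undefined) throw new Error("withdrawal has not been proven");
    if (now < p.timestamp + FINALIZATION_PERIOD_SECONDS) throw new Error("finalization period not elapsed");
    if (this.oracle.getOutputRoot(p.l2OutputIndex) !== p.outputRoot) {
      throw new Error("proven output root was challenged; prove again against the replacement output");
    }
    if (this.finalized.has(hash)) throw new Error("withdrawal already finalized");
    this.finalized.add(hash);
    return hash;
  }
}

// Returns the error message instead of throwing, so each outcome can be inspected.
export function attempt(fn: () => string): string {
  try { return fn(); } catch (e) { return (e as Error).message; }
}

// Constructed scenario: an honest withdrawal, then one proven against an output that is challenged.
export function runScenario(): Record<string, string> {
  const oracle = new OutputOracle();
  const portal = new PortalModel(oracle);
  const t0 = 1_700_000_000; // constructed L1 timestamp
  const out: Record<string, string> = {};

  const honest: WithdrawalTx = { nonce: 1, sender: "0xalice", target: "0xalice", valueWei: "1000000000000000000", data: "0x" };
  const h = hashWithdrawal(honest);
  const idx0 = oracle.propose(toyOutputRoot([h]));
  out.proven = portal.proveWithdrawalTransaction(honest, idx0, [h], t0) === h ? "ok" : "bad";
  out.tooEarly = attempt(() => portal.finalizeWithdrawalTransaction(honest, t0 + 3600));
  out.afterWindow = attempt(() => portal.finalizeWithdrawalTransaction(honest, t0 + FINALIZATION_PERIOD_SECONDS)) === h ? "ok" : "bad";
  out.replay = attempt(() => portal.finalizeWithdrawalTransaction(honest, t0 + FINALIZATION_PERIOD_SECONDS));

  // A withdrawal proven against a bad output: the output is removed during the window, so finalize fails.
  const bad: WithdrawalTx = { nonce: 2, sender: "0xbob", target: "0xbob", valueWei: "1000000000000000000000", data: "0x" };
  const hb = hashWithdrawal(bad);
  const idx1 = oracle.propose(toyOutputRoot([hb]));
  portal.proveWithdrawalTransaction(bad, idx1, [hb], t0);
  oracle.deleteFrom(idx1); // challenged within the seven days
  out.challenged = attempt(() => portal.finalizeWithdrawalTransaction(bad, t0 + FINALIZATION_PERIOD_SECONDS));
  return out;
}
```

The point the model makes is that finalization never re-verifies the inclusion proof; it only checks that the proof was recorded, that the window has elapsed, and that the output root it was proven against is still the one the oracle holds. That last check is what turns the seven days into a challenge period: a proof that slipped through a verifier bug can only pay out if nobody removes the offending output before the window closes, which is also what makes an attempt visible on L1 well before funds move.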

Here are two diagrams that visualize these changes:

Increasing Confidence in Bridge Security

This approach provides a significant upgrade to the security of OP Mainnet’s bridge—it is worth noting that bugs allowing forged MPT proofs have affected other protocols in the past, so bridge improvements were a key priority when scoping the Bedrock upgrade.

It is our hope that the introduction of two-step withdrawals increases confidence in the security of OP Mainnet’s bridge, especially for our partners who may limit the amount of funds they hold on OP Mainnet due to fears of bridge hacks. With this upgrade, users can monitor for bad behavior themselves, making it easier for them to participate in the ecosystem with peace of mind.