In addition to the previously mentioned governance issues and security measures, one more component was essential, especially to a young zk-rollup such as the Polygon zkEVM. That component is the Security Council Multisig.
Since critical bugs or other security issues may occur, and hence warrant instant upgrades, it is good security practice to allow for emergency upgrades.
That is, instead of employing the 2-out-of-3 Admin Multisig Contract and waiting for the time-delay imposed by the Timelock Contract, these contracts get bypassed by deploying a so-called Security Council Multisig.
It is crucial, however, to emphasise that the Security Council Multisig is a temporary measure, and will ultimately be phased out once the Polygon zkEVM has been sufficiently battle-tested.
Understanding security council multisig
The security council is a committee that oversees the security of the Polygon zkEVM during its initial phase.
The security council of a rollup has a two-fold responsibility:
- Seeing to it that the system is timeously halted in case of an emergency state, and
- Ensuring that emergency upgrades are implemented as soon as it is practically possible.
The security council therefore utilises a special multisig contract that overrides the usual Admin Multisig Contract and the Timelock Contract.
Security council composition
Security councils generally consist of a certain number of reputable community members, who are typically individuals or representatives of public organizations who may remain anonymous.
These are individuals or organizations with a vested interest in the welfare of the Ethereum ecosystem, and are normally selected from among well-known Ethereum developers and researchers.
The Polygon zkEVM’s Security Council is constituted of eight (8) members, four of whom are internal to the Polygon team, while the rest of the members must be from outside Polygon.
The minimum requirement, as also mentioned in the L2Beat report downloadable here, is for these individuals to be knowledgeable and competent enough to make the best judgment about the actions approved by the multisig.
These members are not completely anonymous, as their addresses are publicly known. Their addresses can be checked on Etherscan.
Here is a list of the 8 addresses of the Polygon zkEVM’s Security Council;
Security council multisig?
The Security Council Multisig is a multisig contract deployed by the Polygon zkEVM Security Council when either an emergency state is triggered or an emergency upgrade needs to be executed.
The multisig contract is a 6-out-of-8 multisig, which requires six (6) signatures of the Security Council to be attached for the contract to be successfully deployed.
There is a further stipulation that a minimum of 2 out of the 6 attached signatures must be from among the 4 members who are external to Polygon.
Although the ultimate goal is to move towards a totally decentralized Polygon zkEVM, employing a security council multisig is inevitable for the early stages of the zkRollup.
It is a trade-off between security and decentralization. So then, for the sake of long-term security, it is a deliberate decision to have more centralized early stages of development, in order to attain more decentralized later stages.
Although there is always a possibility for the members of the Security Council to go rogue and collude, the 75% threshold together with the minimum 33% of external members’ signatures significantly reduces the risk.
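The 6-out-of-8 rule with the external-member minimum described above, written out as an added Python example (it is not Polygon's contract code). The addresses are constructed placeholders, the function names are hypothetical, and rejecting non-member signers and checking a hypothetical 5-internal/3-external split are choices of this example that go beyond the page.

```python
from itertools import combinations

THRESHOLD = 6      # signatures required out of 8 (from the page)
MIN_EXTERNAL = 2   # at least this many must come from external members

def addr(i):
    """Constructed placeholder address, not a real council member."""
    return "0x" + f"ab{i:02d}" * 10

INTERNAL = {addr(i) for i in range(1, 5)}   # 4 members inside Polygon
EXTERNAL = {addr(i) for i in range(5, 9)}   # 4 members outside Polygon

def check_approval(signers, internal=INTERNAL, external=EXTERNAL):
    """Return (approved, reason) for a list of recovered signer addresses."""
    # Lowercase so checksummed and lowercase forms compare equal; the set
    # collapses duplicates so one member cannot be counted twice.
    seen = {s.lower() for s in signers}
    ext = {a.lower() for a in external}
    members = ext | {a.lower() for a in internal}
    if seen - members:
        return False, "signature from a non-member"
    if len(seen) < THRESHOLD:
        return False, f"{len(seen)} distinct signers, need {THRESHOLD}"
    if len(seen & ext) < MIN_EXTERNAL:
        return False, f"{len(seen & ext)} external signers, need {MIN_EXTERNAL}"
    return True, "approved"

def min_external_in_any_quorum(n_internal, n_external, threshold=THRESHOLD):
    """Fewest external members in any threshold-sized group of signers."""
    labels = ["I"] * n_internal + ["E"] * n_external
    return min(group.count("E") for group in combinations(labels, threshold))

if __name__ == "__main__":
    # Four internal plus two external signers: approved.
    print(check_approval([addr(i) for i in range(1, 7)]))
    # Five distinct signers plus a re-cased duplicate: still only five.
    print(check_approval([addr(i) for i in range(1, 6)] + [addr(1).upper()]))
    # Current 4/4 composition versus a hypothetical 5/3 composition.
    print(min_external_in_any_quorum(4, 4), min_external_in_any_quorum(5, 3))
```

With four internal and four external members, any six signers already include at least two external ones, so the external minimum only becomes a binding constraint if the composition shifts, as in the hypothetical 5/3 split.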