Backup if users mistakenly send ETH/tokens to system contract addresses

[protolambda]

If a user transfers ETH or a token, then the funds may be lost forever if we do not prepare system contracts.
However, it may be better to not deploy code if we cannot support such rescue missions.

For the deposit-rollup phase we do not run it in production, so users are not affected.

In the future, we may want to secure:

• The batch submission address
• The deposit contract (not all assets work)
• Any special addresses we use for deposit logic (if we use any magic values)

Also, a common mistake is to sign and submit a transaction for the wrong network. Addresses that we use in production, or in open testnets, should be secured in both L1 and L2. Another mistake is locking up NFTs and such in fungible-only bridges.

We may also just adopt the current optimism approach once this specification gets closer to a production deployment, or collect feedback based on that.

[norswap]

I think maybe this is more of an implementation concern. We could just keep the terminology "address" and add a comment to the effect that the address could reference an EOA/contract controlled by the team if they want to support token rescue, and not otherwise.