Developers from the Ethereum layer-2 scaling project Optimism announced that a “critical bug” had been identified and subsequently patched earlier this month.
The bug, which could have enabled hackers to create as much Ether (ETH) in an Optimism account balance as they wished, was first discovered by white-hat hacker and iOS jailbreak software Cydia developer Jay Freeman.
In a deep-dive blog post, Freeman explained that the bug, “would allow an attacker to replicate money on any chain using their "OVM 2.0" fork of go-Ethereum.” For his efforts, Freeman was awarded one of the largest bug bounties to date, netting a total reward amount of $2,000,042.
According to the Optimism team, “The bug made it possible to create ETH on Optimism by repeatedly triggering the SELFDESTRUCT opcode on a contract that held an ETH balance.”
In a blog post, the Optimism team noted that its chain history showed that the bug had not been exploited, except for an accidental activation by a staffer at Ethereum data startup Etherscan, but “no usable excess was generated.”
“A fix for the issue was tested and deployed to Optimism’s Kovan and Mainnet networks (including all infrastructure providers) within hours of confirmation,” the team said, thanking Infura, QuickNode and Alchemy for their fast response times.
“We also alerted multiple vulnerable Optimism forks and bridge providers to the presence of the issue. These projects have all applied the required fix.”
Late last year Optimism removed its whitelist, allowing for any developer to start building projects on the Optimism network. Prior to this, the network was only accessible to specific projects such as Uniswap and Synthetix. This limitation made it easier for developers to detect and resolve potential bugs
This provides the benefits of reducing slippage, decreasing transaction costs and vastly improving transaction speeds. However, as this bug has made clear, while layer 2 protocols offer improvements in efficiency, security during ongoing development remains a common point of concern.
While this bounty is one the largest to have been paid out so far, MakerDAO has just announced that it will be offering a maximum bounty of $10 million to anyone who can point out critical security threats in its smart contracts. This is the largest series of bug bounties ever to have been hosted on bug bounty platform Immunefi.