Optimism, Ethereum’s fourth-largest Layer 2 scaling solution by Total Value Locked, recently identified and fixed a critical flaw in its code. The network learned of the vulnerability last week after it was discovered and reported by whitehat hacker Jay Freeman, the developer of the Cydia and Orchid protocols.
It was revealed that the bug had been unintentionally triggered by an Etherscan employee. The flaw would have made it possible to generate infinite ETH tokens by launching a mini-program on the contract containing the ETH balance. As Freeman explained in a deep-dive blog post, the bug would allow an attacker to replicate funds on any chain using Optimism’s OVM 2.0 fork of Go-Ethereum. The post goes on to say:
“The bug would have allowed ETH to be generated on Optimism by repeatedly firing the SELFDESTRUCT opcode on a contract containing an ETH balance.”
Whitehat hacker receives $2 million
Luckily for the network, no malicious hackers were aware of the flaw prior to patching. Within hours of confirming the issue, Optimism was testing and deploying a fix on the Kovan testnet and the Optimism mainnet. The team has also notified other vulnerable Optimism forks and bridge providers about the technical vulnerability. All projects connected to Optimism are now free of the error.
As a token of gratitude, Optimism has awarded Freeman its maximum bounty of approximately $2 million, one of the largest such awards. If the bug had not been spotted in time, the network would likely have suffered an immense loss. Additionally, the reward encourages other members of the developer community to report such vulnerabilities instead of exploiting them.
Security concerns in crypto projects
Optimism isn’t the only Ethereum scaling solution that has had issues with bugs. Towards the end of December, Polygon quietly fixed a bug that put 9.27 billion of its 10 billion MATIC tokens at risk of being stolen. Two white hat hackers who were the first to report the problem received a total reward of $3.5 million. Back in October, with the help of another whitehat hacker, Polygon fixed a vulnerability that could have cost the company $850 million.
While Layer 2 protocols have brought numerous benefits to Ethereum and its users, these events point to larger issues in their security protocols.
To stay one step ahead of blackhat hackers, MakerDAO has offered a reward of up to $10 million to anyone who helps identify significant vulnerabilities in its smart contracts. The offer is the largest ever made by bug bounty platform Immunefi.