Ethereum scaling startup Optimism announced that it had identified and patched a critical bug earlier this month. The bug, which was found in the project’s Geth fork, would have allowed hackers to create infinite ETH.
The bug was first discovered by iOS jailbreak software Cydia developer and white-hat hacker Jay Freeman.
Details of the Bug
Freeman announced the discovery of the bug on Twitter while also posting a blog post that explained the bug in great detail. Freeman posted,
“Last week, I discovered (and reported) a critical bug (which has been fully patched) in @optimismPBC (a “layer 2 scaling solution” for Ethereum) that would have allowed an attacker to print arbitrary quantity of tokens, for which I won a $2,000,042 bounty.”
He further added in his blog post that the bug would have allowed any hacker to replicate money and create infinite ETH on any chain through the OVM 2.0 fork of go-Ethereum. According to Optimism, Hackers could repeatedly trigger the SELFDESTRUCT opcode on any contract that held ETH balance. The bug was first disclosed to Optimism and its team on the 2nd of February.
Freeman was awarded one of the largest bounties to date, receiving an amount of $2,000,042 as a reward for discovering the bug.
Bug Not Exploited
The Optimism team reported that the bug had not been exploited, going by the chain history. It did, however, reveal that there was an accidental activation by an Etherscan staffer. However, this activation did not result in any usable excess amount of ETH.
Optimism Deploys Fix
The Optimism team announced that the issue was patched, with the team testing and then deploying a fix on Optimism’s Kovan and Mainnet networks. The team released a statement regarding the fix, stating,
“A fix for the issue was tested and deployed to Optimism’s Kovan and Mainnet networks (including all infrastructure providers) within hours of confirmation. We’d like to thank Infura, QuickNode, and Alchemy for their fast response times.”
The team also altered other Optimism forks and bridge providers about the issue, with all the projects also applying the required fix for the bug.
“We also alerted multiple vulnerable Optimism forks and bridge providers to the presence of the issue. These projects have all applied the required fix.”
Optimism Opens Its Network For Developers
Optimism had removed its whitelist last year, opening the network to developers who want to build their projects on the Optimism Network. Prior to removing the whitelist, Optimism was available only to a select number of projects like Synthetix and Uniswap, allowing developers to detect and resolve bugs easily.
Disclaimer: This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.
Source: https://cryptodaily.co.uk/2022/02/optimism-pays-out-2-million-bounty-to-dev-for-discovering-critical-bug