One of Largest Ethereum Layer 2s Faces Critical Vulnerability, But Funds Are Safe

Optimism, one of the largest Layer 2 solutions for Ethereum, has fixed a critical vulnerability within hours of confirmation which allowed the network to avoid an exploit that could’ve cost millions for Optimism users.

On Feb. 2, software engineer Jay Freeman behind Cydia and Orchid, who goes by the name of saurik, cautioned the Optimism team about the existence of a crucial vulnerability in the Geth fork. The bug allowed the “creation” of ETH on the Optimism contract by exploiting the “selfdestruct” function on the contract that was holding layer 1’s coins. 

According to the chain history of Optimism, the bug hasn’t been used by scammers or hackers. As the contract’s page suggests, the vulnerability has been used once by an undisclosed Etherscan employee who accidentally used the function but didn’t generate usable ETH.

The fix has been developed shortly after. It was then silently deployed on the testnet network and released on the main network of Optimism. According to Optimism’s medium article, it took developers only a few hours from the time of initial confirmation to come up with the fix. 

The development team behind the layer 2 solution has already alerted bridge providers about the presence of the issue and instructed them to update their networks. Projects have successfully updated their software to fix the vulnerability. Users who are running a replica should upgrade their l2geth version to get synced with the network.

According to the official Immunefi bug bounty program, hackers that help keep the network safe are eligible for a bounty reward that currently stays at the maximum of $2 million. The actual reward for saurik hasn’t been disclosed. 

Prior to that, numerous Ethereum and Solana-related DeFi and NFT platforms became exploited due to various front and backend vulnerabilities discovered by hackers that weren’t cooperative with developers and decided to use bugs for their own good.