Critical bug in Ethereum L2 Optimism, $2M bounty paid
Announced today, the Ethereum layer-2 chain Optimism was alerted by a white hat hacker of a critical bug in a smart contract. The bug was fixed and $2 million in bug bounty was paid out to the hacker.
Ethereum Layer-2 solution Optimism has fixed a critical software bug in one of its smart contracts on Ethereum. On February 2nd, the Optimism team was alerted by Jay Freeman of a critical bug in Optimism’s fork of the Ethereum Geth client software. As per the Optimism announcement “Funds Are Safu.”
The bug made it possible for a malicious hacker to create ETH on Optimism by “repeatedly triggering the ‘SELF-DESTRUCT’ opcode on a contract that held an ETH balance.” Opcodes are the individual instructions executed by the Ethereum Virtual Machine (EVM), the environment in which smart contracts run.
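To make the failure mode concrete, here is an added toy model (constructed for this article, not Optimism’s code) of the invariant such a bug breaks: on an L2, total ETH supply may only grow through a bridge deposit, so a self-destruct that changes total supply is a red flag. The “balance credited but never cleared” defect in BuggyLedger is an assumption made purely for illustration; the article does not state the actual root cause. The audit function replays a constructed operation history and reports every step at which supply changed without a deposit, which is the kind of check a chain-history review would run.

```python
"""Toy supply-conservation model for a SELFDESTRUCT-style minting bug.
Constructed example; not Optimism code. The defect modelled in
BuggyLedger is an assumption for illustration, not the reported root cause."""
from dataclasses import dataclass, field


@dataclass
class Ledger:
    """Minimal L2 balance table. Supply may only grow via deposit()."""
    balances: dict = field(default_factory=dict)

    def total_supply(self) -> int:
        return sum(self.balances.values())

    def deposit(self, addr: str, amount: int) -> None:
        # Assumed to mirror an L1 -> L2 bridge deposit: the only legitimate mint.
        self.balances[addr] = self.balances.get(addr, 0) + amount

    def selfdestruct(self, contract: str, beneficiary: str) -> None:
        # Correct semantics: move the whole balance, then clear the source,
        # so a second call on the same address moves nothing.
        amount = self.balances.get(contract, 0)
        self.balances[beneficiary] = self.balances.get(beneficiary, 0) + amount
        self.balances[contract] = 0


class BuggyLedger(Ledger):
    def selfdestruct(self, contract: str, beneficiary: str) -> None:
        # Assumed defect for illustration: the source balance is credited to
        # the beneficiary but never cleared, so every repeat call mints anew.
        amount = self.balances.get(contract, 0)
        self.balances[beneficiary] = self.balances.get(beneficiary, 0) + amount


def replay_and_audit(ledger: Ledger, ops: list) -> list:
    """Replay ops on the ledger and return the indices of every op after which
    total supply changed although the op was not a deposit (invariant violation)."""
    violations = []
    for i, op in enumerate(ops):
        before = ledger.total_supply()
        if op[0] == "deposit":
            ledger.deposit(op[1], op[2])
        elif op[0] == "selfdestruct":
            ledger.selfdestruct(op[1], op[2])
        else:
            raise ValueError(f"unknown op {op[0]!r}")
        if op[0] != "deposit" and ledger.total_supply() != before:
            violations.append(i)
    return violations


# Constructed history: one deposit, then the same contract self-destructed
# three times in a row (how a repeated trigger would look in a replay).
SAMPLE_OPS = [
    ("deposit", "0xCONTRACT", 100),
    ("selfdestruct", "0xCONTRACT", "0xBENEFICIARY"),
    ("selfdestruct", "0xCONTRACT", "0xBENEFICIARY"),
    ("selfdestruct", "0xCONTRACT", "0xBENEFICIARY"),
]


def audit_correct() -> tuple:
    """Returns (violation indices, final supply) for the correct ledger."""
    ledger = Ledger()
    return replay_and_audit(ledger, SAMPLE_OPS), ledger.total_supply()


def audit_buggy() -> tuple:
    """Returns (violation indices, final supply) for the buggy ledger."""
    ledger = BuggyLedger()
    return replay_and_audit(ledger, SAMPLE_OPS), ledger.total_supply()


if __name__ == "__main__":
    print("correct ledger:", audit_correct())  # ([], 100)
    print("buggy ledger:  ", audit_buggy())    # ([1, 2, 3], 400)
```

With correct semantics the three self-destructs leave supply at 100 and produce no findings; with the assumed defect each repeat inflates supply and every self-destruct after the deposit is flagged. The same pre/post supply comparison, run over real state transitions, is what lets a team state with confidence that “no usable excess ETH was generated.”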
Bug triggered by Etherscan employee
Analysis of Optimism’s blockchain history carried out by the Optimism team showed that the bug was not exploited. The bug seems to have been accidentally triggered on one occasion by an employee at the popular block explorer Etherscan. As per the report, “no usable excess ETH was generated.”
According to the announcement, within hours of confirmation the Optimism team developed and deployed a fix to the Kovan and Mainnet networks, closing the bug, and sent alerts to teams developing vulnerable Optimism forks and to L1-L2 bridge providers. Apart from the announcement, the Optimism team has also published a detailed breakdown of the incident.
As part of Optimism’s Immunefi bug bounty program, the maximum amount of just over $2 million was paid out to Jay Freeman. The fact that the maximum amount was paid indicates the seriousness of the bug. The announcement does not, however, speculate on the possible damage had the bug been exploited by a malicious hacker.
Growing DeFi ecosystem makes security complex
According to Optimism’s blog post, defending the DeFi ecosystem against security issues is becoming increasingly complex, to a significant extent as a direct consequence of decentralization itself.
The post reads:
“it’s clear that the ecosystem will soon be far too large for this to remain practical. We’ll be updating our disclosure protocol to more closely match Geth’s in the near future.”
The post also points to the importance of bug bounty programs.
The Optimism team is currently in the process of specifying and building the next major release, Optimism: Bedrock Edition. According to Optimism, Bedrock Edition will significantly reduce the difference in the code base between Optimism’s Geth fork and the “official” go-ethereum client. Modifying less of the original code makes it less likely that new bugs are introduced.