The developers of the Ethereum Layer 2 scaling project Optimism announced that a “critical bug” had been discovered and fixed earlier this month.
The bug, which could have allowed attackers to create as much ETH as they wanted on Optimism, was first discovered by white hat hacker and iOS Cydia jailbreak developer Jay Freeman.
In a detailed blog post, Freeman explained that the bug “will allow an attacker to copy funds on any chain using the go-ethereum OVM 2.0 fork.” For his efforts, Freeman received one of the largest bug bounties to date, a payout of $2,000,042.
According to the Optimism team, “The bug allowed the creation of ETH on Optimism by repeatedly activating the SELFDESTRUCT token for a contract with an ETH balance.”
In a blog post, the Optimism team noted that their network history showed that the bug was not exploited, with the exception of one accidental trigger by an employee of the Ethereum data startup Etherscan, but that “no useful redundancy is created.”
“The issue was tested and distributed to Optimism Kovan and Mainnet networks (including all infrastructure providers) within hours of confirmation,” the team said, thanking Infura, QuickNode and Alchemy for their quick response time.
“We have also notified several Optimism forks and bridge providers of the problem. All of these projects used the necessary solution.”
At the end of last year, Optimism removed its whitelist so that any developer can start building projects on the Optimism Network. Before that, the network was only available for some projects like Uniswap and Synthetix. This limitation made it easier for developers to troubleshoot potential bugs.
Optimism is a Layer 2 scaling solution for the Ethereum network that uses “optimistic rollups”, which batch transactions outside the Ethereum blockchain.
This offers the advantages of reduced slippage, reduced transaction costs, and significantly improved transaction speeds. However, as this bug has shown, while Layer 2 protocols provide efficiency gains, security in development is still a common problem.
While this reward is one of the largest paid out to date, MakerDAO has just announced that it will offer a maximum reward of $10 million to anyone who can point out serious security threats in its smart contracts. This is the biggest bug bounty ever offered on the Immunefi platform.