Optimism fixes bug allowing infinite ETH creation, whitehat hacker awarded $2M

  • Ethereum layer-2 scaling solution Optimism has detected and fixed a critical bug that would have allowed the repeated creation of ETH tokens.
  • The issue was first discovered and reported by developer Jay Freeman, who has since been awarded a $2M bounty.

Optimism, Ethereum’s fourth-largest layer-2 scaling solution by total value locked (TVL), recently identified and subsequently fixed a “critical bug” in its coding. The network got wind of the vulnerability last week after it was discovered and reported by whitehat hacker Jay Freeman – the developer behind the Cydia and Orchid Protocols. 

News has it that the bug was unintentionally triggered by an Etherescan employee. This would have allowed for the infinite creation of ETH tokens by triggering a code on the contract holding ETH balance. As Freeman explained in a deep-dive blog post, the bug “would allow an attacker to replicate money on any chain using their ‘OVM 2.0’ fork of go-ethereum.” A similar explanation by the Optimism team reads:

The bug made it possible to create ETH on Optimism by repeatedly triggering the SELFDESTRUCT opcode on a contract that held an ETH balance.

Optimism introduces a fix to ETH creating bug

Fortunately for the network, no malicious actors got knowledge of the bug before its patching. Within hours of confirming the issue, Optimism tested and deployed a fix on the Kovan testnet and Optimism Mainnet. Furthermore, the team notified other vulnerable Optimism forks and bridge providers of the technical weakness. All projects connected to Optimism are now free of the bug.

As a show of gratitude, Optimism has awarded Freeman the maximum, and one of the largest bounty awards of $2,000,042. If the bug was never discovered in time, it is likely the network would have suffered a great loss. By extension, the reward encourages other members of the developer community to report such susceptibilities rather than exploit them.

Security concerns in crypto projects

Optimism is not the only Ethereum scaling solution that has had trouble with bugs. As December drew to a close, Polygon quietly fixed a bug that put 9.27 billion of its 10 billion MATIC tokens at risk of theft. Two white hat hackers who were first to report the issue were rewarded a combined total of $3.5 million. And in October, with the help of another whitehat hacker, Polygon fixed another vulnerability that would have cost it $850 million.

Read More: Polygon explains recent fix to a critical bug that would have cost the network over $24B

While layer-2 protocols have brought numerous advantages to Ethereum and its users, these events point to greater concern in their security protocols.

To stay ahead of blackhats, decentralized organization MakerDAO has launched a maximum bounty of $10M to anyone who can help identify significant security threats in its smart contracts. The offering is the largest ever to be hosted by bug bounty platform Immunefi.