QUADRIGA INITIATIVE
CRYPTO WATCHDOG & FRAUD RECOVERY PLATFORM
A COMMUNITY-BASED, NOT-FOR-PROFIT
$0 USD
FEBRUARY 2022
GLOBAL
OPTIMISM
DESCRIPTION OF EVENTS
"Optimism is a low-cost and lightning-fast Ethereum L2 blockchain."
"Optimism is an "Optimistic Rollup," which is basically just a fancy way of describing a blockchain that piggy-backs off of the security of another "parent" blockchain. Specifically, Optimistic Rollups take advantage of the consensus mechanism (like PoW or PoS) of their parent chain instead of providing their own. In Optimism's case this parent blockchain is Ethereum."
"Optimism is built according to a strong design philosophy that stands on four main pillars: simplicity, pragmatism, sustainability, and, of course, optimism."
"As few lines of code as possible separate Optimism from Ethereum's battle-tested infrastructure. Build your app on the L2 that doesn't quit." "Optimism is equivalent with the Ethereum Virtual Machine, not just compatible. This means all Ethereum apps and tooling just work."
"Optimism is a Public Benefit Corporation, a for profit corporation that is obligated to balance financial interests of our stockholders with the best interests of our community, and society."
"Not only are we writing software that scales Ethereum technology, we are also scaling Ethereum values by creating the rails for highly impactful projects that don’t have a business model to succeed. Read more about how we’re doing that here." "Until the project is fully decentralized, we will be donating all profits from running a centralized sequencer towards scaling and sustaining public goods."
"Software engineer Jay Freeman (who goes by Saurik online) didn’t leverage the exploit. Instead, he reported the issue to Optimism’s dev team." "On 2/2/2022, I reported a critical security issue to Optimism—an "L2 scaling solution" for Ethereum—that would allow an attacker to replicate money on any chain using their "OVM 2.0" fork of go-ethereum (which they call l2geth)."
"The bug presented here—which I dub "Unbridled Optimism"—can maybe be (crudely) modelled as a bug on the far side of a "bridge", but is actually a bug in the virtual machine that executes smart contracts on Optimism (an aforementioned L2 rollup)."
"Exploiting this enables the attacker to have access to an effectively unbounded number of tokens (aka, the IOUs) on the far side of the bridge. It is my contention that this is more dangerous than merely tricking the reserves into allowing a withdraw[a]l."
"With the ability to sneakily print IOUs (known on Optimism as OETH) on the other side of the bridge, you still can try to (slowly) withdraw money from the reserves, but now it will look like a legitimate transfer, making it easier to go unnoticed."
"(And, in case you believe that "someone would notice if the total number of IOUs were different than the amount of money locked in the reserves", this bug actually was triggered 40 days ago—as I will point out later—and no alarm bells were raised.)"
"Further, with your unbounded supply of IOUs, you could go to every decentralized exchange running on the L2 and mess with their economies, buying up vast quantities of other tokens while devaluing the chain's own currency."
"Using your access to infinite capital, you could further manipulate on-chain pricing oracles to leverage for other attacks\; and, until someone finally realizes your money is counterfeit, arbitragers will flock to the network to sell you their assets."
"This makes this bug capable of economic griefing attacks, wherein once someone notices—even if it is a mere hour later!—it might be "too late" to unravel what is and what isn't a legitimate transaction, calling into question the entire ledger."
"The UsingOVM flag is set with a USING_OVM environment variable (with no corresponding command line flag, as far as I know; that you need to set this environment variable while initializing the genesis block took me too long to figure out ;P)."
"Operations on the StateDB that affect an account balance are then redirected from the underlying stateObject (which represents an individual, cached account) to storage state in the OVM_ETH contract. Below is the code for state.StateDB.SetBalance."
"Now, there's actually already something interesting going on: s.GetOrNewStateObject has an observable side effect; but, when UsingOVM, this doesn't get called. This means that an account might own native currency without having an account object!"
"The exact issue here is that contracts are able to ask for the hash of the code of other accounts (which is sometimes used to verify their trusted behaviors). If an account has no code, its code is "", so its codehash is the hash of an empty buffer."
"However, if you ask for the codehash of an address that isn't currently backed by an object in the state trie, the codehash you get back is null. This observable effect is an example of the subtle incompatibilities that Optimism keeps experiencing."
"(If this were my project, I'd definitely have dropped everything long ago—pre-OVM 2.0—to prioritize removing this set of patches by fixing GetOVMBalanceKey to store hash preimages, re-executing the chain, and then swapping out the state trie.)"
"The code for Suicide is still directly modifying the stateObject's data.Balance field instead of checking UsingOVM and redirecting that modification to OVM_ETH."
"This means that, when a contract self-destructs, its balance is BOTH given to the beneficiary AND ALSO KEPT. If the contract had 10 OETH, 10 OETH are CREATED from thin bits and handed to the beneficiary."
"One of the questions we often want to answer is "has anyone else already pulled off an exploit using this bug?". To answer this, I instrumented the code for the OVM 2.0 to log any time a transaction destroyed a contract with a balance."
"As SELFDESTRUCT is already a rare opcode, and this is even then a subset of all uses of SELFDESTRUCT—and further, as OVM 2.0 was only released three months ago—there was only a single user who had ever tried this: on Christmas Eve (2021)."
"In those transactions (as seen on the Optimism block explorer hosted by Etherscan) we see a user creating and destroying three contracts. The first two times, the contract's beneficiary is the 0x0 address, while the third time it is the user themself."
"It frankly felt like someone had noticed the bug—seeing that Etherscan left the balance in place after the contract was destroyed—and even played with it a bit (to see if this was a behavior of 0x0)... but hadn't realized it was exploitable."
"I actually managed to track down this user (!!) and it turns out they work for Etherscan ;P. It just goes to show that sometimes even people who are staring directly at a bug don't always see the indirect security implications."
"Last week, I discovered (and reported) a critical bug (which has been fully patched) in @optimismPBC (a "layer 2 scaling solution" for Ethereum) that would have allowed an attacker to print arbitrary quantity of tokens, for which I won a $2,000,042 bounty."
"I'd missed the confirmation of this on Thursday, but @bobanetwork had decided to additionally extend to me their (maximum) $100k bug bounty payout, making the total reward for my Ethereum L2 bug--"Unbridled Optimism"--$2,100,042! (...I think this might actually set a new record?)"
"[Optimism] paid him a $2-million bug bounty."
"We thank Jay Freeman (@saurik) for his amazing detective work in discovering and then reporting the print-ETH vulnerability to Optimism." "In appreciation for @saurik’s deep detective work on this critical vulnerability, we have offered him the maximum amount in our bug bounty program."
"Optimism—whose platform currently uses a centralized "sequencer"—moved to both fix this bug on their nodes and infrastructure, as well as arrange for downstream projects that used their codebase (Boba and Metis) to get patched." "Last week we patched a critical bug in the Optimism codebase, discovered by @saurik." "We’re incredibly thankful to saurik for spending so much time analyzing our protocol over the year--enough to find such an important fix! We highly recommend you check out his in-depth breakdown. We'll award the full $2,000,042 promised in our bug bounty."
"Optimism did a superb job fixing the vulnerability and working with all ORs and Infra providers to roll out a patch across the OR ecosystem within hours. Your funds are safe and Boba was patched within three hours of the vulnerability being reported."
Optimism is a layer 2 scaling solution on Ethereum. A critical bug existed in the protocol which would have allowed an attacker to mint additional unbacked Ethereum. The bug was only exploited once, apparently by accident with no loss of funds. On February 2nd, 2022, a white hacker named Jay Freeman found and reported it. The issue was fixed, and he received bounties that totaled $2.1m.
Hacker could've printed unlimited 'Ether' but chose $2M bug bounty instead (Mar 1)
iOS jailbreak dev wins $2M bounty for finding critical Optimism bug (Mar 4)
@saurik Twitter (Mar 4)
@bobanetwork Twitter (Mar 4)
@optimismPBC Twitter (Mar 4)
Optimism (Mar 4)
How Optimism Works | Optimism Docs (Mar 4)
About Optimism (Mar 4)
Attacking an Ethereum L2 with Unbridled Optimism - Jay Freeman (saurik) (Mar 4)
https://optimistic.etherscan.io/address/0x3d080421c9dd5fb387d6e3124f7e1c241ade9568 (Mar 4)
Critical bug in Ethereum L2 Optimism, $2M bounty paid | CryptoSlate (Mar 4)
Optimism Awards $2 Million Bounty to iOS Jailbreak Developer After Fixing 'Infinite' ETH Bug | Tech Times (Mar 4)
Optimism Pays Out $2 Million Bounty To Dev For Discovering Critical Bug | Bitcoin Insider (Mar 4)
Optimism Bug Bounties | Immunefi (Mar 4)
https://gateway.optimism.io/welcome (May 29)
@amanusk_ Twitter (Jul 21)
