Celo Optics Project Team Misconduct
Optics Protocol is a cross-chain bridge that is part of the Celo platform. One of the developers replaced the multi-signature permissions on the protocol, and the wrong developer was accused. No funds appear to have been lost due to the development error.
This is a global/international case not involving a specific country.[1][2][3][4][5][6][7][8]
About Celo
"The Celo Foundation is a non-profit organization based in the US that supports the growth and development of the open-source Celo Platform. Guided by the Celo community tenets, the Foundation contributes to education, technical research, environmental health, community engagement, and ecosystem outreach—activities that support and encourage an inclusive financial system that creates the conditions for prosperity for everyone."
"Optics is a new design for radically cheaper cross-chain communication without header verification. We expect operating Optics to cut 90% of gas costs compared to a traditional header relay. To accomplish this, we took inspiration from optimistic systems (a la Optimistic Roll-ups). Optics features many of the features we prize in an optimistic mechanism, like public verification, low gas fees, broad participation, but has a slightly different security model."
"Optics will form the base layer of a cross-chain communication network that provides fast, cheap communication for all smart contract chains and rollups. It relies only on widely-available cryptographic primitives (unlike header relays), has a latency of a few hours (rather than an ORU’s one week latency), and imposes only about 120,000 gas overhead on message senders."
"Optics has been designed for ease of implementation in any blockchain that supports user-defined computations. We will provide initial Solidity implementations of the on-chain contracts, and Rust implementations of the off-chain system agents. We aim to follow up with Rust implementations of the on-chain contracts targeting Near and Solana later this year."
"Optics is usable in any chain that supports basic smart contract implementations, only has a latency of a few hours, compared to the one-week latency period that optimistic rollups provide, and requires only about 120,000 gas overhead on message senders."
"The Celo team uses a notary service as a comparison to their protocol." "Since Optics is working across multiple chains, the home chain acts as the source of truth. Meaning the sending chain will contain the “home” contract where the messages await to get processed. Once the messages are committed to the merklized “message tree,” the root of that tree is notarized and relayed by the updater to the receiving chain in an “update.” The updates are signed and approved by the updater, committing to the previous root and a new root."
"Optics allows any chain to implement a smart contract with the data of the updater and the current root. Celo calls this smart contract a “Replica” contract. This “Replica” essentially ensures that the receiving chain reaches the same root as the “home” chain. Since the root will ultimately be committed to the message tree, the message will be proven and processed once it gets transmitted."
"A significant difference highlighted by Celo is that Optics permits fraud. Through their security model, participants can prove fraud at any time to the home contract on the sending chain. So to curb updaters from signing off to fraud, the updater has to submit a bonded stake on the home chain, which will get slashed as a penalty for accepting a fraudulent update. Not only does a fraudulent signer’s bond get slashed, but they are also exposed to all the other participants on the network, meaning users can avoid malicious actors."
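An added example (not from the quoted sources or the Optics code base) of the check a watcher could run over the updates relayed to a Replica: each update commits to a previous root and a new root, so a second update for the same previous root, or an update the home chain never produced, is evidence an updater signed something it should not have. Signature verification is assumed to have been done already; the root labels and the name `audit_replica_updates` are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Update:
    prev_root: str  # root the updater claims to be building on
    new_root: str   # root the updater commits to


def audit_replica_updates(home_updates, replica_updates, genesis_root):
    """Compare updates seen on a Replica with the home chain's history.

    Returns (findings, accepted_root). Each finding is (kind, update).
    Assumes every update already passed updater-signature verification.
    """
    # Home history as prev_root -> new_root; the home chain is the source of truth.
    home_chain = {u.prev_root: u.new_root for u in home_updates}

    findings = []
    seen = {}                # prev_root -> first new_root observed on the Replica
    current = genesis_root   # root the Replica has accepted so far
    for u in replica_updates:
        first = seen.setdefault(u.prev_root, u.new_root)
        if first != u.new_root:
            # Two updates from one previous root to different new roots:
            # the pair is proof of a conflicting commitment.
            findings.append(("double-update", u))
        elif home_chain.get(u.prev_root) != u.new_root:
            # The home contract never committed this transition.
            findings.append(("not-on-home", u))
        elif u.prev_root != current:
            # Valid on home, but does not extend the Replica's current root.
            findings.append(("out-of-order", u))
        else:
            current = u.new_root
    return findings, current


# Constructed sample data: the home chain advances r0 -> r1 -> r2 -> r3.
HOME = [Update("r0", "r1"), Update("r1", "r2"), Update("r2", "r3")]
REPLICA = [
    Update("r0", "r1"),
    Update("r1", "r2"),
    Update("r1", "rX"),  # conflicts with r1 -> r2
    Update("r2", "r3"),
    Update("r3", "rY"),  # never committed on home
]

if __name__ == "__main__":
    for kind, upd in audit_replica_updates(HOME, REPLICA, "r0")[0]:
        print(kind, upd)
```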
"Optics Bridge was attacked and ownership of the multi-signature wallet was transferred." "[I]nvestigation disclosed that the incident actually occurred on October 29, by a community developer in order to fix a contract bug." "[T]he multi-signature permission of Optics was replaced because someone unilaterally activated the Optics repair mode (recovery mode) on the GovernmentRouter contract. Although the bridge service is all normal, this operation caused the Optics protocol to be fully controlled by the recovery manager account, and the original multi-signature permissions were also overwritten."
On the evening of November 23, Beijing time, the founder of Yuchi F2Pool, Shenyu, forwarded a risk warning from the security organization Rugdoc on Weibo, saying: “If you have mining on the Celo chain, please note that the multi-signature of Optics has been replaced. It is suspected that there is a problem. The way to reduce the risk is to sell other assets on the Celo chain to Celo. There are not many people selling at present, and they lose a few points. Everyone judges the risk by themselves, whether it is a gamble or a stop loss. The strength and the courage can also make arbitrage.”
"Most notably, in addition to explaining the technical principles of the replacement of multi-signature permissions, Tim also mentioned a former senior developer James Prestwich who has been expelled from cLabs. Tim claimed that the activation of the repair mode occurred 15 minutes after James was fired due to misconduct, and that during the deployment of Optics, James created a pull request for the configuration including the repair address, and requested confirmation of this Address and request reimbursement of expenses. Tim also said that since the discovery of the problem, cLabs has tried every means to contact James to solve the problem, but it has not been successful so far."
However, James himself responded to Tim’s “accusation”: "I have never been a keyholder on Optics recovery mode. I am disappointed that cLabs and Celo have chosen to bring their bullying into public spaces, and that they chose to lie about me to attack my reputation. On the advice of my lawyer, I have nothing else to say right now."
"Obviously, there is a contradiction between the statements of Tim and James. If neither of them lied, then who activated the repair mode?"
"Under the joint investigation of many people, the truth finally came to light. From the address remarks of the decentralized content platform Mirror, it can be seen that the funds of the address [performing the action] belong to a person named Anna."
"Community users found from GitHub records that it was 26 days ago that a community developer with the same profile picture and name (Anna) reported on GitHub about Optics repair mode time lock vulnerabilities. In order to fill the loopholes, the repair mode needs to be activated and replaced with a more secure multi-signature address. In addition, from the historical submission code, Anna has indeed participated in the development of PartyDAO." "[I]t can be basically judged that it is Anna that activated the Optics repair mode, and there is a high probability of repairing the management account. Under Anna’s control."
"[A]lthough the context of the matter has been clarified, some community members are very dissatisfied with the way CELO and cLabs handled the matter." "The cross-chain track has always been a field with a high incidence of security accidents. Although it has not caused any financial losses for the time being, the warnings sounded by this incident cannot be ignored."
What Happened
| Date | Event | Description |
|---|---|---|
| November 23rd, 2021 | Main Event | A risk warning circulated that the multi-signature permissions of Optics had been replaced. No funds appear to have been lost. |
Total Amount Lost
No funds were lost.
Total Amount Recovered
There do not appear to have been any funds recovered in this case.
Individual Prevention Policies
No specific policies for individual prevention have yet been identified in this case.
For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.
Platform Prevention Policies
Policies for platforms to take to prevent this situation have not yet been selected in this case.
For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.
Regulatory Prevention Policies
No specific regulatory policies have yet been identified in this case.
For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.
References
- https://blog.insurace.io/security-incidents-in-november-e4bcb39dd7f9 (Feb 1, 2022)
- What happened to Celo when the cross-chain bridge multi-signature permission was replaced? - CoinYuppie: Bitcoin, Ethereum, Metaverse, NFT, DAO, DeFi, Dogecoin, Crypto News (Feb 9, 2022)
- https://docs.celo.org/celo-codebase/protocol/optics (Feb 10, 2022)
- SlowMist Hacked - SlowMist Zone (Feb 10, 2022)
- Bridges In Crypto Space (Feb 10, 2022)
- Celo: Mobile-First DeFi Platform for Fast, Secure, and Stable Digital Payments (Feb 10, 2022)
- About Celo: Learn more about Celo’s team (Feb 10, 2022)
- https://docs.celo.org/celo-codebase/protocol/bridging/migrating-to-optics-v2 (Mar 7, 2022)