The developers of the Optimism project, which is dedicated to scaling Ethereum, announced the discovery of a critical bug that allowed the creation of any number of tokens of this cryptocurrency. This possibility has now been ruled out, and a record bounty has been paid for discovering the bug.
The vulnerability, discovered by white-hat hacker Jay Freeman, best known as the developer of the jailbreak software Cydia for iOS, in theory allowed attackers to create as much Ethereum as they wanted in an Optimism account.
In a post, Freeman explained that the bug allowed an attacker to duplicate funds using the Optimistic Virtual Machine (OVM) 2.0 fork of the Go Ethereum tool. For his discovery, Freeman received the largest reward in the history of "bounty hunters": $2,000,042. According to the Optimism team, the bug allowed the creation of Ethereum on their platform by repeatedly triggering the SELFDESTRUCT opcode so that the same funds were paid out again.
The Optimism blog mentions that analysis of the blockchain showed that the flaw had not previously been exploited, with the exception of an accidental activation by an employee of the startup Etherscan, who did not take advantage of the opportunity that arose. Optimism fixed the issue within a few hours of confirming it.
At the end of last year, Optimism abandoned its whitelist and allowed all developers to create projects on its network. Before that, it was only available to selected projects such as Uniswap and Synthetix. This limitation made it easier to spot and fix potential bugs.
Optimism is a Layer 2 scaling solution for the Ethereum network that executes transactions on a separate chain outside of the main Ethereum network. This has a very positive effect on the speed and cost of transactions. At the same time, the discovery of the bug showed that Layer 2 protocols are more susceptible to external interference.
While Freeman’s bounty is one of the largest in history, MakerDAO has previously announced that it will offer a reward of up to $10 million for discovering critical vulnerabilities in its smart contracts.