In earlier February, the team behind Ethereum layer 2 scaling solution Optimism received word on a critical bug that could allow a bad actor to “create ETH” on the network. The bug was part of the solution’s Geth fork and was discovered by Jay “saurik” Freeman, Head of Technology at Orchid Protocol.
A bad actor could have leveraged the vulnerability on this Ethereum layer 2 solutions via the SELFDESTRUCT opcode on a contract that held funds in the underlying cryptocurrency, according to an official post. However, the bug was fixed without it ever being exploited.
The team behind Optimism conduced a chain history and discovered the bug was only triggered once, 40 days before being discovered, accidentally by an Etherscan employee. However, the person didn’t generate ETH, per the investigation conducted by Freeman. The team added:
A fix for the issue was tested and deployed to Optimism’s Kovan and Mainnet networks (including all infrastructure providers) within hours of confirmation.
Optimism forks were also alerted on the vulnerability and, as the team said, all applied the fix. In that sense, they call on everyone running a replica of their software to update to l2geth version 0.5.11 or risk un-synchronization with the rest of the network.
Freeman will receive the maximum bounty, estimated at $2 million, for his contribution to the Ethereum scaling solution. The team behind Optimism thanked him for “helping to keep Optimism safe”. They added the following on the new challenges that a growing project faces:
Today, between bridges, more providers, and even multiple mainnet forks of our codebase, it’s a different story. It’s great for decentralization, but it adds complexity to releases. And security releases bring even more complexity — we can’t immediately publish an obvious patch, or we risk someone reverse-engineering the vulnerability before anyone upgrades.
How To Attack An Ethereum Scaling Solution
Freeman published a detailed report on his discoveries, adding that the second layer solution was opened to an attack via their client, OVM 2.0 a fork of go-Ethereum referred to as l2geth. The Orchid Protocol, as he said, is a second layer scaling solution. So, his experience was invaluable when discovering the vulnerability of Optimism.
Freeman called the bug he discovered “Unbridle Optimism” and claimed it originated on the virtual machine executing smart contracts on the Optimism. By exploring it, a bad actor could produce ETH on “the far side of the bridge” connecting the L1, Ethereum, and its second layer. He wrote in his report:
(…) It is my contention that this is more dangerous than merely tricking the reserves into allowing a withdrawl. With the ability to sneakily print IOUs (known on Optimism as OETH) on the other side of the bridge, you still can try to (slowly) withdraw money from the reserves, but now it will look like a legitimate transfer, making it easier to go unnoticed.
The calamity might have spread to the entire Ethereum ecosystem as a bad actor could have been able to go into decentralized protocols using Optimism and “mess with their economies”, the report said. Thus, Freeman called it an “economic griefing attack” with the potential to jeopardize the “entire ledger”.
