The Ethereum Layer-2 solution Optimism has fixed a critical software bug in one of its smart contracts on Ethereum. On February 2, the Optimism team was alerted by Jay Freeman to a critical bug in Optimism's fork of the Geth Ethereum client software. According to the Optimism announcement, “Funds are Safu.”

The bug made it possible for a malicious hacker to create ETH on Optimism by “repeatedly triggering the SELFDESTRUCT opcode on a contract that had an ETH balance.” Opcodes are the instructions that the Ethereum Virtual Machine (EVM) runtime environment executes.

Bug accidentally triggered by an Etherscan employee

Analysis of the Optimism blockchain history by the Optimism team showed that the bug was not exploited. The bug appears to have been accidentally triggered on one occasion by an employee of the popular Etherscan block explorer. According to the report, “no usable surplus ETH was generated.”

According to the announcement, within hours of the commit, the Optimism team developed and deployed a fix to the Kovan and Mainnet networks and sent alerts to teams developing vulnerable Optimism forks and to L1-L2 bridge vendors. Apart from the announcement, the Optimism team has also published a detailed breakdown of the incident.

As part of the Optimism Immunefi Bug Bounty Program, the maximum amount of just over $2 million was paid to Jay Freeman. The fact that the maximum amount was paid indicates the seriousness of the bug. However, the announcement does not speculate on the possible harm had the bug been exploited by a malicious hacker.

The growing DeFi ecosystem makes security complex

According to the Optimism blog post, defending the DeFi ecosystem against security issues is becoming increasingly complex, largely as a direct consequence of decentralization itself.

The post says:

“It is clear that the ecosystem will soon be too large for this to remain practical. We will update our disclosure protocol to more closely match Geth’s in the near future.”

The post also points out the importance of bug bounty programs.

The Optimism team is currently in the process of specifying and building the next major release, Optimism: Bedrock Edition. According to Optimism, Bedrock Edition will significantly reduce the difference in code base between Optimism’s Geth fork and the “official” go-ethereum client. Not having to modify the original code as much makes it less likely to introduce bugs.


This post, “Critical bug in Ethereum L2 Optimism, $2 million bounty paid,” was published first on https://cryptoslate.com/critical-bug-in-ethereum-l2-optimism-2m-bounty-paid/
