(ORDO NEWS) — The developers of the Optimism project, dedicated to scaling Ethereum, reported the discovery of a critical bug that allowed the creation of an arbitrary number of tokens of this cryptocurrency.
At the moment, this possibility has been eliminated and a record reward has been paid for the discovery of the bug.
The vulnerability, in theory, allowed attackers to create as much Ethereum in an Optimism account as they would like – this was discovered by white hat hacker Jay Freeman, who is best known as the developer of the Cydia iOS hacking software.
In one post, Freeman explained that the bug allowed an attacker to duplicate money using the Optimistic Virtual Machine (OVM) 2.0 fork of the Go Ethereum tool.
For his discovery, Freeman received the largest reward in the history of “bounty hunters” – $ 2,000,042. According to the Optimism team, the bug allowed creating Ethereum on their platform by repeatedly running the SELFDESTRUCT execution code to replenish the balance.
The Optimism blog mentions that the analysis of the blockchain showed that the bug had not been exploited before, with the exception of an accidental activation by an employee of the startup Etherscan, but he did not use the opportunities that presented themselves. The issue was fixed by Optimism within hours of being confirmed to exist.
At the end of last year, Optimism abandoned the “whitelist”, allowing any developers to build projects on its network. Before that, it was only available to special projects like Uniswap and Synthetix. This limitation made it easier to recognize and eliminate potential bugs.
Optimism is a Layer 2 scaling solution for the Ethereum network, executing transactions on the external chain, outside of the main Ethereum network.
This, in particular, has a very beneficial effect on the speed and cost of transactions. At the same time, the discovery of a bug showed that Layer 2 protocols are more vulnerable to external interference.
While Freeman’s bounty is one of the largest in history, MakerDAO has already announced that it will offer a reward of up to $10 million for discovering critical vulnerabilities in its smart contracts.
Contact us: [email protected]