Optimism team pays out over $2 million for disclosed vulnerability

The Optimism developers, layer-2 scaling solution for Ethereum, patched a critical vulnerability.

Last week we patched a critical bug in the Optimism codebase, discovered by @saurik. Here’s our official disclosure and some of the lessons we learned.https://t.co/9DbR8QBYyw

— Optimism (@optimismPBC) February 10, 2022

The bug was discovered by programmer Jay Freeman in the Geth client fork code for Optimism. According to the description, the vulnerability allowed creating ETH in the protocol, repeatedly triggering the SELFDESTRUCT function.

Freeman reported the bug to the Optimism team on February 2. For disclosure he received the maximum bounty of $2,000,042.

Last week, I discovered (and reported) a critical bug (which has been fully patched) in @optimismPBC (a «layer 2 scaling solution» for Ethereum) that would have allowed an attacker to print arbitrary quantity of tokens, for which I won a $2,000,042 bounty. https://t.co/J6KOlU8aSW

— Jay Freeman (saurik) (@saurik) February 10, 2022

A retrospective analysis showed that the bug was not exploited, except for a random activation by an Ethereum-explorer employee at Etherscan. No coins were minted.

“The fix has been tested and deployed in the Optimism Kovan and mainnet networks (including all infrastructure providers) within a few hours after the disclosure,” the team wrote.

The developers also cautioned several vulnerable Optimism forks and bridge providers about the issue. All projects applied the necessary fixes.

The Optimism team stressed that the incident underscored the importance of bug-bounty programs. Around this time, the Wormhole cross-chain bridge was hacked for 120,000 ETH (~$319 million), prompting the project to consider launching a $3.5 million bounty initiative, the developers noted.

In October 2021, the Polygon team behind the layer-2 solution paid out the maximum $2 million under its bug-bounty program for disclosing a vulnerability that threatened losses of $850 million.