Some mistakes are more valuable than others. This is perhaps the first lesson we can learn from the case of Jay Freeman, a programmer who discovered a bug in Optimism, an Ethereum layer 2 network, and received a $2,000,042 bounty.
It is perhaps the largest bounty ever paid for finding a bug, at least among those that have been made public.
Freeman, who is also known as saurik for his work on Cydia, an app that works as an alternative to the App Store for iOS devices, yesterday published a detailed account of how he found a bug in the code of Optimism Rollup.
The programming flaw would have allowed an attacker to “have access to an unlimited amount of tokens”, namely the OETH tokens that represent ETH on Optimism. Finding and reporting it therefore spared Optimism, a layer 2 network that offers cheap transactions for the Ethereum ecosystem, a hack of enormous economic proportions, had the bug not been recognized and fixed in time.
According to Freeman’s detailed description, the vulnerability was in the virtual machine that ran the Optimism smart contracts.
To understand how Optimism works and what this vulnerability represents, it helps to know that value moving between Ethereum and Optimism passes through a “bridge”. ETH is locked in a smart contract on Ethereum, and in exchange the Optimism chain credits the depositor with OETH tokens, which are literally IOUs (short for “I owe you”) against that locked ETH. Whenever funds need to move back to the Ethereum side, the IOUs are redeemed, to put it in simple terms, and the corresponding ETH is released from the bridge contract.
Optimism vulnerability was not so optimistic
In the words of Jay Freeman, “with the ability to surreptitiously print IOUs (Optimism OETH tokens) over the other side of the bridge, you can still try to (slowly) withdraw money from reserves, but now it will look like a legitimate transfer, which makes it easier to act without being noticed.”
This ability to create unlimited tokens, Freeman speculates, could have given an attacker the power to go to every exchange running on Ethereum’s second layer and buy unlimited amounts of other tokens. With that reach, the attacker could also “further manipulate price oracles and take advantage of other attacks” before anyone realized that all that money was fake, he adds.
Optimism vulnerability exposed
According to Jay Freeman, his interest in Optimism began in 2020, when he thought that the company’s technology could serve his own work on Orchid, a network that provides a decentralized VPN through which users buy bandwidth from a pool of global providers. Orchid uses an ERC-20 token, and Freeman needed a mechanism for micropayments across various blockchains.
Specifically, what Freeman, who describes himself as a gray hat security researcher, observed was that when a contract executes the SELFDESTRUCT opcode, it designates a beneficiary to “receive whatever funds you still hold.”
In the Ethereum Virtual Machine implementation used by the go-ethereum (geth) client, the handler for this opcode first adds the contract’s balance to the beneficiary and then calls a routine named StateDB.Suicide, which marks the account for deletion and sets its balance to 0. The actual removal of the account is deferred until the entire transaction is complete.
Optimism’s virtual machine, however, tracked ETH balances differently from stock geth, yet its StateDB.Suicide still zeroed the account’s native balance field directly, without going through the modified balance-handling code that the rest of the Optimism virtual machine relied on.
As a result, things did not go as planned: when a contract “self-destructed”, its balance was delivered to the beneficiary and also kept by the contract. If a contract had 10 ETH, another 10 ETH was created out of thin air and delivered to the beneficiary, and since the contract still held its 10 ETH, the trick could be repeated.
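To make the difference between the two virtual machines concrete, here is a small Go model added for this article. It is not go-ethereum’s or Optimism’s code; the type and function names (StateDB, RunAttack, ethToken) and the two addresses are illustrative, and the map that stands in for a token contract’s storage is an assumed simplification of how the Optimism virtual machine kept ETH balances outside the native balance field. In “OVM mode” the Suicide routine still zeroes only the native field, so re-creating the contract at the same address and self-destructing it again pays the beneficiary once more each round:

```go
package main

import (
	"fmt"
	"math/big"
)

// Address is a simplified account identifier (illustrative; real ones are 20 bytes).
type Address string

// account is a minimal model of a geth state object: the native balance field
// and the "suicided" flag. As in geth, the account is only removed at Finalise.
type account struct {
	balance  *big.Int
	suicided bool
}

// StateDB is a toy state database. With ovmMode false it behaves like plain
// geth and keeps ETH in the native balance field. With ovmMode true it models
// the OVM, which (assumed simplification) kept L2 ETH in a token contract's
// storage, represented here by the ethToken map keyed by account address.
type StateDB struct {
	accounts map[Address]*account
	ethToken map[Address]*big.Int
	ovmMode  bool
}

func NewStateDB(ovm bool) *StateDB {
	return &StateDB{accounts: map[Address]*account{}, ethToken: map[Address]*big.Int{}, ovmMode: ovm}
}

// Deploy creates (or re-creates, as CREATE2 allows at a fixed address) an account.
func (s *StateDB) Deploy(addr Address) {
	s.accounts[addr] = &account{balance: new(big.Int)}
}

// GetBalance reads from whichever store the mode uses; a missing entry is 0.
func (s *StateDB) GetBalance(addr Address) *big.Int {
	if s.ovmMode {
		if v, ok := s.ethToken[addr]; ok {
			return new(big.Int).Set(v)
		}
		return new(big.Int)
	}
	if acct, ok := s.accounts[addr]; ok {
		return new(big.Int).Set(acct.balance)
	}
	return new(big.Int)
}

// AddBalance credits amount in whichever store the mode uses.
func (s *StateDB) AddBalance(addr Address, amount *big.Int) {
	if s.ovmMode {
		cur := s.GetBalance(addr)
		s.ethToken[addr] = cur.Add(cur, amount)
		return
	}
	if _, ok := s.accounts[addr]; !ok {
		s.Deploy(addr)
	}
	s.accounts[addr].balance.Add(s.accounts[addr].balance, amount)
}

// Suicide mirrors the geth routine: flag the account and zero its native
// balance field. In ovmMode the token-tracked balance is never touched,
// which is the bug described in the article.
func (s *StateDB) Suicide(addr Address) bool {
	acct, ok := s.accounts[addr]
	if !ok {
		return false
	}
	acct.suicided = true
	acct.balance = new(big.Int)
	return true
}

// Finalise performs the deferred deletion of suicided accounts. Deleting an
// account does not clear the token contract's storage entry for its address.
func (s *StateDB) Finalise() {
	for addr, acct := range s.accounts {
		if acct.suicided {
			delete(s.accounts, addr)
		}
	}
}

// OpSelfdestruct models the SELFDESTRUCT handler: pay out, then Suicide.
func (s *StateDB) OpSelfdestruct(contract, beneficiary Address) {
	s.AddBalance(beneficiary, s.GetBalance(contract))
	s.Suicide(contract)
}

// RunAttack seeds a contract with `seed` wei (constructed funding, as if
// bridged in), then for `rounds` transactions re-deploys it at the same
// address if needed and self-destructs it to the beneficiary. It returns the
// beneficiary's balance and what the contract still holds afterwards.
func RunAttack(ovm bool, seed int64, rounds int) (*big.Int, *big.Int) {
	const contract, beneficiary Address = "0xContract", "0xAttacker"
	s := NewStateDB(ovm)
	s.Deploy(contract)
	s.AddBalance(contract, big.NewInt(seed))
	for i := 0; i < rounds; i++ {
		if _, live := s.accounts[contract]; !live {
			s.Deploy(contract)
		}
		s.OpSelfdestruct(contract, beneficiary)
		s.Finalise()
	}
	return s.GetBalance(beneficiary), s.GetBalance(contract)
}

func main() {
	for _, ovm := range []bool{false, true} {
		got, left := RunAttack(ovm, 10, 3)
		fmt.Printf("ovmMode=%v: beneficiary=%v, contract still holds=%v\n", ovm, got, left)
	}
}
```

With a 10 wei seed and three rounds, geth mode ends with the beneficiary holding 10 and the contract 0, while OVM mode ends with the beneficiary holding 30 and the contract still holding 10: every round mints another copy of the seed, which is the “thin air” ETH the article describes.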
On Twitter, Freeman published a tweet noting that the GitHub repository of a fork of Optimism had still not deployed the patch, even after the bug had been disclosed.
A gray hat security researcher
Most surprising of all, Freeman checked whether anyone had already used this vulnerability by running a simulation with the same Optimism virtual machine that flagged every execution of the self-destruct instruction by a contract holding a balance (which, he admits, is not a very common occurrence).
He found that in three months only one user had done so, precisely on Christmas Eve 2021. In those transactions, which can be seen in the Optimism block explorer hosted on Etherscan, three contracts were created and destroyed: the first two times by the recipient of the Ethereum smart contracts and the third time by the Optimism user himself.
When Freeman tracked down this user, convinced that the person had been aware of the vulnerability, he discovered that he was in fact an employee of Etherscan. This “simply proves that sometimes even people looking directly at a bug don’t always see the indirect security implications”, he reasons. He adds that he himself has not had time to check whether the bug was used on either of the two forks of Optimism, known as Boba and Metis.
Speed vs security
Jay Freeman is also a lecturer who constantly ponders the ethics of programming and of hacking, especially around restricted hardware and the fight against digital rights management. “The moral trade-offs have become somewhat clear to me over the years,” he argues.
He warns that in his experience as a security researcher “working with cryptocurrencies feels much murkier”, even more so when destruction as an ethic is hidden behind slogans such as “code is law”.
The frightening thing about working with cryptocurrencies, Freeman thinks, is that many believe they have to “play fast” regardless of the economic consequences, and that those who “spend too much time protecting user privacy before releasing new features are at a disadvantage.”
The perseverance of this security researcher, and the level of detail in his investigation and observation, can be considered the second lesson of this story.