On February 10, well-known Cydia and iOS Jailbreak developer Jay Freeman, otherwise known as Saurik, posted a Twitter thread about a bug he found in the Layer-2 scaling protocol. (L2) known as Optimism. According to Freeman, the vulnerability, which has been patched, could have allowed an attacker to create an infinite amount of tokens.
Cydia Creator ‘Saurik’ Discovers Optimism L2 Vulnerability
Jay Freeman is a prominent software developer well known for his iOS Jailbreak and Cydia tools. Freeman’s Cydia Graphical User Interface (GUI) was released in February 2008 and gives users of jailbroken iPhones the ability to download unauthorized software for the iOS operating system of Apple smartphones. Freeman recently published a blog post titled “Attacking an Ethereum L2 with Unbridled Optimism,” which explains how he reported a critical security issue to the developers of the L2 Optimism scaling solution.
Optimism’s L2 solution allows users to move Ethereum for a fraction of the cost. Currently, moving Ether using Optimism can cost $0.56 per transfer, unlike the current L1 gas fee which is $3.29 per transaction. To trade coins on-chain using L1, it will cost a user $16.47 in ether, but using Optimism to trade coins will cost $0.83. Freeman reported the Optimism vulnerability on February 2, 2022, and the bug has since been fixed.
The attack would have allowed “an attacker to replicate money on any chain using their ‘OVM 2.0’ fork of go-ethereum (which they call l2geth),” Freeman said. The developer further explained that he plans to talk about the Optimism vulnerability on February 18 at Ethdenver 2022. Freeman was also reward a bounty of $2,000,042 for discovering the bug and disclosing it to the team. The software engineer’s blog post describes how the attacker could hit an arbitrary amount of tokens before the bug was fixed.
“The bug presented here – which I dub ‘Unbridled Optimism’ – can perhaps (roughly) be modeled as a bug across a ‘bridge,'” Freeman wrote. “But it’s actually a bug in the virtual machine that runs the smart contracts on Optimism. Exploiting this allows the attacker to gain access to an effectively unlimited number of tokens (aka, IOUs) across the bridge. I argue that this is more dangerous than simply tricking the reserves into allowing a withdrawal. The developer continued:
Additionally, with your unlimited supply of IOUs, you can go to any decentralized exchanges operating on the L2 and waste their savings, buying large amounts of other tokens while devaluing the chain’s own currency. Using your access to infinite capital, you can further manipulate on-chain pricing oracles to take advantage of other attacks; and, until someone finally realizes your money is counterfeit, arbitrageurs will flock to the network to sell you their assets.
The pessimism surrounding cross-chain apps
In addition to the vulnerability found in Optimism, Freeman discussed the cross-chain bridge technology in detail. The developer mentioned that the same day he disclosed the bug to Optimism, the Wormhole Bridge was attacked. Freeman also touched on the Poly Network hack in his post. “Even when hackers steal money from a bridge, the ramifications are limited,” Freeman’s blog post explains.
Freeman discovering the optimism bug comes on the heels of the slew of cross-chain bridge hacks and new community concern over the security of this burgeoning technology. The Cydia developer’s blog post mentions concepts such as “‘insurance policies’ against crypto hacks”. Additionally, Ethereum (ETH) co-founder Vitalik Buterin recently spoke about the security concerns of cross-chain bridge platforms. “I’m pessimistic about cross-chain apps,” says a recent Reddit post from Buterin.
What do you think of Jay Freeman’s discovery of the Optimism bug? Let us know what you think about this topic in the comments section below.
Image credits: Shutterstock, Pixabay, Wiki Commons
Warning: This article is for informational purposes only. This is not a direct offer or the solicitation of an offer to buy or sell, or a recommendation or endorsement of any product, service or company. Bitcoin.com does not provide investment, tax, legal or accounting advice. Neither the company nor the author is responsible, directly or indirectly, for any damage or loss caused or alleged to be caused by or in connection with the use of or reliance on any content, goods or services mentioned in this article.