Recently Saurik received what might be the biggest single bug bounty payout ever…two million dollars.
The bug was in Optimism, a project that aims to make it easier to work with the Ethereum blockchain.
Optimism?
Optimism creates a layer on top of Ethereum. It’s an acknowledgement that some activity on the blockchain is too costly and time consuming.
The goal here is a “fast lane” that allows for smaller transactions.
Eventually, these smaller transactions are written to the blockchain but until they do, it’s just a large collection of IOUs.
IOU
Saurik’s discovery was that when a smart contract (the code that manages a set of IOUs) self destructs, it didn’t properly line up the IOUs with the actual transactions.
This allowed for the creation of unlimited IOUs.
That’s bad.
If you’re interested, there’s an extremely detailed breakdown of the bug on Saurik’s website.
Hacking Spree?
Previous attacks—like Wormhole and Qubit Finance—were able to drain funds that already existed. The attacker in these cases was able to move your money to their wallet.
This bug allowed the attacker to create new promises of money (an IOU) that were indistinguishable from legitimate transactions made through Optimism.
As Saurik lays out in his post, the consequences of that could’ve been catastrophic. The other attacks we’ve seen cost specific organizations millions.
Exploiting this bug could’ve destabilized the entire system.
Responsible Disclosure
Thankfully, Saurik disclosed the bug responsibly and it’s been patched. But what about the next one?
All technology takes time to stabilize…but during that time it isn’t usually responsible for millions and millions of dollars in transactions.
Bugs have never been more expensive.