Jay Freeman, known for iOS Jailbreak and Cydia, wrote a Twitter post about a vulnerability he had found in the layer-2 (L2) scaling protocol Optimism. Freeman claims that the flaw, now fixed, allowed attackers to make infinite amounts of tokens.
Cydia Creator ‘Saurik’ Discovers Optimism L2 Vulnerability
Jay Freeman is an acclaimed software developer, best known for Cydia and iOS Jailbreak. Freeman’s Cydia graphical user interface (GUI) was released in February 2008, and it gives users with jailbroken iPhones the ability to download unauthorized software for the Apple smartphone operating system iOS. Freeman recently published a blog post called “Attacking an Ethereum L2 with Unbridled Optimism,” which explains how he reported a critical security issue to the developers of the L2 scaling solution Optimism.
Optimism’s L2 solution allows users to move ethereum for a fraction of the cost. Optimism currently allows you to transfer ether at $0.56 per transaction, as opposed to the current L1 gas fee of $3.29 per transaction. A user will need to spend $16.47 to exchange coins onchain with L1, but the cost of using Optimism for swapping coins will be $0.83. Freeman reported that the Optimism flaw was discovered on February 2, 2022. This bug has since been corrected.
The attack would have allowed “an attacker to replicate money on any chain using their ‘OVM 2.0’ fork of go-ethereum (which they call l2geth),” Freeman said. The developer further explained that he will be speaking about the Optimism vulnerability at Ethdenver 2022 on February 18, 2019. Freeman was also awarded a $2,000,042 reward for detecting the bug and disclosing the information to the team. The software engineer’s blog post describes how an attacker could have minted an arbitrary quantity of tokens before the bug was patched.
“The bug presented here — which I dub ‘Unbridled Optimism’ — can maybe be (crudely) modelled as a bug on the far side of a ‘bridge,’” Freeman wrote. “But is actually a bug in the virtual machine that executes smart contracts on Optimism. This allows the attacker access to an unbounded amount of tokens, aka the IOUs on the other side of the bridge. It is my contention that this is more dangerous than merely tricking the reserves into allowing a withdrawal.” The developer continued:
Further, with your unbounded supply of IOUs, you could go to every decentralized exchange running on the L2 and mess with their economies, buying up vast quantities of other tokens while devaluing the chain’s own currency. You could also manipulate the onchain pricing and/or oracles for leverage to launch other attacks. Arbitragers will continue to flock to your network until they realize your currency is fake.
Cross-Chain Applications and the Pessimism That Surrounds Them
Freeman also discussed the vulnerabilities in Optimism in detail. He mentioned that on the very same day he revealed the bug to Optimism, Wormhole was also attacked. His blog post also mentions the Poly Network hack. “Even when hackers do steal money from a bridge, the ramifications are limited,” Freeman’s blog post explains.
Freeman’s discovery of the Optimism bug follows a slew of hacks against cross-chain bridges and the community’s newfound concern over the security of this up-and-coming technology. The Cydia developer’s blog post mentions concepts like “‘insurance policies’ against crypto hacks.” Moreover, Ethereum (ETH) co-founder Vitalik Buterin recently discussed concerns tied to the security of cross-chain bridge platforms. “I am pessimistic about cross-chain applications,” a recent Reddit post by Buterin declares.