
Attacking an Ethereum L2 with Unbridled Optimism

267 points by daegloe, over 3 years ago

10 comments

iskander, over 3 years ago
This is a concerning aspect of Ethereum's strategy to push scaling to layer-2 networks: Ethereum is a heavily audited and tested protocol that runs an extremely decentralized network of diverse clients. L2s can be...an AWS instance running arbitrary buggy code. Much of the confidence in the "base layer" that people using Ethereum currently experience will be significantly undermined if mundane transactions wend in and out of different L2s.
lihorne, over 3 years ago
Hey! Optimism's head of engineering here!

We're super grateful to saurik for writing up such a great analysis of what he found. If you want to hear some of our key takeaways as the maintainers of the network, you can check out our disclosure post here [1].

If you're wondering WTF Optimism is... we are building an optimistic rollup on top of ethereum. The basic idea is to de-couple blockchain computation from data availability and allow a new operator to exist called a sequencer which can accept transaction requests and submit the calldata to Ethereum Mainnet, but do the computation on Optimism Mainnet. There is an idea of a fault proof which means you can verify that the computation done on Optimism Mainnet followed the exact rules of the EVM, and you can prove this on Ethereum Mainnet. Our fault proof codebase, cannon, was built by another jailbreak legend (geohot) precisely with the goal of running Ethereum's battle-tested code and minimize the chances of bugs like this. It's some really cool stuff. If you're into compilers, VMs, and blockchains alike, check it out! [2]

The protocol is still in active development, it is not done yet, and that's exactly why we set up this bug bounty program. We think bug bounties matter, a lot, and we're proud to now become the record holders of the largest bug bounty payout in history, however we hope to very quickly be beaten by someone else. Developers like saurik, who we've gotten to know recently, are super important for this ecosystem to thrive. Building this stuff is hard, and we want the best hackers in the world to get rich breaking these protocols because if we succeed in this industry, this technology will be the backbone of the world's financial infrastructure — it needs to be secure. Everything we write is also MIT licensed and developed completely in the open.

Very happy to answer any questions, I'll check this thread for the rest of the day — AMA :)

Also, we are hiring! [3]

[1] https://optimismpbc.medium.com/disclosure-fixing-a-critical-bug-in-optimisms-geth-fork-a836ebdf7c94
[2] https://github.com/ethereum-optimism/cannon/
[3] https://boards.greenhouse.io/optimism
steelstraw, over 3 years ago
At least Optimism is smart enough to offer huge bounties. They awarded him $2,000,042 for this.

https://twitter.com/saurik/status/1491821215924690950
kristofferR, over 3 years ago
This title is way underselling this.

As far as I could gather from a quick googling, this is the largest single bug bounty payout in history.
artdigital, over 3 years ago
Can someone explain this to me?

He states that Optimism doesn't have a native gas token and native currency, and eth balances are implemented using ERC20 tokens with OVM instead of the native balance mechanism.

However the exploit is using selfdestruct to transfer and create the remaining balance to the target address, effectively creating new tokens out of thin air.

> This means that, when a contract self-destructs, its balance is BOTH given to the beneficiary AND ALSO KEPT. If the contract had 10 ETH, 10 ETH are CREATED from thin bits and handed to the beneficiary.

But I thought from this explanation that contracts don't have a balance because ETH is stored in an ERC20 contract, and is set to 0. How can the contract have balance (10 ETH) to transfer on selfdestruct when optimism doesn't have a native balance?
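The balance duplication quoted in the comment above, as an added Python model that is not part of the article, the thread, or Optimism's geth fork: a toy account state, the SELFDESTRUCT transition in its correct form beside the faulty form the quote describes (beneficiary credited, contract balance not cleared), and a supply-conservation check of the kind a node operator or auditor can run over a state diff to flag such a transition. Addresses and amounts are constructed sample values.

```python
"""Toy model of the EVM SELFDESTRUCT state transition.

Added illustration, not code from the article or from Optimism's codebase.
It contrasts correct semantics with the behaviour described in the thread
(the destroyed contract's balance is credited to the beneficiary but also kept)
and shows a conservation invariant that detects the discrepancy.
"""
from dataclasses import dataclass, field


@dataclass
class State:
    """Minimal account state: address -> balance in wei (constructed sample)."""
    balances: dict = field(default_factory=dict)

    def balance(self, addr: str) -> int:
        return self.balances.get(addr, 0)

    def total_supply(self) -> int:
        return sum(self.balances.values())


def selfdestruct(state: State, contract: str, beneficiary: str, *, keep_balance: bool) -> State:
    """Apply SELFDESTRUCT(beneficiary) executed by `contract` and return the new state.

    keep_balance=False: correct semantics. The balance is credited to the
    beneficiary and the contract's own balance is cleared (a self-beneficiary
    therefore burns the ETH, which is what the pre-Cancun EVM does).
    keep_balance=True: the faulty behaviour quoted in the thread. The beneficiary
    is credited but the contract's balance is left in place, so ETH is duplicated.
    """
    new = State(dict(state.balances))
    amount = new.balance(contract)
    new.balances[beneficiary] = new.balance(beneficiary) + amount
    if not keep_balance:
        new.balances[contract] = 0
    return new


def supply_delta(before: State, after: State) -> int:
    """Conservation check: a pure transfer must leave total supply unchanged.

    A positive delta means value was created; this is the signal an operator
    would alert on when diffing pre- and post-state of a block.
    """
    return after.total_supply() - before.total_supply()


def run_scenario(keep_balance: bool) -> dict:
    """Run the 10 ETH case from the quoted passage and report the observable results."""
    eth = 10**18
    before = State({"0xContract": 10 * eth, "0xBeneficiary": 0})  # constructed sample
    after = selfdestruct(before, "0xContract", "0xBeneficiary", keep_balance=keep_balance)
    return {
        "contract_after": after.balance("0xContract"),
        "beneficiary_after": after.balance("0xBeneficiary"),
        "supply_delta": supply_delta(before, after),
    }


if __name__ == "__main__":
    for flag in (False, True):
        label = "faulty (balance kept)" if flag else "correct"
        print(f"{label}: {run_scenario(flag)}")
```

In the correct run the beneficiary ends with 10 ETH, the contract with 0, and the supply delta is 0; in the faulty run both hold 10 ETH and the supply delta is +10 ETH, which is exactly the "created from thin bits" effect the quote describes and the invariant a reconciliation job should assert.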
X6S1x6Okd1st, over 3 years ago
Excellent write up! Glad you were well compensated.
vmception, over 3 years ago
What's the best way to replicate these states on localhost?

When using the L1s, it is easy to fork the current state of the network with Brownie and bang at smart contracts for free using fake gas on localhost, reserving any advantage or unexpected behavior you find for the bug report, or redeploying it on mainnet for the bug bounty, paying the gas just that one time.

But with L2s in the mix, especially Optimism, how would one do the same? Would it be like two instances of Brownie in virtual environments? Kind of like having a cluster of microservices booted up in Vanguard on localhost?
paxys, over 3 years ago
Wow I haven't heard Jay Freeman's name in the news since the old iPhone jailbreaking days. Glad to see he is still at it.
cgb223, over 3 years ago
Page seems to be down. Can't connect to server.
superfrogged, over 3 years ago
May I recommend cracking an economics textbook