The Story About How Vigilance Saved Money or Why It Is Necessary to Listen to the Community
A Twitter user found an exploit in the BitBTC bridge. But, the developers ignored the user's requests until someone started using the exploit.
A Twitter user found an exploit in the BitBTC bridge. But, the developers ignored the user's requests until someone started using the exploit.
We often write about various #Hacks&Bugs. However, in the crypto industry, as in any other IT-related field, hacks of varying severity often happen. But, occurrencesβ like this one rarely happen.
Last month, we described an extraordinary case when a hacker called stealing money from the Mango platform βa highly profitable trading strategy.β This time the case is much more fortuitous. A Twitter user, a tech expert at the company Arbitrum, Lee Bousfield discovered an exploit in the BitBTC bridge of Optimism and helped the developers fix the error, while no one took advantage of the vulnerability.
It all started with a tweet where Lee Bousfield wrote about the vulnerability of the BitBTC bridge. Also, the user wrote that the developers ignored his messages, so he decided to announce the exploit on Twitter.
BitBTC's Optimism bridge is trivially vulnerable. Their team has ignored my messages, so I'm going to publish the critical exploit here. π§΅https://t.co/onyN9SzBjt
β Lee Bousfield (@PlasmaPower0) October 18, 2022
What was the problem with the bridge and how did the exploit work? The problem was how the L1 side of the bridge perceived the tokens that came from the L2 side of the bridge. The L1 side completely ignored what the L2 token was. Roughly speaking, a hacker could create fake tokens, send them to the L1 side, and then get real tokens.
The Optimism L2 side of the bridge lets you withdraw any token, and it lets that token pick the l1Token address passed to the L1 side of the bridge. pic.twitter.com/74HlMRpCLs
β Lee Bousfield (@PlasmaPower0) October 18, 2022
But fortunately, according to Lee Bousfield, it would take seven days to use the exploit.
Then, when the attacker withdraws their malicious token through the BitBTC bridge, it gives them real BitBTC tokens on L1! Luckily, this exploit would take 7 days to go through, during which the L1 bridge could be fixed via an upgrade.
β Lee Bousfield (@PlasmaPower0) October 18, 2022
Another problem was that the developers ignored Lee Bousfield's requests. That's why the user decided to post everything on Twitter. Hoping that the developers would pay more attention to the vulnerability and fix it.
I've been unable to get in contact with their team @SatoshiNJunior and my messages on Telegram have been unanswered, so unfortunately I'm left having to publish this on Twitter and hope that they fix it in time.
β Lee Bousfield (@PlasmaPower0) October 18, 2022
Stay safe, and remember, not everyone's going to make it π«
Literally on the same day, some hacker started withdrawing 200 billion fake BitBTC from the side of the Optimism Bridge. And later, the exploiter said that he had no intention of stealing something, he was only testing a vulnerability. An interesting coincidence. Did Lee Bousfield decide to use the exploit himself to attract attention? We shall never know.
It's happening π
β Lee Bousfield (@PlasmaPower0) October 18, 2022
An attacker is withdrawing 200 billion fake BitBTC from Optimism
The BitBTC team has 7 days to fix it on L1!https://t.co/bxLq370xWE
Fortunately everything ended well, the developers released a patch which fixed the vulnerability.
The BitBTC vulnerability has been patched! π
β Lee Bousfield (@PlasmaPower0) October 19, 2022
The attacks will now fail when they arrive on L1. Thanks everyone for making noise and helping get this fixed πhttps://t.co/bTkrwFF4En https://t.co/OOCXhhS5bR
This is a nice story about how important it is to listen to the community. We are glad that everything ended well and continue to observe.