Developers for the Ethereum scaling project Optimism said Thursday that it patched a “critical bug” earlier this month.
As noted in a disclosure blog post, the team said that the bug was discovered in the project’s fork of Geth, the popular Ethereum implementation. “The bug made it possible to create ETH on Optimism by repeatedly triggering the SELFDESTRUCT opcode on a contract that held an ETH balance.”
A bug bounty of $2,000,042 was awarded to developer Jay Freeman, who penned a separate blog post about the issue after identifying the bug. The bug was reported to the Optimism team on February 2.
The team said that, according to its analysis, “the bug was not exploited” save for an accidental activation by a staffer at Ethereum data startup Etherscan.
“A fix for the issue was tested and deployed to Optimism’s Kovan and Mainnet networks (including all infrastructure providers) within hours of confirmation. We’d like to thank Infura, QuickNode, and Alchemy for their fast response times,” the team wrote. “We also alerted multiple vulnerable Optimism forks and bridge providers to the presence of the issue. These projects have all applied the required fix.”
Optimism is focused on the development of optimistic rollups, which operate at the so-called second layer and aggregate transactions outside of the Ethereum blockchain, where transactions are ultimately settled, with the goal of reducing the cost of transacting on the network. But as today’s disclosure demonstrates, layer-two protocols are subject to potentially risky security issues.
A number of optimistic rollups are in operation today, encompassing more than $5 billion in total value locked (referring to the funds contained therein). Optimism’s own rollup had roughly $530 million in locked ETH and ERC-20 tokens as of February 10, according to data collected by The Block Research.