A mix-chain bridge between BitBTC and also the Ethereum layer-2 network Optimism has had the ability to avoid a potentially pricey exploit because of the work of the bald eagle-eyed Twitter user.
The custom mix-chain bridge provides a ramp for users to send assets between Optimism’s network and BitAnt’s decentralized finance (DeFi) ecosystem, including yield services, nonfungible tokens (NFTs), swaps and also the BitBTC token, by which a million BitBTC represents 1 Bitcoin (BTC).
The BitBTC bridge bug was highlighted by L2 network Abirtrum tech lead Lee Bousfield within an March. 18 Twitter publish, warning that “BitBTC’s Optimism bridge is trivially vulnerable.”
Bousfield stated he printed the Tweet because the “team has overlooked my messages, so I will publish the critical exploit here.”
BitBTC’s Optimism bridge is trivially vulnerable. Their team has overlooked my messages, so I am likely to publish the critical exploit here. https://t.co/onyN9SzBjt
— Lee Bousfield (@PlasmaPower0) October 18, 2022
Based on Bousfield, the BitBTC bridge were built with a bug that will allow an assailant to mint fake tokens somewhere from the bridge, and swap them legitimate ones alternatively.
“The Optimism L2 side from the bridge enables you to withdraw any token, also it let’s that token select the L1Token address passed towards the L1 side from the bridge. However, the L1 bridge completely ignores exactly what the L2 token was, and merely goes ahead and mints the arbitrary L1 token!” he authored, adding that:
“That means an assailant could deploy their very own token on Optimism, give themselves all of the supply, and hang that token’s L1 Token towards the real BitBTC L1 address.”
For that bug to become exploited effectively, Bousfield outlined it would take “7 days to undergo, where the L1 bridge might be fixed with an upgrade.”
Soon after noting such, someone continued to check that theory, by having an attacker trying to withdraw “200 billion fake BitBTC from Optimism.”
The attacker apparently claimed it had become merea test.
Bousfield also noted inside a subsequent update around 10 hrs later the bug had since been patched after he were able to contact the BitBTC team.
Cointelegraph has arrived at to the BitAnt team for confirmation on these records and can update the storyline when they respond.
Related: Ethereum Noisy Alarms exploit results in $260K in stolen gas charges to date
Optimism developer Kevin Fichter on March. 18 confirmed the bug was on BitBTC’s aspect, because it had used its very own custom bridge instead of Optimism’s standard bridge it provides to partners.
Fichter also noted that assets “other than BitBTC aren’t in danger,” adding there was lots of “time and put into the conventional bridge” and encouraged individuals to make use of the standard bridge “unless guess what happens you’re doing.”
