by saurik on 2/13/22, 1:34 PM
Prior discussion of this incident (and the $2M bounty) here on Hacker News:
https://news.ycombinator.com/item?id=30289240
My (I'm the hacker) article / post-mortem this blog post is referring to:
https://www.saurik.com/optimism.html
At the time of this last getting traction a few days ago, some people were sad that the title of my article and the discussion that resulted focused more on the bug instead of the bounty (which my article gets into near the end as part of some high-level thoughts on ethics), which is maybe why I am suddenly seeing this appear here again this morning (as this news article is instead focussing on the bounty angle)?
FWIW, the $2M bounty--which was actually listed as $2,000,042 (as they wanted it to sort higher on the list at Immenufi, lol)--was potentially (none of us realized this at the time I "won", and I am honestly still not 100% sure of it now, though I haven't yet come across any counter-examples) the largest single bug bounty payout ever (...though, by only $42 ;P).
by hbbio on 2/13/22, 1:29 PM
It's not just any white hat hacker, it's saurik who was behind the original jailbreaking tools for iOS and the creator of Cydia, the unofficial app store back then. He is also now the "CTO" (if the term applies) of a well-known blockchain-based VPN, Orchid.
Edit: He has a great write-up about the vulnerability and its discovery on his blog:
https://www.saurik.com/optimism.html
(which was on HN a couple days ago)
by dylanz on 2/13/22, 4:55 PM
I remember walking down the main street in my hometown on my way to drink at a bar and seeing saurik and some friends at a bars all with their laptops out and hacking on something. What caught my eye was a terminal open and a Vim session. I walked up and we all chatted for a bit. Back in the day you didn't run into that very often where we lived so it was pretty cool to see. That boosted my conviction for my choice of IDE and I started bringing my laptop out to the bars in the evenings as well. Years later my friend and I built a business and pretty much all the code was written in the evenings at one of those bars. You can be social and code at the same time it turns out, and coding prevented me from drinking too much while I was out. No real morale to the story, just an anecdote I wanted to share. That said, congrats on the bounty saurik!
by dboreham on 2/13/22, 4:53 PM
Headline is misleading. Creation of wrapped ETH tokens on Optimism, thereby allowing _theft_ of ETH from contract escrowed funds.
by AviationAtom on 2/14/22, 1:19 AM
Why is there such hostility towards crypto?
I can understand the anger at Proof-of-Work cryptos, or perhaps the current somewhat "wild west" state of them, where fly-by-night operations work to separate people from their money, but ultimately I see them as the wave of the future.
Ultimately I think the cryptos that see the most success will likely be those that can be better regulated, which is somewhat at odds with why crypto came about, but without some protection it would be like an unregulated stock market.
by VectorLock on 2/13/22, 8:57 PM
I feel like this title should more accurately reflect this wasn't a bug with Etherum and real ETH couldn't be created.
by baobabKoodaa on 2/13/22, 2:37 PM
Title is misleading, since the bug doesn't actually allow creating ETH.
by vinnymac on 2/13/22, 3:27 PM
> Had the issue not been promptly resolved, malicious users on the chain could have exploited the flaw. This means a cyber actor could have gained access to the unlimited generation of fresh ETH tokens.
I am curious, would it be easy to detect an individual who was exploiting this vulnerability?
by rrjjww on 2/13/22, 4:30 PM
There is some discussion about this above, but I'm curious - does the $2M reward count as ordinary income? Would persons on work visas (i.e. H1B) be able to collect without jeopardizing their immigration status? Could you employer consider it moonlighting?
by everfree on 2/13/22, 5:54 PM
The title isn't really accurate. It wasn't a bug to create ETH, it was a bug to steal ETH from the Optimism contract.
by system2 on 2/13/22, 10:06 PM
I wonder when we are going to see a full Bitcoin crash due to a major hack. These type of news make people trust centralized currencies even more.
by tomas789 on 2/13/22, 6:57 PM
Jay Freeman is the man who found the bug. He is also author of the infamous Cydia - tool to install software on jailbroken iOS devices.
by ineedasername on 2/14/22, 1:01 PM
And it will probably be a lot easier to spend that $2M than $100M of exploited ETH that might have to be laundered clean, and still have some risk attached.
by kordlessagain on 2/14/22, 3:37 PM
> So, as of now, Optimism and other related Ethereum projects are bug-proof.
Just wait until AI gets its mittens on it.
by m4tthumphrey on 2/13/22, 4:33 PM
Was it paid cash or in ETH?
by TheRealNGenius on 2/14/22, 4:18 AM
I don't believe jailbreaking qualifies as white hat.
by OOPMan on 2/14/22, 5:04 AM
Did he get paid in real money or monopoly money?
by colesantiago on 2/13/22, 3:19 PM
This just proves how insecure the blockchain / web3 / cryptocurrency space is.
It's good to see white hat hackers in this space trying to fix what is already broken.
But sorry to be that person, just a timely reminder of the truth: All cryptocurrencies and 'DeFi projects' are ponzi scams including Orchid.
by ForHackernews on 2/13/22, 3:52 PM
How much did he give up by not exploiting it? Whatever happened to 'code is law'?
How sad to see web3 rehashing the failures of webs 1 through two.
by jollybean on 2/13/22, 2:39 PM
In other words: ETH was an insecure blockchain and once compromised, there is no legal or operational recourse, with the implication that issues could indeed exist today. House of Cards.