The developers of Optimism, a layer-two solution for scaling Ethereum, have fixed a critical vulnerability.
The bug was discovered by programmer Jay Freeman in Optimism's fork of Geth. According to the description, the vulnerability allowed ETH to be created in the protocol by repeatedly triggering the SELFDESTRUCT opcode.
Freeman reported the bug to the Optimism team on February 2. He received the bounty program's maximum reward, $2,000,042, for disclosing the issue.
A retrospective analysis showed that the bug had not been abused, apart from one accidental triggering by an employee of the Ethereum block explorer Etherscan. No coins were issued.
“The fixed update was tested and deployed to Optimism Kovan networks and the mainnet (including all infrastructure providers) within hours of being reported,” the team wrote.
The developers have also alerted a number of vulnerable forks of Optimism and bridge providers to the issue. All projects have applied the necessary fixes.
The Optimism team emphasized that the incident demonstrated the importance of the bug bounty program. Around the same time, the Wormhole cross-chain bridge was hacked for 120,000 ETH (~$319 million), after which the project considered launching a $3.5 million bounty initiative.
In October 2021, the team behind the layer-two solution Polygon paid the maximum $2 million under its bug bounty program for the disclosure of a vulnerability that threatened the company with a loss of $850 million.