How Twitter Helped Avert a Critical Exploit

A Twitter user helped prevent a 200 billion BitBTC exploit

by Bessie Liu /
article-image

Source: DALL·E

share

key takeaways

  • This vulnerability was not in Optimism’s code, but rather in a custom bridge provided by BitBTC
  • BitBTC’s custom bridge code did not acknowledge the specific layer-2 token being minted to the layer-1 address

A Twitter user has helped avert a potential exploit after publicly flagging a vulnerability in BitBTC’s Optimism bridge — the latest such near-miss amidst a year full of “successful” thefts. 

Lee Bousfield, a tech lead at Ethereum scaling solution Arbitrum — PlasmaPower0 on Twitter — published what he dubbed a critical exploit after he said his messages were ignored by BitBTC. 

Loading Tweet..

The BitBTC bridge to or from Optimism’s blockchain facilitates withdrawals of any token between layer-2 and a corresponding layer-1 wallet. But, the BitBTC code involved does not acknowledge what the layer-2 token actually is —and mints an arbitrary layer-1 to match. 

“That means an attacker could deploy their own token on Optimism, give themselves all the supply, and set that token’s L1Token to the real BitBTC L1 address,” Bousfield tweeted.

“When the attacker withdraws their malicious token through the BitBTC bridge, it gives them real BitBTC tokens on L1,” he said.

Of note, the apparent vulnerability was not in Optimism’s code, but rather in a custom bridge facilitated by BitBTC, according to Kelvin Fichter, an Optimism developer. Meaning, he said, no assets other than BitBTC assets were at risk.

“We put a lot of time and energy into the standard bridge and I highly recommend using the standard bridge rather than rolling your own custom bridge unless you really know what you’re doing,” Fichter tweeted.

The next day, an attacker — who claimed he was testing the code, tried to withdraw 200 billion BitBTC from Optimism. 

The exploit was able to be stopped as the process of withdrawing the token from the bridge would have taken seven days, and BitBTC in the interim patched the vulnerability via a software update.

“The attacks will now fail when they arrive on L1. Thanks everyone for making noise and helping get this fixed,” Bousfield tweeted.

Bousfield did not immediately return a request for comment.

Start your day with top crypto insights from David Canellis and Katherine Ross. Subscribe to the Empire newsletter.

Tags

Upcoming Events

Permissionless III

Salt Lake City, UT

WED - FRI, OCTOBER 9 - 11, 2024

Pack your bags, anon — we’re heading west! Join us in the beautiful Salt Lake City for the third installment of Permissionless. Come for the alpha, stay for the fresh air. Permissionless III promises unforgettable panels, killer networking opportunities, and mountains […]

learn more

recent research

ao cover.jpg

Research

The AO Computer: Spawning an Agent Economy

Arweave recently launched the testnet for AO computer, a new messaging protocol that will sit atop a PoS network and aims to become a scalable global compute platform through parallel processing and modularity.

by 0xpibblez

/

news

article-image

Business

Buyers and sellers: How bitcoin miners are thinking about post-halving M&A

Marathon Digital and Riot Platforms each have more than $1 billion in cash and BTC to deploy, while CleanSpark has said it could be “one of the most aggressive acquirers”

by Ben Strack /
article-image

DeFi

Worldcoin teases ‘World Chain’ layer-2

Worldcoin-related activity currently makes up 43% of activity on Optimism, a Dune dashboard suggests

by Jack Kubinec /
article-image

Education

Q&A: What to watch ahead of the bitcoin halving 

Grayscale’s research team sheds light on what is different about this halving and how to prepare

by Casey Wagner /
article-image

Analysis

Empire Newsletter: Solana patch targets congestion woes

During the first week of the year, Solana raked in less than 3% of the total fees across 11 major blockchains

by David Canellis&Katherine Ross&Casey Wagner /
article-image

Web3

Empire Newsletter: Uniswap’s SEC woes drag DeFi below CeFi

In this edition: Analyzing the SEC’s market impact, the 13F ETF tell-all and FTX generating bipartisan unity in Congress

by David Canellis&Katherine Ross&Casey Wagner&Michael McSweeney /
article-image

Business

A16z raises $7.2B

The firm raised the funds for the American Dynamism, Apps, Games, Infrastructure and Growth ventures, a post said

by Katherine Ross /