How Twitter Helped Avert a Critical Exploit

A Twitter user helped prevent a 200 billion BitBTC exploit

by Bessie Liu /
article-image

Source: DALL·E

share

key takeaways

  • This vulnerability was not in Optimism’s code, but rather in a custom bridge provided by BitBTC
  • BitBTC’s custom bridge code did not acknowledge the specific layer-2 token being minted to the layer-1 address

A Twitter user has helped avert a potential exploit after publicly flagging a vulnerability in BitBTC’s Optimism bridge — the latest such near-miss amidst a year full of “successful” thefts. 

Newsletter

Subscribe to Blockworks Daily

Lee Bousfield, a tech lead at Ethereum scaling solution Arbitrum — PlasmaPower0 on Twitter — published what he dubbed a critical exploit after he said his messages were ignored by BitBTC. 

Loading Tweet..

The BitBTC bridge to or from Optimism’s blockchain facilitates withdrawals of any token between layer-2 and a corresponding layer-1 wallet. But, the BitBTC code involved does not acknowledge what the layer-2 token actually is —and mints an arbitrary layer-1 to match. 

“That means an attacker could deploy their own token on Optimism, give themselves all the supply, and set that token’s L1Token to the real BitBTC L1 address,” Bousfield tweeted.

“When the attacker withdraws their malicious token through the BitBTC bridge, it gives them real BitBTC tokens on L1,” he said.

Of note, the apparent vulnerability was not in Optimism’s code, but rather in a custom bridge facilitated by BitBTC, according to Kelvin Fichter, an Optimism developer. Meaning, he said, no assets other than BitBTC assets were at risk.

“We put a lot of time and energy into the standard bridge and I highly recommend using the standard bridge rather than rolling your own custom bridge unless you really know what you’re doing,” Fichter tweeted.

The next day, an attacker — who claimed he was testing the code, tried to withdraw 200 billion BitBTC from Optimism. 

The exploit was able to be stopped as the process of withdrawing the token from the bridge would have taken seven days, and BitBTC in the interim patched the vulnerability via a software update.

“The attacks will now fail when they arrive on L1. Thanks everyone for making noise and helping get this fixed,” Bousfield tweeted.

Bousfield did not immediately return a request for comment.

Get the news in your inbox. Explore Blockworks newsletters:

Tags

Upcoming Events

Digital Asset Summit 2025

Old Billingsgate

Mon - Wed, October 13 - 15, 2025

Blockworks’ Digital Asset Summit (DAS) will feature conversations between the builders, allocators, and legislators who will shape the trajectory of the digital asset ecosystem in the US and abroad.

buy ticketslearn more

Permissionless IV

Industry City | Brooklyn, NY

TUES - THURS, JUNE 24 - 26, 2025

Permissionless IV serves as the definitive gathering for crypto’s technical founders, developers, and builders to come together and create the future.If you’re ready to shape the future of crypto, Permissionless IV is where it happens.

buy ticketslearn more

Permissionless IV Hackathon

Brooklyn, NY

SUN - MON, JUN. 22 - 23, 2025

Blockworks and Cracked Labs are teaming up for the third installment of the Permissionless Hackathon, happening June 22–23, 2025 in Brooklyn, NY. This is a 36-hour IRL builder sprint where developers, designers, and creatives ship real projects solving real problems across […]

learn more

recent research

Featured.png

Research

Helium: Decentralizing Telecom with Web3 Incentives

Helium stands at a pivotal moment in its evolution as a decentralized wireless network, balancing rapid growth, economic restructuring, and global expansion. With accelerated growth in domestic DAUs and Hotspots supporting its network, Helium is leveraging strategic partnerships and innovative proposals to scale internationally. The recent implementation of HIP 138, “Return to HNT,” has unified its token economy under HNT, simplifying participation and strengthening liquidity, while HIP 139’s phase-out of CBRS refocuses efforts on scalable Wi-Fi offload. Meanwhile, governance shifts under HIP 141 raise questions about centralization as Nova Labs consolidates control over the roadmap.

by Nick Carpinito

/

news

article-image

PeopleSupply Shock

WikiLeaks, Google and Bitcoin: What happened in 2011

In 2011, WikiLeaks faced a financial blockade imposed by the US government. It was Bitcoin’s first major test.

by David Canellis /
article-image

BusinessEmpire Newsletter

Exclusive: Kado Software acquired by Swapped.com

Kado’s founder Emery Andrew spoke to Blockworks about the acquisition and what’s next for the team

by Katherine Ross /
article-image

BusinessEmpire Newsletter

Inside a16z Crypto’s $55M ZRO purchase

LayerZero’s Bryan Pellegrino chatted with Blockworks about the firm’s next steps and its 10-year runway

by Katherine Ross /
article-image

BusinessLightspeed Newsletter

Solana founders ‘returning to cypherpunk roots’: Colosseum’s Taylor

Colosseum co-founder Matty Taylor is seeing “high-performance [Solana] founders showing a lot of interest in private trading technology”

by Jack Kubinec /
article-image

FinanceForward Guidance Newsletter

Which tokenized RWA segments will boom next?

Executives weigh the growth potential they see in the public stock and private credit/equities arenas

by Ben Strack /
article-image

The DropWeb3

Magic Eden unveils Season 2 of ME token rewards

Players can stake ME, trade tokens and link wallets to climb the leaderboard

by Kate Irwin /