Developer gets $2 mn reward for removing a bug that could cause losing billions of tokens

Optimism has revealed that a “critical bug” in its codebase has been detected and later rectified by software engineer Jay Freeman earlier this month. While detecting the bug, it was deduced that a malicious actor could “mint” an arbitrary number of ETH tokens on any blockchain that utilises Optimism Virtual Machine (OVM).  

Optimism is a Layer 2 Optimistic Rollup network designed to utilise the strong security guarantees of Ethereum (ETH) while reducing its cost and latency. 

The company revealed that while analysing the chain history, it was deduced that the bug was not exploited and a fix for the issue was tested and deployed to its Kovan and Mainnet networks (including all infrastructure providers) within hours of confirmation.  

“On February 2, the Optimism team was alerted by Jay Freeman (saurik of Cydia and Orchid fame) to the existence of a critical bug in Optimism’s Geth fork. The bug made it possible to create ETH on Optimism by repeatedly triggering the SELFDESTRUCT opcode on a contract that held an ETH balance.” Optimism revealed on its blogsite. 

Furthermore, Jay Freeman, best known for creating the Cydia software application and related software, was also awarded over $2 million. On his blogsite he stated that he reported a critical security issue to Optimism — an “L2 scaling solution” for Ethereum — that would allow an attacker to replicate money on any chain using their “OVM 2.0” fork of go-Ethereum (which they call l2geth).  

Freeman in a tweet said, “Last week, I discovered (and reported) a critical bug (which has been fully patched) in @optimismPBC (a “layer 2 scaling solution” for Ethereum) that would have allowed an attacker to print arbitrary quantity of tokens, for which I won a $2,000,042 bounty.”