Thanks to an alert Twitter user, a cross-chain bridge between BitBTC and the Ethereum layer-2 network Optimism was able to avoid a potentially expensive exploit.
The custom cross-chain bridge allows users to send assets between Optimism and BitAnt’s Decentralized Finance (DeFi) ecosystem. This includes NFTs and swaps as well as the BitBTC token. 1,000,000 BitBTC is 1 Bitcoin (BTC).
Lee Bousfield, tech leader at the L2 network Arbitrum, highlighted the BitBTC bridge problem in an Oct. 18 tweet. He warned that BitBTC’s “Optimism Bridge is trivially vulnerable.”
Bousfield claimed that he published the tweet because the “team had ignored my messages, therefore I’m going to post the critical exploit here.”
BitBTC’s Optimism Bridge is extremely vulnerable. I have sent them messages but they ignored me so I am going to publish my critical exploit here. https://t.co/onyN9SzBjt
— Lee Bousfield (@PlasmaPower0) October 18, 2022
Bousfield claims that the BitBTC bridge contained a bug that allowed an attacker to create fake tokens and then swap them for real tokens.
“The Optimism L2 bridge allows you to withdraw any token and it lets that token pick which L1Token address is passed to the L1 side of the bridge. The L1 bridge ignores the L2 token and simply mints an arbitrary L1 token,” he wrote.
“This means that an attacker could deploy their token on Optimism and give themselves all the supply. Then, they would set that token’s L1 token to the real BitBTC address.”
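The missing check Bousfield describes can be modelled in a few lines of Python. This is an added illustration, not BitBTC's or Optimism's code: the class, the placeholder addresses and the pairing-registry fix are all assumptions, showing the L1 side minting with and without validating which L2 token the withdrawal came from.

```python
from dataclasses import dataclass, field

# Constructed placeholder addresses, not real contracts.
L1_BITBTC = "l1:bitbtc"
L2_BITBTC = "l2:bitbtc"
L2_FAKE = "l2:lookalike"

@dataclass(frozen=True)
class Withdrawal:
    l2_token: str  # L2 contract the withdrawal came from
    l1_token: str  # L1 address reported by that L2 contract: untrusted input
    to: str
    amount: int

@dataclass
class L1Bridge:
    pairs: dict  # hypothetical operator registry: L1 token -> its only valid L2 token
    minted: dict = field(default_factory=dict)

    def _mint(self, w: Withdrawal) -> None:
        key = (w.l1_token, w.to)
        self.minted[key] = self.minted.get(key, 0) + w.amount

    def finalize_unchecked(self, w: Withdrawal) -> None:
        # Flaw as described: w.l2_token is never consulted before minting.
        self._mint(w)

    def finalize_checked(self, w: Withdrawal) -> None:
        # Hardened: the reported L1 token must be paired with the originating L2 token.
        if self.pairs.get(w.l1_token) != w.l2_token:
            raise PermissionError(f"{w.l2_token} is not paired with {w.l1_token}")
        self._mint(w)

def run_demo() -> dict:
    spoofed = Withdrawal(L2_FAKE, L1_BITBTC, "user-a", 200)
    genuine = Withdrawal(L2_BITBTC, L1_BITBTC, "user-b", 5)
    weak = L1Bridge(pairs={L1_BITBTC: L2_BITBTC})
    weak.finalize_unchecked(spoofed)  # accepted: unbacked L1 tokens are minted
    strong = L1Bridge(pairs={L1_BITBTC: L2_BITBTC})
    try:
        strong.finalize_checked(spoofed)
        rejected = False
    except PermissionError:
        rejected = True
    strong.finalize_checked(genuine)  # the registered pair still works
    return {"weak_minted": weak.minted, "rejected": rejected, "strong_minted": strong.minted}

if __name__ == "__main__":
    print(run_demo())
```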
Bousfield stated that the bug would need to be successfully exploited within seven days. During this time, the L1 bridge could possibly be fixed by an upgrade.
Soon after noticing this, an attacker attempted to withdraw “200 Billion fake BitBTC” from Optimism.
According to reports, the attacker claimed it was a mere test.
In an update 10 hours later, Bousfield also mentioned that the bug was now fixed after he got in touch with BitBTC.
Cointelegraph reached out to BitAnt for confirmation and will update this story if they respond.
Kelvin Fichter, an Optimism developer, confirmed on Oct. 18 that BitBTC had the bug because it had used its own custom bridge instead of the standard one offered to partners.
Fichter noted that BitBTC assets are not at risk. He also said that a lot of “time and energy” went into the standard bridge and encouraged people to use it “unless they know what they’re doing.”