A Twitter user sounded the alarm about a vulnerability in a BitBTC Optimism Bridge on Tuesday, with an exploiter quickly testing the theory, initiating a withdrawal of 200 billion BitBTC tokens.
Lee Bousfield, the tech lead at PlasmaPower, an Ethereum scaling solution Arbitrum, said on Twitter: “BitBTC’s Optimism bridge is trivially vulnerable. Their team has ignored my messages, so I’m going to publish the critical exploit here.”
BitBTC’s cross-chain bridge offers a ramp for users to exchange tokens from the BitBTC decentralized finance protocol and the Optimism layer-2 blockchain network.
Bousfield outlined the chain’s vulnerability in a series of tweets, explaining that potential attackers could deploy their own malicious token on Optimism, give themselves all the supply, and then use the bridge to withdraw it as real BitBTC tokens.
Within the same day, a user tested the theory, trying to withdraw 200 billion BitBTC from Optimism. But withdrawing the token from the bridge typically requires seven days to process, and the BitBTC bridge vulnerability was patched via a software update on Thursday, preventing the exploit, said Bousfield.
Defi protocols and bridges, in particular, have been targeted relentlessly by hackers this October, which has been the biggest month ever for cryptocurrency hacks, according to data from Chainalysis.
“Cross-chain bridges are an attractive target because they often feature a central storage point of funds that back the “bridged” assets on the receiving blockchain,” Kimberly Grauer, head of research at American blockchain analysis firm Chainalysis told Forkast in an email. Many bridge models are also new and untested, presenting vulnerabilities for bad actors to exploit, she added.
According to Kelvin Fichter, an Optimism developer, the vulnerability was not in Optimism’s code but rather the fault of a custom bridge design created by BitBTC.
“I highly recommend using the standard bridge rather than rolling your own custom bridge unless you really know what you’re doing,” Fichter tweeted, thanking Twitter users for “making noise and helping get this fixed.”
Fitcher also responded to Bousfield in a tweet: “I think there were alternative ways of reaching out to the BitBTC team that would’ve been better than posting this publicly and allowing it to be exploited.”
See relate article: ‘Hacktober’ continues with US$1 mln taken from BitKeep token swap service