Optimism's BitBTC Bridge Vulnerability Leads To Hacker Minting 200 Billion Tokens
A vulnerability in the cross-chain bridge on Optimism, a layer-two blockchain on top of Ethereum that supports privacy coin BitBTC, allowed an attacker to mint 200 billion BitBTC tokens out of thin air.
As pointed out by Arbitrum tech lead Lee Bousfield on Twitter, the BitBTC and Optimism bridge is "trivially vulnerable," and when he reached out to the development team of the BitBTC project, he did not receive a reply. In the same Twitter thread, Bousfield said the platform has close to seven days before any attacker's transaction goes through.
A cross-chain bridge is a link between tokens of two different blockchain networks, and Optimism's bridge is no different. However, Bousfield pointed out a vulnerability that could allow an attacker to create tokens on the Optimism side of the bridge. This means that an attacker could link a token of actual value to a worthless token on the other side of the bridge and then swap the two.
"I've been unable to get in contact with their team and my messages on Telegram have been unanswered, so unfortunately I'm left having to publish this on Twitter and hope that they fix it in time," said Bousfield.
Following the Twitter post from the Arbitrum tech lead, an attacker minted 200 billion BitBTC tokens on the other side of the bridge. However, as Bousfield had pointed out, any transaction would take at least seven days to go through. The development team of the BitBTC project, which was created by a self-described "19-year-old Bitcoin believer," therefore has seven days to rectify and remove the vulnerability.
BitBTC claims to have a value of 1/1,000,000 of a BTC, meaning the attacker, on paper, has 200,000 Bitcoin. But this is a very new project, and while the developers haven't been transparent regarding their Bitcoin stash, it is nowhere near 200,000 BTC.
Meanwhile, the attacker left a note stating "I'm not a hacker, just want to test the exploit with a [proof of concept], won't touch any of the valuable assets."
© Copyright IBTimes 2024. All rights reserved.