By clicking “Accept All Cookies”, you agree to the storing of cookies on your device to enhance site navigation, analyze site usage and assist in our marketing efforts.
The vulnerability was exploited because of a flaw in BitBTC code, in which the said contract utilized a custom bridge instead of the standard bridge that Optimism provides.
The L2 side of their bridge permits the withdrawal of any token and allows that token to choose the l1Token address transmitted to the L1 side of the bridge.
Nonetheless, the L1 bridge disregards what the L2 token was and simply mints the arbitrary L1 token.
Thus, an adversary could deploy their own token on Optimism, give themselves the entire quantity, and set the l1Token of their token to the actual BitBTC L1 address.
An attacker withdraws billions of fake BitBTC tokens from Optimism.
Then, when the attacker attempted to withdraw their fraudulent token via the BitBTC bridge, they are given actual BitBTC tokens on L1.
To ensure that there are no other asset security issues, the team had suspended their Swap service. They also communicated and collaborated with major security agencies in order to track down the hackers and recover the stolen assets.
Security is of the foremost importance, therefore project teams should use the standard bridge as opposed to developing a custom bridge without any prior risk estimates..
Our security team at Neptune Mutual can validate your platform for DNS and web-based security, smart contract reviews, as well as frontend and backend security. We can offer you a solution to scan your platform and safeguard your protocol for known and unknown vulnerabilities that have the potential to have catastrophic long-term effects. Contact us on social media if you are serious about security and have the budget, desire, and feeling of responsibility to do so.
Neptune Mutual project safeguards the Ethereum community from cyber threats. The protocol uses parametric cover as opposed to discretionary insurance. It has an easy and reliable on-chain claim process. This means that when incidents are confirmed by our community, resolution is fast.
Join us in our mission to cover, protect, and secure on-chain digital assets.
We have sent email confirmation. Please confirm to receive our
newsletter.
Unfortunately, something went wrong while trying to complete your
request. Please try again later. If the problem persists, do not
hesitate to let us know through the community channels.
