Why White Hat Hackers Are Vital to the Crypto Ecosystem

Jay Freeman stopped a potential $750 million vulnerability from being exploited on three of Ethereum's layer 2 networks.

Feb 23, 2022 at 11:02 p.m. UTC

Edward was an analyst on the CoinDesk Research team focusing on Ethereum and DeFi. He holds ETH, AVAX, OHM and a small amount of other cryptocurrencies.

This past weekend at ETHDenver, Jay Freeman took the stage to highlight his nearly billion-dollar bug discovery within the core code of Optimism, Boba and Metis, which he dubbed "Unbridled Optimism."

Freeman has a history of software development and hacking, notably playing a critical role in the development of software for jailbreaking iOS. His experience has proven to be priceless within the Wild West, open-source crypto industry. Just two weeks ago a smart contract vulnerability left the Wormhole bridge with a $350 million hole to repair – and that wasn't even the largest exploit in recent history. However, Freeman mentioned that bridge exploits are often found quickly, because bridges are used often and watched over constantly by the teams responsible for maintaining them.

During the first week of February, Freeman discovered a critical bug within Optimism’s virtual machine – one that developers might not have been ready to patch quite as quickly. The bug was rooted in Optimism’s selfdestruct function, which allows a contract to be destroyed and sends any remaining ether balance to a designated address.

It sounds dangerous, so why do blockchains contain the selfdestruct function? The function allows for obsolete or dangerous contracts to be removed from the chain while returning the ether balance to the rightful owner.

Unless there is a bug, of course.

Optimism’s selfdestruct function returned the ether balance to the designated address without ever burning the balance held by the contract. According to Freeman, “This means that, when a contract self-destructs its balance is BOTH given to the beneficiary AND ALSO KEPT.” If attackers were able to successfully call the contract, they could create a loop that doubles their OETH balance until noticed and patched by Optimism developers.
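The accounting error described above can be caught with a supply-conservation check: no selfdestruct call should ever increase the total amount of ether on the ledger. The following is an added example, not Optimism's code and not part of the original article; the `Ledger` class, its method names and the sample balances are assumptions made up for illustration.

```python
# Toy ledger model (constructed for illustration; not Optimism's code).
class Ledger:
    def __init__(self, balances):
        self.balances = dict(balances)
        self.destroyed = set()

    def total_supply(self):
        return sum(self.balances.values())

    def selfdestruct_buggy(self, contract, beneficiary):
        # Behaviour the article describes: the beneficiary is credited,
        # but the destroyed contract's balance is never cleared.
        amount = self.balances.get(contract, 0)
        self.balances[beneficiary] = self.balances.get(beneficiary, 0) + amount
        self.destroyed.add(contract)

    def selfdestruct_fixed(self, contract, beneficiary):
        # Credit the beneficiary, then clear the contract's balance.
        # If the contract names itself, the ether leaves the supply in this model.
        amount = self.balances.get(contract, 0)
        self.balances[beneficiary] = self.balances.get(beneficiary, 0) + amount
        self.balances[contract] = 0
        self.destroyed.add(contract)


def supply_delta(method, balances, contract, beneficiary):
    """Change in total supply caused by one selfdestruct call."""
    ledger = Ledger(balances)
    before = ledger.total_supply()
    getattr(ledger, method)(contract, beneficiary)
    return ledger.total_supply() - before


# Constructed test cases: (starting balances, contract, beneficiary).
CASES = [
    ({"contract": 100, "alice": 5}, "contract", "alice"),
    ({"contract": 100}, "contract", "bob"),        # beneficiary has no prior balance
    ({"contract": 100}, "contract", "contract"),   # contract names itself
    ({"contract": 0, "alice": 5}, "contract", "alice"),
]


def minting_cases(method):
    """Return every case in which the call created ether out of nothing."""
    return [case for case in CASES if supply_delta(method, *case) > 0]


if __name__ == "__main__":
    for name in ("selfdestruct_buggy", "selfdestruct_fixed"):
        print(name, "supply-inflating cases:", len(minting_cases(name)))
```

Run as a regression test against a state-transition function, a check of this kind flags the double-counting on the first non-empty contract it destroys.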

After scanning previous selfdestruct calls on Optimism and tracking one wallet back to an employee of Etherscan, Freeman noted that he was not the first person to find the bug. The employee had found and tested the bug, but apparently hadn’t understood the severity of the situation and let it be. The vulnerability had gotten worse over time as more funds were bridged to Optimism and other layer 2 systems copied the code Optimism had put in place. Layer 2s are companion networks connected to, but functionally separate from, the base layer.

Consequently, Freeman noted, had he not found the bug, a minting vulnerability would have allowed an attacker to double their funds every time the selfdestruct function was called on Boba and Metis as well.

White Hats and DeFi

Even if the Optimism team had noticed and temporarily paused bridge transactions via the sequencer during a theoretical attack, an attacker could have still wreaked havoc on layer 2 decentralized finance (DeFi). Using the falsely minted OETH, any attacker would be able to drain decentralized exchanges and exploit lending platforms with useless collateral. The exploit would have likely caused irreparable damage within the Ethereum ecosystem and layer 2 users could have had all of their funds rendered useless, with no assets left on the other end of the bridge. Combined, Optimism, Boba and Metis had around $750 million locked in DeFi the day the vulnerability was reported, almost all of which was at risk.

The need for friendly adversarialism

Decentralized finance continues to be a vulnerable industry with anonymous founders, open-source code and billions of dollars looking to take on risk. This enormous amount of capital has created an incentive system aligned with teams that build fast and release tokens.

Conversely, caution and professionalism are a lot less exciting to traders and investors. The world economy has seen over and over again the effect of incessant risk taking, even though the market eventually punishes shortcuts. There is no reason to think this same outcome won’t continue to play out in crypto and decentralized finance, with only the most meticulous protocols coming out alive in the end.

Freeman has also contemplated where the middle ground between “Code is Law” and third-party trust falls. He raised the point that bug bounties are essential in incentivizing good actors to seek out and find vulnerabilities. Setting the reward for being a good actor on a similar scale as the payout for being a bad actor tilts the incentives toward white hatting.

As Freeman put it, this sort of “friendly adversarialism” can encourage ecosystem participants to be more open, honest and even pessimistic about new ideas.

That pessimism is key. Today, the environment is perhaps overly optimistic, getting investors and DeFi users excited about protocols that could never work or might even be dangerous. This lack of oversight, combined with the nature of open-source code, creates the perfect environment for hackers and scammers, an issue much of the crypto industry does not seem ready to admit.

DISCLOSURE

The leader in news and information on cryptocurrency, digital assets and the future of money, CoinDesk is a media outlet that strives for the highest journalistic standards and abides by a strict set of editorial policies. CoinDesk is an independent operating subsidiary of Digital Currency Group, which invests in cryptocurrencies and blockchain startups. As part of their compensation, certain CoinDesk employees, including editorial employees, may receive exposure to DCG equity in the form of stock appreciation rights, which vest over a multi-year period. CoinDesk journalists are not allowed to purchase stock outright in DCG.