The Optimism bridge supporting privacy coin BitBTC is actively being exploited for 200 billion BitBTC tokens.
Due to the technicals of the hack, the BitBTC team now has less than 7 days to implement an upgrade to minimize the damages.
A Poorly Designed Bridge
According to Arbitrum tech lead Lee Bousfield on Twitter, the BitBTC bride contained a “critical exploit” that left it “trivially vulnerable.” It involves the bridge’s relationship between Ethereum’s layer 1 (L1) addresses and Optimism’s layer 2 (L2) addresses.
As Bousfield explained, Optimism’s L2 side of the bridge lets users withdraw any token, and pick the L1 token address to which the tokens will pass on the L1 side of the bridge.
However, when the L1 side mints tokens, it simply ignores which token was withdrawn by the layer 2 side in the first place. This means an attacker could mint their own worthless token on Optimism, yet set its L1 token address to a real BitBTC L1 address.
“Then, when the attacker withdraws their malicious token through the BitBTC bridge, it gives them real BitBTC tokens on L1,” explained Bousfield.
The tech lead added that the hack would take seven days to conduct – leaving a window of opportunity for devs to patch the system if the exploit were targeted.
Unfortunately, that’s exactly what happened on Monday, as an attacker withdrew 200 billion fake BitBTC from the system. The dollar value of these tokens is unclear, as BitBTC does not have publicly available market data.
“The BitBTC team has 7 days to fix it on L1!” warned Bousfield.
The tech lead clarified that the bug is exclusive to BitBTC, rather than being the fault of Optimism. He also said he’s contacted the BitBTC team both before and after the bug took place, but is “still looking for signs of life.”
The exploiter has claimed that his attack is merely meant to test the attack vector.
The Binance Bridge Bug
In a similar fashion, Binance bridge was exploited earlier this month, allowing a hacker to mint $2 million BNB (worth $500 million) out of thin air.
Bridges are designed to let crypto users transfer their tokens between different blockchains. While some bridges use centralized/federated systems with trusted third parties to manage the bridge, others use more complex systems based on code. The latter, however, can be prone to bugs that let hackers withdraw illegitimate funds.
At present, blockchain bridges have been the largest victims of DeFi hacks, accounting for $2.5 billion in lost assets.