Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Ethereum is quite slow. In order to make it faster, several ideas have been proposed. One of these is an Off-Chain solution, commonly referred to as Layer 2 (L2). These L2 solutions execute code off-chain in a separate but similar environment to the EVM

When using L2, only a summary of the data executed is stored on Ethereum (L1). The actual computation and storage of the contracts is done on L2, making it much more efficient. This is called a rollup.

The term "optimistic rollups" is the batching of rolls. By doing this, we loose some of the security guarantees. The optimistic part is simply assuming that all transactions are valid. There are outside validators to make sure corrupt of the state does not occur.

Optimism depends on fault proofs to advance the state of Ethereum with summaries. If there is a dispute between two actors, then the data is re-executed on the Ethereum blockchain.

Of course, this causes problems because some data such as blocknumber will be different. So, the solution to this problem is OVM replacing context-dependent opcodes in the OVM to be similar to those in on the L1 blockchain.

The final key to understanding this bug is how ETH is stored in the OVM. Instead of using ETH natively, it is stored in an ERC20 token. To allow this to work, they applied patches to StateDB to store the native balances in an ERC20 token. This means the ETH balance will always be 0 but the users balance is within the specific contract.

Now, time for the actual vulnerability! When calling the selfdestruct function, the ETH at this location triggers the ERC20 token to send money to the specific address. Afterwards, it needs to 0 out the money for this contract in the ERC20 as well.

However, the difference between ETH and the ERC20 ETH causes the problem. Instead of setting the balance of the ERC20 token of ETH to 0, the real ETH is set to 0! This means that a selfdestructing contract can send the ERC20 ETH to another location and keep its original balance. This is a money duplication bug!

I assume the fix was simply using the ERC20 version of the ETH for the selfdestruct setting the contract to 0. For more information on this bug and the internals of Optimism, read here.

This was an insanely complicated exploit which required a very deep understanding of the eco-system to find. I would guess that the author of the post realized that not everything could have been changed from the actual ETH to the ERC20. Then, decided to look for it. Crazy enough this was out of scope, but the company paid out the max bounty anyway!