https://news.ycombinator.com/item?id=30289240
My (I'm the hacker) article / post-mortem this blog post is referring to:
https://www.saurik.com/optimism.html
At the time of this last getting traction a few days ago, some people were sad that the title of my article and the discussion that resulted focused more on the bug instead of the bounty (which my article gets into near the end as part of some high-level thoughts on ethics), which is maybe why I am suddenly seeing this appear here again this morning (as this news article is instead focussing on the bounty angle)?
FWIW, the $2M bounty--which was actually listed as $2,000,042 (as they wanted it to sort higher on the list at Immenufi, lol)--was potentially (none of us realized this at the time I "won", and I am honestly still not 100% sure of it now, though I haven't yet come across any counter-examples) the largest single bug bounty payout ever (...though, by only $42 ;P).
https://twitter.com/bobanetwork/status/1491989915336388618?s...
So I was the coder for a payroll system for those paid out of the Channel Islands. In 2008, the day after Boxing Day, I was asked to add 3 more digits to the payroll system so a trader could be paid a bonus. That system moved a lot of money all around the world.
Another example of costs. $81 million nicked from Federal Reserve Bank of New York. https://www.reuters.com/article/us-cyber-heist-bangladesh-id...
Here is an example of what has to be paid out when things go wrong, it was made into a film, adjust for inflation and quantitative easing.
https://en.wikipedia.org/wiki/Nick_Leeson#Downfall_and_impri... https://www.imdb.com/title/tt0131566/
Best office I have seen is Nomura's directors office in London. You could fit a house in it!
Probably a lot you can do.
Congrats on the bounty, glad to see you don't plan on blowing through it mindlessly :) With a worldwide diversified ETF portfolio you should be able to live off of this amount of money indefinitely.
(Dec 28 2021)
> Polygon is paying out a bounty of $2.2m in stablecoins to Leon Spacewalker and 500,000 MATIC to Whitehat2, which according to current market value is worth $1,262,711. The $2.2m exceeds the maximum value of Polygon’s critical bounty in recognition of the severity of the vulnerability.
More info about the bug: https://medium.com/immunefi/polygon-lack-of-balance-check-bu...
Interestingly, this reminds me of a report I wrote a long time ago about the dangers of ecrecover (as it can give ambiguous results)
I'm not sure if this was discussed in the previous thread, but does the bug allow the creation of real ETH coins, or it just increase the counter in the Optimism database (or whatever system they are using)?
The native currency on Optimism (used to pay gas, like ETH is used on Ethereum) is effectively ETH; but, as it isn't Ethereum, that ETH on Optimism has to actually live on Ethereum: it gets locked into a contract there which acts as a repository/reserve for all of the ETH being used on Optimism.
When you deposit ETH in this reserve on Ethereum you get credited the same amount on Optimism in the form of cryptocurrency IOUs (which we might call "OETH"), and you can later withdraw that money back to Ethereum, whereupon the OETH is destroyed and ETH is unlocked from the reserve contract.
The bug here (which I go into detail on in my post-mortem, along with another / different description of how these "bridges" work) was in the VM used for the smart contract behaviors on Optimism, which would mean you could arbitrarily replicate OETH (the IOUs for ETH).
For avoidance of any doubt: you couldn't use this bug to create an arbitrary amount of ETH/Ether, but the issue is that a lot of people call the money on Optimism--which is normally backed 1:1 with ETH--"ETH". (There is a discussion about what it should be called in the Ethereum chains database; I personally think what we need is a terminology for describing the full path whenever you have "ETH via an indirect path".)
More seriously, will you keep it in the bank and extract $100k a year the rest of your life? What are you going to do?
(FWIW, I maybe should at some point buy a car--as I currently waste money on renting one; pre-pandemic I was using a combination of ZipCar and Lyft, but both services suck now--but I can't imagine myself buying a pointlessly extravagant car; and, sadly, now is a bad time to buy a car anyway... which I think is related to the ZipCar issue: I imagine they might have sold their fleet? Maybe ZipCar will return in force when prices rebalance.)
https://www.zillow.com/sunnyvale-ca-94087/luxury-homes/?sear...
Yesterday I was reading "how to drop out", to me it seemed like a bad plan overall: https://news.ycombinator.com/item?id=30318285
Some people want to learn to live on the cheap to drop out, or to fatFIRE (which is another way to do the same). Personally, I love working and doing interesting things, and being with other people and society itself!
So my personal plan is the opposite of fatFIRE: work until I die regardless of what happens on the side, because I enjoy what I do, so stopping what I do just because something happened on the side would be like punishing myself, then waiting to die out of boredom?
Doesn't seem like such a bright idea to me. Maybe it's different if you don't like modern society, or maybe other people, or the idea of work itself?
Also, thank you for Cydia, I used it in middle school and high school. It definitely made an impression, thank you.
Orchid looks cool too!
https://immunefi.com/bounty/wormhole/
Good job btw.
Immunefi turns out to be the correct spelling (weird that Google didn't figure that one out).
Wondering (some of it aloud), how long was the vulnerability present in the code? Is it possible to know if someone was actually using this exploit to mint OETH? How would a disconnect of this sort show up? Regular reconciliation (hourly, daily) or perhaps there are other methods.
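The reserve accounting described earlier in the thread (ETH locked on Ethereum, IOUs credited on Optimism) and the reconciliation question above can be sketched as a periodic check. This is an added example, not part of any comment and not Optimism's code; the event format, names and sample values are constructed, and it assumes a simplified model in which the reserve always holds at least as much ETH as there are IOUs outstanding.

```python
from dataclasses import dataclass

WEI = 10**18  # wei per ETH

@dataclass(frozen=True)
class ReserveEvent:      # hypothetical record of one reserve-contract event
    ts: int              # timestamp of the event on Ethereum
    kind: str            # "deposit" locks ETH, "withdraw" unlocks it
    amount: int          # in wei

def reserve_at(events, ts):
    """ETH held by the reserve as of `ts`, rebuilt from its event log."""
    total = 0
    for e in events:
        if e.ts > ts:
            continue
        if e.kind == "deposit":
            total += e.amount
        elif e.kind == "withdraw":
            total -= e.amount
        else:
            raise ValueError(f"unknown event kind: {e.kind!r}")
    return total

def reconcile(events, supply_snapshots):
    """Return (ts, excess_wei) for every snapshot with more IOUs than backing.

    Deposits and withdrawals in flight leave the reserve holding MORE than
    the IOU supply in this model, so any excess of supply is an anomaly.
    """
    findings = []
    for ts, supply in sorted(supply_snapshots):
        backing = reserve_at(events, ts)
        if supply > backing:
            findings.append((ts, supply - backing))
    return findings

# Constructed sample data: reserve events and periodic IOU supply readings.
EVENTS = [
    ReserveEvent(100, "deposit", 10 * WEI),
    ReserveEvent(150, "deposit", 5 * WEI),
    ReserveEvent(250, "withdraw", 3 * WEI),
]
SNAPSHOTS = [(120, 10 * WEI), (200, 15 * WEI), (300, 12 * WEI), (400, 40 * WEI)]

if __name__ == "__main__":
    for ts, excess in reconcile(EVENTS, SNAPSHOTS):
        print(f"t={ts}: IOU supply exceeds reserve by {excess / WEI} ETH")
```

A check like this only sees the imbalance at snapshot granularity, which is why the hourly-versus-daily choice in the question matters.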
Though it's pretty weird that I wasn't sure whether you were referencing geohot's (another infamous hacker, mentioned in the article) rap songs at first: https://soundcloud.com/tomcr00se
Not sure why it's a thing for prominent hackers to have aspirations to become SoundCloud rappers.
It is thereby really only "required" (for the world to function) that there is sufficient monetary motivation for people who don't want to spend the rest of their life feeling either the guilt or stress (even if merely due to the ramifications of people finding out) of having done something "wrong" (which I put in quotes as I feel the "code is law" argument that can result at this point isn't actually that useful in a discussion of morality) to bother to then go out of their way to help (as opposed to not searching hard in the first place, looking the other way instead of reporting, or merely hoarding the bug as a parlor trick).
And so like, while I totally see how this bug could easily be worth at least tens of millions of dollars to someone, it isn't clear to me that finding and reporting this bug should imply that I would need to be paid (and "by who?" is then a hard question to answer even if we think this, one which might bleed into "and how?" a bit as the first answer is probably awkwardly decentralized in scope) the tens (or even hundreds) of millions of dollars that that hypothetical black hat might have figured out how to extract (which I make a bit theoretical as profiting from crypto hacks is harder than people often assume, something I touch on in my article; I think you might have to go for extortion, and even that didn't work for the Wormhole hacker)... most people simply aren't of the moral constitution to be black hats (which is probably a good thing).
(In this case, the main lingering ethics question related to this bounty that I come back to occasionally is that there are projects--such as Metis--that forked Optimism and now compete with it using Optimism's own code and vision... projects that (in the case of Metis) are actually of similar size to it (based on "total value locked", which is imprecise but probably the best measure here for potential impact: Defi Llama lists Optimism at $344M and Metis at $347M) which are still relying on Optimism to motivate the security efforts for their platform... it feels at least awkward to me that they should get a "free pass" here simply because their listed bounties were lower than Optimism's? Like, even if you don't think I should get money from them, maybe they should be helping compensate Optimism?)
The true value of exploits is NOT the cost of the damage they could do, because that externalizes various costs to the perpetrator: evade law enforcement for the rest of your life, lose access to friends and family, become a high-value target for traditional organized crime, etc. For many people that is a net negative, even for a 9-figure payout. And that is a good thing, I think.
Do you not understand the immense amount of effort they would have needed to expend to hide, not to mention the ongoing stress involved afterward?
That person is there, maybe not today, maybe not within 10 km. But wait a few years, or drive a few thousand km, or both.
Does that make the first, already above-average offer 'pennies'?
Of course not.
> This could’ve easily been a bug worth hundreds of millions of dollars
That doesn't mean that you could find someone to give you $100 mil, clean or unclean.
Edit: He has a great write-up about the vulnerability and its discovery on his blog:
https://www.saurik.com/optimism.html
(which was on HN a couple days ago)
Clubs have members; businesses have employees.
I think I'll take my lessons on business terminology from someone else, if it's all the same to you.
"What are you coding there?" "Oh, I'm writing an application to manage patients at my dental practice" "You're a dentist?" "Yup"
Funny how it all works.
Minting supply inflation bugs happen all the time, but not usually for something redeemable for something so liquid and valuable.
The bridges are a new unique target.
I can understand the anger at Proof-of-Work cryptos, or perhaps the current somewhat "wild west" state of them, where fly-by-night operations work to separate people from their money, but ultimately I see them as the wave of the future.
Ultimately I think the cryptos that see the most success will likely be those that can be better regulated, which is somewhat at odds with why crypto came about, but without some protection it would be like an unregulated stock market.
Dan's general attitude is that crypto isn't revolutionary and isn't really trying to be. It's not trying to democratize money. It's trying to build a system with the same power dynamics as the current system, but with different people at the top of that power structure. His take is that crypto doesn't solve any of the problems with the existing systems and just creates a bunch of new ones.
My recollection is that he doesn't spend much time on the energy use (he touches on it but IIRC doesn't dwell on it). He does go deep into the "wild west" state of them. His attitude seems to be "wild west" isn't a transitory phase; it's the end state of crypto.
I don't think he says it in that video, but in a subsequent interview, Dan pointed out a danger with this and all deflationary currencies - they reward early adopters and people with a lot of capital. People who buy in late (either by choice or because they were simply born later) have a compounded difficulty in "catching up". He says he's worried about a future where crypto isn't an option and everybody needs to use it to some extent in day-to-day life. Moms and dads - or toddlers - who didn't "get in early" will be at a significant disadvantage.
---
Personally, my main concern is with PoW. It's fine to say that PoS will eventually replace PoW, but that's not the situation right now. PoW is wasteful by design, and that just rubs me the wrong way. It's great that miners tend to use more renewable sources on average than the average utility customer, but they're still using an awful lot of nonrenewable sources as well. I guess I just think about all the other things we could do with that electricity and it seems like such a waste.
My secondary concern is with the hype machine in overdrive. It feels a lot like the dotcom bubble to me - people making all kinds of wild claims about crypto, NFTs, web3.0, etc. Everybody so desperately wants it to be the next big thing because they smell an opportunity to make a buck. But it feels very cart-before-horse to me. It's not clear to me, for the kinds of problems that crypto is trying to solve, that crypto is the best solution to those problems. How many use cases really call for a decentralized, trustless ledger?
This article (https://thecorrespondent.com/655/blockchain-the-amazing-solu...) mentioned a couple of projects that got greenlit due to blockchain hype, yet either don't have anything to do with blockchain or else use blockchain in pointless ways - such as having a small, fixed pool of trusted mining nodes controlled by one entity.
And they're crowding out better uses of those renewable energy resources, too.
I am curious, would it be easy to detect an individual who was exploiting this vulnerability?
For anyone who may have missed the link in the article or thread, this is it: https://www.saurik.com/optimism.html
Just wait until AI gets its mittens on it.
It's good to see white hat hackers in this space trying to fix what is already broken.
But sorry to be that person, just a timely reminder of the truth: All cryptocurrencies and 'DeFi projects' are ponzi scams including Orchid.
All tokenization schemes are ponzi scams including USD, it's just that some use violence to stay relevant, and others use bug bounties.
It's irrelevant. We don't use 'algorithms as ownership' in the real world. We use social agreements like contract law to undo problems.
"All tokenization schemes are ponzi scams including USD, it's just that some use violence to stay relevant, and others use bug bounties."
We use the law to maintain civil infrastructure. Yes, if someone wants to murder you or someone else, or launder billions, we'll use violence to stop them.
An algorithm that is effectively used as a Pyramid Scheme is not going to save you from anything.
However, I can use USD, GBP or any fiat currency in my local grocery store.
Can I use Bitcoin, Shib, Doge, or even Orchid at my grocery store without waiting hours in the queue for the transaction to complete and no huge fees?
Seems like just an opinion to me, and a poorly opinionated one at that.
What I would say is that most cryptocurrencies have no fundamental value, and are therefore bubbles. I don't know what the term is for when someone deliberately creates an asset bubble with the intention of profiting from it. It's something like a very long-form, deliberative pump-and-dump.
All I see are people holding coins and not using them at all for anything else other than 'I want coin to go up'.
Other organization bounties should go higher. Especially Web2 ones.
Why do I have to pay more fees to swap tokens on decentralised exchanges making them unusable, and how exactly is DeFi decentralised?
How sad to see web3 rehashing the failures of webs 1 through two.
No - sorry - ETH doesn't get a 'pass' on this.
The 'Rest Of The World' is tired of the Crypto Scam Delusion masquerading as something reasonable and watching these critical failures getting swept under the rug.
This issue demonstrates that critical failures will exist in the wild (and it's wrong to suggest that they won't come up in the future - they will) creating an existential flaw for systems in which there is no intrinsic remedy. Forks by 'completely arbitrary central powers' entirely defeat the purpose.
Just last week we had the FBI arrest criminals laundering literally billions in Crypto.
It's a tiring fraud absorbing enormous amounts of attention and energy for no apparent benefit but entertainment.
The concept is currently fundamentally flawed, it belongs in 'side project' territory for now, not in the mainstream.
I expect that my bank is not perfectly secure. And when it fails, there will be ways to redress the problem, i.e. account insurance, bank refunds, legal recourses etc.
Blockchains have 'no way out'. When there is a problem, it breaks everything. Recently, there was a grift on ETH and to overcome the problem, there was a massive fork, which is enormously hypocritical because it implies that there are 100% 'Central Authorities' with ETH, who are unarmed, unrestrained by any regulation or oversight, policy and probably any legality. Etc.
The only way for Blockchains to maintain their ideological integrity is if they are 'perfect'. But they are not 'perfect' and require 'maintenance and oversight'. Ergo they are self defeating their own purpose.
Ultimately, it's a ruse or will mostly be used as such.