OP Labs, the entity behind the Ethereum layer 2 network Optimism, has patched two vulnerabilities in the fraud proof system deployed on the testnet.
The fix was disclosed by Offchain Labs, the developers of Arbitrum, another popular layer 2 network that is widely considered to be a competitor to Optimism.
Offchain Labs co-founder Ed Felten said in a Friday blog post that the team had disclosed the vulnerabilities to OP Labs on March 22, but held off on making them known to the wider community until the security flaws were patched late on April 25.
Today, we disclosed two serious vulnerabilities in the recently released OP Stack fraud proofs.
We coordinated closely with the OP Labs team on this disclosure. We’re all on team Ethereum, and happy to lend resources to make Ethereum safer for everyone. https://t.co/vC4SWBdTuZ
— Offchain Labs (@OffchainLabs) April 26, 2024
“The vulnerabilities allowed a malicious party to force the OP Stack fraud proof mechanism to accept a fraudulent chain history, or to prevent the OP Stack fraud proof mechanism from accepting a correct chain history,” Felten said.
“The problems stemmed from flaws in how the OP fraud proof design handles timers.”
Felten noted that OP Labs has since changed its timer-handling code to resolve the potential exploits that these flaws could have enabled. It is worth noting that these issues were noticed on the testnet, which acts as a sort of sandbox environment where developers test new features and, importantly, fix critical issues like this one before the updates are rolled out on the mainnet.
In a blog post on Friday, OP Labs shared a special thank you with the Offchain Labs team for reporting the two issues with its FaultDisputeGame contract.
“Although this bug would have been detected and caught by the safety nets in place for the current fault proof system, it would have forced the Optimism Security Council to temporarily pause withdrawals while the bug was being fixed, likely creating headaches for users of the OP Stack,” said the OP Labs team.
OP Labs started a Sherlock audit contest last month for its proposed fault proof system and reported that there were no critical vulnerabilities that would be able to bypass the safety mechanisms in place.