Programmers dig "holes" to get rich: if they find a loophole, they will be rewarded 12.72 million yuan

What are the sidelines suitable for programmers ？ Write an article 、 As a technical coach 、 Developing small programs 、 Receive hair implant endorsements （bushi）… Many people through these sidelines , Over the years , Gradually realized the ideal “ economic freedom ”.

In this , There is also a very popular way of making money in spare time ：“ Only find fault with others , Bonus earned by oneself ” The loophole Bounty Hunter . Whether it is a foreign giant such as apple 、 Microsoft 、 Google, etc , Or large domestic manufacturers such as Huawei 、 Ali 、 Tencent, etc , Have launched their own loophole reward programs , That is, the developer searches for vulnerabilities in the software and reports them to the manufacturer , You can get rich rewards .

And how generous the bonus is ？ Recently, ,iOS Jailbreak software Cydia The father of Jay Freeman Discover a key flaw in Ethereum , To obtain the 200 Thousands of dollars （ About the yuan 1272 Ten thousand yuan ） A huge bonus ！

（ notes ：Jay Freeman, Famous software developers , Known as the iOS The father of prison break , Developed Cydia The app store , Can make have prison break iPhone User in iOS Download unauthorized software from .）

One 、 Create countless ETH The vulnerability of tokens

The etheric fang Layer2 Solution Optimism Able to process transactions on a large scale , At the same time, it also maintains the security of Ethereum , Originally only applicable to Uniswap and Synthetix And so on , Later, it announced the cancellation of the white list mechanism at the end of last year ： Any user can be in Optimism Free deployment contract 、 Building the application . But in recent days, ,Jay Freeman Post a blog saying , He was in Optimism Of Geth A key is found in the bifurcation Bug： Attackers can use this to illegally create countless ETH Tokens, .

In this post ,Jay Freeman The discovery of the Bug The course and Bug The use of ：“ this Bug I would like to call it ‘Unbridled Optimism’, It may be roughly thought of as ‘ Bridge ’ A remote vulnerability , But in fact, this is Optimism An error in the virtual machine executing the smart contract on . Take advantage of this Bug, Attackers can access ‘ Bridge ’ Remote valid and unlimited number of tokens.”

Jay Freeman Made it clear ,Bug Appear in Ethereum VM Medium SELFDESTRUCT Instructions . This directive is for the self destruction of contracts , Remove its account object , It allows the rapid removal of potentially large amounts of... From the blockchain's active set “ obsolete ” state . When the contract reaches SELFDESTRUCT When the command , It will specify a “ beneficiary ” To receive the funds it currently has . The operation code is in go-ethereum Of EVM To add the balance to the beneficiary , And then call StateDB.Suicide. then ,StateDB.Suicide Will clear the account balance .

but Jay Freeman Find out , This step does not use stateObject Of setBalance Setter , And don't use shared common.Big0 Constant , That is, in addition to setting the Boolean value on the object to true Nothing else , And that means “ The contract at this point still exists and continues to own the code it previously owned ！”

Optimism The team also pointed out in the subsequent report ：“ This vulnerability makes it possible to hold ETH The balance is repeatedly triggered on the contract SELFDESTRUCT Opcode in Optimism Create countless ETH.”

Two 、Bug Not yet used , It needs to be repaired as soon as possible

Fortunately ,Jay Freeman And then quickly on 2 month 2 Daily direction Optimism The team reports this Bug, and Optimism The team passes the right Optimism The analysis of chain history shows , Except originally by Etherscan An unexpected trigger from an employee （ No usable redundancy was generated that time ETH）, This vulnerability has not yet been exploited .

For this Bug Appearance ,Optimism The team explained ：“ This error is due to the fact that go-ethereum Code base modification （ Designed to keep up with the old ‘OVM 1.0’ Backward compatibility of the system ）.” Because in the past year Optimism The number of users has increased a lot , Compared with the early release process, it only involves the coordination between a few key infrastructure providers ,Optimism The team says the complexity of publishing is increasing dramatically ： Code base bridge 、 More providers 、 Multiple main network branches are involved . Even if found Bug,Optimism The team cannot immediately release obvious patches —— They can't risk someone reverse engineering vulnerabilities before upgrading .

Within hours of receiving the vulnerability report and confirming the vulnerability ,Optimism The team should Bug The repair was tested , And deployed to Optimism Of Kovan and Mainnet The Internet （ Including all infrastructure providers ）.

Optimism Official reminder , Although at present Bug Not yet used , But in view of this Bug Importance , Many vulnerable Optimism Fork and Bridge providers need attention , Make sure to upgrade to as soon as possible 0.5.11 Version of l2geth.

thereafter , For thanks Jay Freeman The discovery of this critical vulnerability ,Optimism Gave him 2000042 dollar .

3、 ... and 、 Loophole reward scheme , Perhaps essential

It can be seen from this event , The vulnerability bounty program may be essential for many large projects . just as Optimism, The increasing number of users year by year is accompanied by increasingly complex technologies , At the same time Bug The possibility is also increasing , At this time, if only a limited number of project insiders search Bug It's undoubtedly very difficult .

Selfless discovery Bug Of course, there are , But an appropriate reward plan can obviously stimulate many developers to find Bug Enthusiasm and motivation , This may be the reason why many large technology enterprises or projects have released vulnerability reward plans ： It's just Jay Freeman The same day this vulnerability was disclosed ,MakerDAO And the biggest loophole bounty ever , Up to 1000 Thousands of dollars .

But it can't be denied that , The loophole bounty program has also caused some controversy ：

• last year 9 month , Reported to Apple 4 Zero Day vulnerability Denis Tokarev Express , Follow the apple security bounty page , The value of the loophole he reported is 10 Thousands of dollars , But Apple refused to pay .

• Similarly, , developer Jose Rodriguez Previously, it also posted a tweet condemning apple ： The vulnerability he reported was valued at more than 2.5 Thousands of dollars , In the end, I was only rewarded 5000 dollar .

that , What do you think of the loophole bounty program ？

Reference link ：

• https://cointelegraph.com/news/makerdao-launches-biggest-ever-bug-bounty-with-10m-reward

• https://www.saurik.com/optimism.html

• https://optimismpbc.medium.com/disclosure-fixing-a-critical-bug-in-optimisms-geth-fork-a836ebdf7c94