After community-driven audits uncovered security vulnerabilities involving two contracts, the Optimism Foundation reverted its network to its permissioned state. A representative of Optimism contributor OP Labs and protocol engineer Mofi Taiwo proposed a “Granite” hard fork for September 10th to fix the vulnerabilities.

Optimism’s permissionless fraud-proof system went live two months ago. However, the foundation announced reverting to its original permissioned state after community audits revealed vulnerabilities of varying levels of severity in the new system. 

The audits revealed two major vulnerabilities that, according to Optimism’s ImmuneFi bounty scale, would have wreaked havoc upon exploitation.

Audits uncover vulnerabilities in Optimism fraud-proof contracts

The identified bugs were related to the MIPS contracts in the fraud-proof systems, which were never picked up by Optimism’s audit scope. The contracts were wrongly identified in the Posing Life and Reputational risk category and, therefore, did not attract formal audits in line with the project’s guidelines.

The Ethereum layer 2 scaling solution launched the permissionless fraud-proof system on June 10th. it incorporated the upgrade to allow users to challenge potentially incorrect or fraudulent transactions in a more decentralized manner.

Today, @OPLabsPBC posted an upgrade proposal detailing findings from a recent series of community-driven audits on the Fault Proof System, including the plan to fix the bugs identified as part of the audits.https://t.co/Kylblb3Wyx

— Optimism (@Optimism) August 16, 2024

According to an announcement by the Optimism Foundation, the rollback was initiated as a precautionary measure to avoid instability in the network and protect user funds. The announcement also mentioned that Optimism was fixing the bugs, and the process is anticipated to last three weeks.

The foundation emphasized that vulnerabilities were identified before attackers could exploit them, and assets were not at risk. According to Optimism, any pending withdrawals were reset and will be required to undergo the proving process again.

Permissioned fraud-proof systems are more centralized since only trusted proposers are tasked with the ability to challenge fraudulent or incorrect transactions. The Optimism Foundation initiated the new system to deconcentrate the L2 scaling solution and achieve Stage 1 decentralization, according to Ethereum co-founder Vitalik Buterin. 

A layer 2 scaling solution needs an effective fraud-proof system secured by a multisig of trusted parties to achieve Stage 1 decentralization.

Protocol engineer Mofi Taiwo proposes a hard fork upgrade to fix the bugs

Following the network reversion to a permissioned L2 state, a representative of Optimism contributor OP Labs and protocol engineer Mofi Taiwo submitted a proposal to Optimism’s governance forum. 

“[…]However, out of an abundance of caution, the permissioned fallback mechanism has been activated in order to avoid any potential instability while the vulnerabilities are patched.” 

Mofi Taiwo

The proposal suggested activating the fallback system and highlighting the vulnerabilities in the affected contracts. He also mentioned that none of the bugs were exploited, and assets were not at risk.

In the proposal, Taiwo also suggested a hard fork upgrade dubbed “Granite,” scheduled for September 10th at 16:00:01 UTC. The hard fork is yet to undergo a formal audit. However, OP Labs launched an internal security review that concluded the changes were low-risk.