Optimism bug bounty

about the program

Optimism is a Layer 2 Optimistic Rollup network designed to utilize the strong security guarantees of Ethereum while reducing its cost and latency. Optimism is EVM equivalent, making the transition from L1 to L2 as seamless as possible. This means one-click deployments and full compatibility with most of the tooling Ethereum developers are accustomed to. It also means that with very few exceptions, existing Solidity smart contracts can run on Optimism exactly how they run on Ethereum.

This bug bounty program is focused on their smart contracts and on preventing:

• Theft of assets held in their Bridge and Messenger smart contracts.
• Theft, freezing or other loss of funds due to vulnerabilities in their fork of Geth.

The payout for Blockchain/DLT or Smart Contract Bugs found:

• Critical level - up to USD $2,000,042
• High - USD $50,000

Rewards by Threat Level

All smart contract bug reports must come with a PoC in order to be considered for a reward.

For KYC, OptimismPBC will request an invoice, with your name and address in order to payout the reward.

Any freezing of funds that is recoverable via an upgrade would be considered as High severity.

Critical vulnerabilities are further capped at 10% of economic damage, with the main consideration being the funds affected in addition to PR and brand considerations, at the discretion of the team.

However, there is a minimum of USD 75 000 for Critical bug reports.

Note: that there appears to be an obvious bug which would allow an attacker to withdraw a fake ERC20 token from L2 in exchange for a real ERC20 (such as WBTC) token on L1. There is no check in the L2StandardBridge, however the withdrawal is prevented from finalizing by a check in the L1StandardBridge. Naturally if you do find a way to circumvent our protections, then we would reward you.

The issues out of scope

The following known issues are considered to be out of scope of this bug bounty program:

• The fact that their contracts are upgradable via a multisig.
• The fact that fault proofs (FKA fraud proofs) are not yet running.
• A bug in Lib_MerkleTrie.sol which will prevent withdrawals from succeeding in some cases. There is a workaround for this, by modifying the proof to add an extra element.
• A bug in Lib_ResolvedDelegateProxy.sol which could result in a storage slot key collision overwriting the address of the implementation. This bug is dependent on the layout of the implementation contract, and Optimism is not affected.
• The user cannot commit to a L1 gas price, the OVM_GasPriceOracle is owned by a key controlled by Optimism and is responsible for setting the L1 gas price.