
The cross-chain bridge multi-signature authority was replaced, what happened to Celo?

Azuma
Odaily senior author
@azuma_eth
2021-11-24 07:50
Infighting? A mix-up? The root cause may be chaotic internal management.

On the evening of November 23, Beijing time, Shenyu, the founder of F2Pool, reposted a risk warning from the security organization Rugdoc on Weibo, saying: "If you are mining on the Celo chain, please note that the multi-signature of the cross-chain bridge (Optics) has been replaced by someone else, and there does seem to be a problem. The way to reduce the risk is to sell other assets on the Celo chain into Celo. At present, not many people are selling, and the loss is a few points. Everyone should judge the risk for themselves; whether to gamble or stop the loss depends on your own strength, and if you have the courage you can also arbitrage."

According to a statement explaining the events from Tim Moreton, CEO of cLabs, the development team behind Celo, the multi-signature permission was replaced because someone unilaterally activated the Optics recovery mode on the GovernanceRouter contract. Although the bridge service continued to run normally, this operation put the Optics protocol under the full control of the recovery manager account, overriding the original multi-signature permissions.

However, Tim sees no risk to the funds locked on the bridge (currently over $40 million locked).

From the on-chain transaction records disclosed by Tim, it can be seen that the incident actually happened on October 29, 25 days ago. In other words, Optics has been in recovery mode ever since October 29, but the cLabs team did not publicly disclose the situation to the community until November 22.

Most notably, in addition to explaining the technical background to the replacement of the multi-signature permissions, Tim also mentioned James Prestwich, a former senior developer who has been fired from cLabs. Tim claims that the recovery mode was activated 15 minutes after James was fired for misbehavior, and that during the Optics deployment James created a pull request for the configuration that included the recovery address, asking for confirmation of this address and requesting reimbursement of expenses. Tim also said that since discovering the problem, cLabs has tried everything possible to reach James to solve it, but so far without success.

However, James himself responded to Tim's "accusation" by saying: "I was never the key holder of the Optics repair mode; I am disappointed that cLabs and Celo chose to make their bullying public, they are attacking my reputation by lying; on the advice of my lawyers, I will say nothing at this time."

Clearly, Tim and James contradict each other. If neither of them is lying, who actually activated recovery mode?

After the incident, the community also launched its own investigation through on-chain records. Community member @diwu1989 pointed out that in the last transaction that activated the recovery mode (transaction hash: 0x8b1e0ca5f32c08e0afe64f0ab42204e3519712fe3bba0eeedeece56ccbf49461), the recovery manager address was changed from "0x3d9330014952bf0a3863feb7a657bffa5c9d40b9" to "0xdcbf2088b7a6ef91f954be9ca658ea5b8e9b62d4", which was created from "0x2f4bea4cb44d0956ce4980e76a20a8928e00399a" (creation transaction hash: 0xd224025870298fea9877880b89b24ed0569c41d3dd147e6afec5ac41da4d098e). The key to the problem is therefore to identify the owner of the address beginning with 0x2f.
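A defender's view of the role change described above, as an added example that is not from the article or from the Optics code base: it audits decoded governance events against an allowlist of expected role holders and reports how long each finding has been open. The event names and record layout are hypothetical and the two sample events are constructed; the addresses and the transaction hash are the ones quoted in the article.

```python
from dataclasses import dataclass
from datetime import date

# Assumption: the operators' allowlist holds the recovery manager address that
# the article says was configured before the change.
EXPECTED_MANAGERS = {"0x3d9330014952bf0a3863feb7a657bffa5c9d40b9"}

@dataclass(frozen=True)
class GovEvent:
    day: date
    kind: str      # hypothetical event names, not the Optics ABI
    tx: str
    new: str = ""  # new role holder, for role-change events

TX = "0x8b1e0ca5f32c08e0afe64f0ab42204e3519712fe3bba0eeedeece56ccbf49461"

# Constructed sample, shaped after the article's description of that transaction.
EVENTS = [
    GovEvent(date(2021, 10, 29), "RecoveryManagerChanged", TX,
             new="0xdcbf2088b7a6ef91f954be9ca658ea5b8e9b62d4"),
    GovEvent(date(2021, 10, 29), "RecoveryActivated", TX),
]

def audit(events, expected, today):
    """Return (severity, message, days_open) for each event that needs review."""
    findings = []
    manager_known = True  # holds until an unlisted role holder appears
    for ev in events:     # events are assumed to arrive in chain order
        days_open = (today - ev.day).days
        if ev.kind == "RecoveryManagerChanged":
            manager_known = ev.new.lower() in expected
            if not manager_known:
                findings.append(
                    ("HIGH", f"recovery manager set to unlisted {ev.new}", days_open))
        elif ev.kind == "RecoveryActivated":
            # Recovery mode overrides the multisig, so it is always reportable;
            # it is critical when the manager is not an address the team lists.
            sev = "MEDIUM" if manager_known else "CRITICAL"
            findings.append(
                (sev, f"recovery mode active (tx {ev.tx[:10]}...)", days_open))
    return findings

if __name__ == "__main__":
    for sev, msg, days in audit(EVENTS, EXPECTED_MANAGERS, date(2021, 11, 23)):
        print(f"[{sev}] {msg}; open for {days} days")
```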

Another community member, @Ryan, continued to investigate along these lines and found that this address is connected to another project, PartyDAO, because it is one of the few addresses currently holding PARTY tokens. If that project can be contacted, it may be possible to learn the owner's identity.

Community member @Deepcryptodive also pointed out that the funds at the address starting with 0x2f came from the Kucoin address starting with 0x2a98, so the identity of this person should also be discoverable through Kucoin's KYC system.

Under the joint investigation of many people, the truth finally came to light. According to the address label on the decentralized content platform Mirror, the funds at the address starting with 0x2f belong to a person named Anna. So is Anna the person who activated the recovery mode? The answer seems to be yes. Community users found from GitHub records that exactly 26 days ago, a community developer with the same avatar and name (Anna) reported a bug on GitHub about the timelock in Optics' recovery mode. Fixing the bug required activating the recovery mode and replacing the address with a more secure multi-signature address. In addition, the commit history shows that Anna did participate in the development of PartyDAO.

At this point, the truth has basically come to light. The on-chain address matches, and the vulnerability and fix described in the report are consistent with this incident. It can therefore be basically concluded that it was Anna who activated Optics' recovery mode, and the recovery manager account is very likely under Anna's control.

However, although the sequence of events has been clarified, some community members are not satisfied with the way Celo and cLabs have handled the matter.

As Celo's development team, cLabs should know the ins and outs of the matter better than any external investigator, but Tim's statement did not give a clear explanation. Instead, he made some unfounded guesses and pointed the finger at James, a fired developer.

In addition, some other community members are quite dissatisfied with Tim's statement that "funds on the bridge are not at risk". It can be inferred from Tim's own description that control of the contract is currently not in the hands of cLabs or any other known community party, so unilaterally claiming that "funds are not at risk" is extremely irresponsible.

Twitter influencer @Monet Supply summed up the three mistakes made by the team on this matter:

  1. No one checked the deployed contract before the application went live;

  2. 25 days passed without any disclosure to the community;

  3. Tim's spooky statement (we lost control of the contract, but the funds are safe...).

Monet Supply finally attributed all this to the chaos of Celo's internal management, and said that it would therefore be bearish on CELO.

Last night, in order to quell the panic and dissatisfaction in the community, Celo officially held an AMA and explained the matter again on the official forum. This time it was no longer Tim, the CEO, who spoke on behalf of cLabs, but two other developers, Eric and Marek. The new statement reveals some key information. This includes conducting certain audits of the Optics contract and disclosing them to the community, as well as migrating user funds through the release of Optics V2.

Marek also mentioned: "We will definitely learn from this incident, and we will continue to analyze what went wrong and why it went wrong. To this end, we plan to publish a full incident review report as soon as possible."

That is where things stand. Many of the details will have to wait for the report Marek mentioned (for example, why does there seem to have been no communication between Anna and cLabs? Is the recovery manager account still under Anna's control?), but the basics of the situation are largely clear.

On the whole, this "Optics security incident" was to some extent a "false alarm". As a community developer, Anna's purpose in replacing the multi-sig looks more like fixing a bug than doing harm, which is why Optics has not suffered any loss of funds. However, one should not be too optimistic. Until the incident is completely closed, it is recommended that you minimize your use of Optics in the short term. If you have cross-chain needs, you can try Anyswap, which also supports the Celo ecosystem, or, as Shenyu suggested, convert the bridged assets to CELO and then move in and out through a centralized exchange.
