The cross-chain bridge multi-signature permission was replaced. What happened to Celo?

November 23 evening, the founder of God fish pond F2Pool forwarded to the microblogging safety risks to the organization Rugdoc tips, he said: “There are mining in the chain Celo Please note that across the chain bridge (Optics) was traded to sign a multi-person It seems that there is a problem. The way to reduce the risk is to sell other assets on the Celo chain to Celo. There are not many people who sell it at present, and they lose a few points. Everyone judges the risk by themselves, whether it is a gamble or a stop loss. The strong and the courageous can also make arbitrage.”


As the cross-chain bridge protocol led by Celo, Optics (contract address: 0x6a39909e805A3eaDd2b61fFf61147796ca6aBB47) is the main channel for the current capital to flow into Celo from the external ecosystem. Problems with this bridge will undoubtedly affect the capital circulation of the entire Celo ecosystem. Therefore, after the issue of Optics was exposed, panic began to spread within the community.


According to the incident explanation statement from Tim Moreton, CEO of cLabs, the development team behind Celo , the multi-signature permission was replaced because someone unilaterally activated the Optics repair mode (recovery mode) on the GovernmentRouter contract. Although the bridge service is all normal, this One operation caused the Optics protocol to be fully controlled by the recovery manager account, and the original multi-signature permissions were also overwritten. However, Tim  believes that the funds locked on the bridge (currently locked funds exceed US$40 million) are currently not at risk.

From the on-chain transaction records disclosed by Tim, it can be seen that the incident actually occurred on October 29, 25 days ago. That is to say, after October 29, Optics has been in repair mode, but the cLabs team has not The situation was publicly disclosed to the community on 22nd.


Most notably, in addition to explaining the technical principles of the replacement of multi-signature permissions, Tim also mentioned a former senior developer  James Prestwich who has been expelled from cLabs . Tim claimed that the activation of the repair mode occurred 15 minutes after James was fired due to misconduct, and that during the deployment of Optics, James created a pull request for the configuration including the repair address, and requested confirmation of this Address and request reimbursement of expenses. Tim also said that since the discovery of the problem, cLabs has tried every means to approach James to solve the problem, but it has not been successful so far.


However, James himself responded to Tim’s “accusation”: “I have never been the key holder of Optics repair mode; I am disappointed that cLabs and Celo chose to make their bullying public. They are attacking by lying. My reputation; according to the lawyer’s advice, I don’t say anything now.”

Obviously, there is a contradiction between the statements of Tim and James. If neither of them lied, then who activated the repair mode?

After the incident, the community also launched an investigation through on-chain records. Community member @diwu1989 pointed out that in the last transaction that activated the repair mode (transaction hash: 0x8b1e0ca5f32c08e0afe64f0ab42204e3519712fe3bba0eeedeece56ccbf49461), the repair management address was modified from ” 0x3d930014952b”. It became “0xdcbf2088b7a6ef91f954be9ca658ea5b8e9b62d4”, and the latter was created by “0x2f4bea4cb44d0956ce4980e76a20a8928e00399a” (created transaction hash: 0xd224025870298fea9877880b89e00399a), so the key address of the problem is to be found is the key address of the problem belongs to 0xd224025870298fea9877880b89e00399a.


Another community member @Ryan continued to investigate along this line and found that this address is related to another project, PartyDAO, because it is one of the few addresses currently holding PARTY tokens. If the project can be contacted, it may be Know his identity.

Community member @Deepcryptodive also pointed out that the funds for addresses starting with 0x2f come from Kucoin addresses starting with 0x2a98. Through Kucoin’s KYC system, it should also be possible to find out the identity of this person.

Under the joint investigation of many people, the truth finally came to light. From the address remarks of the decentralized content platform Mirror, it can be seen that the funds of the address starting with 0x2f belong to a person named Anna, then Anna will be the one that activated the repair mode person?


The answer seems to be yes. Community users found from Github records that it was 26 days ago that a community developer with the same profile picture and name (Anna) reported on Github about  Optics repair mode time lock Vulnerability, in order to fill the loopholes, the repair mode needs to be activated and replaced with a more secure multi-signature address . In addition, from the historical submission code, Anna has indeed participated in the development of  PartyDAO.


At this point, the truth has basically come to the fore. The addresses on the chain are right, and the vulnerabilities and solutions mentioned in the report are also consistent with this incident. Therefore, it can be basically judged that it is Anna that activated the Optics repair mode, and there is a high probability of repairing the management account. Under Anna’s control.

However, although the context has already clarified the situation, but some community members for CE O and  cLabs approach in this matter is very satisfied. As the development team of Celo, cLabs should know the ins and outs of the matter better than any external investigator. However, in Tim’s statement, he did not give a clear explanation. Instead, he made some unfounded guesses and led the finger. To James, a developer who has been fired.

In addition, some other community members are also quite dissatisfied with Tim’s statement that “the funds on the bridge are not risky”, because it is inferred from Tim’s description that the current control of the contract is obviously not in cLabs or other known communities. In the hands of members, it is extremely irresponsible to unilaterally claim that “there is no risk in funds”.

The Twitter Big V @Monet Supply summed up the three mistakes the team made on this matter:


  1. No one checks the deployed contract before the application goes live;
  2. No disclosure to the community for 25 days;
  3. Tim’s weird statement (we have lost control of the contract, but the funds are safe…).

Monet Supply finally attributed all this to the chaos in Celo’s internal management, and said that it would be bearish on CELO as a result.

Last night, in order to calm the panic and dissatisfaction in the community, Celo officially organized an AMA dialogue and explained the matter again in the official forum. This time, it was no longer CEO Tim who spoke on behalf of cLabs, but two other developers, Eric and Marek.

The new statement disclosed some key information, including certain audits of Optics contracts and disclosure to the community, and the release of Optics V2 to migrate user funds. Marek also mentioned: “We will definitely learn from this incident. We will continue to analyze what went wrong and why it went wrong. For this reason, we plan to release a complete incident review report as soon as possible.”

This is the end of the matter, although many details still need to be clarified after the report mentioned by Marek is released (for example, why does there seem to be no communication between Anna and cLabs? Is the repair management account still under Anna’s control? ), But the basic situation of the situation is generally clear.

On the whole, this “Optics security incident” has a certain “false alarm” element. As a community developer, Anna’s purpose of replacing multi-signatures is more like fixing bugs rather than doing evil. This is why Optics has not been in the past 25 days. There is any loss of funds. However, you should not be too optimistic about everything. Before the event is completely over, it is recommended that you reduce the frequency of Optics use as much as possible in the short term. If you have cross-chain needs, you can try to choose Anyswap that also supports the Celo ecosystem, or as suggested by Shenyu Convert the bridged assets to CELO, and then use the centralized exchange to enter and exit.

The cross-chain track has always been an area with a high incidence of safety accidents. Although it has not caused any financial losses for the time being, the warnings sounded by this incident cannot be ignored. I hope that the Celo  development team and other project parties can use this as a warning to improve internal Manage order, improve transparency, and bring users a safer and more assured cross-chain experience.

What do you think?

0 points
Upvote Downvote

Gala Games: Will Steam in the field of chain games be the infrastructure of the metaverse?

OpenSea founder: We can survive the cold winter safely