The cross-chain bridge's multisig has been replaced: what exactly happened on Celo?
Author: Azuma, Planet Daily
On the evening of November 23, Beijing time, Fish, the founder of the mining pool F2Pool, retweeted a risk alert from the security organization Rugdoc on Weibo, stating: "If you are mining on the Celo chain, please be aware that the multi-signature of the cross-chain bridge (Optics) has been changed, which is suspected to have issues. A way to reduce risk is to sell other assets on the Celo chain for Celo; currently, there are not many sellers, and you may incur some losses. Everyone should assess the risk themselves, whether to take a gamble or cut losses, entirely based on your own strength. Those with guts can also arbitrage."
As the official cross-chain bridge protocol developed under the Celo team's lead, Optics (contract address: 0x6a39909e805A3eaDd2b61fFf61147796ca6aBB47) is currently the main channel for funds entering Celo from external ecosystems. Any problem with this bridge inevitably affects the liquidity of the entire Celo ecosystem, so once the Optics issue surfaced, panic began to spread through the community.
According to a statement by Tim Moreton, CEO of cLabs (the development team behind Celo), the multisig's permissions were superseded because someone unilaterally activated recovery mode on the Optics GovernanceRouter contract. Token transfers across the bridge continue to work normally, but once recovery mode is active the recovery manager account holds full governance control over Optics, overriding the original multisig. Tim nevertheless maintains that the funds locked in the bridge (over $40 million at the time) are not at risk.
The on-chain transaction records Tim disclosed show that the change was actually made 25 days earlier, on October 29. Optics has therefore been in recovery mode since October 29, yet cLabs did not publicly disclose the situation to the community until November 22.
Notably, besides explaining the technical mechanism behind the change, Tim also pointed to James Prestwich, a former senior developer at cLabs who had been dismissed. Tim claimed that recovery mode was activated just 15 minutes after James was fired for misconduct, and that during the Optics deployment James had created a pull request that included the recovery address and had asked for confirmation of that address and reimbursement of expenses. Tim added that since the problem was discovered, cLabs had tried every possible way to contact James to resolve it, so far without success.
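To make the mechanism in Tim's statement concrete, here is a small runnable model of a governance router with a timelocked recovery path. It is an added illustration for this article, not code from Optics or cLabs: the method names, the governor placeholder address, the one-week timelock and the timestamps are assumptions chosen for the example, while the two recovery manager addresses are the ones quoted later in the article. The `audit_router` helper is the kind of check a team would run against a freshly deployed router, comparing live state with the committed deployment config, and then re-run on a schedule so a running recovery timelock is noticed before it expires.

```python
"""Timelocked recovery on a bridge governance router, as a runnable model.

Added example, not Optics or cLabs code. The mechanics follow the article's
description: a recovery manager can start a timelock and, once it expires,
the router is "in recovery" and governance control passes from the governor
multisig to the recovery manager, while ordinary token transfers keep working.
Method names and the audit helper are assumptions made for this illustration.
"""
from dataclasses import dataclass, field


class NotAuthorized(Exception):
    """Caller may not perform this action in the router's current state."""


# Recovery manager addresses quoted in the article (before and after the change).
OLD_RECOVERY_MANAGER = "0x3d9330014952bf0a3863feb7a657bffa5c9d40b9"
NEW_RECOVERY_MANAGER = "0xdcbf2088b7a6ef91f954be9ca658ea5b8e9b62d4"
# Constructed placeholder for the governor multisig; the article does not give it.
GOVERNOR_MULTISIG = "0x000000000000000000000000000000000000aaaa"

WEEK = 7 * 24 * 3600  # assumed timelock length for the model


@dataclass
class GovernanceRouter:
    governor: str
    recovery_manager: str
    recovery_timelock: int          # seconds from initiation until recovery is active
    recovery_active_at: int = 0     # 0 means the timelock has never been started
    remote_routers: dict = field(default_factory=dict)  # governance-controlled state

    def in_recovery(self, now: int) -> bool:
        return self.recovery_active_at != 0 and now >= self.recovery_active_at

    def initiate_recovery_timelock(self, caller: str, now: int) -> None:
        # Only the recovery manager may start the clock, and only once.
        if caller != self.recovery_manager or self.recovery_active_at != 0:
            raise NotAuthorized("initiate_recovery_timelock")
        self.recovery_active_at = now + self.recovery_timelock

    def transfer_recovery_manager(self, caller: str, new_manager: str) -> None:
        # Hand-off of the role needs no timelock and no governor approval.
        if caller != self.recovery_manager:
            raise NotAuthorized("transfer_recovery_manager")
        self.recovery_manager = new_manager

    def set_remote_router(self, caller: str, domain: int, router: str, now: int) -> None:
        # The governance action itself is unchanged; who may invoke it flips
        # from the governor to the recovery manager the moment recovery is active.
        allowed = self.recovery_manager if self.in_recovery(now) else self.governor
        if caller != allowed:
            raise NotAuthorized("set_remote_router")
        self.remote_routers[domain] = router


def audit_router(router, expected_governor, expected_recovery_manager, min_timelock, now):
    """Compare live router state against the deployment config; return findings."""
    findings = []
    if router.governor.lower() != expected_governor.lower():
        findings.append(f"governor mismatch: {router.governor}")
    if router.recovery_manager.lower() != expected_recovery_manager.lower():
        findings.append(f"recovery manager mismatch: {router.recovery_manager}")
    if router.recovery_timelock < min_timelock:
        findings.append(f"recovery timelock {router.recovery_timelock}s below minimum {min_timelock}s")
    if router.in_recovery(now):
        findings.append("recovery mode active: governor multisig is overridden")
    elif router.recovery_active_at:
        findings.append(f"recovery timelock running, active at {router.recovery_active_at}")
    return findings


def replay_incident():
    """Replay one plausible ordering of the events and report what an audit sees."""
    router = GovernanceRouter(GOVERNOR_MULTISIG, OLD_RECOVERY_MANAGER, WEEK)
    t0 = 1_000_000  # constructed timestamp
    clean = audit_router(router, GOVERNOR_MULTISIG, OLD_RECOVERY_MANAGER, WEEK, t0)

    router.initiate_recovery_timelock(OLD_RECOVERY_MANAGER, t0)
    # While the clock runs the governor still governs, so nothing looks wrong
    # from the bridge's behaviour; only a state audit notices the pending flip.
    router.set_remote_router(GOVERNOR_MULTISIG, 1, "router-a", t0 + 1)
    pending = audit_router(router, GOVERNOR_MULTISIG, OLD_RECOVERY_MANAGER, WEEK, t0 + 1)

    t1 = t0 + WEEK
    router.transfer_recovery_manager(OLD_RECOVERY_MANAGER, NEW_RECOVERY_MANAGER)
    governor_blocked = False
    try:
        router.set_remote_router(GOVERNOR_MULTISIG, 1, "router-b", t1)
    except NotAuthorized:
        governor_blocked = True
    router.set_remote_router(NEW_RECOVERY_MANAGER, 1, "router-c", t1)
    after = audit_router(router, GOVERNOR_MULTISIG, OLD_RECOVERY_MANAGER, WEEK, t1)
    return {
        "clean_findings": clean,
        "pending_findings": pending,
        "governor_blocked": governor_blocked,
        "recovery_manager": router.recovery_manager,
        "findings": after,
        "remote_router": router.remote_routers[1],
    }


if __name__ == "__main__":
    for key, value in replay_incident().items():
        print(f"{key}: {value}")
```

The point the model makes is the one the community objected to: "the bridge is functioning normally" and "governance is in the hands of the expected parties" are independent properties. A token transfer exercises neither the governor nor the recovery manager, so the only way to know who controls the router is to read its state, and a deployment should be checked against its config before go-live and re-checked whenever the recovery timelock is started or the recovery manager changes.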
However, in response to Tim's "accusation," James himself stated: "I have never been a key holder for the Optics recovery mode; I am disappointed that cLabs and Celo chose to publicize their bullying. They are attacking my reputation by lying; based on my lawyer's advice, I will not say anything further."
Clearly, there is a contradiction between Tim and James's statements. If neither of them is lying, then who activated the recovery mode?
After the incident, the community investigated the on-chain records. Community member @diwu1989 pointed out that in the final transaction activating recovery mode (transaction hash: 0x8b1e0ca5f32c08e0afe64f0ab42204e3519712fe3bba0eeedeece56ccbf49461), the recovery manager address was changed from "0x3d9330014952bf0a3863feb7a657bffa5c9d40b9" to "0xdcbf2088b7a6ef91f954be9ca658ea5b8e9b62d4", and that the latter was created by "0x2f4bea4cb44d0956ce4980e76a20a8928e00399a" (creation transaction hash: 0xd224025870298fea9877880b89b24ed0569c41d3dd147e6afec5ac41da4d098e). The key question therefore became who owns the address starting with 0x2f.
Another community member, @Ryan, followed this thread and found that the address is linked to another project, PartyDAO, as it is one of the few addresses currently holding PARTY tokens; contacting that project might reveal the owner's identity.
Community member @Deepcryptodive also noted that the address starting with 0x2f was funded from a Kucoin address starting with 0x2a98, so the owner's identity should also be traceable through Kucoin's KYC records.
Through this joint investigation the picture finally emerged: address labels on the decentralized content platform Mirror show that the funds in the 0x2f address belong to a person named Anna. Could Anna be the one who activated recovery mode?
The answer appears to be yes. Community users found GitHub records showing that, 26 days ago, a community developer with the same avatar and name (Anna) reported a vulnerability in the timelock of the Optics recovery mode; the proposed fix was to activate recovery mode and move the recovery manager role to a more secure multisig address. Anna's commit history also shows that she contributed to PartyDAO.
At this point the picture is largely clear: the on-chain addresses match, and the vulnerability and remedy described in the report align with what happened, so it is reasonable to conclude that Anna activated recovery mode for Optics and that the recovery manager account is most likely under her control.
However, although the course of events has now been clarified, some community members are quite dissatisfied with how Celo and cLabs handled the matter. As Celo's development team, cLabs should understand the ins and outs of the situation better than any outside investigator, yet Tim's statement gave no clear explanation; instead it offered unfounded speculation and pointed the finger at a dismissed developer, James.
Some community members are also unhappy with Tim's assertion that "the funds on the bridge are not at risk". By Tim's own account, control of the contract is clearly not in the hands of cLabs or any other known community member, so unilaterally declaring "the funds are safe" is extremely irresponsible: a bridge whose transfers still work is not the same as a bridge whose governance is held by the expected parties.
Twitter influencer @Monet Supply summarized the three mistakes made by the team regarding this matter:
No one checked the deployed contracts before the application went live;
There was no disclosure to the community for 25 days;
Tim's bizarre statement (we lost control of the contract, but the funds are safe…).
Monet Supply ultimately attributed all of this to the internal management chaos of Celo and stated that they would be bearish on CELO as a result.
Last night, in order to quell the panic and dissatisfaction within the community, Celo officially organized an AMA dialogue and issued another explanation on the official forum regarding this matter. This time, the representatives from cLabs were not CEO Tim, but two other developers, Eric and Marek.
The new statement disclosed some key information, including that there will be an audit of the Optics contract and disclosure to the community, as well as the migration of user funds through the release of Optics V2. Marek also mentioned: "We will definitely learn from this incident, and we will continue to analyze where things went wrong and why. To this end, we plan to release a complete event review report as soon as possible."
At this point, although many details still need to wait for the report mentioned by Marek to be published for further clarification (such as why there seems to be no communication between Anna and cLabs? Is the recovery management account still under Anna's control?), the basic situation of the incident is generally understood.
Overall, this "Optics security incident" has an element of false alarm: as a community developer, Anna's purpose in replacing the multisig looks more like fixing a bug than malicious intent, which is consistent with Optics having suffered no loss of funds over the past 25 days. But that is no reason for complacency. Until the recovery manager's identity is confirmed and control of the router is back with a known party, it is advisable to minimize use of Optics in the short term. Users who need to move assets across chains can use Anyswap, which also supports the Celo ecosystem, or, as Fish suggested, swap bridged assets for CELO and move in and out through centralized exchanges.
The cross-chain track has always been a high-risk area for security incidents. Although no financial losses have occurred so far, the warning sounded by this incident should not be ignored. It is hoped that the Celo development team and other project parties can take this as a lesson to improve internal management order, increase transparency, and provide users with a safer and more reassuring cross-chain experience.