Last weekend an attacker was able to gain control of the Optimism addresses that correspond to various Gnosis Safe multisigs on Ethereum that had not yet been deployed to Optimism. A quick thread on security in the multi-chain world ~~
As a quick upfront note, this incident was not the result of any vulnerability in Optimism or Gnosis Safe, but instead stemmed from (reasonable) security assumptions made in an old version of Gnosis Safe long before multi-chain was a vibrant reality.
Let's quickly explain what happened. Older versions of Gnosis Safe factory contracts were deployed via transactions without a chain ID (non EIP-155 tx). This meant it was possible to replay these transactions on chains other than Ethereum.
In some ways, this is really useful. It means that the same factory can be deployed to every chain at the same address. And that's exactly what happened -- the factory was deployed to Optimism.
Unfortunately, at the time in which this older factory contract was being used, it seems that the Gnosis Safe UI sometimes used the function createProxy which created multisigs via CREATE instead of CREATE2. 
Unlike CREATE2, the address of a contract created via CREATE is not based on the code being used to create the contract and is only based on the nonce of the creator address.
This means that it was possible for the attacker to deploy the old Safe factory to Optimism and begin to trigger the createProxy function repeatedly to create the multisigs on L2.
However, because createProxy uses CREATE and not CREATE2, the attacker was able to initialize these multisigs so that they were owned by the attacker.
Users often assume that any account they can access on Ethereum will also be accessible on other EVM-based chains. For externally owned accounts (aka non-contract accounts), this is generally true.
The same does not necessarily apply to smart contract accounts. Contracts can be created at the same address on different chains with completely different code and, as a result, completely different owners.
Misunderstandings like this can have serious real-world consequences. Last week, Wintermute accepted a loan of 20m OP tokens to an L1 multisig wallet they believed they could access on L2. This L2 address was one of the multisigs later deployed by the attacker.
These are the growing pains of a multi-chain world. It's an unfortunate event, but it highlights the importance of designing systems for multi-chain users. CREATE2 and deterministic deployment is critical, especially for contract wallets.
If you're using a multisig wallet on Ethereum, I highly recommend that you take the time to understand the security properties of your wallet and whether or not you will control that wallet on chains other than Ethereum.
When in doubt, if receiving funds on a new chain, attempt to execute transactions from your account on the chain on which those funds are being received. Don't just assume that you will have access everywhere -- confirm it.
This isn't the first time something like this has happened, and it probably won't be the last. Be careful out there, especially when dealing with large balances. You can never be too cautious in the face of immutability.
And a final PSA because it's really important: this is *not* specific to Optimism! Same thing could happen on any chain. Confirm that you have control of an account by transacting from that account.
• • •
Missing some Tweet in this thread? You can try to
force a refresh
