Optics Recovery Mode

I used the bridge to transfer some ETH from celo to polygon, and it worked, but its weird, i see that the WETH token contract on polygon is this one:

but the right one used on dApps is this:

Something to worry about?? i see there are transfers using that contract from 65 days ago, but i dont see how i can transform the WETH to the real one!

call it a bug. Optics is in beta for a reason. They shall fix this in Optics V2. For now you can bridge it back to Celo, then swap it to cUSD.

The audit report was released Oct 8th. A comment is right there. No one in Optics team bothered to read audit report I assume, but Option V2 will have this issue fixed?

Line 164-180 Function
Confidential
GovernanceRouter.initialize(address,address)
recoveryManager = _recoveryManager (governance/GovernanceRouter.sol#173)
Issue
code sets recoveryManager without emitting an event which is difficult to track offchain.
Recommendation
Emit an event for critical parameter changes.

Might I recommend renaming the redeployment of Optics V2?

2 Likes

Hi Thawin, if you want that specific wETH on Polygon, you would need to bridge “wETH (Optics)” from Celo to Ethereum network, and then use the Polygon bridge to bridged to the Polygon network. If you have more questions or need help, the team is on discord. #bridges-support

[updated] Thanks @yeet @rq-crypto for flagging.

1 Like

This is not a good answer. Optics bridge shall manage this issue automatically(swap from wETH(Optics) to wETH(PoS)) or block it. Think what if WETH bridged by Celo to Ether is an unique token just like this wETH(Pos)? It will be a disaster. It feels that Optics team has no product manager, just a bunch of wild developers not knowing the need of an average user.
Another thing is that Optics bridge shall automatically unwrap WETH to ETH in Ether chain, because most users starts with ETH, not WETH. And most exchanges only recognize ETH. I assume a lot of users will have issue when bridging back WETH from celo to exchange address, because it will not show up.

Bridges don’t work like this. The PoS weth is from Polygon Proof of Stake Bridge. The underlying weth is held on ethereum in a contract optics bridge has no control over.
Even weth bridged via Polygon Plasma bridge is not interchangeable with weth bridged via PoS bridge.

Where tokens are minted or burned bridging is non trivial.
If you want to “swap” tokens across chains use liquidity bridges like xpollinate and always check which token you are getting on the other side, as there will likely be several, though won’t be liquidity for all them on exchanges.

Thanks for the explanation. We know bridging is tough, especially multi-chain bridging, which is why there is a team running Optics. Optics must have been working hard to make sure cross-chain validation is solid, however, I do not think it’s hard to establish a principal for cross-chain swaps. For each token in a specific chain, there should only have one path in-and-out, which is what an average user expect. And in Celo, there should be only one token, not multiple versions of wrappers. And Optics manages the technical details. In the case of wETH(Optics) to Polygon, why bridge protocol could not perform wrapper swap automatically, but leave the details to the users? Is internal swap hard to maintain? I think it’s hard, but doable. The bridge itself can manage token balance of contract address on various chains, and transfer between them cross-chain automatically using chain-specific bridge when contracts balances are off(every chain has native bridge with Ether). The Optics bridge itself is nothing more than a central clearing facility, with one branch per chain. If it works out, the multi-chain bridge itself can become a major application area of Celo network, as everyone is looking to pay for fast and reliable cross-chain transfers.

Thank y’all for your patience and kindness

I always have and always will fiercely protect users’ safety and security. Based on everything I know, I do not believe there is a security threat to users’ funds or to the bridge.

If you have not yet, please read this ticket: recoveryTimelock mis-configured ¡ Issue #918 ¡ celo-org/optics-monorepo ¡ GitHub

I’ve had to retain lawyers to protect my rights. Im hopeful that I’ll be able to share more info soon :heart:

  • Anna
11 Likes

Anna, thank you for posting here. I am glad we are aligned: we all want to be sure the funds in the bridge are secure. We see that the biggest tension causing anxiety is the lack of transparency about who controls the recovery manager. How can we move Optics out of Recovery mode and the recovery manager to a known multisig as proposed in V2?

6 Likes

It’s great that bridge V2 will learn from the mistake and build on stronger governance. I think one thing should not get lost there, is that Optics has been performing well this week under heavy load. This is a actually a good sign and it might have a great potential as cross-chain bridges among strong competitions already from allbridge/Anyswap/RelayBridge. Bridge V2 can be more reliable, DAO governed, faster, but it needs to be more convenient to use. And that will make it stand out - because most users do not want to deal with bridging mass. Just get out of dev team habit and think of three things -(1) use the same contract address cross multiple chains to avoid confusion, (2) do not call cUSD as WcUSD in Ether chain, and look at how UST did it, (3) have only one wrapped edition per token per chain as long as the asset is passed through Optics bridge - it can be optics contract, it can be native assets(USDC) or established asset, like wETH on Polygon. Deliver user the end asset, and charge them if necessary

1 Like

Thanks for the feedback – this subject and the roadmap in general is something I want us to make time to discuss later next week.

Optics v2 update: The Optics v2 deployment has been completed and can go live as soon as Monday.

Huge thanks to the team that have worked through the Thanksgiving holiday to get this done.

We’re committed to launching Optics v2 in a thoughtful and secure manner that maximizes trust and confidence in the new bridge. Before it is considered live, we encourage members of the community to audit the deployment and its governance. We’re sharing details in this post for anyone interested in reviewing.

An update on Optics v1: Over the weekend, multiple individuals came forward with information regarding the identities of the holders of the multisig. However, we have not been able to verify this information. Moreover, we still cannot confirm the identity of the holder of the recovery manager account for non-Ethereum chains. We will continue to investigate the facts around this incident, to contribute towards a detailed public incident review. However right now the lack of public transparency of privileged key holders has not changed. This means the team is focused on providing a community-owned, secure v2 for users.

For current users of the Optics v1 bridge, we continue to recommend that users perform the following actions as soon as possible:

  • For large holders not impacted by the cost of gas on Ethereum, we suggest using the current instance of Optics (v1) to move your funds back to Ethereum and then back to Celo using the newly deployed Optics v2 at a later time once it is launched.
  • For smaller holders not looking to be impacted by the price of gas on Ethereum, there are numerous non-optics assets that are not affected (e.g. cUSD, cEUR, cETH, cBTC) that we recommend trading into, and back to the Optics v2 assets once they are live.
1 Like

A short time ago, we identified activity on Ethereum that took Optics v1 out of recovery mode, then (while out of recovery mode) transferred the recovery manager to the new community v2 multisig that was prepared ahead of the launch of Optics v2 today. We obviously welcome these steps as a move toward community governance of Optics v1, which still holds considerable user funds. At this time we still do not know the identity of the holder of the EOA that controls recovery mode on Celo and Polygon, and that previously put Optics v1 into recovery mode on Ethereum. Our recommendation for users remains unchanged and Optics v2 will launch later today.

3 Likes

hi! i have been following this as i have bridged funds and really don’t want to move them. looks like the other ones were transferd on the other chains! seems like funds are safe now and contracts are completely community-owned!!

https://explorer.celo.org/address/0xcEc158A719d11005Bd9339865965bed938BEafA3/logs

Thanks for your support and attention to this – I’ve been using the bridge without significant issues for the past month or so. As I suspect is true of many users of Optics right now, I’m primarily using it for the purpose of farming Optics assets (WETH and DAI) on Sushiswap. I plan to continue to farm on Sushiswap after v2 is live, so my main concern right now is around what to do with my v1 assets:

Keep on Celo in hopes of swapping to v2 without bridging back to ETH: Advantages here are that I can keep on farming until sushi is live with v2 assets (I know v2 is going live soon but things in crypto are often delayed / not sure when sushi will switch over to the new v2 assets) and I avoid eth gas fees.

Transfer back to ETH and wait for v2 bridge to be live. Advantages here are that I can avoid the risk that my assets cannot be bridged back to ETH or that I have to trade to v2 below 1:1.

My suggestion would be to give users some clarity sooner rather than later on plans for the v1 - v2 swap option in celo. Some options for this:

  1. (Best option imo) Implement a guaranteed 1:1 swap between v1 and v2 – this would allow users to keep their assets in Celo (benefitting Celo TVL and the overall ecosystem), save on high ETH gas fees, and avoid panic selling v1 assets given fears they won’t be supported any longer.

  2. (Okay option) v1 - v2 swap with community-provided liquidity AND keep Optics v1 bridge live. I would be potentially willing to provide liquidity for this depending on yield. It is crucial to keep the v1 bridge live for this – otherwise the v1 asset is essentially worthless / locked in Celo forever, and the trading flow would likely be purely in the v1 → v2 direction, so if it’s a typical AMM the price of v1 would tank pretty quickly. If you kept v1 open, I could imagine large holders (I would do this) arbitraging between v1 on Celo / v2 on Celo / asset on Ethereum chain or CEXs. I could see this arb being profitable for me and others with a lot of capital but it’s unnecessarily complex compared to the prior option, and I think that tying v1 to v2 1:1 in celo is much better for the community and average holder.

  3. (Bad option) Community provided v1 - v2 liquidity WITHOUT live v1 bridge. In this scenario, v1 becomes worthless (defi protocols start using v2 assets and your asset is locked on celo forever), so the price of v1 assets death spirals and people who didn’t bridge before v2 lose a lot.

In any case, I urge transparency on plans here prior to closing the v1 bridge. In particular, if it’s not going to be a 1:1 swap and / or the v1 bridge is going to be offline or potentially unable to handle a high volume of transfers from Celo to Eth chain, people should have some warning prior to that happening.

Thanks! Excited for this migration.

3 Likes

Thanks everyone for all the conversation and input today on the Optics project here, on Discord and elsewhere. Great to see so much energy.

It does appear that several smart contract calls have been made on multiple networks when taking Optics v1 out of recovery mode. We want to make sure the transition to community ownership is complete. We are inspecting the on-chain state right now.

We’ll have more details to share in the next 24 hrs.

1 Like

I agree completely with bigguinea.

Btw, on Solana, they had a Wormhole bridge version 1 and version 2.
Assets from version 1 coexisted with version 2 for some times, a couple of months certainly,
and you could bridge them to version 2 on a 1:1 basis for a normal solana fee (cheap).

Main pools were provided with co-existing assets like SOL-WETHv1, SOL-WETHv2 on main solana dexes like Raydium and Saber, and both were incentized for some time, then progressively reduced for v1 assets to incentize token holders to migrate from v1 to v2.

That certainly would be the best option here. Of course it is ugly, not “clean”, with confllicting named assets for newbies, but reality is made of past errors and added solutions.

Just my 2 cents.

2 Likes

We wanted to send a quick update about Optics v1 and the launch plans for Optics v2.

We paused the launch of Optics v2 on Monday afternoon after governance transactions were made on Optics v1. After reviewing the contract state on every network over the past few hours, we believe that Optics v1 is now fully out of recovery mode and that the original EOA recovery key is no longer in control of any of the contracts on any of the chains. This is a positive step for the prospect of staying with Optics v1.

To this end, we are working hard on ensuring that Optics v1 can be trusted and maintained in the long term and that users’ funds are absolutely safe. We are continuing our efforts to reach out to the Optics v1 governance holders whose support is essential in making v1 viable. We will continue to keep everyone updated here. Thanks for your patience while we all work through this together.

1 Like

Thanks for the update! Yes, as has been previously discussed by myself and others, a migration that involves having a v1 and v2 version of a given asset is doable IF necessary – but it adds complexity – especially given that there’s yield products involved, like you’d want to coordinate with sushiswap so the DEX / farms migrate over to v2. Anyway, I think if it can be avoided by sticking with / improving what’s already there, personally I think that’s great. But if it does turn out that the only way to have long-term security and make the product improvements you’re looking to make by switching assets, that’s fine but great if it can be avoided.

2 Likes