OP Stack DA DoS Vector Recap: From Conduit’s Discovery to Ecosystem Response
Learn how Conduit worked with OP Labs and security researchers to patch an OP Stack attack vector related to data availability DoS.

Today, OP Labs announced an update addressing a DoS vector on the OP Stack. The patch improves DA throttling mechanisms first introduced last November following Conduit Head of Product Emiliano Bonassi’s initial report of the bug. In the months following, a security research team led by Stefanos Chaliasos independently discovered related attack vectors – our team then worked with him and others from OP Labs and Base to research further and comprehensively address the vulnerability.
Rollups across the Ethereum ecosystem rely on open source tools like the OP Stack, and today’s fix highlights the importance of a strong, technically proficient community to keep those tools safe. Below, we’ll share an overview of the vulnerability and its threat implications, as well as a timeline of how multiple teams came together to fix it.
The DA DoS vector explained
The issue in question made it possible to force a reorg of an OP Stack rollup. Essentially, if a bad actor continuously spammed a chain with data-heavy transactions for a long period of time, they could delay finality enough to trigger a reorg via the chain’s native security mechanism.
The danger here is that a bad actor could bridge funds onto the rollup, begin the reorg attack, and then withdraw the funds using a fast bridge within one of the blocks rolled back during the reorg. This would essentially result in a double spend – the funds would “exist” in the attacker’s account on a new chain, and on the reorged version of the rollup. Such an attack would put both the rollup and fast bridge in danger of holding unsecured funds. This is just one example of how bad actors could exploit this attack vector.
The timeline: How teams worked together to solve the bug
Emiliano first identified the DA spam vulnerability in October 2024 while working on a congestion issue affecting L3 testnets on Base Sepolia. He and other Conduit engineers engaged the OP Labs team and engineers from Base to investigate further. They found that the vulnerability could be exploited as we described above with a limited amount of capital for gas fees and a few hours’ worth of spam transactions. Their work resulted in the OP Stack’s first DA throttling controls being pushed in op-stack v1.9.5.
In June, Stefanos Chaliasos and his team independently discovered that the DA DoS vector could still be exploited, albeit with a much greater amount of capital – hundreds of thousands in gas fees – and a larger time commitment for spam transactions. Stefanos reported the issue to Luca Donno at L2Beat, who put him in touch with Conduit. We worked with Chaliasos and his team, as well as OP Labs and other teams in the OP ecosystem, to investigate these vectors, discovering more tactics bad actors could use to make these spam attacks more effective. Ultimately, the report Chaliasos submitted following this work led to today’s OP Batcher v1.15.0 release, which fully addresses the security issue. Further improvements suggested by Base to address potential UX degradation from spam transactions will be introduced in the OP Stack’s upcoming Jovian fork.
It takes a village
We’d like to thank and congratulate all of the teams we worked with in solving this issue: the Optimism Collective, Base, Unichain, Worldchain, and especially Stefanos Chaliasos and his team. Our goal is to help our customers run sustainable onchain businesses. That wouldn’t be possible without the many individuals who work hard to maintain the open-source tools those chains rely on – nowhere else is this more apparent than in security research.
Conduit will continue to do its part in keeping the Ethereum ecosystem safe alongside our partners and the rest of the onchain community.