CCS2024

DoubleUp Roll: Double-spending in Arbitrum by Rolling It Back

Zhiyuan Sun, Zihao Li, Xinghao Peng, Xiapu Luo, Muhui Jiang, Hao Zhou, Yinqian Zhang

3 citations

Abstract

Optimistic rollup protocols are widely adopted as the most popular blockchain scaling solutions. As a dominant implementation, Arbitrum has boasted a total locked value exceeding 18 billion USD, highlighting the significance of optimistic rollups in the blockchain ecosystem. Despite their popularity, little research has been done on the security of optimistic rollup protocols, and potential vulnerabilities in them remain unknown. In this work, we unveil three novel double-spending attacks on Arbitrum, each enabling an attacker to steal funds from cross-chain applications on Arbitrum. To facilitate these double-spending attacks, we introduce an attack that induces manipulable delays in the transaction rollup process and propose a cost optimization solution to further reduce the transaction fees associated with the attacks. Our investigations extend our double-spending attacks to another leading optimistic rollup protocol, Optimism, highlighting the generalizability of our proposed attacks. Through extensive experiments on a local test network, we demonstrated that our attacks lead to severe malicious effects, such as fund losses from double spending. From late 2022 to early 2023, we reported these vulnerabilities to the Arbitrum and Optimism teams. All the issues were acknowledged and resolved, and our research safeguarded billions of dollars at risk, earning us half a million dollars in bug bounty rewards.