Optimism loses 20M tokens after L1 and L2 confusion exploited

Published at: June 9, 2022

The honeymoon period for the Optimism layer-2 scaling solution has been cut short, as an exploit in its market maker’s smart contract led to the loss of 20 million OP tokens.

The exploit took place on May 26 but has only just been reported to the community. One million tokens valued at about $1.3 million were sold on Sunday. An additional 1 million tokens valued at about $730,000 were transferred to Vitalik Buterin’s Ethereum address on Optimism earlier today at 12:26 am UTC. The remaining tokens are dormant for now but could be sold at any time or used to sway governance decisions.

Hey folks--in the interest of transparency, we'd like to share some details about an ongoing situation: https://t.co/915vIgRIJG Summary below

— Optimism (✨_✨) (@optimismPBC) June 8, 2022

OP tokens are the native token for the Optimism layer 2 (L2) blockchain, and a portion of the supply was airdropped to network users on June 1. L2 solutions help alleviate congestion on a layer-1 (L1) blockchain such as Ethereum.

A summary of events from the Optimism team on Thursday detailed how the 20 million OP tokens were intended to be used by the Wintermute crypto market-making firm. After sending two test transactions, the Optimism team sent the full amount of tokens.

However, Wintermute discovered that it could not access the tokens because the smart contract it used to accept the tokens existed only on L1 and had not yet been deployed on Optimism. This technical oversight opened the contract to an attack, in which a bad actor took control of the contract on L2 for themselves.

As soon as Wintermute became aware of the problem, it “began a recovery operation with the goal to deploy the L1 multisig contract to the same address on L2,” but its attempt to remedy the situation was too late.

“An attacker was able to deploy the multisig to L2 with different initialization parameters before the recovery operation was completed and took control of the 20 million OP tokens.”

A multisig contract requires the approval of multiple key holders to execute a transaction.
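The failure described above is one a pre-transfer check can catch. The sketch below is an added example, not code from Optimism or Wintermute: `StubChain`, `get_owners`, the addresses and the bytecode are constructed stand-ins, with `get_code` mirroring the JSON-RPC `eth_getCode` call.

```python
from dataclasses import dataclass, field

@dataclass
class StubChain:
    """Constructed in-memory stand-in for one chain's RPC endpoint."""
    code: dict = field(default_factory=dict)    # address -> bytecode hex
    owners: dict = field(default_factory=dict)  # address -> multisig owner list

    def get_code(self, addr):
        # Mirrors JSON-RPC eth_getCode: "0x" means no contract at the address.
        return self.code.get(addr.lower(), "0x")

    def get_owners(self, addr):
        # Hypothetical stand-in for the multisig's own owner getter.
        return self.owners.get(addr.lower(), [])

def preflight(l1, l2, recipient):
    """Return blocking findings; an empty list means the L2 transfer may proceed."""
    findings = []
    on_l1 = l1.get_code(recipient) != "0x"
    on_l2 = l2.get_code(recipient) != "0x"
    if on_l1 and not on_l2:
        findings.append("recipient is a contract on L1 but has no code on L2")
    elif on_l1 and set(l1.get_owners(recipient)) != set(l2.get_owners(recipient)):
        # Same address does not imply the same initialization parameters.
        findings.append("L2 contract owners differ from the L1 multisig")
    return findings

# Constructed sample data, not real addresses.
MULTISIG = "0x" + "aa" * 20
TEAM = ["0x" + "01" * 20, "0x" + "02" * 20]
OTHER = ["0x" + "ff" * 20]
L1 = StubChain(code={MULTISIG: "0x6080"}, owners={MULTISIG: TEAM})

def scenarios():
    not_deployed = StubChain()
    wrong_owners = StubChain(code={MULTISIG: "0x6080"}, owners={MULTISIG: OTHER})
    matching = StubChain(code={MULTISIG: "0x6080"},
                         owners={MULTISIG: list(reversed(TEAM))})
    cases = [("not_deployed", not_deployed), ("wrong_owners", wrong_owners),
             ("matching", matching)]
    return {name: preflight(L1, l2, MULTISIG) for name, l2 in cases}

if __name__ == "__main__":
    for name, result in scenarios().items():
        print(name, "->", result or "ok")
```

Against a live network, the same two reads would be made on each chain's RPC endpoint before any funds are sent, and again after test transactions.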

In a Thursday message to the Optimism community, Wintermute took full responsibility for the exploit. The firm stated that it would perform OP buybacks equal to the amount the exploiter sells as a means of making “best efforts to smoothen the effects” of price volatility.

Wintermute has also offered to accept the incident as a white hat exploit if the hacker agreed to return 19 million tokens within one week. This offer was made before the hacker transferred another 1 million tokens.

Replies to Wintermute’s message mostly applauded the firm for its transparency in revealing the issue and for accepting the blame for what happened.

In the short term, the Optimism team has granted Wintermute an additional 20-million-OP grant “so that they can continue with their work as things unfold.” But the team also pointed out that such market-making efforts are temporary.

“The community should not expect or rely on the Optimism Foundation to support liquidity provisioning efforts in the future.”

Some $OP tokens got hijacked. Optimism is grappling with the idea of whether it should use its multisig to take the tokens back from the thief. In this tweet, they're saying "we coullllld do it.. but then you'd all hate us.. so we won't.. for now." DANGEROUSLY CENTRALIZED. https://t.co/p7JiPY2TzU

— Chris Blec (@ChrisBlec) June 8, 2022

Chris Blec, host of the Proof of Decentralization podcast, said the team had considered (but rejected) regaining control of the stolen funds by performing a network upgrade. This meant that, in his view, Optimism (like most decentralized finance projects with admin keys) is “DANGEROUSLY CENTRALIZED.”

Blec also suggested that the most obvious explanation for exploits involves those most closely involved, meaning someone involved with Wintermute may have performed the attack themselves. He asked, “Why is everyone in this space always so opposed to vetting the most obvious possibilities?” There is no evidence at this stage to support this theory.

OP investors have responded negatively to the update: the token price is down 31.2% over the past 24 hours, trading at $0.76, according to CoinGecko.
