A hacker stole 20 million Optimism (OP) tokens by exploiting a human error made ahead of the distribution of governance tokens to users, a process known as an airdrop. At the time this article was finalized, the amount was equivalent to USD 17 million.
Optimism, a scalability solution for Ethereum, distributed OP tokens to its users a few days ago. To do this, it had the assistance of Wintermute, a decentralized finance (DeFi) platform whose function was to provide liquidity during the process.
However, the transfer of funds between Optimism and Wintermute gave rise to a flaw that a hacker was able to detect and exploit 12 days ago. The 20 million OP deposited by Optimism were sent to a second layer (L2) on Ethereum, but the Wintermute address was operating on the mainnet.
This second layer is precisely Optimism. It is a rollup that allows grouping transactions to lower costs when uploading them to the main network.
Why did this attack happen? As reported by Optimism in a release, Wintermute was not prepared to receive the tokens in that second layer (or sent the wrong address). As a consequence, it had to devise a method to access the tokens. However, instead of achieving this, it opened a vulnerability that was exploited by the hacker.
At the time of writing, the attacker’s address holds about 18 million OP, equivalent to just over USD 15.3 million, based on the current token price ($0.85) according to CoinGecko data. Just as he has sold close to 1 million OP tokens so far, the hacker “can easily sell the rest,” Optimism claims in its post. Interestingly, part of what was stolen was sent to the address of Vitalik Buterin, co-creator of Ethereum.
The issue may have a significant impact on the broader Optimism community. On the day of the token’s airdrop, demand was so high that it caused complications in the process, as CriptoNoticias reported. It should be noted that the 20 million stolen OP are equivalent to almost 10% of the total circulation of the token, today at 214,748,364 OP.
A user questioned on Twitter the fact that the transfer of funds to the hacker’s address was made 12 days ago (as shown in the image below), but both companies decided to make the episode public only today. Several people joined this complaint, and Optimism will surely have to speak out on this to bring more clarity to the matter.
How they plan to recover the stolen funds
To try to fix this problem, Wintermute has “committed” to buy back all lost tokens. Through a release, the AMM developer team reported that they will buy OP as the attacker sells. This could add volatility to the value of the token, “but we will do our best to smooth the effect,” they say.
Because the hacker decided not to liquidate all the funds at once, Wintermute says it hopes this is a whitehat exploit, that is, a hack by a person who will return the funds and who acted with the intention of alerting about a vulnerability. “In that case, the funds are potentially recoverable,” they say.
“However, we operate under the premise that this is not the case, as we did not receive any communication from the hackers and our message on the chain went unanswered,” they added. “The error was 100% Wintermute,” they admit.
Finally, in a message addressed to the attacker, Wintermute gives him a week to show his goodwill, which even “could open up possibilities for collaboration in the future”, due to how intelligent his intervention was. If they do not receive answers, the funds will be traced and the authorities will intervene to find the person responsible for the theft, they say.
The Optimism Foundation, meanwhile, made a second temporary deposit of 20 million OP to Wintermute in order to continue the process. It is clarified, however, that providing liquidity is not a task that the Foundation must fulfill and that such a thing should not be expected in the future.
Optimism’s lessons after the episode
Beyond Wintermute’s attempts to remedy the problem, Optimism stresses that there are “fundamental lessons to take home” from what happened. “This is not the first time that an error of this type has happened,” they say, and they also underline the difficulties of using the different layers of networks such as Ethereum “even for experienced users and teams”.
Given this, Optimism drew several lessons, such as “do not assume that control of an address between L1 and L2 is guaranteed”, move carefully in “the dark forest of Ethereum” because “you never know who is watching the chain”, and, for developers, control the behavior of multi-chain applications.
Regarding the governance of the protocol, Optimism assured that “so far there has been no impact” but that they are watching the attacker’s address. Likewise, the Optimism Foundation ruled out the possibility of censoring the address with the stolen tokens because a centralized control measure like this “would represent a significant antecedent.”
What is Wintermute and why was it associated with Optimism?
Wintermute is an automatic market maker. This means that its function is to provide liquidity to decentralized exchanges (DEX) and decentralized finance protocols (DeFi) so that they can maintain their operations.
The purpose of Optimism’s alliance with this company was “to facilitate the experience of users who acquire OP to participate in the governance of the Collective.” To that end, 20 million OP tokens were deposited into Wintermute, which then ended up in the wrong hands.