The honeymoon period of the layer 2 scaling solution, Optimism, has been cut short by a bug in its market maker’s smart contract that has caused the loss of 20 million OP tokens.
The failure took place on May 26, but has just been communicated to the community. One million tokens valued at about $1.3 million were sold on June 5. An additional one million tokens valued at around $730,000 were transferred to Vitalik Buterin’s Ethereum address on Optimism earlier today at 12:26am UTC. The remaining tokens are dormant for now, but could be sold at any time or used to influence governance decisions.
Hey folks–in the interest of transparency, we’d like to share some details about an ongoing situation: https://t.co/915vIgRIJG
Summary below
— Optimism (✨_✨) (@optimismPBC) June 8, 2022
OP tokens are the native token of the layer-2 (L2) solution, Optimism, and a portion of the supply was given away to network users on June 1. L2 solutions help alleviate congestion on a layer 1 blockchain like Ethereum.
A summary of events from the Optimism team detailed on Thursday how the 20 million OP tokens were intended to be used by cryptocurrency market-making firm Wintermute. After sending two test transactions, the Optimism team sent the full amount of tokens.
However, Wintermute discovered that it was unable to access the tokens because the smart contract it was using to accept them was still only on layer 1 and had not yet been deployed on Optimism. This technical oversight opened the contract to an attack in which a malicious actor took control of the contract at layer 2.
As soon as Wintermute realized the problem, it “began a recovery operation with the goal of deploying the multisig contract at layer 1 to the same address at layer 2”, but its attempt to remedy the situation came too late.
“An attacker was able to implement layer 2 multisig with different initialization parameters before the recovery operation was complete and took control of the 20 million OP tokens.”
A multisig contract requires the approval of multiple key holders to execute a transaction.
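A pre-transfer check for the failure described above, as an added example that is not part of the original article or of Optimism's or Wintermute's tooling: it compares the recipient address on its home chain and on the destination chain using the standard `eth_getCode` JSON-RPC method. The `Rpc` transport, `fake_node` helper, address and bytecode are constructed assumptions so the example runs offline.

```python
from typing import Callable, Dict

Rpc = Callable[[dict], dict]  # hypothetical transport: JSON-RPC request -> response

def get_code(rpc: Rpc, address: str) -> bytes:
    """Fetch runtime bytecode with the standard eth_getCode JSON-RPC method."""
    resp = rpc({"jsonrpc": "2.0", "id": 1, "method": "eth_getCode",
                "params": [address, "latest"]})
    if "error" in resp:
        raise RuntimeError("eth_getCode failed: %s" % resp["error"])
    return bytes.fromhex(resp["result"][2:])  # "0x" means no contract is deployed

def preflight(address: str, home_rpc: Rpc, dest_rpc: Rpc) -> str:
    """Compare the recipient address on its home chain and on the destination chain."""
    home, dest = get_code(home_rpc, address), get_code(dest_rpc, address)
    if not home:
        return "BLOCK: no contract at this address on the home chain"
    if not dest:
        return "BLOCK: address has no contract on the destination chain"
    if home != dest:
        return "BLOCK: different contract code on the destination chain"
    # Same bytecode still does not prove same owners: initialization parameters
    # live in storage, so the recipient must also confirm control on the destination.
    return "REVIEW: code matches; confirm signers on the destination chain"

def fake_node(code_by_address: Dict[str, str]) -> Rpc:
    """Constructed stand-in for a node so the example runs offline."""
    def rpc(req: dict) -> dict:
        addr = req["params"][0].lower()
        return {"jsonrpc": "2.0", "id": req["id"],
                "result": code_by_address.get(addr, "0x")}
    return rpc

# Constructed sample data: placeholder address and bytecode, not values from the incident.
MULTISIG = "0x" + "ab" * 20
L1 = fake_node({MULTISIG: "0x6080604052"})
L2_EMPTY = fake_node({})                      # contract never deployed on L2
L2_SAME = fake_node({MULTISIG: "0x6080604052"})
L2_OTHER = fake_node({MULTISIG: "0x60006000"})

if __name__ == "__main__":
    for name, node in (("empty", L2_EMPTY), ("same", L2_SAME), ("other", L2_OTHER)):
        print(name, "->", preflight(MULTISIG, L1, node))
```
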
In a June 9 message to the Optimism community, Wintermute took full responsibility for the exploit. The company stated that it would make OP buybacks equal to the amount the attacker sold as a means of making “best efforts to smooth out the effects” of price volatility.
Wintermute also offered to accept the incident as a white hat exploit if the hacker agreed to return 19 million tokens within a week. This offer was made before the hacker transferred another million tokens.
Responses to Wintermute’s message mostly applauded the company for being transparent in disclosing the problem and accepting blame for what happened.
In the short term, the Optimism team has given Wintermute an additional 20 million OP grant “so they can continue their work while things develop.” But the team also noted that these market-making efforts are temporary.
“The community should not expect or rely on the Optimism Foundation to support future liquidity provision efforts.”
Some $OP tokens got hijacked.
Optimism is grappling with the idea of whether it should use its multisig to take the tokens back from the thief.
In this tweet, they’re saying “we coullllld do it.. but then you’d all hate us.. so we won’t.. for now.”
DANGEROUSLY CENTRALIZED. https://t.co/p7JiPY2TzU
— Chris Blec (@ChrisBlec) June 8, 2022
The host of the Proof of Decentralization podcast, Chris Blec, said the team had considered (but refused) regaining control of the stolen funds by performing a network upgrade. This means that, in his opinion, Optimism (like most DeFi projects with admin keys) is “dangerously centralized”.
Blec also suggested that the most obvious explanation for the exploit involves those closest to it, meaning that someone involved with Wintermute may have carried out the attack themselves. He asked: “Why is everyone in this space always averse to investigating the most obvious possibilities?” There is currently no evidence to support this theory.
Investors in OP have responded negatively to the update, as the price of the token is down 31.2% in the last 24 hours, trading at $0.76, according to CoinGecko.
Clarification: The information and/or opinions expressed in this article do not necessarily represent the views or editorial line of Cointelegraph. The information set forth herein should not be taken as financial advice or investment recommendation. All investment and commercial movement involve risks and it is the responsibility of each person to do their due research before making an investment decision.