Optimism Foundation confirmed that they sent 20M OP tokens to the wrong multi-sig wallet even after completing two test transactions.
The Optimism Foundation has issued a statement confirming that 20M OP tokens meant for liquidity provisioning partner Wintermute have been sent to the wrong address.
The exploit took place on May 26, but the community was informed only recently. The price of OP fell sharply after the incident: it is down 31.2% over the past 24 hours, trading at $0.76, according to CoinGecko.
In an official statement, the Optimism Foundation team explains that they engaged Wintermute for liquidity provisioning services in preparation for the OP token launch. A temporary grant of 20 million OP tokens was allocated to Wintermute from the Foundation’s Partner Fund to carry out this engagement. After sending two test transactions that Wintermute confirmed, the Optimism team sent the total amount of tokens.
Unfortunately, Wintermute later discovered they could not access these tokens because they had provided the address of an Ethereum (L1) multi-sig that they had not yet deployed to Optimism (L2). This technical oversight left the address open to an attack in which a bad actor deployed the contract on L2 themselves and took control of it.
When the problem became apparent, the Wintermute team “began a recovery operation intending to deploy the L1 multi-sig contract to the same address on L2.” Still, the attempts to fix the situation were too late.
“An attacker was able to deploy the multi-sig to L2 with different initialization parameters before the recovery operation was completed and took control of the 20 million OP tokens. This address has since sold 1 million tokens and can easily sell the rest.”
Optimism is a Layer 2 scaling solution for Ethereum that can support all of Ethereum’s dApps. Instead of running all computation and data on the Ethereum network, Optimism puts all transaction data on-chain and runs computation off-chain, increasing Ethereum’s transactions per second and decreasing transaction fees. OP is the native token of the Optimism blockchain.
In response to the Optimism community, Wintermute acknowledged making “a serious mistake” and took full responsibility for the exploit. The firm stated that it would perform OP buybacks equal to the amount the exploiter sells to make “best efforts to smoothen the effects” of price volatility.
In the statement, Wintermute addressed the hacker, offering to treat the incident as a white hat exploit if the hacker agreed to return 19 million tokens within one week.
“We are 100% committed to returning all the funds, tracking the person(s) responsible for the exploit, fully doxxing them, and delivering them to the corresponding juridical system. Remember that robbers need to get lucky every time. Cops only have to get lucky once,” wrote Wintermute.
Replies to Wintermute’s message mostly applauded the firm for its transparency in revealing the issue and accepting the blame for what happened. However, not all of the crypto community is so supportive. Bear Baron Hellspawn tweeted that the incident was either amateurish or an inside job:
It looks to me like amateur hour at best from @wintermute_t .
Either amateur hour by so-called “liquidity provider”
Either inside job. Because unless you do some voodoo sh*t you cannot assume that $OP tokens will be transferred at a very SPECIFIC address.
— 😈Bear Baron Hellspawn (@hellspawncrypto) June 8, 2022
In his tweet, Chris Blec, the host of the Proof of Decentralization podcast, wondered if the most obvious explanation could be that someone involved with Wintermute may have performed the attack themselves.
Is $20m enough of an incentive for someone at Wintermute to run this “attack” on themselves?
Why is everyone in this space always so opposed to vetting the most obvious possibilities?
Are you afraid to hurt someone’s feelings?
Logic first. Feelings later. https://t.co/EQnrfGJWiF
— Chris Blec (@ChrisBlec) June 8, 2022