The Optimism Foundation has issued a statement confirming that 20M OP tokens meant for a liquidity provisioning partner have been sent to the wrong address. The price of the OP token dropped from $1.12 on June 8 to just $0.70 after the news broke. The statement read,
“The Optimism Foundation engaged Wintermute for liquidity provisioning services … a temporary grant of 20 million OP tokens was allocated to Wintermute from the Foundation’s Partner Fund.
Wintermute provided an address to receive the borrowed tokens. The Optimism Foundation sent two separate test transactions, and upon Wintermute’s confirmation for each, sent the rest. Unfortunately, Wintermute later discovered they could not access these tokens because they had provided an address for an Ethereum (L1) multisig that they had not yet deployed to Optimism (L2).”
The very partner hired to help facilitate liquidity services was not using the product Optimism had hired them to support. Although Wintermute claims to be a “leading global algorithmic market maker in digital assets”, it has made what can be considered a fundamental mistake in crypto, especially for an algorithmic market maker.
In recompense, Wintermute has:
“committed to buying back the tokens lost. They will monitor the address that holds these lost tokens and buy as the address sells.”
Recovery process
Optimism stated that Wintermute had attempted to resolve the situation without the need to repurchase the tokens as they “began a recovery operation with the goal to deploy the L1 multisig contract to the same address on L2.” However, Optimism claims:
“an attacker was able to deploy the multisig to L2 with different initialization parameters before these efforts were completed, assuming ownership of the 20m OP.”
With that mistake, Wintermute essentially left 20 million OP tokens out on the street for anyone to pick up by deploying an Optimism L2 contract to the address. So, referring to the new owner as an “attacker” could be seen as a PR move, which puts the validity of the “exploit” or “hack” in question. Optimism has since reported that 1 million OP has been sold from the wallet.
Whoever obtained access to the wallet has undoubtedly made an ethically grey move by exploiting the ineptitude of an automated market maker. However, Wintermute’s recent statement suggests there was more to the situation than a simple smart contract deployment.
Wintermute response
Wintermute wrote a response to the Optimism community via its governance forum. In it, the team explained:
“as we communicated the wallet address to the Optimism team, we made a serious error. We had a Gnosis safe deployed on mainnet for a while and due to an internal mistake, we’ve communicated the very same wallet as the receiving address.”
The post confirmed that this was “not a smart thing to do.” However, it appears that this happened on May 30, the day before the mainnet launch for Optimism.
Wintermute then took possession of a further 20 million OP by “providing $50 million USDC as collateral.” However, a third party was faster than Wintermute in retrieving the funds. The “attacker”:
“proceeded with performing a replay attack by replaying the Gnosis Safe MasterCopy 1.1.1 deployment from Eth mainnet. They then used the previously deployed contract 0xE714… to deploy vaults per batches of 162.”
Wintermute then explained that a complicated method used by the external third party to access the funds was through a Tornado Cash deposit. The depiction indeed gives the impression that a complex attack took place.
Indeed, Wintermute praised the attack, stating, “the attack has been performed has been rather impressive” before even offering them “consulting opportunities” if they return the funds.
In the face of a highly embarrassing situation, the crypto community is not all buying the story; Bear Baron Hellspawn said:
“Either amateur hour by so-called ‘liquidity provider’
Either inside job. Because unless you do some voodoo sh*t you cannot assume that $OP tokens will be transferred at a very SPECIFIC address.”
Wintermute ended its statement with a threat to the “attacker” stating,
“we are 100% committed to returning all the funds, tracking the person(s) responsible for the exploit, fully doxxing them and delivering them to the corresponding juridical system. Remember that robbers need to get lucky every time. Cops only have to get lucky once.”
Wintermute is currently at Consensus 2022 in Texas, starting June 9. CryptoSlate reached out to both the CEO and COO, but no response was received at the time of publishing.