The honeymoon period for the Optimism layer-2 scaling solution has been cut short after a bug in its market maker smart contract resulted in the loss of 20 million OP tokens.
The bug happened on May 26, but was just reported to the community. One million tokens worth approximately $1.3 million were sold on June 5. Another 1 million tokens worth approximately $730,000 were transferred to Vitalik Buterin’s Ethereum address at 12:26AM UTC today. The remaining tokens are currently dormant but can be sold at any time, or used to influence governance decisions.
Hi everyone, in the interest of transparency, we would like to share some details of what is going on.
Here is the summary
— Optimism (✨_✨) (@optimismPBC) June 8, 2022
The OP token is the native token of Optimism Layer-2 (L2), and a portion of the supply was airdropped to network users on June 1st. L2 solutions help alleviate congestion on layer 1 blockchains such as Ethereum.
A summary of events published by the Optimism team on Thursday detailed how Wintermute, a cryptocurrency market-making firm, was to put 20 million OP tokens to use. After two test transactions succeeded, the Optimism team sent the full amount.
However, Wintermute found that it could not access the tokens: the smart contract address it had supplied to receive them belonged to a multisig deployed on L1, and that contract had not yet been deployed on Optimism. This oversight left the address open to being claimed on L2, and a bad actor took control of it by deploying his own contract there.
When Wintermute became aware of the issue, it "started a recovery operation with the goal of deploying the L1 multisig contract to the same address on L2," but it was too late to try to remedy the situation.
"An attacker was able to deploy a multisig to L2 with different initialization parameters and control 20 million OP tokens before the recovery operation was complete."
A multi-signature contract requires the approval of multiple keyholders to execute a transaction.
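The failure mode described above (an address that holds a multisig on L1 but is unclaimed on L2, later claimed by someone else with different initialization parameters) is something a sender can screen for before a large transfer. The following Python is an added example, not code from Optimism or Wintermute: it models the two chains as in-memory dictionaries filled with constructed placeholder data and runs a pre-flight check that refuses to send unless the destination has code on the target chain and that contract's owners and threshold match the L1 original. In a real deployment `get_contract` would be backed by the chain's `eth_getCode` and the multisig's own owner and threshold getters.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Contract:
    """Observable facts about a deployed contract on one chain."""
    code_hash: str       # hash of the runtime bytecode (constructed label here)
    owners: frozenset    # signer addresses, from the multisig's owner getter
    threshold: int       # signatures required per transaction

class Chain:
    """Stand-in for an RPC client: address -> Contract, or None if no code."""
    def __init__(self, name: str, contracts: dict):
        self.name = name
        self._contracts = contracts
    def get_contract(self, address: str) -> Optional[Contract]:
        return self._contracts.get(address.lower())

def preflight_check(source: Chain, target: Chain, address: str) -> list:
    """Return the reasons a transfer to `address` on `target` is unsafe ([] = OK).
    Matching bytecode alone is not enough: a contract deployed with different
    initialization parameters can share code yet answer to different keys,
    so owners and threshold are compared as well.
    """
    expected = source.get_contract(address)
    actual = target.get_contract(address)
    if expected is None:
        return [f"no contract at {address} on {source.name}; nothing to compare against"]
    if actual is None:
        return [f"no code at {address} on {target.name}: funds would land at an unclaimed address"]
    problems = []
    if actual.code_hash != expected.code_hash:
        problems.append("runtime bytecode differs between chains")
    if actual.owners != expected.owners:
        problems.append("owner set differs: contract may be controlled by someone else")
    if actual.threshold != expected.threshold:
        problems.append(f"threshold differs ({actual.threshold} vs {expected.threshold})")
    return problems

# Constructed sample state; addresses, keys and hashes are placeholders, not real values.
MULTISIG = "0xAAAA000000000000000000000000000000000001"
L1_SAFE = Contract("codehash-multisig-v1", frozenset({"0xkey1", "0xkey2", "0xkey3"}), 2)
L1 = Chain("L1", {MULTISIG.lower(): L1_SAFE})
L2_EMPTY = Chain("L2", {})                              # nothing deployed yet
L2_HIJACKED = Chain("L2", {MULTISIG.lower(): Contract(  # same code, different init params
    "codehash-multisig-v1", frozenset({"0xother"}), 1)})
L2_RECOVERED = Chain("L2", {MULTISIG.lower(): L1_SAFE})  # faithful redeployment
```

Running `preflight_check(L1, l2, MULTISIG)` against each of the three L2 states refuses the empty and hijacked chains and returns an empty list only for the faithful redeployment.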
In a message to the Optimism community on June 9, Wintermute took full responsibility for the vulnerability. The company said it would execute OP repurchases equal to the amount sold by the hacker as a means of “doing its best to smooth out the effects of price volatility.”
Wintermute also offered to accept the incident as a white hat attack if the hacker agreed to return the 19 million tokens within a week. This proposal came before the hacker moved another million coins.
Responses to Wintermute's message mostly praised the company for its transparency in uncovering the problems and for taking responsibility for what happened.
In the short term, the Optimism team has awarded Wintermute an additional 20 million OP grant “so they can continue their work as things evolve.” But the team also notes that this market-making effort is temporary.
"The community should not expect or rely on the Optimism Foundation to support future liquidity provisioning efforts."
Decentralized Proof podcast host Chris Blec noted that the team considered, but declined, performing a network upgrade to regain control of the stolen funds. In his view, the fact that this was even an option shows that Optimism (like most DeFi projects with admin keys) is “dangerously centralized.”
Blec also raised the possibility that those involved carried out the attack themselves. "Why is everyone in the field always so against censoring the most obvious possibilities?" he asks. At this stage there is no evidence to support this theory. Wintermute also suggests that the most obvious explanations for the exploit involve those most closely related, which means that with Blec