An exploit in a market maker’s smart contract led to the loss of 20 million Optimism (OP) tokens

Although the airdrop occurred less than two weeks ago, problems have already arisen for the vaunted layer-2 scaling solution’s team and market maker. An exploit of the market maker’s smart contract resulted in the loss of 20 million OP tokens.

Optimism loses 20M tokens after L1 and L2 confusion exploited

The exploit took place on May 26th but has only just been announced to the community. One million tokens worth about $1.3 million were sold on Sunday. An additional 1 million tokens worth around $730,000 were moved to Vitalik Buterin’s Ethereum address on Optimism earlier today at 12:26 a.m. UTC. The remaining tokens are currently inactive but can be sold at any time or used to influence governance decisions.

The OP token is the native token of the Optimism layer-2 (L2) blockchain, and part of the supply went live to network users on June 1. L2 solutions help alleviate congestion on a layer-1 (L1) blockchain such as Ethereum.

A summary of events from the Optimism team on Thursday detailed how the 20 million OP tokens were intended to be used by crypto market maker Wintermute. After submitting two test transactions, the Optimism team sent the full amount of tokens.

However, Wintermute discovered that it couldn’t access the tokens because the smart contract it used to accept tokens was still on L1 and had not yet been deployed on Optimism. This technical oversight opened the way for an attack in which an attacker took control of the contract on L2 itself.

As soon as Wintermute became aware of the problem, it “began a recovery operation with the goal to deploy the L1 multisig contract to the same address on L2,” but its attempt to remedy the situation came too late. “An attacker was able to deploy the multisig to L2 with different initialization parameters before the recovery operation was completed and took control of the 20 million OP tokens.” A multisig contract requires the approval of multiple key holders to execute a transaction.
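A pre-transfer check for the failure described above, as an added example that is not code from Optimism or Wintermute: it asks an L1 node and an L2 node for the code at the recipient address through the standard `eth_getCode` JSON-RPC call and blocks the transfer when the contract exists on L1 only. The function names, status strings, addresses and node replies are constructed for illustration.

```python
import json
from urllib.request import Request, urlopen

def http_transport(url, body):
    """POST a JSON-RPC body to a node and return the raw reply bytes."""
    req = Request(url, data=body, headers={"Content-Type": "application/json"})
    with urlopen(req, timeout=10) as resp:
        return resp.read()

def get_code(url, address, transport=http_transport):
    """Runtime bytecode at `address` via the standard eth_getCode call."""
    call = {"jsonrpc": "2.0", "id": 1, "method": "eth_getCode",
            "params": [address, "latest"]}
    reply = json.loads(transport(url, json.dumps(call).encode()))
    if "error" in reply:
        raise RuntimeError(f"eth_getCode failed on {url}: {reply['error']}")
    return reply["result"].lower()

def preflight(address, l1_url, l2_url, transport=http_transport):
    """Classify a recipient address before sending it tokens on L2."""
    l1, l2 = (get_code(u, address, transport) for u in (l1_url, l2_url))
    on_l1, on_l2 = l1 != "0x", l2 != "0x"
    if on_l1 and not on_l2:
        # The situation in the article: contract on L1, empty address on L2.
        return "BLOCK_L1_ONLY"
    if on_l2 and not on_l1:
        return "REVIEW_L2_ONLY"
    if not on_l1:
        return "NO_CODE"  # key-controlled account, or nothing deployed yet
    if l1 != l2:
        return "REVIEW_CODE_DIFFERS"
    # Identical code can still be initialised with different owners.
    return "CODE_MATCHES_VERIFY_OWNERS"

# Constructed sample data: fake node replies keyed by (url, address).
SAMPLE = {
    ("l1", "0xaaaa"): "0x6080604052", ("l2", "0xaaaa"): "0x",
    ("l1", "0xbbbb"): "0x6080604052", ("l2", "0xbbbb"): "0x6080604052",
    ("l1", "0xcccc"): "0x",           ("l2", "0xcccc"): "0x",
}

def sample_transport(url, body):
    """Offline stand-in for a node, answering from SAMPLE."""
    address = json.loads(body)["params"][0]
    return json.dumps({"jsonrpc": "2.0", "id": 1,
                       "result": SAMPLE[(url, address)]}).encode()

if __name__ == "__main__":
    for addr in ("0xaaaa", "0xbbbb", "0xcccc"):
        print(addr, preflight(addr, "l1", "l2", sample_transport))
```

Matching bytecode is only the first gate: because the attacker's deployment used different initialization parameters, the owner set and approval threshold at the L2 address have to be read and compared as well before any funds are sent.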

In a message Thursday to the Optimism community, Wintermute took full responsibility for the exploit. The company states that it will make OP buybacks equal to the exploiter’s sales to make “best efforts to soften the effects” of price fluctuations.

Wintermute has also offered to treat the incident as a white hat exploit if the hacker agrees to return 19 million tokens within a week. This offer was made before the hacker transferred another 1 million tokens. Responses to Wintermute’s message mostly applauded the company for its transparency in disclosing the problem and accepting blame for what happened.

In the immediate future, the Optimism team has granted Wintermute an additional 20 million OP in funding “so they can continue their work as things work out.” But the team also points out that such go-to-market efforts are temporary. “The community should not expect or rely on the Optimism Foundation to support liquidity provisioning efforts in the future.”

Chris Blec, the host of the Proof of Decentralization podcast, said the team considered (but rejected) regaining control of the stolen funds by performing a network upgrade. This meant that, in his view, Optimism (like most decentralized finance projects with admin keys) is “DANGEROUSLY CENTRALIZED.”

Blec also suggests that the most obvious explanation for the exploit involves those most closely related, meaning that someone associated with Wintermute may have carried out the attack themselves. He asked, “Why is everyone in this space so opposed to considering the most obvious possibilities?” There is no evidence at this stage to support this theory.


OP/USD 4-hour chart | Source: TradingView

OP investors reacted negatively to the update: the token price is down 31.2% over the past 24 hours, trading at $0.84.
