20 million OP stolen: the story behind the loss and the latest developments

Early yesterday morning, Optimism and cryptocurrency market maker Wintermute revealed that 20 million Optimism tokens were stolen by hackers.

Following the incident, OP briefly fell below 0.7 USDT and has since recovered to 0.82 USDT, a 24-hour drop of 17%.

Cryptocurrency market maker Wintermute wrote to the Optimism community taking responsibility for the blunder.

Timeline of events

Two weeks ago, the Optimism Foundation hired Wintermute to provide liquidity for its OP tokens listed on centralized exchanges. As part of the agreement, Wintermute received 20 million OP tokens.

Initially, the 20 million OP were to be deployed to Wintermute's wallet on Optimism. When we communicated the wallet address to the Optimism team, we made a critical mistake. We had Gnosis Safe deployed on mainnet for a while, and due to an internal error, we used the same wallet as the receiving address. However, unlike a normal wallet, having control of the mainnet Safe does not guarantee control over other EVM-compatible chains.

We notified the Optimism team on May 30th. As the launch was confirmed for the next day, we agreed to accept an additional 20 million OPs (providing $50 million as collateral) while exploring ways to retrieve the funds. At the same time, we contacted the Gnosis Safe team and asked them to assist in recovering the funds. After consulting with the Optimism and Safe teams, Wintermute made an assessment that the funds were likely to be recovered and that no one except Wintermute could recover the funds. The assessment also concluded that this was a high-risk retrieval that could only be attempted once and required Safe support. Remediation was scheduled for June 7th. However, the assumption that the funds could only be recovered by Wintermute was proven to be wrong.

How events developed

However, less than 24 hours after we notified Safe and Optimism of the situation, wallet 0x8BcFe4f1358E50A1db10025D731C8b3b17f04DBB had access to funds via Tornado Cash. It proceeded to perform a replay attack by resetting the Gnosis Safe MasterCopy 1.1.1 deployment of the ETH mainnet. They then deployed the vault using the previously deployed contract 0xE7145dd6287AE53326347f3A6694fCf2954bcD8A. The hacker then proceeded to sell 1 million OP tokens for ETH and bridged back to L1 via Synapse and Hop before using Tornado Cash on the mainnet.

What we plan to do about this

As of this writing, the attacker still holds 19M OP tokens. We are unsure why they chose not to liquidate all at once. Hopefully this was a white hat exploit, in which case the remaining funds may be recoverable. We have not heard from them, though, and our on-chain messages have gone unanswered.

We want to make one thing clear - the initial bug was 100% Wintermute's fault, so we will be buying OP every time the attacker sells it (we did start buying the 1 millionth OP token yesterday). We know it may create price volatility in the token, and will do our best to minimize the impact.

A message to hackers

We are happy to consider this a white hat exploit. Furthermore, the way the attack was executed is impressive enough that we may even consider future consulting opportunities or other forms of collaboration, in the hope that the remaining 19 million tokens will be returned to the Optimism wallet: 0x2501c477d0a35545a387aa4a3eee4292a9a8b3f0.

You have one week to think about it, and if the above does not happen, we are 100% committed to returning all funds, tracking the attackers, fully fleshing them out and handing them over to the appropriate judicial system. The Optimism team has already begun investigating potential leads, in some cases without notifying the respective law enforcement agencies.

Latest Developments

In addition to the 1 million OP sold, data on the Optimism chain shows that the hacker address holding the 20 million stolen OP has sent 1 million OP to Vitalik's wallet 0xd8dA6BF26964aF9D7eEd9e03E53415D37aA96045. As of now, the hacker still holds 18 million OP, and Vitalik has not yet responded to the matter.

The official Optimism Foundation tweeted the following recommendations for all teams pursuing cross-chain strategies:

1. Do not assume that control between L1 and L2 is always guaranteed. Please pay special attention to old smart contract wallets that may not be able to utilize create2.

2. Ethereum is a "dark forest" and anyone who can get ahead will get ahead. Act quickly in a rescue operation because you never know who is watching the blockchain.

3. Multi-chain introduces new considerations and problems. Application developers should seriously consider the multi-chain context and how applications behave on multiple chains, especially in the context of deterministic deployment, create2, and context-specific behavior.

In principle, a network upgrade could be performed to stop the movement of those OP Tokens that have not been transferred or sold. We will not take this step at this time because of the precedent it would set. Optimism is a permissionless network and behaves as expected.

Additionally, the Optimism Foundation has provided a second short-term grant of 20 million OP to Wintermute so that they can continue to work as events unfold. This engagement is temporary in nature. The community should not expect or rely on the Optimism Foundation to support future liquidity provision efforts.

The Foundation also noted that the Wintermute team is world-class and that incidents like this are growing pains for an evolving industry. This is a reminder to everyone working on contracts across different chains that security assumptions on one chain do not necessarily carry over to another. At this time, most of the problematic OPs have not yet been transferred. Both the Optimism and Wintermute teams are monitoring the situation closely. While the situation is still ongoing, we wanted to share this overview with the community in the spirit of openness and transparency.

Twitter user @kelvinfichter said these are the growing pains of a multi-chain world. This is an unfortunate event, but it highlights the importance of designing systems for multi-chain users. CREATE2 and deterministic deployment are critical, especially for contract wallets. If using a multi-signature wallet on Ethereum, it is highly recommended to take the time to understand the security properties of the wallet and whether the wallet will be controlled on a chain other than Ethereum.

Twitter user @bantg said: "This incident makes me think that we need a standard chain-aware address format."
