Unknown hacker steals 20 million OP tokens due to Wintermute’s market-maker error

A hacker intercepted 20 million OP tokens (~$17 million) sent by the Optimism Foundation’s market-maker to Wintermute.

The Wintermute team has committed to buying back the misappropriated tokens, by monitoring the address that holds them and buying as the address sells.

You can read more about their commitments here:https://t.co/LhlFo65cjs

— Optimism (✨🔴_🔴✨) (@optimismPBC) June 8, 2022

Ethereum scaling L2 solutions for Ethereum scaling chose Wintermute as the liquidity provider for centralized exchanges after airdrop OP. On May 30, on the eve of token distribution, the Optimism Foundation transferred 20 million OP to the market-maker’s address.

According to the Wintermute team, an internal error caused them to designate the Gnosis Safe multisig wallet on the Ethereum network for the transaction.

“As some of you may know, this is unwise—the control over Safe on the mainnet does not guarantee it on other chains compatible with EVM (unlike ordinary wallets),” Wintermute explained.

Having discovered that the funds at the Optimism address were inaccessible, Wintermute negotiated for an additional 20 million OP, providing collateral of $50 million.

The market-maker contacted the Gnosis Safe and Optimism teams for a possible return of the funds. Experts concluded that this high-risk operation could be carried out only once and scheduled it for June 7.

However, on May 31, an unknown attacker targeted Wintermute’s address on the L2 network, deploying the Gnosis Safe multisig contract with its own initialization parameters. He sold 1 million OP for ETH and withdrew the funds to the mainnet via the Synapse and Hop bridges, before sending to the Tornado Cash mixing service.

The Wintermute team committed to buy back the lost funds. They also urged the hacker to return the remaining 19 million OP.

“We are prepared to treat this as a white-hat exploit. Moreover, the attack method was quite impressive. We may even consider advisory opportunities and other forms of collaboration in the future,” they told the unknown.

A week was given to the hacker to respond. Otherwise Wintermute pledged to track and deanonymize the hacker and to approach law enforcement.

Optimism developers permitted a network upgrade to block the movement of the remaining tokens at that address.

In principle, a network upgrade could be carried out to halt the movement of those OP tokens which have not already been transferred or sold.

We will not take this step at this time due to the precedent it would set. Optimism is a permissionless network and behaved as intended.

— Optimism (✨🔴_🔴✨) (@optimismPBC) June 8, 2022

“We will not take this step at this time because it would set a precedent. Optimism is a permissionless network and has behaved as intended,” they added.

The price of OP hovered near $1.60 by June 3 before turning lower. In the wake of the Optimism Foundation and Wintermute’s explanations of the incident, intraday quotes sank to around $0.70. As of writing, the token trades at about $0.85.

In February, the Optimism team fixed a critical vulnerability. The programmer Jay Freeman received a $2 million reward.