{"id":62672,"date":"2022-06-09T11:31:07","date_gmt":"2022-06-09T08:31:07","guid":{"rendered":"https:\/\/forklog.com\/en\/?p=62672"},"modified":"2025-09-05T19:25:17","modified_gmt":"2025-09-05T16:25:17","slug":"unknown-hacker-steals-20-million-op-tokens-due-to-wintermutes-market-maker-error","status":"publish","type":"post","link":"https:\/\/forklog.com\/en\/unknown-hacker-steals-20-million-op-tokens-due-to-wintermutes-market-maker-error\/","title":{"rendered":"Unknown hacker steals 20 million OP tokens due to Wintermute&#8217;s market-maker error"},"content":{"rendered":"<p>A hacker intercepted 20 million OP tokens (~$17 million) sent by the Optimism Foundation&#8217;s market-maker to Wintermute.<\/p>\n<blockquote class=\"twitter-tweet\" data-lang=\"en\">\n<p lang=\"en\" dir=\"ltr\">The Wintermute team has committed to buying back the misappropriated tokens, by monitoring the address that holds them and buying as the address sells.<\/p>\n<p>You can read more about their commitments here:<a href=\"https:\/\/t.co\/LhlFo65cjs\">https:\/\/t.co\/LhlFo65cjs<\/a><\/p>\n<p>\u2014 Optimism (\u2728\ud83d\udd34_\ud83d\udd34\u2728) (@optimismPBC) <a href=\"https:\/\/twitter.com\/optimismPBC\/status\/1534631772700516352?ref_src=twsrc%5Etfw\">June 8, 2022<\/a><\/p><\/blockquote>\n<p> <script async=\"\" src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<p>Ethereum scaling <a href=\"https:\/\/forklog.io\/chto-takoe-resheniya-masshtabirovaniya-vtorogo-urovnya\/\">L2 solutions<\/a> for Ethereum scaling chose Wintermute as the liquidity provider for centralized exchanges after <a href=\"https:\/\/forklog.com\/en\/news\/optimism-team-carried-out-airdrop-of-native-token\">airdrop OP<\/a>. On May 30, on the eve of token distribution, the Optimism Foundation transferred 20 million OP to the market-maker&#8217;s address.<\/p>\n<p>According to the Wintermute team, an internal error caused them to designate the Gnosis Safe multisig wallet on the Ethereum network for the transaction.<\/p>\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>\u201cAs some of you may know, this is unwise\u2014the control over Safe on the mainnet does not guarantee it on other chains compatible with <span data-descr=\"Ethereum Virtual Machine, the Ethereum Virtual Machine\" class=\"old_tooltip\">EVM<\/span> (unlike ordinary wallets),\u201d Wintermute explained.<\/p>\n<\/blockquote>\n<p>Having discovered that the funds at the Optimism address were inaccessible, Wintermute negotiated for an additional 20 million OP, providing collateral of $50 million.<\/p>\n<p>The market-maker contacted the Gnosis Safe and Optimism teams for a possible return of the funds. Experts concluded that this high-risk operation could be carried out only once and scheduled it for June 7.<\/p>\n<p>However, on May 31, an unknown attacker targeted Wintermute&#8217;s address on the L2 network, deploying the Gnosis Safe multisig contract with its own initialization parameters. He sold 1 million OP for ETH and withdrew the funds to the mainnet via the Synapse and Hop bridges, before sending to the Tornado Cash mixing service.<\/p>\n<p>The Wintermute team committed to buy back the lost funds. They also urged the hacker to return the remaining 19 million OP.<\/p>\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>\u201cWe are prepared to treat this as a white-hat exploit. Moreover, the attack method was quite impressive. We may even consider advisory opportunities and other forms of collaboration in the future,\u201d they told the unknown.<\/p>\n<\/blockquote>\n<p>A week was given to the hacker to respond. Otherwise Wintermute pledged to track and deanonymize the hacker and to approach law enforcement.<\/p>\n<p>Optimism developers permitted a network upgrade to block the movement of the remaining tokens at that address.<\/p>\n<blockquote class=\"twitter-tweet\" data-conversation=\"none\" data-lang=\"en\">\n<p lang=\"en\" dir=\"ltr\">In principle, a network upgrade could be carried out to halt the movement of those OP tokens which have not already been transferred or sold.<\/p>\n<p>We will not take this step at this time due to the precedent it would set. Optimism is a permissionless network and behaved as intended.<\/p>\n<p>\u2014 Optimism (\u2728\ud83d\udd34_\ud83d\udd34\u2728) (@optimismPBC) <a href=\"https:\/\/twitter.com\/optimismPBC\/status\/1534631776018120704?ref_src=twsrc%5Etfw\">June 8, 2022<\/a><\/p><\/blockquote>\n<p> <script async=\"\" src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>\u201cWe will not take this step at this time because it would set a precedent. Optimism is a permissionless network and has behaved as intended,\u201d they added.<\/p>\n<\/blockquote>\n<p>The price of OP hovered near $1.60 by June 3 before turning lower. In the wake of the Optimism Foundation and Wintermute&#8217;s explanations of the incident, intraday quotes sank to around $0.70. As of writing, the token trades at about $0.85.<\/p>\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh4.googleusercontent.com\/b7R05suJjgJYFczUhO1WXPcbApkIrzaHFIXFAE6LkTRwSSfBnedC3sbNu6R7baLtxnCLqNRqdvMAZdbQ3QakPRGBFwI2N3qIaBKhsvDbHdImtnZ2VEewUj7xGWP1u0lCDLSwrBWZwbN5opd5VQ\" alt=\"Unknown hacker stole 20 million OP tokens due to Wintermute market-maker error\"\/><figcaption>Hourly OP\/USDT chart on the Binance exchange. Data: TradingView.<\/figcaption><\/figure>\n<p>In February, the Optimism team fixed a critical vulnerability. The programmer Jay Freeman <a href=\"https:\/\/forklog.com\/en\/news\/optimism-team-pays-out-over-2-million-for-disclosed-vulnerability\">received a $2 million reward<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>A hacker intercepted 20 million OP tokens (~$17 million) sent by the Optimism Foundation&#8217;s market-maker to Wintermute.<\/p>\n","protected":false},"author":1,"featured_media":62673,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"select":"1","news_style_id":"1","cryptorium_level":"","_short_excerpt_text":"","creation_source":"","_metatest_mainpost_news_update":false,"footnotes":""},"categories":[3],"tags":[1154,1362,1149],"class_list":["post-62672","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-news-and-analysis","tag-crimes","tag-optimism-op","tag-wintermute"],"aioseo_notices":[],"amp_enabled":true,"views":"25","promo_type":"1","layout_type":"1","short_excerpt":"","is_update":"","_links":{"self":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts\/62672","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/comments?post=62672"}],"version-history":[{"count":1,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts\/62672\/revisions"}],"predecessor-version":[{"id":62674,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts\/62672\/revisions\/62674"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/media\/62673"}],"wp:attachment":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/media?parent=62672"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/categories?post=62672"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/tags?post=62672"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}