The Optimism Foundation has issued a statement confirming that 20M OP tokens meant for a liquidity provisioning partner have been sent to the wrong address. The price of the OP token dropped from $1.12 on June 8 to just $0.70 after the news broke. The statement read,
“The Optimism Foundation engaged Wintermute for liquidity provisioning services … a temporary grant of 20 million OP tokens was allocated to Wintermute from the Foundation’s Partner Fund.
Wintermute provided an address to receive the borrowed tokens. The Optimism Foundation sent two separate test transactions, and upon Wintermute’s confirmation for each, sent the rest. Unfortunately, Wintermute later discovered they could not access these tokens because they had provided an address for an Ethereum (L1) multisig that they had not yet deployed to Optimism (L2).”
The very partner hired to help facilitate liquidity services was not using the product Optimism had hired them to support. Although Wintermute claims to be a “leading global algorithmic market maker in digital assets”, it has made what can be considered a fundamental mistake in crypto, especially for an algorithmic market maker.
In recompense, Wintermute has:
“committed to buying back the tokens lost. They will monitor the address that holds these lost tokens and buy as the address sells.”
Recovery process
Optimism stated that Wintermute had attempted to resolve the situation without the need to repurchase the tokens as they “began a recovery operation with the goal to deploy the L1 multisig contract to the same address on L2.” However, Optimism claims:
“an attacker was able to deploy the multisig to L2 with different initialization parameters before these efforts were completed, assuming ownership of the 20m OP.”
With that mistake, Wintermute essentially left 20 million OP tokens out on the street for anyone to pick up by deploying an Optimism L2 contract to the address. So, it could be seen as a PR move to refer to the new owner as an “attacker;” putting in question the validity of the “exploit” or “hack”. Optimism has since reported that 1 million OP has been sold from the wallet.
Whoever obtained access to the wallet has undoubtedly made an ethically grey move by exploiting the ineptitude of an automated market maker. However, Wintermute’s recent statement suggests there was more to the situation than a simple, smart contract deployment.
Wintermute response
Wintermute wrote a response to the Optimism community via its governance forum. In it, the team explained:
“as we communicated the wallet address to the Optimism team, we made a serious error. We had a Gnosis safe deployed on mainnet for a while and due to an internal mistake, we’ve communicated the very same wallet as the receiving address.”
The post confirmed that this was “not a smart thing to do.” However, it appears that this happened on May 30, the day before the mainnet launch for Optimism.
Wintermute then took possession of a further 20 million OP by “providing $50 million USDC as collateral.” However, a third party was faster than Wintermute in retrieving the funds, the “attacker,”:
“proceeded with performing a replay attack by replaying the Gnosis Safe MasterCopy 1.1.1 deployment from Eth mainnet. They then used the previously deployed contract 0xE714… to deploy vaults per batches of 162.”
Wintermute then explained a complicated method used by the external third party to access the funds was through a Tornado Cash deposit. The depiction indeed gives the impression that a complex attack took place.
Indeed, Wintermute praised the attack stating, “the attack has been performed has been rather impressive” before even offering them “consulting opportunities” if they return the funds.
In the face of a highly embarrassing situation, the crypto community is not all buying the story; Bear Baron Hellspawn said:
“Either amateur hour by so-called “liquidity provider”
Either inside job. Because unless you do some voodoo sh*t you cannot assume that $OP tokens will be transferred at a very SPECIFIC address.”
Wintermute ended its statement with a threat to the “attacker” stating,
“we are 100% committed to returning all the funds, tracking the person(s) responsible for the exploit, fully doxxing them and delivering them to the corresponding juridical system. Remember that robbers need to get lucky every time. Cops only have to get lucky once.”
Wintermute is currently at Consensus 2022 in Texas, starting June 9. CryptoSlate reached out to both the CEO and COO, but no response was received at the time of publishing.
