The Ethereum Layer 2 scaling solution Optimism is once again under scrutiny as it loses 20M OP tokens as an attacker took advantage of a token recovery process involving Wintermute, who later accepted that it was their fault that caused this attack.
What Went Down
According to the blog post, the Optimism Foundation contacted Wintermute to provide liquidity provisioning services in advance of the OP token launch. Wintermute received a temporary grant of 20 million OP tokens from the Foundation’s Partner Fund to operate this.
Wintermute provided an address to which the borrowed tokens might be sent. The Optimism Foundation sent two test transactions before sending the rest after Wintermute validated each one.
Wintermute later learned that they were unable to access the tokens since they had provided an address for an Ethereum (L1) multisig that they had not yet deployed to Optimism (L2).
Because of this technical flaw, the contract was vulnerable to an attack in which a malicious party acquired control of the contract on the L2 level.
Wintermute began a recovery operation with the intention of deploying the L1 multisig contract to the identical address on L2 as soon as it became aware of the error, but it was too late.
The attacker then swapped 1 million OP tokens for Ethereum, then sent the funds to another address utilizing Tornado Cash transfer.
Response from Wintermute
The Wintermute team accepted that the initial error is completely their fault so as to compensate they plan to buy OP tokens whenever the attacker sells it.
The team did initiate buying the 1st million OP tokens. They are ready to make every effort required to mitigate the effect that caused the price fluctuation in OP tokens after all these events.
Wintermute is willing to consider this as a white-hat attack. As they find the method of attack admirable they are cool with consulting opportunities or other types of cooperation in the future with the attacker.
They also pitched the idea to the attacker of returning the remaining 19 million tokens to the Optimism wallet.
The attacker is only given one week to determine to come out as a whitehat. If they fail to act upon it, the team agrees that they will recover all the funds, find the attacker, and deliver them to the legal system.
Wintermute concluded their statement saying “Us being careless still leaves you a criminal. We already started investigating the potential leads, in certain cases stopping short of informing respective law enforcement agencies. Consider your options and choose to be good and optimistic instead of living in fear.”
Aftermath
Optimism says that there has been no impact on governance so far with the stolen tokens. If something like that happens they plan to host a community debate with a more complete set of data.
A network upgrade might halt the movement of stolen OP tokens that have not yet been transferred or sold. But Optimism has opted not to take such measures at this time because the Foundation does not hold the cash and does not desire a centralized approach.
Wintermute has since then received an additional 20 million OP grant from the Optimism team in the short term so that they may continue with their work as things evolve. The team cautioned that such market-making efforts are just temporary.
The Optimism and Wintermute teams are both keeping a close eye on the issue. As the event unfolds, the team will be active across all communication channels to involve the community.
Some of the community members have responded harshly to Optimism’s decision to continue working with Wintermute, as well as its decision to keep the attack hidden for the entire two weeks.
The reaction is evident as OP token is now trading at the price of $0.851081 down 13% at the time of writing.
Also Read: Optimism receives backlash on its OP token Airdrop
