Wintermute, a crypto market maker, made a rookie mistake, which led to a loss of 20 million Optimism (OP) tokens, currently worth 17 million USD.
Wintermute was to receive a “temporary grant” of 20 million OP for liquidity provisioning services ahead of the OP token launch. The Optimism team successfully delivered the full number of tokens after sending two test transactions.
Hey folks–in the interest of transparency, we’d like to share some details about an ongoing situation: https://t.co/915vIgRIJG
Summary below 🧵👇
— Optimism (✨🔴_🔴✨) (@optimismPBC) June 8, 2022
Wintermute, however, had provided the address of an Ethereum (ETH) multi-signature wallet that had not yet been deployed on Optimism. According to the Optimism team’s description of events, Wintermute could not access the tokens as a result.
“Before the recovery procedure was done, an intruder was able to deploy the multi-sig to L2 with alternative initialization values and take possession of the 20 million OP tokens,” the team said.
Last weekend an attacker was able to gain control of the Optimism addresses that correspond to various Gnosis Safe multisigs on Ethereum that had not yet been deployed to Optimism. A quick thread on security in the multi-chain world ~~
— smartcontracts (✨🔴_🔴✨) (@kelvinfichter) June 8, 2022
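A pre-transfer check for the failure described above, as an added example that is not code from Optimism or Wintermute: it asks both chains whether contract code exists at the recipient address, using the standard `eth_getCode` JSON-RPC method. The endpoint URLs, sample address and bytecode are constructed placeholders, and `check_recipient` and `sample_call` are hypothetical names.

```python
import json
from urllib import request

def rpc_call(url, method, params):
    """POST one JSON-RPC 2.0 request and return its result field."""
    body = json.dumps({"jsonrpc": "2.0", "id": 1, "method": method, "params": params})
    req = request.Request(url, data=body.encode(), headers={"Content-Type": "application/json"})
    with request.urlopen(req, timeout=10) as resp:
        reply = json.load(resp)
    if "error" in reply:
        raise RuntimeError(reply["error"])
    return reply["result"]

def has_code(code_hex):
    # eth_getCode returns "0x" when no contract is deployed at the address.
    return code_hex.lower() not in ("0x", "0x0", "")

def check_recipient(address, l1_url, l2_url, call=rpc_call):
    """Classify a recipient address before sending funds to it on L2."""
    on_l1 = has_code(call(l1_url, "eth_getCode", [address, "latest"]))
    on_l2 = has_code(call(l2_url, "eth_getCode", [address, "latest"]))
    if on_l1 and not on_l2:
        # The case in the article: a multisig on L1, nothing at that address on L2.
        return "BLOCK", "contract on L1 only; the L1 owners do not control this address on L2"
    if on_l2:
        # Identical code does not imply identical owners: initialization values
        # live in storage, so the recipient must prove control with an outbound tx.
        return "VERIFY", "contract on L2; confirm its owners and have the recipient send a test amount back"
    return "VERIFY", "no code on either chain; have the recipient send a test amount back"

# Constructed sample data: placeholder address, URLs and bytecode, no real chain state.
SAMPLE_ADDR = "0x" + "ab" * 20
SAMPLE_STATE = {
    ("https://l1.example", SAMPLE_ADDR): "0x6080604052",
    ("https://l2.example", SAMPLE_ADDR): "0x",
}

def sample_call(url, method, params):
    """Offline stand-in for rpc_call that answers from SAMPLE_STATE."""
    assert method == "eth_getCode"
    return SAMPLE_STATE.get((url, params[0]), "0x")

if __name__ == "__main__":
    print(check_recipient(SAMPLE_ADDR, "https://l1.example", "https://l2.example", call=sample_call))
```

An inbound test transaction succeeds in every one of these cases, which is why the "VERIFY" results ask for a transfer back out of the recipient address.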
The blunder was described as an “amateur mistake” by Dovey Wan, a founding partner of Primitive Ventures, an international venture capital organization that invests in blockchain and crypto technology.
“Can’t believe what an amateur error Wintermute made. 1. They used the wrong chain to launch the multi-sig contract,” she wrote. As her second point, she stated that they did not attempt to send a tx with the funds they got to ensure it was indeed “their fund.” “This is not how you handle your multi-sig recipient of a large size.”
She further argued that Optimism should have postponed its airdrop in light of the incident.
OP team should have postponed the airdrop for a better consequence the moment they realized it’s not recoverable .. and push out this transparency report momentarily so everybody is on the same page (everyone was monitoring the wintermute addresses anyway
— Dovey “Rug The Fiat” Wan🪐 (@DoveyWan) June 9, 2022
The Rectification
Wintermute admitted responsibility for the incident in a Thursday message to the Optimism community, stating it was “100%” their fault. As part of its “best efforts to moderate the consequences” of price volatility, the company also promised to undertake OP buybacks equal to the amount the exploiter sells.
The exploiter was also asked to consider becoming a “whitehat” by surrendering the remaining 19 million tokens within a week. The figure is 19 million because the exploiter had already sold 1 million tokens on Sunday.
Following Wintermute’s offer, the exploiter sent an extra 1 million tokens to Ethereum co-founder Vitalik Buterin’s Optimism address. For the time being, the remaining 18 million OP tokens in this address are dormant.
According to the Optimism team, a network upgrade could have halted the movement of OP tokens that had not been sold or transferred. “We will not take this action at this moment because it would set a precedent,” they continued.
The Response
Chris Blec, the host of the Proof of Decentralization podcast, responded by claiming that this demonstrates that Optimism is “DANGEROUSLY CENTRALIZED.”
“If they can use their multi-sig to freeze a thief’s wallet, THEY CAN FREEZE YOUR WALLET TOO,” he continued.
Some $OP tokens got hijacked.
Optimism is grappling with the idea of whether it should use its multisig to take the tokens back from the thief.
In this tweet, they’re saying “we coullllld do it.. but then you’d all hate us.. so we won’t.. for now.”
DANGEROUSLY CENTRALIZED. https://t.co/p7JiPY2TzU
— Chris Blec (@ChrisBlec) June 8, 2022
In the meantime, the OP token has taken a beating today. The coin is trading at USD 0.85 as of 8:16 UTC, down 13.2 percent in the last 24 hours. It has also dropped 31.3 percent in the last week.