Optimism is one of the most competitive Ethereum layer-2 scaling solutions
Optimism sent out a total amount of 20 million OP tokens to Wintermute’s layer-1 address by accident. Later, both realized that the address hadn’t been deployed to Optimism’s layer-2 address.
- Optimism disclosed that a hacker took advantage of the team’s technical negligence and stole 20 million OP tokens.
- Those tokens were initially granted to Wintermute for liquidity services.
- However, Wintermute had provided an address for an Ethereum (layer-1) multisig that they had not yet deployed to Optimism (layer-2).
- A hacker succeeded in stealing those 20 million tokens before recovery actions were taken.
- Wintermute promised to buy back all the stolen tokens and offered to accept the incident as a white hat hack for a specific period.
Optimism is one of the most highly anticipated Ethereum Layer 2 scaling solutions. Nonetheless, the vaunted project has bad news to tell this time. According to Optimism’s official Twitter account, it lost 20 million tokens due to confusion between the wallet addresses on layer-1 and layer-2. Those Optimism native tokens, OPs, were initially granted to Wintermute for liquidity service.
According to DappRadar Token Explorer, the price of OP token has been sliding over the past 30 days, trading at $0.83 at the time of writing but it remains to be seen how this theft incident will affect Optimism.
How did it happen?
On May 31, Optimism kicked off a token airdrop to reward its early adopters and incentivize future users. In addition, to facilitate a smoother experience for users seeking to acquire OP after the airdrop, Optimism engaged Wintermute to provide market-making services with 20 million OPs.
After sending two test transactions, upon Wintermute’s confirmation for each, the Optimism team sent the full amount. Unfortunately, Wintermute failed to access the tokens because Wintermute had provided an address for an Ethereum (layer-1) multisig that they had not yet deployed to Optimism (layer-2).
To regain control of these tokens, Wintermute initiated a recovery operation, hoping to deploy the multisig contract to the same address on the Optimism network. However, the attempt was already too late. Before the recovery operation was achieved, a hacker took the advantage and stole the 20 million OP tokens by deploying the multisig to the layer-2 network with different initialization parameters.
Basically, the hacker has gained control of these tokens and sold the first 1 million tokens already. Another 1 million tokens valued at about $730,000 were sent to Vitalik Buterin’s Ethereum address on Optimism. As for the rest of the tokens, the hacker can easily sell or use them to hijack governance decisions.
Cleaning the mess
What has happened is now irreversible. So, what are Optimism and Wintermute’s latest remedies?
Firstly, Wintermute has decided to take full responsibility for this accident. The firm also promised to repurchase the same amount of tokens. Notably, Wintermute has bought back the first 1 million tokens, the same amount the attacker sold.
Meanwhile, Optimism will go on with the market-making effort and has provided Wintermute with another 20 million OP tokens, for which Wintermute paid a $50 million deposit this time. Moreover, Wintermute adopted some soft actions as well. If the attacker agrees to give back the remaining tokens within one week, Wintermute will accept the incident as a white hat exploit. Otherwise, there will be a thorough investigation to identify the hacker before handing it over to the judiciary.