- Vitalik Buterin and Ethereum’s security expert Yoav Weiss have each received one million OP tokens from the hacker, who is believed to be a whitehat.
- Market maker Wintermute has taken responsibility for the hack and promised to return the stolen funds.
Ethereum’s Layer-2 scalability solution Optimism launched its governance token OP earlier this month. However, it has been in major trouble since its launch.
On Thursday, June 8, Optimism said that it accidentally sent 20 million OP tokens, for the Optimism Collective DAO, to the wrong address. A hacker exploited this opportunity and stole all 20 million OP tokens.
Before we look at how the hack happened, there is another twist in the tale: the hacker sent nearly 1 million OP tokens to Ethereum founder Vitalik Buterin. This has been confirmed by theft detector PeckShield.
— PeckShieldAlert (@PeckShieldAlert) June 9, 2022
The hacker has not used the OP tokens to manipulate governance on Optimism. Instead, the hacker has granted 1 million OP voting rights to Ethereum Foundation’s security expert Yoav Weiss. Just as Yoav was explaining the sequence of the hack, he too received 1 million OP tokens. Based on these events, Weiss thinks that this could be a whitehat exploit. He wrote:
And the plot thickens. As I was writing this explainer, the attacker delegated the 1M OP voting power to *me*. Thank you for delegating 🙂 Hint: no, I’m not the attacker and I don’t know who is. But now guessing it’s a whitehat.
The events of the Optimism hack
The native OP tokens from Optimism serve as the governance tokens for its DAO. To distribute these 20 million OP tokens via an airdrop, Optimism hired market maker Wintermute. Before sending the 20 million OP tokens to Wintermute last week, Optimism had conducted two successful test transactions. However, when they finally sent these 20 million OP tokens, Wintermute said that this amount was inaccessible to them.
So how did this happen? Just like Polygon, Optimism is also a Layer-2 scalability solution for Ethereum. However, these solutions come with their own set of risks. In this case, Optimism sent 20 million OP tokens to Wintermute’s Ethereum (L1) address. But since that address had not been deployed or synced to Optimism (L2), the funds were left inaccessible or floating on L1. The hacker exploited this situation.
Wintermute has taken full responsibility for the error. It has also urged the hacker to return the stolen Optimism funds. Wintermute also said that it is ready to work with the hacker on any consulting opportunities in the future. Wintermute has given the hacker a week to respond. After that, it will start tracking the hacker and return the funds.
Wintermute later discovered they could not access these tokens, because the provided address was for an Ethereum/L1 multisig that they had not yet deployed to Optimism/L2. They began a recovery operation with the goal to deploy the L1 multisig contract to the same address on L2.
— Optimism (✨🔴_🔴✨) (@optimismPBC) June 8, 2022
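The failure described above, an L1 multisig address with no contract behind it on L2, can be caught before funds move. The following Python check is an added example, not code from Optimism or Wintermute: it compares the standard `eth_getCode` JSON-RPC result on both chains, and the function names, the placeholder address and the sample bytecode are constructed for illustration.

```python
import json
import urllib.request
from typing import Callable, Dict

Rpc = Callable[[str, list], str]  # (method, params) -> hex string result

def http_rpc(url: str) -> Rpc:
    """JSON-RPC transport for a live node; the endpoint URL is the caller's."""
    def call(method: str, params: list) -> str:
        body = json.dumps({"jsonrpc": "2.0", "id": 1,
                           "method": method, "params": params}).encode()
        req = urllib.request.Request(url, body, {"Content-Type": "application/json"})
        with urllib.request.urlopen(req, timeout=10) as resp:
            reply = json.load(resp)
        if "error" in reply:
            raise RuntimeError(reply["error"])
        return reply["result"]
    return call

def fake_rpc(code_by_address: Dict[str, str]) -> Rpc:
    """Offline stand-in for a node (hypothetical helper): answers eth_getCode from a dict."""
    def call(method: str, params: list) -> str:
        assert method == "eth_getCode", method
        return code_by_address.get(params[0].lower(), "0x")
    return call

def get_code(rpc: Rpc, address: str) -> str:
    """Deployed bytecode at `address` as hex without the 0x prefix; empty if none."""
    code = rpc("eth_getCode", [address, "latest"]).lower()
    return code[2:] if code.startswith("0x") else code

def check_recipient(l1: Rpc, l2: Rpc, address: str) -> str:
    """Classify a recipient before an L2 transfer: 'ok', 'review' or 'block'."""
    l1_code, l2_code = get_code(l1, address), get_code(l2, address)
    if l1_code and not l2_code:
        return "block"   # contract exists only on L1: its owners cannot use it on L2 yet
    if l1_code != l2_code:
        return "review"  # code on L2 differs from L1: confirm who controls it
    return "ok"          # same code on both chains, or no code on either (assumed key-controlled)

# Constructed sample data: placeholder address and bytecode, not real values.
MULTISIG = "0x" + "ab" * 20
L1_NODE = fake_rpc({MULTISIG: "0x6080604052"})

if __name__ == "__main__":
    print(check_recipient(L1_NODE, fake_rpc({}), MULTISIG))  # multisig missing on L2
    print(check_recipient(L1_NODE, fake_rpc({MULTISIG: "0x6080604052"}), MULTISIG))
```

Against live nodes, pass `http_rpc(<L1 endpoint>)` and `http_rpc(<L2 endpoint>)` in place of the `fake_rpc` stubs.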
Wintermute staff has also told the Optimism foundation that the funds are potentially retrievable, via a high-risk, one-time operation. Since the hack, Wintermute has already purchased one million OP tokens.
However, all these events have damaged the OP token’s reputation among investors. Since the launch, the OP token price has gone through an 80% correction. Currently, each OP token is trading at a price of $0.82.