Optimism / Wintermute 20M OP Token Loss - June 8-9, 2022
The Incident
The hacker stole 20 million OP tokens from Optimism by exploiting a failed transaction involving liquidity provider Wintermute. Optimism intended to send the funds to a crypto market maker, but the funds fell into the wrong hands when the market maker, Wintermute, provided Optimism's team with a wrong blockchain address.
How It Happened
Wintermute had mistakenly provided Optimism with a multi-signature Ethereum address that it had not yet deployed on the Layer 2 network. Due to the mistake, a hacker was able to deploy the multi-signature Gnosis Safe wallet on Optimism and take control of the funds before Wintermute could finalize a recovery operation.
The Attacker's Actions
An attacker beat Wintermute to the punch — draining the full 20 million OP tokens into a fresh Optimism wallet belonging to the attacker. The attacker cashed out one million of the stolen OP tokens into Ethereum and then transferred those funds to an unknown address via Tornado Cash. Blockchain security firm PeckShield noticed that the attacker sent an additional one million tokens to an address belonging to Ethereum co-founder Vitalik Buterin.
Resolution
The hacker confirmed they were a whitehat and asked the project developers to share a return address for the remaining tokens in their possession. The hacker ultimately sent 17 million OP tokens to a wallet Wintermute CEO Evgeny Gaevoy claimed belongs to Optimism.
Sources