The theft, which follows the OP token’s botched airdrop, sent the token’s price to new lows.
Ethereum scaling solution Optimism announced today that $15 million in OP governance tokens have been stolen by attackers.
Hey folks–in the interest of transparency, we'd like to share some details about an ongoing situation:https://t.co/915vIgRIJG
Summary below
— Optimism (✨_✨) (@optimismPBC) June 8, 2022
Optimism intended to send the funds to a crypto market maker, but they fell into the wrong hands when the market maker, Wintermute, provided Optimism’s team with an incorrect blockchain address.
In a statement Wednesday, Wintermute CEO Evgeny Gaevoy took responsibility for allowing the theft: “We made a serious error.”
The attack followed a difficult couple of weeks for Optimism, whose botched OP token airdrop sent the token’s price tumbling in its first hours. The OP token fell an additional 20% on today’s news according to the most recent data from CoinMarketCap.
What happened
In a blog post published on Wednesday, Optimism’s team explained that it sent 20 million OP tokens to crypto market makers Wintermute two weeks ago in preparation for the much-hyped OP token airdrop.
The funds came from the Optimism Foundation’s Partner Fund, and Wintermint’s Gaevoy explained that the money – which came as a loan – would have been used to “provide liquidity in the OP token upon its listing on centralized exchanges.”
An opportunity for attack came when Wintermute gave the wrong wallet address to Optimism. The money was supposed to be held in a multi-signature wallet belonging to the Wintermute team, but the address provided by Wintermute was for a wallet on Ethereum, whereas it should have been an address on Optimism.
Gaevoy said Wintermint sought to retrieve the lost funds after noticing what happened, but an attacker beat it to the punch – draining the full 20 million of OP tokens into a fresh Optimism wallet belonging to the attacker.
The attacker cashed out 1 million of the stolen OP tokens into Ethereum, and it then transferred those funds to an unknown address via Tornado Cash, a tool that allows people to send and receive funds with a scrambled source.
The remaining 19 million tokens are still in the attacker’s wallet. So long as they stay in the attacker’s wallet, the attacker will have the ability to vote on Optimism community governance proposals.
“We are not sure why they chose not to liquidate all of [the tokens] at once,” Gaevoy said in his statement. “There is hope that it is a whitehat exploit … However we are currently operating under the premise that it is not the case.”
What is Optimism
Optimism is a layer 2 rollup chain for Ethereum – a separate blockcahin that can process transactions, bundle them up, and pass them back down to Ethereum. It helps to scale Ethereum’s “layer 1” network through quick transactions and lower fees.
The protocol, which has over $350 million in total value locked (TVL) according to DefiLlama, made headlines last month when it announced that it would be embarking on a much-hyped transition to community governance.
As part of its community handover, Optimism planned to airdrop its new OP token to active members of the Ethereum community.
What’s next
After noticing the error, Optimism sent an additional 20 million OP tokens to Wintermute. This time, Wintermute was required to put up $50 million in USDC as collateral.
Optimism’s decision to continue working with Wintermute have drawn the ire of some members of crypto twitter, as has their decision to hold off on disclosing the attack until two weeks after the fact.
As for how Optimism will handle the stolen funds moving forward, it says the decision will be left to its community. Theoretically the funds can be restored to the Optimism Foundation via a “hard fork” of the chain.
So far none of the misappropriated OP has been used for anything related to governance.
If this changes, we will engage in targeted community discussion at that time, with the benefit of a more comprehensive set of facts.
— Optimism (✨_✨) (@optimismPBC) June 8, 2022
Wintermute, for its part, says it is monitoring the attackers address and “will proceed to buy OP every time the attacker sells it to make the protocol whole eventually.”