How Ethereum’s Layer-2 Optimism Lost $17 million to a Hacker

It was more pessimistic than optimistic as Optimism, Ethereum’s layer-2 protocol, lost 20 million OP tokens to a hacker this week.

Unfortunately, an attacker was able to deploy the multisig to L2 with different initialization parameters before these efforts were completed, assuming ownership of the 20m OP.

This address has since sold 1m OP:https://t.co/W8uiYPB9Of

— Optimism (✨🔴_🔴✨) (@optimismPBC) June 8, 2022

In response, Wintermute, who partnered with OP to provide liquidity, has admitted to an error on its part.

In an open letter to Optimism’s community, Wintermute strove to explain its involvement from the Genesis of its collaboration with OP.

It explained how OP approached the liquidity provider a fourth night ago and how it was offered a 20 million loan in OP tokens.

The Error

When receiving the loan, Wintermute said they sent an Ethereum (L1) address that had not been deployed to OP (L2).

Even so, they claimed to have confirmed the two test transactions from OP before the original transaction was made.

It was later discovered that OP tokens sent could not be accessed.

In the recovery operation that entailed deploying Ethereum (L1) to OP (L2), an attacker took advantage before the process could be completed. The unauthorized person went on to control the majority of the 20 million OP tokens, throwing a spanner to work.

Wintermute indicated that the hacker sold 1 million OP tokens at spot rates.

OP Recovery Attempts

A recovery process has been publicly proposed to OP’s community.

Hey folks—in the interest of transparency (😉,😅), the address has returned a majority of the OP, and @wintermute_t has committed to reimbursing the Optimism Foundation for the remaining 2mm OP, which was kept as a bounty.https://t.co/jtElgPdNPk

— Optimism (✨🔴_🔴✨) (@optimismPBC) June 10, 2022

Wintermute has taken it upon itself to monitor the address in possession of these tokens and has promised to buy back the tokens every time the address sells.

Although the second grant of 20 million OP tokens is granted to Wintermute to continue its work, it is essential to implement specific measures to prevent such mistakes.

In its address to the community, the Optimism Foundation recalled a similar event and educated the community on provisional measures for protection and prevention.

It says that it is common to mistake L1s with L2s. And once the mistake is made, it is essential to move with speed and alacrity on a recovery mission because you never can tell who is watching the chain like in this unfortunate incident.

Ethereum layer-2 protocols like Optimism are meant to scale the base layer. Users access lower transaction fees and fast settlement. However, they are less secure since transactions are routed off-chain before settling on-chain.