Vitalik Buterin, the Ethereum creator, was the unintended receiver of 1 million OP tokens from Optimism, the network’s scalability solution. Concerns concerning a potential exploit related to the launch of this project’s governance token were addressed by the people behind it.
According to Optimism, they formed a partnership with liquidity provider Wintermute to “enable a simpler experience for customers” interested in purchasing OP and participating in the project’s governance model. Optimism agreed to send 20 million OP tokens to a multi-signature account as part of the deal.
The liquidity provider, on the other hand, was unable to access the funds because the address was created as an Ethereum layer-1 multi-sig address without an Optimism, which is a second layer solution for smart contract deployment. The liquidity provider had this to say about it:
- As we communicated the wallet address to the Optimism team, we made a serious error.
The Optimism partners started a “recovery operation” to get access to the cash after concluding with Wintermute that the monies “were possibly retrievable and that nobody other than Wintermute could recover the funds,” according to a statement from the liquidity provider.
The recovery operation was set for June 7th, 2022, according to the liquidity provider, but a hacker beat them to it. The Ethereum second layer solution’s creators explained:
- Unfortunately, an attacker was able to deploy the multisig to L2 with different initialization parameters before these efforts were completed, assuming ownership of the 20m OP.
Optimism further alleges that the perpetrator started selling the stolen monies. From the hacker’s address: 0x4f3a120E72C76c22ae802D129F599BFDbc31cb81, as many as 1 million OP tokens have been “dumped” into the market.
This address still has 18 million OP tokens or $14 million in OP tokens, plus $3 in USD Coins, at the time of writing (USDC). New events, however, have added to the strangeness of the situation.
Funded via Tornado 7 days ago https://t.co/UqOAhJ7so9
— yoav.eth (@yoavw) June 9, 2022
Then deployed the contract, waited 4 days, and hijacked wintermute's proxy.
Why wait 4 days?