20 million Tokens lost in an Interlayer Snafu by Optimism

The company who is behind the Ethereum scaling protocol made public today that in preparation to launch a native OP token for the Optimism Collective DAO, it accidentally sent around 20 million tokens to a wrong blockchain address. The mistake resulted in the theft of all the 20 million OP tokens by a hacker.

DAOs(Decentralized Autonomous Organizations), are blockchain-based accumulations that vote on decisions, often through a native token. Optimism generated OP as the governance token for its DAO, and hired market maker Wintermute for more efficient distribution of the 20 million OP tokens in an airdrop to the Optimism Collective stakeholders to carry on with its launch. Optimism sent two dummy transactions to Wintermute before they sent over the 20 million OP tokens last week, and both transactions were affirmed by Wintermute. Optimism then finally sent the 20 million tokens over, only for Wintermute to find out that they were now inaccessible.

How? Optimism is a layer-2 scaling solution that is built on top of the whole Ethereum network. The second layer solution allows faster transactions as they bypass the highly congested Ethereum network. But such convenience also brings much more risks. If we consider the case of the Optimism transaction, the 20 million tokens were sent to Wintermute’s Ethereum (L1) address, but since that address had not yet been synced, to an Optimism (L2) address, the tokens were left floating, making them inaccessible, to L1. Wintermute took complete responsibility for the mishap after it was discovered on May 30. Wintermute’s staff also told the Optimism Foundation that the tokens were potentially retrievable but through a high-risk, one-time operation. They also asserted that the tokens, if not accessible, were nonetheless secure as no one externally could access them. However, the assertion turned out to be false.

Within a day of Wintermute revealing their discovery to Optimism, an anonymous hacker seized all of the 20 million OP tokens from the Ethereum address. On June 1st, the value of the plunder was valued at nearly over $35 million. The hacker then allegedly sold off around one million OP tokens for ETH, and retained the left over 19 million. They then went completely silent, and haven’t been heard from since.   As part of accepting responsibility, Wintermute has committed to purchasing back all of the tokens sold by the hacker. Wintermute already bought back the one million OP tokens which had been sold last week. Optimism says that till now, the stolen funds have not been used for influencing their DAO’s governance, but still, they are monitoring the complete situation.

Both Optimism and Wintermute have made several attempts to contact the hacker, but have got no response. Both the companies went public with every detail of the attack today, relatively in the hopes of attracting the hacker’s attention. In a blog post today, Wintermute appealed directly to the anonymous bandit, commending their sophistication and also offering them potential employment.

This sweet overture, however, came with a sour pill that if the remaining of the 19 million OP tokens aren’t returned within the seven days, the company claims it to turn over evidence of the anonymous hacker’s identity– which is so-far undisclosed to law enforcement. What evidence both the companies possess, or what incentives the hacker has to come clean, remain uncertain and debatable.  “Consider your options,” Wintermute stated in its blog post addressing the hacker, “and choose to be good and optimistic instead of living in fear.”

Leave a Reply

Your email address will not be published.