Optimism issued OP as the DAO’s governance token, and hired market maker Wintermute to distribute the 20 million OP tokens via an airdrop to Optimism Collective stakeholders in order to continue the project’s launch.
Last week, Optimism completed two test transactions to Wintermute before transferring the 20 million OP tokens, and Wintermute confirmed both transactions. After Optimism had sent the tokens over, Wintermute discovered that they had become unreachable.
Optimism is a layer-2 scaling solution built on top of the Ethereum network. Because they bypass the frequently crowded Ethereum network, second-layer solutions allow for faster transactions. However, such convenience carries a higher level of danger.
The 20 million Optimism tokens were sent to Wintermute’s Ethereum (L1) address, but Wintermute was unable to access the money since the smart contract it used to receive the tokens was still running on L1 and had not been changed to operate on Optimism. Because of this technological flaw, the contract was vulnerable to an attack in which a hacker took control of the contract on the L2.
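A pre-transfer check for the failure described above, as an added example that is not from the article or from either project: it asks whether the recipient address has contract code on the chain where the tokens will actually be sent. The address and the node responses are constructed samples, and the `l1`/`l2` labels and function names are assumptions; `eth_getCode` is the standard Ethereum JSON-RPC method.

```python
import json

# Constructed sample data: a placeholder recipient address and the eth_getCode
# responses a node on each chain might return for it ("0x" = no contract code).
RECIPIENT = "0x" + "ab" * 20
SAMPLE_RESPONSES = {
    "l1": '{"jsonrpc": "2.0", "id": 1, "result": "0x6080604052"}',
    "l2": '{"jsonrpc": "2.0", "id": 1, "result": "0x"}',
}


def get_code_request(address, request_id=1):
    """Build the eth_getCode call to send to a node on each chain."""
    return {"jsonrpc": "2.0", "id": request_id,
            "method": "eth_getCode", "params": [address, "latest"]}


def has_code(raw_response):
    """Return True if an eth_getCode response carries deployed bytecode."""
    body = json.loads(raw_response)
    if "error" in body:
        raise ValueError(f"RPC error: {body['error']}")
    code = body.get("result")
    if not isinstance(code, str) or not code.startswith("0x"):
        raise ValueError("malformed eth_getCode result")
    return len(code) > 2


def preflight(responses, home="l1", destination="l2"):
    """Classify a transfer on `destination` to an address known from `home`."""
    at_home = has_code(responses[home])
    at_dest = has_code(responses[destination])
    if at_home and not at_dest:
        # The case in the article: the receiving contract exists only on L1.
        return "BLOCK: recipient contract is not deployed on the destination chain"
    if at_home and at_dest:
        return "REVIEW: confirm both deployments are the same contract and owners"
    if at_dest:
        return "REVIEW: contract exists on the destination chain only"
    return "OK: plain account, controlled by the same key on both chains"


if __name__ == "__main__":
    print(json.dumps(get_code_request(RECIPIENT)))
    print(preflight(SAMPLE_RESPONSES))
```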
An anonymous hacker grabbed all 20 million OP tokens from the Ethereum address within 24 hours of Wintermute informing Optimism of their discovery. The worth of the haul on June 1st, the day of the hack, was slightly over $35 million.
After that, the hacker sold one million OP tokens for ETH and kept the remaining 19 million. They fell silent after that and haven’t been seen or heard from since.
Wintermute CEO Evgeny Gaevoy said in a statement that “we made a serious error.”
“L1 is confusing enough for most people to navigate, and L2 brings a new set of paradigms over key management and safety, even for experienced crypto users and teams,” Gaevoy said.
“We are not sure why they chose not to liquidate all of it at once,” Gaevoy said. “There is hope that it is a white hat exploit, in which case the remaining funds are potentially recoverable. However we are currently operating under the premise that it is not the case, since we haven’t received any communication from them and our message on the chain was left unanswered.”
Wintermute has committed to buying back all of the hacker’s tokens. They’ll keep an eye on the address where the missing tokens are kept and buy when the address sells.
Optimism claims that the stolen tokens have not yet been used to affect the governance of its DAO, but that it is keeping an eye on the issue. Both Optimism and Wintermute have attempted to contact the hacker many times, but to no avail.
Wintermute claims it will hand over evidence of the hacker’s identity to law enforcement if the remaining 19 million OP tokens are not returned within a week.
“You have one week to consider being a whitehat,” warned Wintermute, “We already started investigating the potential leads, in certain cases stopping short of informing respective law enforcement agencies. Consider your options and choose to be good and optimistic instead of living in fear.”