Why This Hacker Sent 1M Optimism Tokens To Vitalik Buterin
Ethereum inventor Vitalik Buterin was the unintended recipient of 1 million OP tokens from Optimism, the network's scalability solution. The team behind the project addressed concerns about a potential exploit related to the launch of its governance token.
As clarified by Optimism, they entered a deal with liquidity provider Wintermute to “facilitate a smoother experience for users” looking to buy OP and participate in the project’s governance model. As part of the agreement, Optimism sent 20 million OP tokens to a multi-signature address.
However, the liquidity provider was unable to access the funds: it discovered that the address belonged to an Ethereum layer-1 multi-sig whose smart contract had not been deployed on Optimism, which operates as a second layer solution. About this, the liquidity provider said:
As we communicated the wallet address to the Optimism team, we made a serious error.
The Optimism partner began a “recovery operation” to gain access to the funds, as it concluded with Optimism that the funds “were potentially retrievable and that nobody other than Wintermute could recover those funds”, the liquidity provider said in a statement.
The recovery operation was scheduled, the liquidity provider clarified, for June 7th, 2022, but a hacker beat them to it. The team behind the Ethereum second layer solution explained:
Unfortunately, an attacker was able to deploy the multisig to L2 with different initialization parameters before these efforts were completed, assuming ownership of the 20m OP.
Furthermore, Optimism claims the attacker began selling the stolen funds. As much as 1 million OP tokens have been “dumped” into the market from the hacker’s address: 0x4f3a120E72C76c22ae802D129F599BFDbc31cb81.
At the time of writing, this address still holds 18 million OP tokens or $14 million with an additional $3 in USD Coin (USDC). However, new developments made the whole incident weirder.
Why Send Part Of The Funds To Vitalik Buterin?
Developer Yoav Weiss, Security Fellow at the Ethereum Foundation, provided other details about the recent events. He believes the attacker could be a Whitehat hacker.
He based this presumption on the fact that the attacker waited four days before taking ownership of the OP funds. During that time, there was a risk that Wintermute might have deployed the solution to recover the funds.
In addition, the attacker hasn’t moved the funds in the way Optimism believed. Instead, Ethereum inventor Vitalik Buterin received 1 million tokens and Weiss himself received another 1 million OP.
And the plot thickens. As I was writing this explainer, the attacker delegated the 1M OP voting power to *me*: https://t.co/75VPmS91J5
Thank you for delegating 🙂
Hint: no, I’m not the attacker and I don’t know who is. But now guessing it’s a whitehat.
Projects often send Vitalik Buterin tokens to celebrate the launch of their platforms, or to “burn them”, as the inventor of Ethereum rarely uses them. The fact that Weiss is a security fellow seems to be part of a message from the attacker.
The team behind Optimism claims the hacker has not used the funds for any activity related to its governance model. If this situation changes, they claim additional measures will be taken alongside the OP community.
Other measures are available, but the Optimism team refuses to enforce them, as doing so would jeopardize the project’s vision of a permissionless network. They concluded:
(…) incidents like this are the growing pains of an evolving industry. This is a reminder to everyone dealing with contracts across different chains that the security assumptions of one chain do not necessarily carry over to another.
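The check implied by that closing statement, as an added example that is not code from the article, Optimism or Wintermute: before funds go to a contract address on another chain, confirm through the standard `eth_getCode` JSON-RPC method that the contract actually exists there. The chain labels, address, bytecode and `canned_transport` stand-in are constructed assumptions so the example runs offline.

```python
import json

# Constructed sample: canned eth_getCode replies. The address and bytecode are
# placeholders, not values from the incident.
ADDR = "0x" + "ab" * 20
CANNED = {
    ("l1", ADDR): {"jsonrpc": "2.0", "id": 1, "result": "0x6080604052"},
    ("l2", ADDR): {"jsonrpc": "2.0", "id": 1, "result": "0x"},
}

def canned_transport(chain, payload):
    """Stand-in for an HTTP POST to the chain's JSON-RPC endpoint."""
    request = json.loads(payload)
    return json.dumps(CANNED[(chain, request["params"][0])])

def get_code(chain, address, transport):
    """Return the runtime bytecode stored at `address` on `chain`."""
    payload = json.dumps({"jsonrpc": "2.0", "id": 1, "method": "eth_getCode",
                          "params": [address, "latest"]})
    reply = json.loads(transport(chain, payload))
    if "error" in reply:
        raise RuntimeError(f"{chain}: {reply['error']}")
    return bytes.fromhex(reply["result"][2:])  # "0x" means no code at all

def preflight(address, source, dest, transport=canned_transport):
    """Classify a recipient address before sending funds to it on `dest`."""
    src, dst = (get_code(c, address, transport) for c in (source, dest))
    if not src and not dst:
        return "NO_CODE_EITHER_CHAIN"   # no contract on either chain
    if src and not dst:
        return "NOT_DEPLOYED_ON_DEST"   # the case in the article: hold the transfer
    if src != dst:
        return "DIFFERENT_CODE"         # not the same contract on both chains
    # Same code is not enough: the article's attacker deployed the multisig with
    # different initialization parameters, so owners still need comparing.
    return "SAME_CODE_VERIFY_OWNERS"

if __name__ == "__main__":
    print(preflight(ADDR, "l1", "l2"))
```

With a real endpoint, `transport` would be replaced by a function that posts the payload to each chain's RPC URL.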