- The Layer 2 scaling solution provider failed to sync its Optimism address to an Ethereum address before a large transfer.
- The stolen OP tokens were valued at $35 million at the time of the hack, with 19 million tokens still missing.
Optimism may have a good reason to be pessimistic.
The company behind the Ethereum scaling protocol announced today that in preparing to launch a native OP token for the Optimism Collective DAO, it accidentally sent 20 million tokens to the wrong blockchain address. The error resulted in the theft of all 20 million OP tokens by a hacker.
DAOs, or decentralized autonomous organizations, are blockchain-based collectives that vote on decisions, often via a native token. Optimism created OP as the governance token for its DAO, and hired market maker Wintermute to more efficiently distribute the 20 million OP tokens in an airdrop to Optimism Collective stakeholders to continue its launch.
Optimism sent two test transactions to Wintermute before sending over the 20 million OP tokens last week, and both transactions were confirmed by Wintermute. Optimism then sent the tokens over, only for Wintermute to discover that they were now inaccessible.
How? Optimism is a layer-2 scaling solution built on top of the Ethereum network. Second layer solutions permit faster transactions as they bypass the oft-congested Ethereum network. But such convenience also brings greater risk.
In the case of the Optimism transaction, the 20 million tokens were sent to Wintermute’s Ethereum (L1) address, but because that address had not yet been deployed, or synced, to an Optimism (L2) address, the funds were left floating, inaccessible, on L1.
Wintermute took full responsibility for the error when it was discovered on May 30. Wintermute staff also told the Optimism Foundation that the funds were potentially retrievable through a high-risk, one-time operation. They also insisted that the funds, if not accessible, were nonetheless secure: no one external could access them.
The assertion turned out to be false.
Within 24 hours of Wintermute relaying their discovery to Optimism, an anonymous hacker seized all 20 million OP tokens from the Ethereum address. On June 1st, the date of the hack, the value of the haul was valued at just over $35 million.
The hacker then sold off one million OP tokens for ETH, and retained the other 19 million. They then went silent, and haven’t been heard from since.
As part of accepting responsibility, Wintermute has committed to buying back all tokens sold by the hacker. Wintermute already bought back the one million OP tokens sold last week.
Optimism says that so far, the stolen tokens have not been used to influence their DAO’s governance, but that they are monitoring the situation.
Both Optimism and Wintermute have made multiple attempts to contact the hacker, to no avail. Both companies went public with the details of the attack today, partially in the hopes of attracting the hacker’s attention. In a blog post this afternoon, Wintermute appealed directly to the mysterious bandit, commending their sophistication and offering them potential employment.
“The way the attack has been performed has been rather impressive and we can even consider consulting opportunities or other forms of cooperation in future,” Wintermute wrote.
The sweet overture, however, came with a sour pill: if the remaining 19 million OP tokens aren’t returned within a week, the company claims it will turn over evidence of the hacker’s identity– thus-far undisclosed–to law enforcement.
“You have one week to consider being a whitehat,” warned Wintermute.
What evidence the companies possess, and what incentives the hacker has to come clean, remain open questions. In the meantime, the predicament seems to have taken a toll on Optimism’s typically-cheery and public-minded reputation.
“Consider your options,” Wintermute growled in its blog post at the hacker, “and choose to be good and optimistic instead of living in fear.”