Blatant “bug” led to $370,000 DeFi hack, say experts

Attackers raided the decentralized finance (DeFi) protocol Opyn yesterday, making off with over 370,000 USDC.

Opyn, which deals primarily with options for ETH, was subject to a double-spend attack. 

"At the time of this post, we've found 371,260 USDC that has been stolen from these contracts," reads Opyn's post-mortem.

Analysis from security researchers PeckShield elaborates that the double-spend transpired due to an exploited smart contract bug, allowing attackers to openly plunder any and all USDC within Opyn’s smart contracts. 

Chiachih Wu Research VP for PeckShield and author of the firm's post mortem told Decrypt that while the exploit itself wasn't devastating financially, consequences for Opyn's standing could be dire.

"I would say it hurts the reputation more," said Wu. "Since it's not a subtle bug. Solidity developers should be able to catch it."

The Opyn hack as it happened

After becoming aware of an issue Tuesday afternoon, the Opyn team kicked into action, siphoning liquidity from decentralized exchange Uniswap to prevent further problems.

The team also enlisted the help of a white-hat hacker, known as "samczsun" to extract a total of 572,165 USDC from remaining Opyn smart contracts, in an attempt to mitigate further losses.

For those still holding the platform’s now-illiquid tokens, Opyn has offered to buy them at a 20% mark-up on the crypto exchange Deribit. 

Despite Opyn providing a litany of remedies, including a bug bounty program, and enhanced auditing, PeckSheild's Wu remains skeptical that DeFi won't suffer the same again.

"Until the day human beings stop coding, people will keep generating bugs," he said. "On the other hand, there's no perfect system. I'm sure we'll see more 0-days or new tricks to attack Ethereum-based software in the future.

Opyn's exploit marks the sixth DeFi hack this year, and with security experts anticipating more to come, DeFi's narrative as the new financial frontier may be more akin to the wild west.