The Optimism Foundation, a non-profit organization that promotes sustainability via software centered around Ethereum tech, recently launched its Optimism Token (OP) on various centralized exchanges.
Unfortunately, it encountered serious issues shortly after it got off the ground. In the course of a deal with Wintermute, a partnered liquidity provider, 20 million OP were redirected and sent to an unaffiliated wallet after a Tornado transfer meant to obscure the history of the address in question.
In preparation for the ill-fated transaction, Optimism had sent two separate test transfers to Wintermute, both of which were confirmed to have reached the intended recipient. However, the tokens never made it to their intended destination.
Layer Incompatibility at Fault
The tokens were originally sent to Wintermute’s address from Optimism’s Layer-2 wallet, which turned out to be a Layer-1 Ethereum address. Due to an incompatibility pertaining to multi-sig tech unavailable for Optimism’s Layer-2 address, this led to the funds remaining stuck in Layer-1, inaccessible to either party.
Wintermute commenced efforts to switch to Layer-2 in order to receive the funds. Unfortunately, the entity was not the only one, and an unknown actor managed to deploy the contract with different parameters before Wintermute could.
1 Million Sold, 19 To Go
The stolen tokens were valued at $17.2 million at the time of writing, according to CoinGecko. The unintended recipient has since sold 1 million OP and is still in possession of the remaining tokens, with no indication of what they intend to do with them.
Both Wintermute and Optimism are attempting to contact the author of the exploit, to no avail.
In the meantime, we will be active across all communication channels to engage the community as the situation progresses.
If you have any questions about this incident, you can ask them in Discord: https://t.co/uaKMDtlpl0
— Optimism (✨🔴_🔴✨) (@optimismPBC) June 8, 2022
On its side, Wintermute addressed not only the understandably disappointed community – but the exploiter as well, laying out a potential olive branch in case they change their mind – or had benign intentions in the first place.
“We are open to see this as a white hat exploit. Moreover, the way the attack has been performed has been rather impressive and we can even consider consulting opportunities or other forms of cooperation in future. We are also content with the scenario where the remaining 19 million tokens are returned to Optimism wallet.”
Wintermute continues by setting a time limit of 1 week for the exploiter to get in touch or to simply return the funds, after which the team will begin trying to discover their identity and pursue them in court, assuming their sleuth attempts are successful.
Wintermute has accepted the blame for the incident and has committed to buying back the remaining tokens from the person responsible for the exploit in case they are not returned.