Here is an overview of the incident affecting ETH Put contracts. No other contracts are affected. ~371k USDC was lost. We worked with @samczsun to whitehack, securing ~439k USDC. Affected users, please see below. Full post-mortem coming in next few days.https://t.co/ILNutAiqfU
— opyn (@opyn_) August 4, 2020
In response, the Opyn team drained liquidity of oETH tokens from Uniswap, in addition to white-hat hacking the remainder of vulnerable USDC funds in their protocol.
Now, the technical details of the attack have all been revealed in a recent blog post by blockchain security firm PeckShield.
Where it began: The oETH smart contract
Opyn’s ETH Put tokens (oETH) give users protection from possible downside in ETH prices. oETH tokens give the bearer the right (but not the obligation) to sell Ether at a predetermined price, at any time up until the contract’s expiry. More on how oTokens work here.
To exercise an oETH Put contract, the user will send oETH to the Opyn protocol, along with the ETH they wish to sell . There, the ETH is sold at the agreed-upon price, while the oETH contracts are removed from circulation (burned).
In return, the exerciser receives a payout – in this case, USDC.
The attacker took advantage of a bug in the oETH smart contract code: A fault in its “exercise ( )” function. By calling this function using multiple ETH-based vaults at once, a single amount of ETH could be spent via multiple vaults at the same time.
Put simply, the bug enabled them to “sell” a single batch of ETH more than once while exercising their oETH token rights.
By exploiting this, the attacker extracted multiple payouts of USDC for the sale of only one batch of ETH.
As a result, a total of $371,260 USDC was stolen via the exploit.
How did Opyn respond?
Opyn acted immediately upon news of the attack, disabling purchases of oETH and draining Uniswap of oETH token liquidity.
They also worked directly with a white-hat hacker named ”samczsun” to secure any remaining USDC on Opyn which was vulnerable to the attack.
More than half a million dollars’ worth of USDC was secured via the white-hat patch.
What happens to those affected by the attack?
For users who still hold oETH, Opyn has offered to buy them back at a generous 20% mark-up, via the centralized derivatives exchange Deribit.
Users who sold oETH tokens are advised to reach out to the Opyn team on Discord, where a plan will be put into place to reduce the financial impact upon them.
It has also been recommended that Opyn users do not open any new vaults, until the team gives the green light to safely resume activity.
Reimbursement update for ETH put sellers: To make the reimbursement process as easy, quick, and secure as possible for users, we will be sending each affected put seller’s funds directly back to their address.
Outlining the process below:
— opyn (@opyn_) August 6, 2020
What else you need to know
The attack only affected Opyn ETH Put contracts – none of the other financial instruments on the protocol are affected.
Buyers and sellers of put contracts for all other ERC20 tokens do not need to worry, as the affected portion of the code only exists in the oETH smart contract and no others.
In response to the attack, Opyn has decided to boost auditing efforts and increase the rewards for their bug bounty program. The decision to reimburse users comes in tandem with other projects like bZx and Balancer who also committing to honoring lost funds, even in situations like Balancer when the hacks were not an actual protocol exploit. Still, the preconception that teams will always honor hacked funds is not one which users should get used to. Thankfully, this exploit was relatively small but this does not go to say that should a black swan happen, DeFi users would be protected.
To stay up with the hack and how Opyn rebounds, follow them on Twitter.