The attackers exploited a security vulnerability in ETH’s Put Opyn contract to withdraw more than $ 370,000.
One of the first crypto-Twitter members to report the theft, DegenSpartan, explained On August 4, traders used flash credits to buy Ethereum oTokens (oETH) put in Uniswap. They then reportedly chose an ERC20 token, in this case USD Coin (USDC), as collateral and exercised the trading option.
The result would have been a double transfer that would have effectively “stolen” the guarantee.. According to blockchain records, the attackers were given both their original Ethereum (ETH) deposits and USDC options.
In an August 4 Opyn blog, the platform estimates the exploit losses at $ 371,260, but said the amount could change.
“This feat allowed an attacker to double-use oTokens and steal the guarantee offered by certain providers of these put options.”
Rapid withdrawal of liquidity
Opyn recognized that something was happening during the day and gave one release on twitter to say that had removed Uniswap’s liquidity during its investigation.
Hello everyone, there seems to be a problem with some oTokens contracts. We are working hard to understand this issue so that we can help users as much as possible. In the meantime, we have withdrawn Uniswap liquidity. It is best not to open new safes at the moment.
– opyn (@opyn_) August 4, 2020
Trying to avoid further abuse of this gap Opyn has recovered $ 439,170 of outstanding vault guarantees with a white hat hackand effectively send it back to Put’s suppliers. However, some users were understandably still upset about the loss and late response:
Screenshots of Opyn’s chat on Discord
According to the co-founder of Opyn, In a Discord chat session, Alexis Gauba offered to buy ETH oTokens Put “at prices above the market”.which they said were 20% higher than the best-selling price in Deribit.
“This only applies to oTokens that were bought before today.” Gauba said. The last published update showed that Opyn was working on a plan “to mitigate the impact on ETH providers”.