A hyped-up crypto project called Optimism was once seen as an incoming savior for the ailing crypto market, but has fallen on hard times immediately after launching on May 31. This week, a hacker was able to get in the way of a scheduled transaction of crypto tokens and steal around $16 million. Now, the victim—the project’s liquidity provider—is pleading with the hacker, threatening to call the cops and dox them.
On Wednesday, the Optimism Foundation was supposed to send 20 million OP tokens—worth around $16 million as of this writing—to Wintermute, a firm that provides liquidity to crypto projects for trades. That’s when the hacker took advantage of a mishap and took all the funds for themselves, according to a postmortem from the Optimism Foundation.
So far, the hacker has sold one million tokens, currently worth $800,000, and laundered them through the mixing service Tornado Cash.
In its blog post, the Optimism team essentially said that while this is bad, hacks like this can happen. Effectively, they wrote, it was human error. Wintermute provided an address to receive the funds, and confirmed that they received two test transactions, but only after the full amount had been sent did they realize that they could not actually access the tokens, according to Optimism. The reason was that they had provided an address for a wallet on Ethereum that had not yet been set up on Optimism, which is a layer-2 (L2) chain running on top of Ethereum, designed to make it cheaper to use. This is where the hacker stepped in, using a complex chain of operations to deploy the L2 wallet themselves and take control of the 20 million OP tokens.
“This is not the first time an error like this has occurred in crypto. L1 is confusing enough for most people to navigate, and L2 brings a new set of paradigms over key management and safety, even for experienced crypto users and teams,” the blog post read.
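The failure described above can be caught before funds move: a token transfer succeeds whether or not anyone controls the recipient, so test transactions arriving proves nothing about access. The following pre-transfer check is an added example, not code from Optimism or Wintermute; it uses the standard `eth_getCode` JSON-RPC method, and the transport function, addresses and bytecode are constructed placeholders so it runs offline.

```python
# Added example: compare contract code at the recipient on L1 and on L2.
EMPTY = {"", "0x", "0x0"}  # eth_getCode result for an address with no code

def eth_get_code(rpc, address):
    """Call eth_getCode at the latest block through the given transport."""
    reply = rpc({"jsonrpc": "2.0", "id": 1, "method": "eth_getCode",
                 "params": [address, "latest"]})
    if "error" in reply:
        raise RuntimeError(f"RPC error: {reply['error']}")
    return reply["result"].lower()

def preflight(address, l1_rpc, l2_rpc):
    """Return (status, reason) for funding `address` on the L2."""
    on_l1 = eth_get_code(l1_rpc, address) not in EMPTY
    on_l2 = eth_get_code(l2_rpc, address) not in EMPTY
    if on_l1 and not on_l2:
        # The case in the article: a contract wallet that exists only on L1.
        return ("BLOCK", "contract wallet on L1 is not deployed on L2")
    if on_l2:
        # Code at the same address does not prove the same owners.
        return ("REVIEW", "code present on L2; confirm owners before sending")
    # No code on either chain: a key-controlled account, same key on both.
    return ("OK", "externally owned account")

def fake_chain(code_by_address):
    """Constructed stand-in for an RPC endpoint (assumption, offline only)."""
    def rpc(request):
        addr = request["params"][0].lower()
        return {"jsonrpc": "2.0", "id": request["id"],
                "result": code_by_address.get(addr, "0x")}
    return rpc

# Constructed sample data, not real addresses or bytecode.
MULTISIG = "0x" + "aa" * 20
EOA = "0x" + "bb" * 20
L1 = fake_chain({MULTISIG: "0x6080604052"})
L2_BEFORE = fake_chain({})                          # wallet not deployed
L2_AFTER = fake_chain({MULTISIG: "0x6080604052"})   # someone deployed it

if __name__ == "__main__":
    for label, addr, l2 in [("multisig, L2 empty", MULTISIG, L2_BEFORE),
                            ("multisig, L2 deployed", MULTISIG, L2_AFTER),
                            ("plain account", EOA, L2_BEFORE)]:
        print(label, "->", preflight(addr, L1, l2))
```

In real use the transport would post the request to an L1 and an L2 node; a `REVIEW` result still requires checking who controls the deployed contract.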
Wintermute’s CEO Evgeny Gaevoy wrote his own postmortem, in which he also sent a message to the hacker that’s both amicable and threatening, and gave the hacker a one-week grace period to return the tokens:
“We are open to see this as a white hat exploit. Moreover, the way the attack has been performed has been rather impressive and we can even consider consulting opportunities or other forms of cooperation in future. We are also content with the scenario where the remaining 19 million tokens are returned,” the message to the hacker read. “You have one week to consider being a whitehat. In case the above doesn’t happen, we are 100% committed to returning all the funds, tracking the person(s) responsible for the exploit, fully doxxing them and delivering them to the corresponding juridical system. Remember that robbers need to get lucky every time. Cops only have to get lucky once. This is not a 'code is law' theoretical argument. This is you taking a bag with cash that was left behind by a (careless) person. Us being careless still leaves you a criminal. We already started investigating the potential leads, in certain cases stopping short of informing respective law enforcement agencies. Consider your options and choose to be good and optimistic instead of living in fear.”
Gaevoy did not immediately respond to a request for comment via Twitter DM. A spokesperson for Optimism referred to the blog posts.
Whether the hacker decides to give up the remaining $15 million they stole, or return them in exchange for a vague offer of “consulting opportunities” remains to be seen. But it wouldn’t be the first time a hacker seemingly changes their mind after stealing crypto.
The most famous example of this happened in August of 2021, when a hacker stole around $600 million from the crypto platform Poly Network, and eventually returned all the funds after repeated pleas from the company, which called the hacker Mr. White Hat and even offered them a job as "Chief Security Advisor."
Cases like the one of the Poly Network, or the hack on Multichain, where the hacker returned most of the stolen money except for what they called “tips” for saving people’s money, are very different from cases where actual white hats save funds. There have been several cases where benevolent vigilantes or hackers have swooped in and taken cryptocurrency that was left exposed by a flaw and then returned it to the project.
Optimism has been going through some bad times lately. The project botched its token airdrop, sending the token’s value down more than 70 percent from its original value at the time.
Ultimately, the incident is a reminder that crypto is chock full of bad actors waiting for their moment to strike, and nobody is immune. “Ethereum is a 'dark forest'—whatever can be frontrun, will be frontrun. Move quickly on rescue operations, as you never know who is watching the chain,” the Optimism Foundation wrote in its blog.
Update: An earlier version of this story stated that Optimism was communicating with the hacker. In fact, the project’s liquidity provider, Wintermute, made the comments. This article has been amended and the headline updated. Motherboard regrets the error.