ID: wintermute-931
Date: June 5, 2022
Status: Verified
Incident Count: 2
Contributor: zerofriction.io
KYC: No
KYC By:
Audits: None
Audit By:
Loss Amount: 20,000,000
Recovered: 17,000,000
Rewards:
Currency: USD, OP

Wintermute is a leading global algorithmic market maker in digital assets, creating liquid and efficient markets on centralized and decentralized trading platforms and off-exchange. Optimism is a low-cost and lightning-fast Ethereum L2 blockchain.

The Wintermute team accidentally directed a loan of 20M OP tokens ($50 million USDC) from Optimism to an incorrect address: the address of its Gnosis Safe multisig on Ethereum mainnet, which did not yet exist as a contract on Optimism. Before Wintermute could deploy the Safe on L2 and move the tokens from it to Wintermute's wallet on Optimism, an attacker deployed a Safe at that same address on Optimism with different initialization parameters (their own owners), and so took ownership of the 20M OP.

Specifically, this was a replay attack: the attacker replayed the Gnosis Safe MasterCopy 1.1.1 deployment from Ethereum mainnet on Optimism, so that the Safe contracts existed at the same addresses on L2. The attacker then used the previously deployed contract 0xE7145dd6287AE53326347f3A6694fCf2954bcD8A to create Safe proxies in batches of 162, advancing the factory's nonce until the proxy at Wintermute's address was created. Because the 1.1.1 proxy factory creates proxies with CREATE, a proxy's address depends only on the factory address and its nonce, not on the initialization data, which is why the attacker could reach Wintermute's address while naming themselves as owner. The attacker then sold 1M OP for ETH, bridged the proceeds back to L1 via the Synapse and Hop bridges, and sent them through Tornado Cash on mainnet.

Approximately 1M OP had been sold for $1M USD as of June 8. 1M OP was sent to Vitalik Buterin on June 9. On June 10, the exploiter returned 17M OP to Optimism.


DISCLAIMER: While web3rekt has used its best efforts in aggregating and maintaining this database, this web site makes no representations or warranties with respect to the accuracy or completeness of the information and data herein, and specifically disclaims any implied warranties of merchantability or fitness for any particular purpose.

Under no circumstances shall web3rekt be liable for any loss of profit or funds, any regulatory or governmental penalties, any legal costs, or any other commercial and non-commercial damages, including but not limited to special, incidental, consequential, or other damages arising from any or all usage of the data and information derived from this database.