Single Bug that Triggered $370k DeFi hack: Opyn

by ImmuneBytes

Decentralized finance protocol Opyn was robbed of $370k in a double-spending attack. A security researcher's analysis explains that the double-spend was caused by an exploited smart contract bug, which allowed the attacker to freely drain USDC held inside Opyn's smart contracts. The Opyn team sprang into action after becoming aware of the issue on Tuesday afternoon, pulling liquidity from the decentralized exchange Uniswap to avoid further losses. To prevent more losses, the team also enlisted the help of a white-hat hacker known as "samczsun" to rescue a minimum of USDC 572,165 from the existing Opyn smart contracts, as mentioned in the tweet by Opyn on their Twitter page.

A detailed description of the Hack

In the oETH smart contract code, the attacker exploited a glaring bug: a flaw in its "exercise" feature. By calling this function with multiple ETH-based vaults at once, a single sum of ETH could be spent simultaneously across numerous vaults. The bug allowed them to "sell" a single batch of ETH more than once while exercising their oETH token rights. By abusing this, the attacker collected several USDC payouts for selling just one batch of ETH, and in this way the hacker took the money through the attack.
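The accounting flaw described above, as an added, simplified model written for this post (it is not Opyn's code; the strike price, vault sizes and the one-oETH-per-wei convention are constructed assumptions): an exercise call that loops over several vaults checks msg.value once per vault in the flawed version, so one ETH payment is credited against every vault, whereas the corrected version requires ETH for the whole batch before any payout.

```python
# Constructed model of the oETH exercise accounting bug; not Opyn's code.
ETH = 10**18                 # wei per ETH; the model treats 1 oETH wei as a put on 1 wei
STRIKE_USDC = 250 * 10**6    # constructed strike: 250 USDC per ETH, 6-decimal USDC

class Vault:
    """A put writer's vault holding USDC collateral (constructed, simplified)."""
    def __init__(self, collateral_usdc):
        self.collateral_usdc = collateral_usdc

def _settle(vault, sender, otokens, balances):
    """Burn the exerciser's oETH and release the matching USDC from one vault."""
    if balances.get(sender, 0) < otokens:
        raise ValueError("insufficient oETH")
    payout = otokens * STRIKE_USDC // ETH
    if vault.collateral_usdc < payout:
        raise ValueError("vault undercollateralised")
    balances[sender] -= otokens
    vault.collateral_usdc -= payout
    return payout

def exercise_vulnerable(sender, msg_value, otokens, vaults, balances):
    """Flawed pattern: msg.value is compared against each vault's requirement,
    so the same ETH payment satisfies every vault in the list."""
    paid = 0
    for vault in vaults:
        if msg_value != otokens:            # checked per vault, never consumed
            raise ValueError("incorrect ETH amount")
        paid += _settle(vault, sender, otokens, balances)
    return paid

def exercise_fixed(sender, msg_value, otokens, vaults, balances):
    """Corrected pattern: the ETH sent must cover the whole batch, checked
    before any state changes so a shortfall reverts the entire call."""
    if msg_value != otokens * len(vaults):
        raise ValueError("incorrect ETH amount")
    return sum(_settle(v, sender, otokens, balances) for v in vaults)

def reverts(fn, *args):
    """True if the call would revert (raise) in this model."""
    try:
        fn(*args)
    except ValueError:
        return True
    return False
```

With three vaults and one ETH sent, the flawed version pays out three times the strike value while the corrected version rejects the call.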

As soon as the company learned that a hack was in progress, it informed its users on social media. Also, since Opyn is decentralized, it could not simply be shut down.

Opyn quickly followed up with updates on the attack, disabling oETH trading and removing oETH token liquidity from Uniswap. They additionally worked directly with a white-hat hacker called "samczsun" to secure any remaining USDC on Opyn that was vulnerable to the attack. The white-hat rescue secured more than half a million dollars of USDC. They were able to recover $572,165 from the contract, but the attacker had been able to take money until that point, as stated by the team.

Here is an overview of the incident affecting ETH Put contracts. No other contracts are affected. ~371k USDC was lost. We worked with @samczsun to whitehack, securing ~439k USDC. Affected users, please see below. Full post-mortem coming in the next few days.

Update: Working with @samczsun we were able to whitehack an additional 132,995 USDC

More to know

The attack only affected Opyn's ETH put contracts; none of the other financial instruments were affected. The affected part of the code existed only in the oETH smart contract, and nowhere else. Here, you can see the tweet from the post-mortem analysis they did after the hack.

Opyn decided to boost its auditing efforts in response to the attack and to increase the rewards for its bug bounty program. The decision to reimburse users came alongside similar initiatives by bZx and Balancer, which also committed to honoring missing funds, including in cases such as Balancer where the hack was not an actual exploit of the protocol. Below is what Opyn tweeted on their official Twitter page regarding reimbursement.

For ETH put buyers, please ping on Discord to redeem your Put option for 20% above Deribit market price.

To all users, please do not create any new oETH put vaults or buy/sell oETH puts except through the process defined above with the Opyn team, tweeted on Aug 5.

Main Highlights of hack:

  • $572,165 was recovered, but $370,000 was lost in an Ethereum hack.
  • Compensation of 20% above Deribit market price was offered to those affected by this hack.
  • The help of a white-hat hacker was enlisted to secure the remaining funds.

Conclusion

The vulnerability of the DeFi space has been demonstrated by this hack. Opyn could have protected itself from this hack by periodically reviewing its security and testing practices.

So, you should have your smart contracts audited periodically and fix the bugs that are found.

Get in touch with us to secure your Smart Contract!
