An in-depth analysis of how 20 million $OP got stolen

I woke up this morning to the news of Optimism’s stolen 20 million OP governance tokens across major crypto news outlets, and to heated discussion of it among my friends and my readers. It’s no surprise that the panic spread this quickly - after all, Optimism had just finished a round of airdrops involving multiple interested parties, and it has been put on a pedestal as the most influential Layer 2 scaling solution.

Before getting into the details of the incident, let’s first talk about Optimism. In one sentence, it is a scaling solution for the Ethereum network. Blockchain scalability happens to be my strong suit, as it was my research specialization for my Master’s degree and I had a published SCI Q1 paper on the topic, so I feel comfortable sharing my perspective on it.

There are two approaches for Ethereum scalability improvements - Layer 1 solution and Layer 2 solution:

A Layer 1 solution directly changes the rules and mechanisms of the original Ethereum blockchain. By analogy, it’s like expanding a two-lane road into a four-lane one.

A Layer 2 solution, on the other hand, indirectly expands the scalability, using an external, parallel network to process computations and transactions off the Ethereum mainchain. In comparison, it’s like building a crossover on top of or a subway system under the surface of the same analogous two-lane road.

The way Optimism works is that it receives transaction data from Ethereum, processes it, and posts the results back to Ethereum. Because many transactions are rolled up into one single transaction, the blockchain transaction fee, or “gas fee”, that has to be paid comes down to that of only one transaction, largely reducing the fee and improving transaction speed.

Now, back to the incident. Optimism hired the crypto market maker Wintermute and sent it 20 million OP tokens in preparation for providing liquidity for the OP token upon its listing on centralized exchanges.

Wintermute is reputed to be a superstar among market makers thanks to its collaboration with a series of mainstream exchanges including Binance, Coinbase, Huobi and so on.

So why did the supposedly perfect team-up between Optimism and Wintermute, the two leading companies in their respective fields of scalability solutions and market making, end up with such a humongous loss through a loophole? Now is the time to introduce a third party - Gnosis Safe.

Gnosis Safe is a multi-signature wallet. To many of you, it may already be a familiar concept - in contrast to a conventional wallet, whose owner possesses all the rights as long as they hold the private key, a multi-signature wallet allows for customized management rules. For example, a multisig wallet can require more than one private key signature to authorize an asset transfer. Due to its relative security, corporations tend to use multisig wallets. Why do I say it is “relatively” secure? Well, the incident in question is related to it.

Alright, now that Optimism, Wintermute and Gnosis Safe are all introduced, it’s time to talk about what really happened that gave the hacker a chance.

One very important piece of background to understand is the difference between contract addresses and wallet addresses. A wallet address is, for example, your MetaMask address; it belongs to you and is used for actions such as transferring or receiving crypto assets. A contract address, which is created by deploying smart contract code, can implement more business logic, such as the multi-signature wallet, in addition to basic functions such as transferring and receiving funds, thanks to the smart contract behind it.

For wallet addresses, switching between EVM-compatible chains doesn’t change the wallet address or the ownership right to the wallet, i.e. the private key - only the network changes. Say you change the network from Ethereum to Polygon: your wallet still belongs to you.

However, a contract address is different - it is generated by first writing the smart contract and then selecting the chain to deploy it on. I previously wrote an article introducing the cross-chain project Gh0stlyGh0sts, in which I talked about how cross-chain was done. Gh0stlyGh0sts simply copied and pasted the same smart contract 7 times and deployed it on 7 different chains for chain-crossing. In order to cross anything from chain A to chain B, you have to deploy the same smart contracts on chain A and on chain B.

So far, you might have realized that if it is my personal wallet address, regardless of which EVM-compatible chain I’m on, it will always be my wallet. But for the smart contract address, I only own the smart contracts on the chains I deploy these smart contracts on.

Now let’s explore deploying a contract address on the Ethereum chain and see what it looks like on other chains. We can guess there will be two outcomes: either this address does not exist, or it does but no one claims it.

The following is the contract address of BAYC on the Ethereum chain. It all looks fine.

The following is the same contract address on Optimism - the address exists, but no creator was found, and there is no contract or transaction history, thus it is an unclaimed address.

We are close to uncovering the mystery, and here comes the exciting part: the following is a multi-signature address of Gnosis Safe created for Wintermute. Although it is called a “wallet address”, it actually is a smart contract address. Since it is deployed on Ethereum, it can only be used on Ethereum; if it is not deployed on Optimism, the same contract address on Optimism is an unclaimed address.

The following is the same address on Optimism, compared to Wintermute’s on Ethereum. You may wonder why this address does have a transaction history and a creator.

Don’t worry, let's look closely to see what happened to this address.

Its first transaction was a transfer of 1 OP from the 0x25 address, which is the multi-signature address generated by Gnosis Safe, and there were two separate transfers of 20 million more OP the day after.

As Optimism explained on its Twitter account, they sent Wintermute two test transactions and asked Wintermute to confirm receipt. Wintermute did confirm receiving 1 OP, since they saw 1 OP arrive at the address. Optimism then soon made the transfer of 20 million OP to the same address. However, Wintermute only realized afterwards that they wouldn't be able to access the tokens, because they hadn't deployed the smart contract on the chain, thus the address holding the transferred tokens didn't belong to them.

One might think that, now that the 20 million OP tokens have been transferred to a non-existent address, they would be locked up forever, since the address belongs neither to Wintermute nor to anyone else.

At this point, the cooperation between Optimism and Wintermute was already doomed to failure. Even if this hacker had never appeared, transferring assets to a non-existent address was already a serious oversight.

So now that this address doesn’t belong to anyone, how on earth can the hacker transfer the money later on? It will be a little bit more complicated from here, but please hang in there and keep reading.

Let's look back at Gh0stlyGh0sts. It bridged 7 chains and deployed 7 contracts, but the addresses of these 7 contracts are different, and no single address is valid on all 7 chains. This may sound tricky but don't worry, I will break it down.

First, I deployed a contract with an address of 123 on chain A. At this time, there was also a 123 address on chain B that did not belong to anyone.

Then I deployed a new contract on chain B, and its address was 456 instead of 123.

The address generated when a contract is deployed follows an algorithmic rule. It is not the case that, on different chains, the same contract code deployed by the same person results in the same address.

So let's guess how this hack was possibly performed. Either the hacker deployed a contract whose address was exactly the same as the unclaimed address Optimism transferred the money into, or the hacker used some method to directly hack into the EVM and transfer the assets in this unclaimed address away. The second scenario is impossible! If so, Vitalik will likely kneel down, bow, and salute him.

The first one is more likely, but as I said just now, the address generated after each contract deployment is different, which means "random", so how did this hacker’s address happen to be the same? We need to first understand how the hacker generated the same contract address.

All Gnosis Safe wallet contracts need to be deployed by the proxy factory contract, so if a hacker wants to generate a wallet contract with the corresponding address on Optimism, he needs to call the proxy factory on Optimism for deployment.

The hacker first needs to complete the deployment of the proxy factory contract itself, and this is where a replay attack comes in. A replay attack is a situation in which the attacker intercepts someone else's transaction data and sends it again intact to obtain some kind of profit. The definition of a replay attack from “What Is a Replay Attack?” is: “A replay attack occurs when a cybercriminal eavesdrops on secure network communication, intercepts it, and then fraudulently delays or resends it to misdirect the receiver into doing what the hacker wants.”

For example, if you go to a restaurant, you go to the front desk to order first, and then a receipt is printed for you. You take the receipt to the window and give it to the chef. After the chef gets the receipt, he serves your food and tears the receipt up. But if you find a receipt that someone else has already used, and at this restaurant the chef does not tear up receipts when he finishes serving, you can go to the window with someone else's receipt as a freeloader and get a free meal. What the restaurant suffers is a replay attack.

As for how to generate an identical address, we need to first understand the rules of contract address generation, which are clearly explained in the following official document from OpenZeppelin.

I will break it down and explain it in detail.

There are two generation rules: CREATE and CREATE2.

In CREATE, the contract address is generated from the sender’s address and a nonce.

CREATE2 is more complicated and takes more parameters.

If we take a look at the contract code of Gnosis Safe, we will see that it chooses the CREATE method.

To create a contract address on Optimism that is the same as the one on Ethereum, we just need to make sure that the two parameters, sender’s address and the nonce, are the same as the ones used in generating the valid address on Ethereum.

So the hacker first has to find the proxy factory contract on Ethereum, which is: 0x76E2cFc1F5Fa8F6a5b3fC4c8F4788F0116861F9B

Since this version of the contract was deployed with a transaction that does not use EIP-155 to prevent replay attacks - similar to the restaurant that does not tear up the receipt after a customer has ordered - the hacker is able to use the original transaction data to create the identical address.

When we look up the first transaction record of this contract, it shows that the contract was created 912 days ago.

When we check the details of that very first transaction, we find that the contract was created by the address 0x1a, with the original transaction data shown at the bottom.

Switching to the Optimism network, we can see that the proxy factory contract was also created by 0x1a, and the original transaction data is identical.

This explains how the hacker copied the original transaction data and redeployed the proxy factory contract on Optimism. In addition to the sender’s address, there is the second parameter, the nonce. The hacker keeps calling the proxy factory contract to create wallet contracts until the nonce eventually reaches the one used for the address that holds the 20 million OP tokens.

It can be seen that the hacker used the contract 0xe7145dd6287AE53326347f3A6694fCf2954bcD8A to call the contract that Gnosis Safe uses to create multi-signature wallets, and executed 64 transactions. What are these transactions for?

When we check the details of one of these transactions, we can see that it contains 162 executed events creating multi-signature wallets.

The hacker keeps creating contracts, increasing the value of nonce, to finally generate an address on Optimism that is the same as the one on Ethereum.
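To make the CREATE rule from the OpenZeppelin passage and the nonce walking described above concrete, here is an added example (my own code, not from the article, Gnosis Safe or Optimism) that derives a CREATE address from a sender and a nonce in pure Python, using a public test vector rather than any address from this incident. Because the chain id is not an input to the rule, the same factory address at the same nonce yields the same address on every EVM chain, which is exactly what a team should check before sending funds to a multisig address on a chain where it has not been deployed.

```python
# Added example (not from the article): Keccak-256 and the CREATE address rule in pure Python.
_MASK = (1 << 64) - 1
_RC = [0x1, 0x8082, 0x800000000000808A, 0x8000000080008000, 0x808B, 0x80000001,
       0x8000000080008081, 0x8000000000008009, 0x8A, 0x88, 0x80008009, 0x8000000A,
       0x8000808B, 0x800000000000008B, 0x8000000000008089, 0x8000000000008003,
       0x8000000000008002, 0x8000000000000080, 0x800A, 0x800000008000000A,
       0x8000000080008081, 0x8000000000008080, 0x80000001, 0x8000000080008008]
_ROT = [0, 1, 62, 28, 27, 36, 44, 6, 55, 20, 3, 10, 43, 25, 39,   # rho rotation offsets,
        41, 45, 15, 21, 8, 18, 2, 61, 56, 14]                     # lane index is x + 5*y
def _rotl(v, n):
    return ((v << n) | (v >> (64 - n))) & _MASK

def _keccak_f(st):                        # Keccak-f[1600] over 25 little-endian 64-bit lanes
    for rc in _RC:
        c = [st[x] ^ st[x + 5] ^ st[x + 10] ^ st[x + 15] ^ st[x + 20] for x in range(5)]
        d = [c[(x - 1) % 5] ^ _rotl(c[(x + 1) % 5], 1) for x in range(5)]
        st = [st[i] ^ d[i % 5] for i in range(25)]                    # theta
        b = [0] * 25
        for i in range(25):                                           # rho + pi
            x, y = i % 5, i // 5
            b[y + 5 * ((2 * x + 3 * y) % 5)] = _rotl(st[i], _ROT[i])
        st = [b[i] ^ (~b[(i + 1) % 5 + 5 * (i // 5)] & b[(i + 2) % 5 + 5 * (i // 5)])
              for i in range(25)]                                     # chi
        st[0] ^= rc                                                   # iota
    return st

def keccak256(data: bytes) -> bytes:      # original Keccak padding (0x01), not SHA-3's 0x06
    buf = bytearray(data) + b'\x01'
    buf += b'\x00' * (-len(buf) % 136)    # rate = (1600 - 2*256) / 8 = 136 bytes
    buf[-1] |= 0x80
    st = [0] * 25
    for off in range(0, len(buf), 136):
        for i in range(17):
            st[i] ^= int.from_bytes(buf[off + 8 * i:off + 8 * i + 8], 'little')
        st = _keccak_f(st)
    return b''.join(lane.to_bytes(8, 'little') for lane in st[:4])

def _rlp_uint(n: int) -> bytes:           # RLP of a minimal big-endian integer (0 -> 0x80)
    raw = n.to_bytes((n.bit_length() + 7) // 8, 'big')
    return raw if 0 < n < 0x80 else bytes([0x80 + len(raw)]) + raw

def create_address(sender: str, nonce: int) -> str:
    """CREATE rule: keccak256(rlp([sender, nonce]))[12:]. The chain id plays no part."""
    body = b'\x94' + bytes.fromhex(sender[2:]) + _rlp_uint(nonce)     # 0x94 = 20-byte string
    return '0x' + keccak256(bytes([0xc0 + len(body)]) + body)[12:].hex()

def find_nonce(sender: str, target: str, limit: int = 1000):
    """Nonce at which `sender` would create `target`, or None if it is not below `limit`."""
    return next((n for n in range(limit) if create_address(sender, n) == target.lower()), None)

# Public test vector (widely used in Ethereum library tests), not a sender from this incident.
SENDER = "0x6ac7ea33f8831ea9dcc53393aaa88b25a785dbf0"
```

`create_address(SENDER, 0)` gives 0xcd234a471b72ba2f1ccf0a70fcaba648a5eecd8d and nonce 1 gives 0x343c43a37d37dff08ae8c4a11544c718abb4fcf8, on any EVM chain.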

I went to great lengths to go through all these transactions one by one and finally found the address that stored 20 million OP tokens, 0x00a3da68f0f6a69cb067f09c3f7e741a01636cbc27a84c603b468f65271d415b.

When I found this address, I could imagine what the hacker felt at the moment.

This is the whole story behind the stolen Optimism tokens incident. It took effort to write this article, since it involves more extensive background knowledge than the previous ones.

How do I feel after finishing the article? First of all, I respect the hacker. As I said before in the previous Venus incident story, this kind of attack technique is absolutely not something that we ordinary people can perform - it requires technical skills, cognitive ability as well as a full load of luck to perform a successful attack.

For a small-probability event like the mistake Wintermute made to even happen, one would need a tremendous stroke of luck. Even if it does happen, one then needs sharp cognition to immediately understand and smell the opportunities behind it. And finally, supreme technical skills are required to successfully execute the cognitive decision and reap the profits.

So it is impressive that the hacker has this sophistication. However, hacking is by no means advocated, as it causes great damage to others’ legitimate interests.


Original link:


Translation: @Evan @Yue @YaruiP @Raven

Check: @YaruiP @Davion

Layout: @Coucou

