According to a blog post published today, a user report alerted the company to hackers who had exploited Opyn ETH Put contracts. The perpetrators walked away with more than $370,000.
The traders then chose USD Coin (USDC) as collateral, only to realize that the result was a double transfer. The attackers used this technique to effectively steal the collateral.
my smol brain
attackers used the exploit below on @opyn_
looks like they started with flashloans to buy oETH from uniswap to exercise
then they realized fuckit they should just mint oETH themselves
waiting for someone else to confirm and also do the bodycount
— 찌 G 跻 じ (@DegenSpartan) August 4, 2020
“This exploit allowed an attacker to ‘double exercise’ oTokens and steal the collateral posted by certain sellers of these puts,” the company said.
The team explained that they’ve removed liquidity from ETH Put pools on Uniswap “to prevent others from buying these oTokens.” They also removed the ability to purchase ETH Puts on the DeFi website.
Hey all, it seems like there has been an issue with some oTokens contracts. We are working hard on understanding this issue so we can help users as best we can. We have removed liquidity from Uniswap in the meantime. Would be best to not open new vaults at the moment.
— opyn (@opyn_) August 4, 2020
The team offered a 20% premium via Deribit for existing oToken holders to buy any ETH Put oTokens.
“This only applies to oTokens that were bought before today,” co-founder Alexis Gauba said on Discord (Opyn’s messaging platform). Opyn said that it’s taking serious measures in order to rebuild lost trust among its users.
The company is working with samczsun from Trail of Bits to develop a whitehat patch. This has helped to remove 439,170 USDC collateral from outstanding vaults. It continued:
“We are working on designing a plan to mitigate the impact on ETH put sellers.”
The exploit has not affected ETH Call, COMP Put, BAL Put, cToken Put, or aToken Put products, the team mentioned. Opyn will also reimburse “ETH put sellers in full” who were affected by the vulnerability.