Revealed today in a blog post, a user report had alerted the company to hackers who exploited Opyn ETH Put contracts. The perpetrators walked away with more than $370,000.
According to one DeFi investor who goes by the online moniker ‘Degen Spartan’ on Twitter, traders used flash loans to buy Ethereum Put oTokens (oETH) on Uniswap.
The traders then chose USD Coin (USDC) as collateral, only to realize that the result was a double transfer. The attackers used this technique to effectively steal the collateral.
“This exploit allowed an attacker to “double exercise” oTokens and steal the collateral posted by certain sellers of these puts,”
the company said.
The team explained that they’ve removed liquidity from ETH Put pools on Uniswap “to prevent others from buying these oTokens.” They also removed the ability to purchase ETH Puts on the DeFi website.
The team offered a 20% premium via Deribit for existing oToken holders to buy any ETH Put oTokens.
“This only applies to oTokens that were bought before today,”
co-founder Alexis Gauba said on Discord (Opyn’s messaging platform). Opyn said that it’s taking serious measures in order to rebuild lost trust among its users.
The company is working with samczsun from Trail of Bits to develop a whitehat patch. This has helped to remove 439,170 USDC collateral from outstanding vaults. It continued:
“We are working on designing a plan to mitigate the impact on ETH put sellers.”
The exploit has not affected ETH Call, COMP Put, BAL Put, cToken Put, or aToken Put products, the team mentioned. Opyn will also reimburse “ETH put sellers in full” who were affected by the vulnerability.