On Wednesday, layer-2 scaling solution, Optimism reportedly lost 20 million OP tokens to an exploitation. However, barely 48 hours after, the attacker has returned virtually all of the stolen OP tokens.
According to a Friday tweet from Optimism, the attacker has returned 17 million of the tokens, with a million more still being expected. Meanwhile, the attacker will get to keep 2 million OP tokens, as a bounty reward.
Optimism Shares Details
Optimism claims that the funds have been returned to an address it owns, in 17 separate transactions. But here’s how the entire situation started.
As part of its efforts towards achieving greater community involvement, Optimism launched the OP governance token in May. And shortly after, the layer-2 solution partnered with crypto market maker Wintermute, to access its liquidity services.
However, the worst soon happened when Wintermute mistakenly sent an Ethereum address to Optimism instead of an Optimism address. This was to receive the funds it loaned out to its partner.
The attacker wasted no time, and before Wintermute could get the funds back, the attacker had set up base at the receiving address. In short, all 20 million OP tokens sent by Optimism, went straight into his wallet.
Meanwhile, after the incident, Wintermute immediately released a statement claiming it would not take any legal action against the attacker. However, that promise would only hold, if the attacker returns the stolen funds within a week.
Indicating his interest in returning the stolen OP tokens, the attacker had earlier reached out to Vitalik Buterin — Ethereum co-founder, via an on-chain message. He asked Vitalik to help verify the return address and promised to return 18 million of the stolen tokens. He wrote in part:
“I only have 18M and this is what I can return. Stay Optimistic!”
Meanwhile, the attacker has already taken out 1 million OP for himself and sent another 1 million to Buterin, who is actively working to see the funds returned, per Optimism. At publication, blockchain data still shows that 1 million tokens, worth approximately $900,000, are still in the attacker’s wallet.