A few hours ago, the Opyn DeFi platform discovered a vulnerability in one of its ETH Put contracts, which enabled an attacker to make off with $371,000 worth of crypto assets.
The Ethereum-based decentralized insurance platform allows users to protect themselves against risks they face in decentralized finance markets. It operates an options protocol that lets DeFi users create put and call options.
In simple terms, a put option is a contract that gives an investor the right, but not the obligation, to sell an asset at a set price (the strike) on or before an expiry date, whereas a call option gives the investor the right, but not the obligation, to buy the asset at the strike price on or before expiry.
‘Double Exercise’ Attack
Opyn represents options as ‘oTokens’ (oETH in the case of ETH options). Here the attacker carried out a ‘double exercise’ against ETH puts to take the collateral that sellers of those puts had posted. Opyn posted an update explaining the breach.
“At the time of this post, we’ve found 371,260 USDC that has been stolen from these contracts, but this amount may change as our investigation continues.”
The attacker(s) reportedly started with flash loans, used the borrowed funds to buy oETH from Uniswap, and then exercised those puts against vaults whose sellers had posted an ERC20 token, USD Coin (USDC), as collateral. Exercising an ETH put means delivering ETH and receiving the strike price in USDC from the vault. The contract compared the ETH sent with the transaction against the amount owed for each vault separately, without reducing it as each vault was settled, so a single ETH payment could be counted against several vaults in one call. Each vault paid out its USDC collateral as if it had been paid in full, and the attacker walked away with the difference.
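The accounting flaw described above, as an added illustration that is not Opyn's code: a toy model in which each vault holds a put seller's USDC collateral and has issued some number of put oTokens, and exercising one oToken means delivering 1 ETH and receiving the strike price in USDC. The strike, the 1 ETH per oToken, the vault owners and the balances are all assumed. The vulnerable version compares the sent ETH to each vault's amount inside the loop; the corrected version is one possible fix that sums the ETH owed across all vaults and checks it once before any collateral moves.

```python
"""Toy model of a 'double exercise' accounting flaw in an ETH put contract.

Constructed illustration, not Opyn's code. Each vault holds USDC collateral
posted by a put seller and has issued some number of put oTokens. Exercising
one oToken delivers 1 ETH of underlying and pays the strike in USDC out of
the vault's collateral. Strike, sizes, names and balances are assumed.
"""
from dataclasses import dataclass

STRIKE_USDC = 200     # assumed strike: exercising 1 oToken pays out 200 USDC
ETH_PER_OTOKEN = 1    # assumed: 1 oToken is a put on 1 ETH


@dataclass
class Vault:
    owner: str
    collateral_usdc: int
    otokens_issued: int


def make_vaults():
    """Two put sellers, each with 200 USDC of collateral backing 1 oToken."""
    return [Vault("alice", 200, 1), Vault("bob", 200, 1)]


def _plan(otokens_to_exercise, vaults):
    """Split an exercise across the listed vaults, taking from each in turn."""
    plan, remaining = [], otokens_to_exercise
    for v in vaults:
        if remaining == 0:
            break
        n = min(remaining, v.otokens_issued)
        plan.append((v, n))
        remaining -= n
    if remaining != 0:
        raise ValueError("specified vaults have insufficient oTokens")
    return plan


def exercise_vulnerable(msg_value_eth, otokens_to_exercise, vaults):
    """Compares msg.value with each vault's underlying amount but never
    consumes it, so one ETH payment satisfies every vault in the list.
    Returns (usdc_received, eth_actually_paid)."""
    usdc_out = 0
    for v, n in _plan(otokens_to_exercise, vaults):
        amt_underlying = n * ETH_PER_OTOKEN
        # BUG: the same msg.value is checked per vault and never reduced
        if msg_value_eth != amt_underlying:
            raise ValueError("Incorrect msg.value")
        usdc_out += n * STRIKE_USDC
        v.collateral_usdc -= n * STRIKE_USDC
        v.otokens_issued -= n
    return usdc_out, msg_value_eth


def exercise_fixed(msg_value_eth, otokens_to_exercise, vaults):
    """One possible fix: total the underlying owed across all vaults and
    check msg.value once, before any collateral moves."""
    plan = _plan(otokens_to_exercise, vaults)
    eth_owed = sum(n * ETH_PER_OTOKEN for _, n in plan)
    if msg_value_eth != eth_owed:
        raise ValueError("Incorrect msg.value")
    usdc_out = 0
    for v, n in plan:
        usdc_out += n * STRIKE_USDC
        v.collateral_usdc -= n * STRIKE_USDC
        v.otokens_issued -= n
    return usdc_out, msg_value_eth


if __name__ == "__main__":
    # Attacker holds 2 oTokens, exercises 1 against each vault, sends 1 ETH.
    print(exercise_vulnerable(1, 2, make_vaults()))  # (400, 1): 400 USDC for 1 ETH
    try:
        exercise_fixed(1, 2, make_vaults())
    except ValueError as e:
        print("fixed contract reverts:", e)
    print(exercise_fixed(2, 2, make_vaults()))       # (400, 2): paid in full
```

The attacker's trick is in the split: exercising 2 oTokens against one vault would require 2 ETH even in the vulnerable version, but exercising 1 oToken against each of two vaults lets the single 1 ETH payment pass the per-vault check twice. The fixed version rejects that call and only accepts the full 2 ETH.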
Opyn worked with whitehat ‘samczsun’ [@samczsun] to secure a further 439k USDC of collateral from outstanding vaults. Because the contracts are permissionless, Opyn could not shut the platform down; instead it removed its liquidity from the ETH put pools on Uniswap so that others could not buy the affected oTokens, and removed the ability to buy ETH puts on its website.
In a more recent tweet, Opyn promised to reimburse the ETH put sellers affected by the attack.
Updates on today’s exploit: we have the utmost respect & empathy for our early users & want to do right by our community. We will be reimbursing ETH put sellers in full who were affected by the vulnerability. We will have more details re reimbursement process in the next 3 days
— opyn (@opyn_) August 5, 2020
Total value locked on the platform has plunged by 40% over the past 24 hours, according to DeFi Pulse, and currently stands at just over $1 million. Opyn has no native token.
The exploit is not the first this year, and it certainly will not be the last as the embryonic DeFi ecosystem continues to grow and evolve. Just a few days ago, a flash loan was used to net a tidy profit with no capital of the attacker's own at risk.