Trader Exploits Opyn ETH Put Options, Runs Off With $370k Collateral; Team Recovers Over $500k
Opyn, a decentralized finance platform, faced a hack in the early morning hours on Wednesday, 5 August 2020 PT, as hackers made away with about $370,000. The hackers exploited a bug in the code to double exercise the oETH (put options) and make away with part of the collateral on the platform.
Opyn’s security and development team has since been able to secure about $440,000 from the theft at the time of notice and an additional $133,000 secured through a whitehat hack.
Opyn oETH Put Options Hacked
The security of DeFi platforms is raising concerns after yet another project faced a hack due to a bug in the code. First noted on Twitter by DegenSpartan, the Opyn hack started at around 4.00 AM PT on Aug 5th, whereby the traders exploited the system by depositing ETH and using flash loans to buy oETH put contracts on Uniswap. The traders then selected an ERC20 token – USDC in this case – as the collateral to exercise the options in place.
Here is an overview of the incident affecting ETH Put contracts. No other contracts are affected. ~371k USDC was lost. We worked with @samczsun to whitehack, securing ~439k USDC. Affected users, please see below. Full post-mortem coming in next few days.https://t.co/ILNutAiqfU
— opyn (@opyn_) August 4, 2020
The oETH put options were supposed to be paid out in USDC on exercise. The traders, however, were able to withdraw their ETH, which was deposited as well as the USDC payout as part of the platform’s collateral – concluding the double exercise option – and making away with 371,260 USDC in profits.
However, given the decentralized properties of Opyn, the ‘admins’ cannot shut down the operations on the platform; hence they elected to withdraw all the collateral in their Uniswap oETH put contract. This reduces the ability of the hackers buying oETH put options to exploit the system further.
For those still holding the “at-risk” put options, Opyn will be ready to purchase them at a 20% markup price to the market price on Deribit. Complaints can be sent to their Discord group for further clarification.
The team has already recovered 439,170 USDC from the remaining collateral on Uniswap with a further 132,995 USDC recovered in the past few hours, the statement reads.
Opyn is further working with a smart contract auditing firm, OpenZepplin, to mitigate future risks on the platform and further understand the hacker’s exploits.
The statement by Opyn confirms no other call or put contracts are in danger except the oETH put contracts.