The hack on Opyn's Ethereum put options happened around 4:00 AM PT
The team secured 572,165 USDC from its contract, but the hacker still got away with 371,260 USDC
Opyn is decentralized, and the team cannot shut it down in the case of emergency
Opyn, a protocol offering options for ETH, DeFi tokens, as well as insurance on Compound deposits, was hacked. At least 371,260 USDC were lost because of the double-spend attack on its Ethereum put options.
Opyn Protocol Exploited
Only ETH put contracts were affected by the attack. The hacker used an exploit in Opyn protocol’s options tokens (oTokens) to steal collateral from users who sold these ETH puts.
Opyn responded to the exploit by removing the ability to buy corresponding oTokens and draining their own protocol’s smart contract to liquidate ETH puts, saving further collateral from exploitation. A total of 572,165 USDC was drained from the contract.
While security firm OpenZeppelin audited the contracts, the exploit was outside of the audit’s scope, Opyn team announced it would release more technical details on the exploit at a later date.
Response to the Hack
The team reacted responsibly to the attack, saying that it will implement measures to mitigate the impact for people who lost money in the hack. For those with saved collateral and ETH put oTokens still on hand, the team offered to buy the tokens with a 20% markup on Deribit to compensate them for damages.
Opyn’s generalized options protocol “Convexity” is fully decentralized, the team doesn’t control it and can’t shut it down, so there was a limited opportunity to deal with the aftermath of the hack. The project’s example shows that smart-contract development should be treated as hardware development: if you ship a smartphone with a defect, there’s little you can do if things go wrong.
Crypto Briefing reached out to the Opyn team and has yet to receive a comment on the incident.
Opyn is taking other measures to prevent future exploits. In its latest report, the team stated that it would review its internal security and testing practices while increasing its bug bounty rewards. Moreover, it will conduct additional audits besides those already scheduled with Open Zeppelin. Finally, the contracts will go through Echidna, a program for testing smart-contracts created by the well-established audit firm Trail of Bits.
The hack highlights the vulnerability of the DeFi space. Still, Opyn’s response to the incident is adequate and instills optimism about Opyn’s future despite the negative impact of the attack.