Today there was a new attack against decentralized finance (DeFi), this time to the detriment of Opyn, which confirmed the attack on Twitter.
Here is an overview of the incident affecting ETH Put contracts. No other contracts are affected. ~371k USDC was lost. We worked with @samczsun to whitehack, securing ~439k USDC. Affected users, please see below. Full post-mortem coming in next few days. https://t.co/ILNutAiqfU
— opyn (@opyn_) August 4, 2020
Before going into how the attack was perpetrated, let’s first explain what Opyn is. It’s a decentralized platform that allows users to secure their deposits in DeFi and operate with tokens that emulate the real ones, so that, in theory, they don’t risk losing their funds.
The platform uses a smart contract to generate oTokens, and each oToken emulates its corresponding real counterpart.
The vulnerability exploited in this attack is in the ETH contract, specifically the Opyn ETH Put contract; none of the other contracts are affected by this problem.
The loot of the latest DeFi attack against Opyn
The attack allowed as much as 370,000 USDC to be stolen, while more than half a million USDC was recovered by a whitehat, limiting the damage to the platform. Because the platform is decentralized, the team has no direct control over the funds, and the only thing that could be done was to remove the liquidity from the contract.
To incentivize oToken holders to use the platform again, the team is now offering a 20% surcharge over the Deribit price to accelerate the patch process that will follow with the help of Trail of Bits and the OpenZeppelin team.
The team notes that an audit was done by OpenZeppelin itself, but this type of vulnerability was not expected. Despite this, the team explained that, even though it is not obliged to, it will compensate all affected users.
Unfortunately, the protocol can’t be shut down, because when the team created the platform it chose to make it decentralized and permissionless.
Finally, in the statement, the team says that it will improve its techniques and will rely on several audits for support on the security side.
Once again this is an attack against a growing industry such as DeFi.
At the rate of one attack per month, cybercriminals are stealing millions in funds.