On-chain options protocol Opyn loses 370,000 US dollars to a contract vulnerability: the official account of the attack and its impact
Winkrypto
2020-08-05 02:41
Opyn Ethereum put option (ETH Put oToken) was attacked due to a smart contract vulnerability, and more than 370,000 USDC were stolen.

Editor's Note: This article comes from Chain News ChainNews (ID: chainnewscom), published with permission.

According to analysis by @udon_crypto, the contract affected by this attack is oETH. After using ETH to mint oETH, the hacker quickly exercised the option, and the Opyn contract not only paid out the USDC exercise value that was due but also "additionally returned" the ETH used to mint the corresponding oETH. Put simply, the hacker "doubled" the ETH assets through a simple operation.

The news spread quickly online. More than one user reported lost funds to the Opyn team, and these reports, together with the rapid spread of the incident on social media, drew the team's close attention. After nearly 6 hours of investigation, Opyn's official Medium account published an announcement of the hack at 6:50 Beijing time, reconstructing the attack in detail and setting out a series of responses. The full text is as follows:

All other Opyn contracts except the ETH put contract were not affected by this vulnerability. After the discovery of the vulnerability, the official Opyn team has taken a series of countermeasures to control the loss as much as possible, and promised to provide sufficient support and assistance to users who suffered losses due to the vulnerability.

What happened?

About 12 hours ago, the official team members received user feedback in Discord and found that someone was maliciously exploiting Opyn's ETH put option vulnerability for profit. The hacker stole the ETH mortgaged by some put option sellers when selling options through the "double exercise" of oToken. Although Opyn officially used the Convexity Protocol to recover 439,170 USDC from the security vault through a white hat hacker attack, it has been confirmed that 371,260 USDC have been stolen as of the time of publication.

In order to ensure the rights and interests of existing oToken holders, the team will purchase all ETH Put oTokens that have not been exercised when the vulnerability is exploited at a price 20% higher than the market price of Deribit options. (If you currently hold ETH Put oToken, please contact the Opyn team via Discord)

The team immediately worked with samczsun of Trail of Bits to develop a white hat patch that allowed Opyn to remove 439,170 USDC of collateral from outstanding vaults in order to safely provide collateral to put option sellers. If you still have funds in your vault, please contact us via Discord. This patch reduces the collateralization rate of existing put option contracts and allows the official team to perform self-liquidation, thereby ensuring that the collateral of the seller of the unexercised put option is safe within the address controlled by the Opyn team.

All other Opyn contracts except the ETH put contract are not affected by this vulnerability.

I am an oToken holder, what should I do?

If you currently own an ETH Call, COMP Put, BAL Put, cToken Put, or aToken Put, you do not need to take any action. The vulnerabilities exploited in this attack do not affect these contracts.

I am an oToken seller, what should I do?

If you have currently sold ETH put rights, please join the official Discord to get the most timely solution. At present, the authorities are formulating specific plans to minimize the impact of this incident on you.

Would it make sense to shut down Opyn once a vulnerability is discovered?

Officials cannot close the protocol. Opyn is permissionless and decentralized, and the official team cannot close or disable the Opyn contract. However, once a loophole is discovered, the official team will take active measures to minimize the loss of users. For example, through some means to prevent further attacks from happening and to ensure the safety of the collateral of users who may be affected as much as possible.

What steps will Opyn take in the future to prevent this from happening?

1) For any contract we release, it will be thoroughly tested internally. We will reorganize the process of internal testing to make it more robust;

2) All contracts will be verified through Trail of Bits' Echidna system;

3) We will continue to release only audited code and work with top auditing firms such as OpenZeppelin and Trail of Bits;

4) We will add bounty rewards to the existing bug bounty program.
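
The "double exercise" described in the announcement breaks a simple settlement rule: each oETH exercised must leave its ETH in the vaults and take out no more than the strike in USDC. The per-transaction check below is an added example, not Opyn's code or part of the announcement; the strike, amounts, account labels and transfer records are all constructed, and the model is a simplification of how a put is settled.

```python
from collections import namedtuple

# Constructed model and numbers for illustration; not Opyn's contract code.
STRIKE_USDC = 200                   # assumed USDC paid out per oETH exercised
UNDERLYING_WEI = 10**18             # assumed ETH (in wei) owed per oETH exercised
PROTOCOL, BURN = "vaults", "burn"   # hypothetical account labels
Transfer = namedtuple("Transfer", "tx asset src dst amount")

def check_exercises(transfers):
    """Map each violating tx to (excess USDC paid, ETH shortfall in wei)."""
    totals = {}
    for t in transfers:
        s = totals.setdefault(t.tx, {"eth_net": 0, "usdc_out": 0, "burned": 0})
        if t.asset == "ETH" and t.dst == PROTOCOL:
            s["eth_net"] += t.amount
        elif t.asset == "ETH" and t.src == PROTOCOL:
            s["eth_net"] -= t.amount      # ETH handed back cancels the payment
        elif t.asset == "USDC" and t.src == PROTOCOL:
            s["usdc_out"] += t.amount
        elif t.asset == "oETH" and t.dst == BURN:
            s["burned"] += t.amount
    violations = {}
    for tx, s in totals.items():
        excess_usdc = max(0, s["usdc_out"] - s["burned"] * STRIKE_USDC)
        eth_short = max(0, s["burned"] * UNDERLYING_WEI - s["eth_net"])
        if excess_usdc or eth_short:
            violations[tx] = (excess_usdc, eth_short)
    return violations

# Constructed traces: a normal exercise, one where USDC is paid and the ETH is
# handed back, and one where two oETH are settled against a single ETH payment.
SAMPLE = [
    Transfer("normal", "oETH", "alice", BURN, 1),
    Transfer("normal", "ETH", "alice", PROTOCOL, 10**18),
    Transfer("normal", "USDC", PROTOCOL, "alice", 200),
    Transfer("refund", "oETH", "mallory", BURN, 1),
    Transfer("refund", "ETH", "mallory", PROTOCOL, 10**18),
    Transfer("refund", "USDC", PROTOCOL, "mallory", 200),
    Transfer("refund", "ETH", PROTOCOL, "mallory", 10**18),
    Transfer("double", "oETH", "mallory", BURN, 2),
    Transfer("double", "ETH", "mallory", PROTOCOL, 10**18),
    Transfer("double", "USDC", PROTOCOL, "mallory", 400),
]

if __name__ == "__main__":
    for tx, (usdc, wei) in check_exercises(SAMPLE).items():
        print(f"{tx}: excess USDC {usdc}, ETH shortfall {wei} wei")
```

The same rule, written as a contract-level property, is the kind of invariant a property-based fuzzer is asked to break before release.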

Further reading:

When it was founded in 2019, Opyn first tried margin trading, then became an insurance platform in February 2020. Users can buy insurance on their Compound deposits to protect against the platform's technical and related financial risks. At the end of March 2020, Opyn launched its first batch of protective options for ETH holders. These oTokens are ETH put options with liquidity provided through Uniswap, so they can be regarded as insurance products for DeFi users. The Opyn platform was therefore not built for speculation.
