A little over a year after a hacker stole 120,000 ETH from the Wormhole bridge, whitehats managed to trap him in turn on the Oasis protocol. A look back at this impressive turnaround.
Wormhole hacker hacked
On February 2, 2022, the Wormhole bridge suffered a major hack that allowed a malicious entity to steal 120,000 ETH, worth $320 million at the time. This was not without consequences, because part of the synthetic ETH (wETH) on the Solana (SOL) blockchain was no longer backed. To prevent systemic risk, the investment fund Jump Crypto, which had invested in the protocol, replaced the stolen ETH.
From then on, heavy investigative work was launched to try to recover the stolen funds, and the recovery is reported to have taken place on February 21. Indeed, the hacker had decided to use the Oasis lending and borrowing application in order to put the ill-gotten funds to work there.
But a group of whitehats found a loophole in Oasis that would turn the situation to their advantage. The protocol also explains in a statement that it received an order from the High Court of England and Wales allowing the operation to proceed as it should. Said group of ethical hackers had actually approached the Oasis teams with a proof of concept on February 16:
A statement regarding the transactions from the oasis multisig on 21st Feb 2023 https://t.co/ua78BAAEj4
— Oasis.app 🌴 (@oasisdotapp) February 24, 2023
The course of the operation
The Wormhole hacker was therefore hacked in turn. The operation that allowed the recovery of the funds, very complex from a technical point of view, has been commented on in detail by our colleagues at Blockworks, and we will try to simplify it as much as possible to make it understandable.
The hacker had opened a position on Oasis in order to borrow $78 million of DAI, collateralized by the stolen funds, which by then were held as wstETH. To protect his position, he added an automated stop-loss, and this is where the Oasis protocol had a flaw that could be exploited.
Indeed, the whitehats realized that enabling such automation gave a smart contract controlled by the Oasis multisig address access to these funds. The whitehats were then added as co-signers of that multisig wallet for the duration of their operation.
After a series of transactions, the group then managed to move the funds to an address controlled "by an authorized third party", as required by the court.
For its part, Oasis wanted to reassure users:
"What happened on February 21, 2023 was only possible due to a previously unknown vulnerability in the design of multisig administrator access. [...] It should be noted that at no time in the past or present have user assets been at risk of access by an unauthorized party."
While this operation was legitimate and should be welcomed, it nevertheless raises questions about the true decentralization of decentralized finance (DeFi), and shows that any funds are at risk from the moment they are deposited on a protocol.
Sources: Blockworks, Oasis