On Aug 4th, 2020, the decentralized finance (DeFi) platform Opyn was hacked, resulting in the theft of over $370,000 in user funds.
The hackers exploited a flaw in the Opyn ETH Put contracts. Opyn is a protocol that offers investors ETH options and DeFi tokens as well as Compound deposits.
One of the first people to detect the hack stated in a tweet that the attackers used flash loans to buy ETH Put oTokens (oETH) from Uniswap.
They then reportedly chose USD Coin (USDC) as collateral and exercised the trading option. The result was a double transfer, which saw the attackers receive both their original ETH deposits and USDC options.
Opyn reacted to the exploit by disabling the ability to procure oTokens and trade their smart contract portfolios. This move helped to liquidate ETH Puts, thus protecting any further collateral from exploitation.
Since the hack took place, the Opyn team has removed 439,170 USDC collateral from outstanding vaults to provide collateral to Put sellers safely. They have also removed liquidity from Opyn ETH pools on the token exchange platform Uniswap.
Opyn Offers to Buy oTokens Above Market Price
The Opyn team reacted swiftly to the attack, promising full reimbursement for ETH Put oToken sellers who lost money in the hack. They also offered to buy oTokens with a 20% markup on the Deribit options exchange to compensate token purchasers for damages.
Opyn’s general options protocol “Convexity” is fully decentralized, and thus the team behind the DeFi platform doesn’t control it and can’t shut it down in the event of a hack.
While security firm OpenZeppelin audited the affected contracts, the exploit was outside of their scope, so the Opyn team has decided to release more technical data about the incident at a later date.
That said, the DeFi platform is taking further measures to prevent future exploits. In its latest report, the team promised to review its internal security and testing practices while increasing its bug bounty rewards.
Moreover, the Opyn dev team will conduct additional audits besides those already scheduled with OpenZeppelin and start examining all future contracts via Echidna, an advanced program for testing smart contracts.
Uniswap Vulnerabilities Exposed
Ethereum-based platform Uniswap, a widely used non-custodial crypto token exchange, has managed to maintain its dominance in the decentralized exchange (DEX) sector. Uniswap has more than 2,800 virtual asset markets supported on the platform.
However, Opyn’s exploit highlighted the numerous vulnerabilities that exist on the permissionless, non-custodial exchange – which may be attributed to its open listing policy.
Since the DeFi explosion commenced, crypto community members have warned users that scam tokens have increasingly targeted common DeFi protocols such as Curve Finance, dYdX, and 1inchExchange.
For instance, Defiprime recently noted that there’s a scam token called “DYDX” that claims to be associated with the dYdX protocol, but that project does not have an official token of its own.