Opyn ETH Put Exploit

Opyn, Aug 4, 2020

An exploit affecting the Opyn ETH Put contracts has been discovered. No Opyn contracts other than the ETH Put contracts are affected by this exploit. Since then, we have taken steps to mitigate further loss and will work to assist those who were affected.

What happened?

This morning, at approximately 4:00 AM PT, we became aware of an exploit on the Opyn ETH Put contracts via a user report in our Discord chat. This exploit allowed an attacker to “double exercise” oTokens and steal the collateral posted by certain sellers of these puts. At the time of this post, we’ve found 371,260 USDC that has been stolen from these contracts, but this amount may change as our investigation continues. 439,170 USDC from outstanding vaults was successfully recovered by a white hat hack that the Opyn team conducted on the Convexity Protocol to mitigate further loss. (Update: Working with samczsun we were able to whitehack an additional 132,995 USDC.)

Because Opyn is a permissionless and decentralized protocol, we do not have the ability to shut off access to our contracts as many other protocols do. To mitigate further loss, we removed liquidity from our ETH Put pools on Uniswap to prevent others from buying these oTokens and removed the ability to buy ETH Puts on the opyn.co website. In order to ensure liquidity for existing oToken holders, we also offered and continue to offer to purchase all ETH Put oTokens that were outstanding at the time of the exploit for 20% above market price on Deribit. (If you currently hold an ETH Put, please reach out to the Opyn team on our Discord to redeem your Put option for 20% above market price on Deribit.)

Once these measures were taken, we worked immediately with samczsun from Trail of Bits to develop a whitehat patch which allowed Opyn to remove 439,170 USDC collateral from outstanding vaults in order to safely provide collateral to Put sellers. (Update: Working with samczsun we were able to whitehack an additional 132,995 USDC.) We also engaged with Alejo Salles and Andres Bachfischer of the OpenZeppelin team to understand the details of the attack and develop mitigation strategies. If you still have funds in your vault, please reach out to us on Discord. The patch lowered the collateralization ratio on existing Put contracts and allowed us to liquidate them ourselves, making sure that outstanding Put sellers’ collateral is safe in an address that is controlled by the Opyn team. We are working on designing a plan to mitigate the impact on ETH put sellers.

No Opyn contracts other than the ETH Put contracts are affected by this exploit.

To our users, we understand that many users lost funds, which is not acceptable. Protecting user funds has always been our top priority, and we did not properly protect user funds in this case. We will continue to work tirelessly to regain your trust, and to ensure that our contracts have an extremely high standard for security. We will be doing an internal review of our security and testing practices going forward, submit further contracts to audit in addition to our existing OpenZeppelin audits, and design a plan to mitigate the impact on put sellers. Please note that the exploited vulnerability was discovered outside the scope of the OpenZeppelin audit. A deeper technical post-mortem will be posted in the coming days.

I am an oToken holder. What should I do?

If you currently hold an ETH Call, COMP Put, BAL Put, cToken Put, or aToken Put, no action needs to be taken. This exploit leaves those products unaffected.

If you currently hold an ETH Put, please reach out to the Opyn team on our Discord to redeem your Put option for 20% above market price on Deribit.

Update: In order to give liquidity to our oETH put users, for the next two weeks, we will buy your ETH put options for 20% above Deribit best ask price. Additionally, in the case that any unsold oETH puts end up in the money before expiry, you will be able to exercise by sending us a message on Discord.

I am an oToken seller. What should I do?

If you sold an ETH Call, COMP Put, BAL Put, or cToken Put, no action needs to be taken. Your funds are not at risk.

If you sold an ETH Put, please join our Discord for further updates. We are working on a plan to mitigate impact for ETH Put sellers.

Update #1: We will be reimbursing ETH put sellers in full who were affected by the vulnerability. We will have more details on what the reimbursement process will look like in the next 3 days and will post updates on Discord.

Update #2: Details on the reimbursement process can be found here.

Update #3: All ETH put sellers have been reimbursed in full.

Would it have made sense to turn Opyn off once the exploit was discovered?

In short, we can’t turn the protocol off. Opyn is permissionless and decentralized by design, and Opyn contracts are not able to be turned off or disabled. We took action as aggressively as possible to minimize further damage once the exploit was discovered. This included buying additional Put oTokens to prevent further attacks, removing the ability for Put oTokens to be sold, as well as liquidating existing Put sellers to ensure that their collateral was safe.

What will Opyn do in the future to prevent this from happening?

The security of the Opyn protocol has always been and continues to be our highest priority. We have let our users down and will work tirelessly to rebuild your trust. We are taking the following steps:

1) Any set of contracts we release will be thoroughly tested internally. We will revisit our internal testing practices to make them even more robust.

2) All contracts will go through verification with Trail of Bits’ Echidna system.

3) We will continue to only release audited code and work with top auditing firms such as OpenZeppelin and Trail of Bits.

4) We will increase bug bounty rewards for our existing Bug Bounty Program.

Expect further details on how we’re working to improve security practices soon.

Please let us know if you have any additional feedback or questions. Our priority is to be there for our users. You can reach us on Discord and feel free to DM us.

We really appreciate the DeFi community’s support and everyone who has reached out as we’ve been navigating this incident. Special thanks to samczsun, Tom Schmidt, Jared Flatow, Taylor Monahan, Alejo Salles, Josselin Feist, Haseeb Qureshi, Andres Bachfischer, Martin Abbatemarco, Geoff Hayes.
