Opyn is a protocol that offers options on DeFi tokens and Ether (ETH), as well as an insurance service for Compound deposits. The Opyn protocol was hacked, with at least 371,260 USDC lost to a double-spend attack. The attack targeted its Ethereum put options.
Exploiting To Steal Collateral
The hack affected only the ETH put contracts. In brief, the attacker discovered and used an exploit in the Opyn protocol's options tokens (oTokens), and through it stole collateral from users who had sold ETH puts.
In direct response, Opyn removed the ability to buy the corresponding oTokens. Opyn also drained its own protocol's smart contract that liquidates ETH puts, which prevented further collateral from being exploited in the same way. As it stands now, a total of 572,165 USDC was drained from the contract.
An Unexpected Avenue
OpenZeppelin, a security firm, had audited the contracts. However, the exploit the hacker used was outside the scope of that audit. Opyn issued a public statement on the matter, promising a more technical explanation of the exploit at a later date.
The team has responded quickly to the attack. Opyn explained that it would implement measures to mitigate the impact on those who lost money in the attack. Opyn has also offered to buy saved collateral and the ETH put oTokens that some users still hold, at a 20% markup, on the Deribit exchange, in a bid to compensate the victims for their financial losses.
Complications And Solutions
Opyn's generalized options protocol, dubbed “Convexity,” is fully decentralized, so the Opyn team cannot control it or shut it down. This limits its ability to handle the aftermath of the hack compared with what a centralized structure could do. The project's own analogy is that developing smart contracts should be treated like developing hardware: if you ship a smartphone with a hardware defect, there is little you can do to remove the defect afterwards.
Measures to prevent future exploits have been put in place as well. In its report, the Opyn team explained that it would start by reviewing its internal security and testing practices. It will also increase its bug bounty rewards and commission more audits, increasing the total number of audits OpenZeppelin performs. In addition, all smart contracts will now be run through Echidna, a smart-contract fuzzing tool created by Trail of Bits, a well-established auditing firm.