- The Opyn DeFi platform has been hacked for 371,260 USDC tokens
- The hacker exploited Ethereum Put contracts and stole collateral posted by users
- Opyn has said it will refund all affected users
Opyn, a DeFi protocol offering options for DeFi tokens, Compound insurance, and Ethereum puts, has been hacked, with over 371,260 USDC stolen. According to a blog post published by Opyn, the issue was down to an exploit in Ethereum Put contracts that allowed the hacker to “double exercise” the Opyn token, oToken, and make off with the collateral put up by some users. Opyn were able to stop the breach fairly quickly, but not before the hacker had got away with the large sum of user tokens.
Here is an overview of the incident affecting ETH Put contracts. No other contracts are affected. ~371k USDC was lost. We worked with @samczsun to whitehack, securing ~439k USDC. Affected users, please see below. Full post-mortem coming in next few days. https://t.co/ILNutAiqfU
— opyn (@opyn_) August 4, 2020
Swift Action Saves Opyn Further Loss
Opyn says that it first learned of the exploit when a user posted about it in its Discord group and quickly took steps to mitigate the loss, removing the ability for users to buy oTokens and draining their own smart contracts. This liquidated existing ETH puts but saved further collateral from being lost. In total Opyn managed to white hack 572,165 USDC tokens, leaving the loss at $371,260.
Opyn’s fast response to the issue, including their offer to make all affected users whole by purchasing USDC tokens back from other exchanges at a 20% premium, should restore faith that the project cares about its customer base. Opyn has said that in future all contracts will be “thoroughly internally tested” and will go through external verifications, and that it will increase the bug bounty to spot issues before they arise.
Hack Highlights Issues With Permissionless Protocols
The Opyn hack highlights once again the dangers of the permissionless and decentralized protocols used by DeFi projects. When everything goes right, smart contracts allow for quick and cheap transactions, but when things go wrong there is no centralized entity to quickly put the brakes on. This leaves companies in the situation Opyn found themselves in, having to hack themselves and shift funds in order to protect user balances.
If DeFi companies are intent on pursuing 100% decentralized protocols, then there will always be a cat-and-mouse game with hackers, leaving the threat of total fund loss hanging over those engaging with the space.