DeFi platform Opyn loses $371K after exploit

It has been revealed that 371,260 USDC was lost during the August 4 exploit of the DeFi protocol Opyn. According to the official announcement from the Opyn team, a “double exercise” attack took place.

During the attack, the attacker was able to exploit the platform in a way that allowed them to receive ETH put option contract collateral as well as the ETH put option contract settlement money—when they really should have only had access to the settlement money. This is the sixth DeFi protocol exploit to take place since the beginning of this year. In total, the six exploits have resulted in the loss of over $31 million dollars.

How it happened

What’s interesting about every DeFi exploit that has taken place this year is that none of them involved a hack or a breach of a database. According to an analysis of the Opyn exploit by the blockchain analytics firm PeckShield, the attacker was able to exploit Opyn because they had a strong understanding of the protocol and the functions that could be used to interact with the protocol.

“This hack was done by calling exercise() with more than two vaults with ETH as the underlying assets. Since the implementation treats the same batch of ETH received as multiple batches of ETH receptions, the hacker re-uses that batch of ETH to retrieve the collateral USDC and make profits.”

In its notice, Opyn confirmed that “439,170 USDC from outstanding vaults was successfully recovered by a white hat hack that the Opyn team conducted on the Convexity Protocol to mitigate further loss… [and by] working with [Twitter user] @samczsun, we were able to whitehack an additional 132,995 USDC.”

Here is an overview of the incident affecting ETH Put contracts. No other contracts are affected. ~371k USDC was lost. We worked with @samczsun to whitehack, securing ~439k USDC. Affected users, please see below. Full post-mortem coming in next few days.https://t.co/ILNutAiqfU

— opyn² – Now Hiring (@opyn_) August 4, 2020

At the moment, it is unclear how the open team was able to recover a total of 572,165 USDC when only 371,260 USDC was exploited during the hack. When CoinGeek reached out to the Opyn team for more insight, we did not hear back at press time.