Wormhole hack: ETH 120,000 thief gets hacked in turn

by Tim

A little over a year after a hacker stole 120,000 ETH on the Wormhole bridge, whitehats have managed to trap him in turn on the Oasis protocol. A look back at this impressive turn of events.

Wormhole hacker hacked

On February 2, 2022, Wormhole’s bridge suffered an impressive hack that allowed a malicious entity to steal 120,000 ETH, worth $320 million at the time. This was not without consequences, as some of the synthetic ETH (wETH) on the Solana blockchain (SOL) was no longer backed. To prevent a systemic risk, the investment fund Jump Crypto, which had invested in the protocol, replaced the stolen ETH.

A major investigative effort was then launched to try and recover the stolen funds, and this feat is said to have taken place on 21 February. Indeed, the hacker decided to use the Oasis lending and borrowing application, in order to put the ill-gotten funds to work.

But a group of whitehats found a loophole in Oasis that would allow them to turn the situation to their advantage. The protocol explains in a press release that it received an order from the High Court of England and Wales to allow the operation to proceed as it should. The group of ethical hackers had approached the Oasis teams with a proof of concept on 16 February.

The operation

The Wormhole hacker was hacked in turn. The operation that allowed the recovery of the funds is very complex from a technical point of view. It has been covered in detail by our colleagues at Blockworks, and we will try to simplify it as much as possible to make it understandable.

The hacker opened a position on Oasis in order to borrow $78 million in DAI, secured by the funds he had stolen, by then held in the form of wstETH. To secure his trade, he added an automated stop-loss, and this is where the Oasis protocol had a flaw that could be exploited.

The whitehats realised that enabling this automation gave a smart contract controlled by the Oasis multi-sig address access to these funds. The whitehats were then added as co-signers of that multi-sig wallet for the duration of their operation.

After much manipulation, the group then managed to move the funds to an address controlled by an ‘authorised third party’, as required by the court.

For its part, Oasis was keen to reassure users:

“This is a very important issue for us.
What happened on 21 February 2023 was only possible because of a previously unknown vulnerability in the design of the multi-sig administrator access. […] It should be noted that at no time, past or present, were user assets at risk of access by an unauthorised party.”

While this operation was legitimate and should be welcomed, it may nevertheless raise questions about the true decentralisation of DeFi, and it shows that any funds are at risk as soon as they are deposited on a protocol.