Optimism is one of the most promising solutions to the pending problem of Ethereum scalability. Its protocol allows so-called optimistic roll-ups that scale on a second layer by bundling transactions and passing on mere receipts rather than waiting for confirmations on the blockchain. Given the growth of the Ethereum DeFi ecosystem Optimism is just what is needed to finally scale and lay out the foundation for mass adoption.
Optimism had to face a lot of struggles in the past weeks and part of it has been resolved. Why did the team lose 20 million OP tokens and how were they returned?
20 million tokens got lost
On June 9th the developers made an expensive mistake by sending 20 million OP tokens to the wrong address. At that time the stake that was lost was worth around $35 million. Combined with an exploit that was possible due to the smart contract of the liquidity provider Wintermute made it possible for an attacker to snatch all the tokens.
The first thing the attacker did was to sell 1 million OP on the secondary market in return for Ether. He eventually decided to keep the rest of it. It was last Friday when the Optimism team announced via Twitter that the attacker had sent 17 million OP tokens back to the Optimism Foundation in 17 transactions, each batch worth 1 million OP.
Before he did send the amount he was doing a transaction prior with Vitalik Buterin by sending him 1 million OP and demanding to verify that the target address was indeed affiliated with the Optimism Foundation.
Is this a happy ending?
The attacker kept 1 million OP tokens for himself and kept the Ether that he made when selling 1 million OP prior to returning the funds. According to the Optimism team, Wintermute agreed to reimburse the missing 2 million OP tokens.
While the market took another hit the value of the Optimism token decreased further. Even though it seems to be the only way to resolve the situation and return the missing funds, there is still a controversy about whether it is wrong to reward a hacker rather than go after him.
On the other hand, there wouldn’t have been an exploit in the first place if only the team members wouldn’t have sent the tokens to the wrong address. At the end of the day, the team got lucky. There is more than one example in the history of crypto where the attacker chose to keep all the funds even when it was clear that he might never be able to spend the money.