Jump Crypto and Oasis.app ‘counter exploits’ Wormhole hacker for $225M
Web3 infrastructure firm Jump Crypto and decentralized finance (DeFi) platform Oasis.app have performed a “counter-exploit” on the Wormhole protocol hacker, in which the duo recovered $225 million worth of digital assets and transferred them to a secure wallet.
The Wormhole attack occurred in February 2022, with roughly $321 million worth of wrapped ETH (wETH) exploited via a vulnerability in the protocol’s token bridge.
The hacker has since moved the stolen funds through various Ethereum-based decentralized applications (DApps), such as Oasis, which recently opened up wrapped stETH (wstETH) and Rocket Pool ETH (rETH) vaults.
In a February 24 blog post, the Oasis.app team confirmed that a counter-exploit had taken place, stating that it had “received an order from the High Court of England and Wales” to retrieve certain assets related to “the address associated with the wormhole exploit.”
The team stated that the retrieval was initiated via “Oasis Multisig and a legally authorized third party,” which was identified as Jump Crypto in an earlier report by Blockworks Research.
Both vaults’ transaction history indicates that Oasis moved 120,695 wstETH and 3,213 rETH on February 21 and placed them in wallets under Jump Crypto’s control. The hacker also owed about $78 million in MakerDAO’s Dai (DAI) stablecoin, which was retrieved.
“We can also confirm that the assets were immediately transferred to a wallet controlled by the authorized third party, as required by the court order. We retain no control or access to these assets,” the blog post said.
Addressing the negative implications of Oasis being able to retrieve crypto assets from user vaults, the team emphasized that it was “only possible due to a previously unknown vulnerability in the design of the admin multisig access.”
The post stated that such a vulnerability was highlighted by white hat hackers earlier this month.
“We emphasize that this access was there solely for the purpose of protecting user assets in the event of a potential attack, and would have enabled us to move quickly to remediate any vulnerabilities disclosed to us. It should be noted that at no time, past or present, has it been in danger of being accessed by any unauthorized parties.”