In a somewhat unusual development for the crypto world, the High Court of England and Wales ordered DeFi platform Oasis to “take all necessary steps” in order to retrieve assets associated with last year’s Wormhole token bridge hack from an Oasis.app vault.
According to a research article by Blockworks, this entailed a coordinated action between Oasis and Wormhole developer Jump Crypto, exploiting a vulnerability in the admin multisig access. The potential attack vector was identified last month by a white hat hacking group, who immediately reached out to Oasis with the find.
Following the recovery action, 120,695 wstETH and 3,213 rETH were moved into wallets assumed to be under the control of Jump Crypto. As Oasis confirmed, “the assets were immediately passed onto a wallet controlled by the authorized third party, as required by the court order.”
In February 2022 the Wormhole platform experienced a security exploit on its token bridge between the Ethereum and Solana blockchains, resulting in the removal of around 120,000 wETH. Wormhole offered the hacker a $10 million bug bounty and white hat agreement for the return of the funds, but this was not taken up and ultimately the ETH was replaced by Jump Crypto.
The hacker has moved the stolen tokens through multiple Ethereum DApps over the past year, most recently opening two Oasis.app vaults earlier this year. The vaults were used to borrow $78 million of DAI and, unfortunately for the hacker, also used Oasis’ automation services, which left them vulnerable to the counterattack.
Importantly, the Oasis automation contracts use an upgradeable proxy pattern, which means that the logic can be changed by the contract owner at any time. The contract owner in this case is a 4 of 12 multisig controlled by Oasis.
In order to exploit the vulnerability identified by the white hat group, Oasis added an additional wallet address, thought to be controlled by either Oasis or Jump Crypto, to the multisig. This address then used these privileges to deploy two new contracts, closing the hacker’s vault, and migrating its positions to a new vault.
It then paid down the $78 million DAI debt, and withdrew the collateral to a further address assumed to be under Jump Crypto’s control, before being removed from the Oasis multisig. The whole process took under two hours, with the counter-exploiting wallet being an eligible signer for just 1 hour and 53 minutes.
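The sequence described above (a signer added to the admin multisig, privileged actions taken, the signer removed within two hours) is something users of an upgradeable protocol can watch for. The following is an added example, not code from Oasis, Jump Crypto or Blockworks; the event kinds, addresses and timestamps are constructed placeholders, and it assumes on-chain events have already been decoded into these three hypothetical kinds.

```python
from datetime import datetime, timedelta

# Constructed governance timeline for an admin multisig: (timestamp, kind, signer).
# Kinds, addresses and times are illustrative placeholders, not on-chain data.
EVENTS = [
    ("2023-01-10T09:00:00", "signer_added",   "0xLONGTERM"),
    ("2023-01-15T12:00:00", "admin_call",     "0xLONGTERM"),
    ("2023-02-01T14:00:00", "signer_added",   "0xTEMP"),
    ("2023-02-01T14:40:00", "admin_call",     "0xTEMP"),
    ("2023-02-01T15:10:00", "admin_call",     "0xTEMP"),
    ("2023-02-01T15:53:00", "signer_removed", "0xTEMP"),
]

def review_signers(events, fresh=timedelta(hours=24)):
    """Return alerts as (rule, signer, elapsed) tuples.

    fresh_signer_admin_call: privileged call by a signer added less than
        `fresh` ago (fires while the signer is still active).
    short_tenure: signer removed less than `fresh` after being added.
    non_signer_admin_call: privileged call from an address with no
        recorded signer_added event (gap in the monitored history).
    """
    added, alerts = {}, []
    for ts, kind, signer in sorted(events):      # ISO timestamps sort in time order
        when = datetime.fromisoformat(ts)
        if kind == "signer_added":
            added[signer] = when
        elif kind == "admin_call":
            if signer not in added:
                alerts.append(("non_signer_admin_call", signer, None))
            elif when - added[signer] < fresh:
                alerts.append(("fresh_signer_admin_call", signer, when - added[signer]))
        elif kind == "signer_removed" and signer in added:
            tenure = when - added.pop(signer)
            if tenure < fresh:
                alerts.append(("short_tenure", signer, tenure))
    return alerts

if __name__ == "__main__":
    for rule, signer, elapsed in review_signers(EVENTS):
        print(f"{rule:26} {signer:12} {elapsed}")
```

The first rule is the one that matters operationally, since it fires on the privileged call itself rather than after the temporary signer has already been removed.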
While hackers are an eternal blight on the crypto industry, and the recovery of stolen funds should always be applauded, the mechanics of this counter-hack will perhaps not be celebrated by everyone in the space. The driving ethos of crypto is one of self-sovereignty, and it could be argued that Oasis shouldn’t have been able to intervene.
In its blog post regarding the action Oasis seems to trip over itself, assuring readers that the counter exploit “was only possible due to a previously unknown vulnerability in the design of the admin multisig access,” before immediately going on to stress that, “this access was there with the sole intention to protect user assets in the event of any potential attack.”
So was it an unknown vulnerability, or did it work as designed to protect user assets? What if the court order to seize funds had come from a rogue state such as North Korea? The whole incident raises many questions, and while not as controversial as the infamous Ethereum fork following the $60 million DAO hack, is sure to generate forum chatter which will be interesting to observe.