Counter-hack could open a whole new can of worms
Web3 infrastructure firm Jump Crypto and decentralized finance (DeFi) platform Oasis Network have recovered about $225 million by counter-hacking the Wormhole hacker.
February 2022’s Wormhole attack was one of the biggest thefts ever. The hacker exploited a vulnerability in the Wormhole token bridge to make off with 120,000 Ether (ETH), worth about $325 million at the time.
It has now emerged that the exploiter was continuously moving the stolen funds through various Ethereum applications, such as Oasis. In the first two months of 2023, they created two vaults on Oasis in order to build a levered long position on two ETH staking derivatives, namely Wrapped Staked ETH (wstETH) and Rocket Pool ETH (rETH).
By February 16, the two vaults had drawn a total of $78 million in debt in MakerDAO’s DAI stablecoin against $220 million of collateral.
Soon after the exploit, Wormhole’s parent company Jump Crypto replaced all of the stolen 120,000 ETH from its own coffers. It also offered the hackers a $10 million bounty, along with a white hat agreement, in exchange for returning the funds.
In an interview, a company representative stated that it was working “in very close consultation with government resources, with private resources,” adding that it would not stop until it had managed to recover the funds.
Looks like it made good on its word.
In a recent blog post, Oasis confirmed that it had counter-exploited the hacker based on an “order from the High Court of England and Wales” that had given it permission to retrieve certain assets from wallets associated with the Wormhole exploit.
Sharing details about its actions, Oasis said that it conducted the operation together with a court-authorized third party. A Blockworks Research article that preceded the Oasis statement had already identified Jump Crypto as the owner of the wallets that received the seized funds.
Blockworks based its assumption on publicly available information, which showed that it was a wallet controlled by Jump Crypto that had paid down the MakerDAO debt to withdraw the collateral. The transaction history further showed that Oasis then moved 120,695 wstETH and 3,213 rETH and placed them in wallets under Jump Crypto’s control.
Can of worms
Oasis’ ability to retrieve crypto assets from its users’ vaults has ruffled quite a few feathers in the crypto sphere.
Anticipating the negative implications of its actions, Oasis claimed that it was only able to recover the funds due to a previously unknown vulnerability in the design of the admin multisig access.
“We stress that this access was there with the sole intention to protect user assets in the event of any potential attack, and would have allowed us to move quickly to patch any vulnerability disclosed to us,” Oasis said, adding that “it should be noted that at no point, in the past or present, have user assets been at risk of being accessed by any unauthorized party.”
That has done little to quell the criticism over the counter-exploit. Asking for a copy of the court order, blockchain consultant Martin Krung wondered what jurisdiction a court in the United Kingdom has over Jump and Oasis.
Others expressed concern about the kind of precedent the counter-exploit sets for government intervention, particularly in a supposedly decentralized ecosystem.