DeFi hack

Jump Crypto & Oasis.app counter exploits Wormhole hacker for $225M

The counter exploit came after the High Court of England and Wales ordered Oasis.app to work with Jump Crypto to retrieve the stolen funds.

Web3 infrastructure firm Jump Crypto and decentralized finance (DeFi) platform Oasis.app have conducted a “counter exploit” on the Wormhole protocol hacker, with the duo managing to claw back $225 million worth of digital assets and transfer them to a safe wallet.

The Wormhole attack occurred in February 2022 and saw roughly $321 million worth of Wrapped ETH (wETH) siphoned via a vulnerability in the protocol’s token bridge.

The hacker has since shifted around the stolen funds through various Ethereum-based decentralized applications (dApps), and via Oasis, they recently opened up a Wrapped Staked ETH (wstETH) vault on Jan. 23, and a Rocket Pool ETH (rETH) vault on Feb. 11.

In a Feb. 24 blog post, the Oasis.app team confirmed that a counter exploit had taken place, outlining that it had “received an order from the High Court of England and Wales” to retrieve certain assets that related to the “address associated with the Wormhole Exploit.”

The team stated that the retrieval was initiated via “the Oasis Multisig and a court-authorized third party,” which was identified as being Jump Crypto in a preceding report from Blockworks Research.

Transaction history of both vaults indicates that 120,695 wstETH and 3,213 rETH were moved by Oasis on Feb. 21 and placed in wallets under Jump Crypto’s control. The hacker also had around $78 million worth of debt in MakerDAO’s DAI stablecoin, which was retrieved.

“We can also confirm the assets were immediately passed onto a wallet controlled by the authorized third party, as required by the court order. We retain no control or access to these assets,” the blog post reads.

@spreekaway tweet on the counter exploit. Source: Twitter

Referencing the negative implications of Oasis being able to retrieve crypto assets from its user vaults, the team emphasized that it was “only possible due to a previously unknown vulnerability in the design of the admin multisig access.”

Related: DeFi security: How trustless bridges can help protect users

The post stated that such a vulnerability was highlighted by white hat hackers earlier this month.

“We stress that this access was there with the sole intention to protect user assets in the event of any potential attack, and would have allowed us to move quickly to patch any vulnerability disclosed to us. It should be noted that at no point, in the past or present, have user assets been at risk of being accessed by any unauthorized party.”

Wintermute inside job theory ‘not convincing enough’: BlockSec

The theory is “not convincing enough to accuse the Wintermute project,” wrote BlockSec, as it highlighted that Wintermute’s actions during the hack made sense given the circumstances.

Blockchain security firm BlockSec has debunked a conspiracy theory alleging the $160 million Wintermute hack was an inside job, noting that the evidence used for allegations is “not convincing enough.”

Earlier this week, cyber sleuth James Edwards published a report alleging that the Wintermute smart contract exploit was likely conducted by someone with inside knowledge of the firm, questioning activity relating to the compromised smart contract and two stablecoin transactions in particular.

BlockSec has since gone over the claims in a Wednesday post on Medium, suggesting that the “accusation of the Wintermute project is not as solid as the author claimed,” adding in a tweet:

“Our analysis shows that the report is not convincing enough to accuse the Wintermute project.”

In Edwards’ original post, he essentially drew attention to how the hacker was able to enact so much carnage on the exploited Wintermute smart contract that “supposedly had admin access,” despite the contract showing no evidence of admin capabilities during his analysis.

BlockSec, however, promptly debunked the claims, as it outlined that “the report just looked up the current state of the account in the mapping variable _setCommonAdmin, however, it is not reasonable because the project may take actions to revoke the admin privilege after knowing the attack.”

It pointed to Etherscan transaction details which showed that Wintermute had removed admin privileges once it became aware of the hack.
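The methodological point BlockSec makes is a general one for on-chain forensics: a mapping such as `_setCommonAdmin` read from the latest block tells you who holds a privilege now, not who held it when the attack transaction executed, because the project can revoke it afterwards. The following is an added example (not code from BlockSec, Wintermute or the article) that reconstructs role membership at an arbitrary block by replaying grant/revoke events in log order. The event shape, the addresses and the block numbers are constructed for illustration; the page does not give the real contract’s event names.

```python
from dataclasses import dataclass
from typing import FrozenSet, Iterable


@dataclass(frozen=True)
class RoleEvent:
    """One admin grant/revoke event, as it would be recovered from a contract's logs.

    Hypothetical shape: a real contract's role events would be decoded from
    eth_getLogs output into something equivalent.
    """
    block: int
    log_index: int   # orders events emitted within the same block
    account: str
    granted: bool    # True = admin granted, False = admin revoked


def admins_at_block(events: Iterable[RoleEvent], block: int) -> FrozenSet[str]:
    """Replay events up to and including `block` and return the admin set at that point."""
    admins = set()
    # Sort by (block, log_index) so same-block grant-then-revoke sequences resolve correctly.
    for ev in sorted(events, key=lambda e: (e.block, e.log_index)):
        if ev.block > block:
            break
        acct = ev.account.lower()   # normalise checksum casing before comparing
        if ev.granted:
            admins.add(acct)
        else:
            admins.discard(acct)
    return frozenset(admins)


def had_admin_at(events: Iterable[RoleEvent], account: str, block: int) -> bool:
    """True if `account` was an admin as of `block` (the question an investigator should ask)."""
    return account.lower() in admins_at_block(events, block)


# Constructed sample history (hypothetical addresses and block numbers, not from the page).
DEPLOYER = "0xD000000000000000000000000000000000000001"
ADMIN_A = "0xA000000000000000000000000000000000000002"
ATTACK_BLOCK = 500     # block in which the hypothetical exploit transaction landed
LATEST_BLOCK = 600     # "current" chain head at the time of the investigation

SAMPLE_EVENTS = [
    RoleEvent(block=100, log_index=0, account=DEPLOYER, granted=True),
    RoleEvent(block=120, log_index=3, account=ADMIN_A, granted=True),
    RoleEvent(block=520, log_index=1, account=ADMIN_A, granted=False),  # revoked after the incident
]


def compare_views(events: Iterable[RoleEvent] = SAMPLE_EVENTS, account: str = ADMIN_A) -> dict:
    """Contrast the historical answer with the naive 'read the mapping now' answer."""
    return {
        "at_attack_block": had_admin_at(events, account, ATTACK_BLOCK),
        "at_latest_block": had_admin_at(events, account, LATEST_BLOCK),
    }


if __name__ == "__main__":
    # Expected: {'at_attack_block': True, 'at_latest_block': False}
    print(compare_views())
```

Against a live contract the same reconstruction is fed either by decoding the contract’s role events fetched with `eth_getLogs` over the relevant block range, or, where an archive node is available, by issuing `eth_call` for the mapping getter with a historical block tag equal to the attack block. Either way, the absence of an address from the mapping at the chain head is not evidence about its state when the exploit ran.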

BlockSec report. Source: Medium

Edwards also questioned why Wintermute had $13 million worth of Tether (USDT) transferred from two of its accounts on two different exchanges to its smart contract just two minutes after it was compromised, suggesting it was foul play.

Related: Tribe DAO votes in favor of repaying victims of $80M Rari hack

Addressing this, BlockSec argued that the transfers are not as suspicious as they appear, as the hacker could have been monitoring Wintermute’s transfer transactions, possibly via bots, and moved in once the funds arrived:

“However, it is not as plausible as it claimed. The attacker could monitor the activity of the transferring transactions to achieve the goal. It is not quite weird from a technical point of view. For example, there exist some on-chain MEV-bots which continuously monitor the transactions to make profits.”

As previously stated in Cointelegraph’s first article on the matter, Wintermute has strongly refuted Edwards’ claims and has asserted that his methodology is full of inaccuracies.