Optimism is an L2 blockchain and Wintermute is a liquidity provider.
Optimism sent funds to Wintermute on the L2 chain but it should have been on mainnet ETH. So, nothing should happen, right?
Wintermute's mainnet Safe was deployed using an older version of the Proxy Factory, one that predates the first Optimism deployment. The Safe that was deployed uses a non-EIP-155 (replay attack prevention) compliant deployment!
An attacker can replay the deployment of the Proxy Factory used by Wintermute on Optimism. The Safe was created using the CREATE opcode, which uses the creating contract's nonce to determine the address. By creating enough contracts (8884), one will have the proper nonce and deploy to the proper address.
They had now grabbed the address that Optimism sent the funds to. The Gnosis Safe deployed there could now retrieve the lost funds for themselves.
Interesting vulnerability that required a lot of things to go wrong. Pretty neat!