- The L1 multisig contract had already been deployed to the identical address on L2.
- A bad actor was able to take possession of the contract on the L2.
The Optimism layer-2 scaling solution’s positive phase was shattered when a smart contract vulnerability resulted in the loss of 20 million OP tokens.
When the bug was discovered, it had already taken place on May 26. There were a total of one million tokens sold for $1.3 million on Sunday. On Optimism, Vitalik Buterin’s Ethereum address received an extra 1 million tokens worth around $730,000 at 12:26 a.m. UTC yesterday. Meanwhile, the remaining tokens are inactive but might be sold or utilized to influence governance.
L1 and L2 Confusion Exploited
For the Optimism layer 2 (L2) blockchain, OP tokens are the native cryptocurrency, and on June 1, a part of the supply was distributed to network members through an airdrop. Congestion on a layer-1 (L1) blockchain, such as Ethereum’s, may be relieved by L2 solutions like these.
On Thursday, the Optimism team summarized one way in which Wintermute’s 20 million Op tokens were planned to be utilized. Once the team had conducted two test transactions, they transferred the whole token supply to the public at large.
Even though it could not access the tokens, Wintermute realized that it was still using an old version of the smart contract from L1 that hadn’t been upgraded to work on Optimism. A bad actor was able to take possession of the contract on the L2 because of a technical error. Wintermute attempted to fix the issue as soon as it became aware, but it was too late; the L1 multisig contract had already been deployed to the identical address on L2.