The strange case of Oasis reversing part of the Wormhole hack [80]

Oasis retrieves $225M from the Wormhole hack by exploiting its own network

Good afternoon, friends!

The decentralized finance platform Oasis managed to put a feather in its cap recently by reversing some of the damage done during the Wormhole bridge hack in February 2022, which led hackers to steal more than $320 million worth of wETH.

Oasis posted in a blog post that it received an order from the High Court of England and Wales that it could take “all necessary steps” to retrieve lost assets from the hack – which apparently included exploiting its own software.

This worked because the hacker behind the Wormhole hack deposited a portion of the stolen tokens into the multi-signature wallet developed by Oasis.

A group of whitehat hackers informed Oasis of a previously unknown exploit in its software that affected the “design of the admin multisig access” and the software provider then used that exploit to rake back a portion of the funds that were stored there.

“We stress that this access was there with the sole intention to protect user assets in the event of any potential attack, and would have allowed us to move quickly to patch any vulnerability disclosed to us,” Oasis said.

According to a report from CoinTelegraph, the proceeds from the exploit raked back approximately $225 million in digital assets into a wallet under the control of a third party.

“We can also confirm the assets were immediately passed onto a wallet controlled by the authorized third party, as required by the court order. We retain no control or access to these assets,” Oasis said.

It’s not often that the developer of software that is supposed to be secure for its customers uses a vulnerability in its own network against its customers. Even in the case that a bad actor that stole from others using it to store the loot of their ill-gotten goods.

The action rather flies in the face of the usefulness of multi-party multisig access if the developer can just exploit it and steal what’s stored in a vault. Especially if it’s at the bidding of a state actor like a court.

Yes, this was done to a hacker who stole millions of customer funds during an illegal activity and we can all applaud that it was done for the “greater good” with a vulnerability – but hopefully, we can all sit here and see there is cause for concern when it comes to future trust for these sorts of protocols.

The problem that we’re looking at here is that we could be staring down the barrel of a future where courts may begin to seek similar remedies from DeFi protocols for other reasons. Perhaps ones that don’t involve clawing back funds that were stolen illegally. Maybe they’ll demand that customer assets from other countries are frozen or confiscated and moved using similar tactics.

We’ve already seen this happen with the sanctions against Tornado Cash (another decentralized protocol) by the United States, the arrest of Alexey Pertsev, and other examples.

This is a genie that will not fit back into that bottle so easily.

---

Thank you for your support!

If you enjoy this newsletter, you'll want to check these links out.

💛 - Send this email to a friend! Even if you’re on the paid version. It’ll get someone else interested, and possibly subscribed!

🕊️ - I'm the Ops Pod lead for FreeRossDAO, a movement for prison reform and clemency for the unjust imprisonment of Ross Ulbricht. Learn more here, or subscribe to my FreeRossDAO Newsletter.

₿ - I'm the VP at Geosyn Mining, a datacenter for co-locating your bitcoin mining equipment. If you want to learn more about how you can mine bitcoin directly, drop me a line here.

🦢 - Have you started investing in Bitcoin yet? You’ve read about Dollar Cost Averaging, but don’t know where to start? I endorse Swan Bitcoin as a great tool for setting up a disciplined investment regimen, and many of you do, too! If you sign up with this link, I get $10 to help support my efforts with this newsletter.

📧 - Did you get this emailed to you? Click here to try a premium subscription out free for 14-days (generally, two issues).

---

Blockchain Bulletin

• Blockchain chipmaker Chain Reaction out of Tel Aviv prepares to launch new mining silicon. Tel Aviv-based startup Chain Reaction plans to launch its first blockchain miner silicon chips with $70 million in new funding and expand its engineering team to develop new privacy-centric encryption chips, reported CoinTelegraph.

• Spotify tests token-enabled music playlists. Online music streaming service Spotify tests a new “token enabled playlist” service that allows users to access curated playlists based on having certain NFTs in their wallets, reported CoinDesk.

Blockchain Behind the Scenes

• Coinbase launches Layer 2 blockchain Base for easier dapp building. Crypto exchange Coinbase is launching its own Ethereum Layer 2 blockchain “Base” that will act as a bridge to other blockchains and give developers the tools to build out dapps.

• Google Cloud partners with Tezos as a validator. Google Cloud joined Tezos as a validator, or “baker,” enabling customers to launch their own nodes in the cloud and gain access to tools to rapidly build on the Tezos blockchain, giving select startups access to credits and mentorship.